Add the ability to glob allowed roles in the Database Backend (#3387)

* Add the ability to glob allowed roles in the Database Backend * Make the error messages better * Switch to the go-glob repo
hashicorp · Oct 30, 2017 · 4121791 · 4121791
1 parent 3e831ec
commit 4121791
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 1 deletion.
diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go
@@ -609,6 +609,40 @@ func TestBackend_allowedRoles(t *testing.T) {
 		t.Fatalf("expected error to be:%s got:%#v\n", logical.ErrPermissionDenied, err)
 	}
 
+	// update connection with glob allowed roles connection
+	data = map[string]interface{}{
+		"connection_url": connURL,
+		"plugin_name":    "postgresql-database-plugin",
+		"allowed_roles":  "allow*",
+	}
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config/plugin-test",
+		Storage:   config.StorageView,
+		Data:      data,
+	}
+	resp, err = b.HandleRequest(req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%s resp:%#v\n", err, resp)
+	}
+
+	// Get creds, should work.
+	data = map[string]interface{}{}
+	req = &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      "creds/allowed",
+		Storage:   config.StorageView,
+		Data:      data,
+	}
+	credsResp, err = b.HandleRequest(req)
+	if err != nil || (credsResp != nil && credsResp.IsError()) {
+		t.Fatalf("err:%s resp:%#v\n", err, credsResp)
+	}
+
+	if !testCredsExist(t, credsResp, connURL) {
+		t.Fatalf("Creds should exist")
+	}
+
 	// update connection with * allowed roles connection
 	data = map[string]interface{}{
 		"connection_url": connURL,

diff --git a/builtin/logical/database/path_creds_create.go b/builtin/logical/database/path_creds_create.go
@@ -49,7 +49,7 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
 
 		// If role name isn't in the database's allowed roles, send back a
 		// permission denied.
-		if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContains(dbConfig.AllowedRoles, name) {
+		if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContainsGlob(dbConfig.AllowedRoles, name) {
 			return nil, logical.ErrPermissionDenied
 		}
 

diff --git a/helper/strutil/strutil.go b/helper/strutil/strutil.go
@@ -6,8 +6,21 @@ import (
 	"fmt"
 	"sort"
 	"strings"
+
+	glob "github.com/ryanuber/go-glob"
 )
 
+// StrListContainsGlob looks for a string in a list of strings and allows
+// globs.
+func StrListContainsGlob(haystack []string, needle string) bool {
+	for _, item := range haystack {
+		if glob.Glob(item, needle) {
+			return true
+		}
+	}
+	return false
+}
+
 // StrListContains looks for a string in a list of strings.
 func StrListContains(haystack []string, needle string) bool {
 	for _, item := range haystack {

diff --git a/helper/strutil/strutil_test.go b/helper/strutil/strutil_test.go
@@ -57,6 +57,38 @@ func TestStrutil_EquivalentSlices(t *testing.T) {
 	}
 }
 
+func TestStrutil_ListContainsGlob(t *testing.T) {
+	haystack := []string{
+		"dev",
+		"ops*",
+		"root/*",
+		"*-dev",
+		"_*_",
+	}
+	if StrListContainsGlob(haystack, "tubez") {
+		t.Fatalf("Value shouldn't exist")
+	}
+	if !StrListContainsGlob(haystack, "root/test") {
+		t.Fatalf("Value should exist")
+	}
+	if !StrListContainsGlob(haystack, "ops_test") {
+		t.Fatalf("Value should exist")
+	}
+	if !StrListContainsGlob(haystack, "ops") {
+		t.Fatalf("Value should exist")
+	}
+	if !StrListContainsGlob(haystack, "dev") {
+		t.Fatalf("Value should exist")
+	}
+	if !StrListContainsGlob(haystack, "test-dev") {
+		t.Fatalf("Value should exist")
+	}
+	if !StrListContainsGlob(haystack, "_test_") {
+		t.Fatalf("Value should exist")
+	}
+
+}
+
 func TestStrutil_ListContains(t *testing.T) {
 	haystack := []string{
 		"dev",