Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VAULT-3825: Wildcard ACL policies without a trailing slash should match LIST operations #23874

Merged
merged 2 commits into from
Oct 27, 2023
Merged

VAULT-3825: Wildcard ACL policies without a trailing slash should match LIST operations #23874

merged 2 commits into from
Oct 27, 2023

Conversation

miagilepner
Copy link
Contributor

@miagilepner miagilepner commented Oct 27, 2023
edited
Loading

When a LIST operation is executed on namespace foo, both of the following policies will independently allow the operation:

path "foo/sys/policies/acl" {
	capabilities = ["list"]
}

and

path "foo/sys/policies/acl/" {
	capabilities = ["list"]
}

both work 👍

However, when we use a wildcard in the policy path, we get different behavior:

path "+/sys/policies/acl" {
	capabilities = ["list"]
}

^ this fails

path "+/sys/policies/acl/" {
	capabilities = ["list"]
}

but ^ this succeeds.

This PR fixes the behavior so that it's the same for a wildcard versus no wildcard.

I considered stripping the trailing slash earlier in the request flow, but that would mean that any users that had written rules assuming that there was a trailing slash would need to update their policies after this change.

Tests for this are in enterprise.

@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Oct 27, 2023
@miagilepner miagilepner modified the milestones: 1.13.10, 1.16.0-rc1 Oct 27, 2023
@miagilepner miagilepner marked this pull request as ready for review October 27, 2023 13:30
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@github-actions
Copy link

CI Results:
All Go tests succeeded! ✅

@miagilepner miagilepner merged commit fb97a45 into main Oct 27, 2023
138 of 173 checks passed
@miagilepner miagilepner deleted the miagilepner/VAULT-3825-wildcard-policy branch October 27, 2023 13:59
This was referenced Oct 27, 2023
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VioletHynes VioletHynes VioletHynes approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.13.10
Development

Successfully merging this pull request may close these issues.
2 participants
@miagilepner @VioletHynes