Fix hasMountPath for segment wildcard mounts; introduce priority order #6532
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vishalnayak
reviewed
Apr 4, 2019
vishalnayak
reviewed
Apr 4, 2019
kalafut
reviewed
Apr 4, 2019
vault/acl.go
Outdated
| // isn't; use that | ||
| continue | ||
| } | ||
| // Carry on checking |
There was a problem hiding this comment.
Should the checks currently in the else block be run here?
vishalnayak
reviewed
Apr 4, 2019
vishalnayak
reviewed
Apr 4, 2019
|
BTW, for those who've been looking at this PR, I've pushed #6535 to (I hope) simplify it. |
…6535) Readability rewrite. It should have exactly the same behaviour, at least, that's the intent. Add some test cases. Removed a rule (total # of segments) from priority ordering because I couldn't come up with a case where it would apply and the two that followed it wouldn't. Also add support for policy paths '+' and '+*' which until now haven't been properly handled as wildcard segment paths.
|
@ncabatoff I can't approve since I initially opened the PR, but looks great! Thanks for picking this up! |
use case:
path "pki/kubernetes-clusters-ca/*"
{
capabilities = ["read", "list"]
}
path "pki/kubernetes-clusters-ca/+/api/issue/sre-role"
{
capabilities = ["update"]
}
Now a glob is treated as a wildcard for the purpose of prioritizing
"first wildcard", and the "number of wildcards" case swallows the
"is/isn't prefix" case.
and wc segments (+), but went too far. We still treat them the same in terms of prioritizing based on the first position of + or *. But trying to lump them together and counting the number of +/*s doesn't make sense in some cases: foo/* should be lower priority than foo/+/+.
foo/+ outranks foo/*.
to see a policy prevent mount access, then modify the policy so it allows it.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes
hasMountPathwhen operating on segment wildcards, fixing the kv preflight check. As a part of this, I also introduce a longest-prefix priority ordering for cases where you have path segment wildcards in multiple paths. This will need some explanation in docs but for now it's well-commented.Fixes #6525