

backport of commit 1e515ca (#16430)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
1 parent ea72556 commit 481f875
Showing 3 changed files with 24 additions and 23 deletions.
8 changes: 2 additions & 6 deletions vault/acl.go
Expand Up @@ -250,9 +250,7 @@ func NewACL(ctx context.Context, policies []*Policy) (*ACL, error) {
if existingPerms.MFAMethods == nil {
existingPerms.MFAMethods = pc.Permissions.MFAMethods
} else {
for _, method := range pc.Permissions.MFAMethods {
existingPerms.MFAMethods = append(existingPerms.MFAMethods, method)
}
existingPerms.MFAMethods = append(existingPerms.MFAMethods, pc.Permissions.MFAMethods...)
}
existingPerms.MFAMethods = strutil.RemoveDuplicates(existingPerms.MFAMethods, false)
}
Expand All @@ -268,9 +266,7 @@ func NewACL(ctx context.Context, policies []*Policy) (*ACL, error) {
}
existingPerms.ControlGroup = cg
} else {
for _, authz := range pc.Permissions.ControlGroup.Factors {
existingPerms.ControlGroup.Factors = append(existingPerms.ControlGroup.Factors, authz)
}
existingPerms.ControlGroup.Factors = append(existingPerms.ControlGroup.Factors, pc.Permissions.ControlGroup.Factors...)
}
}
}
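Review bot: The new variadic appends for `MFAMethods` and `ControlGroup.Factors` extend a slice that the nil branch just above took by reference from the policy (`existingPerms.MFAMethods = pc.Permissions.MFAMethods`), so if that slice ever has spare capacity the append writes into the policy's own backing array, and the same policy objects are handed to concurrent NewACL calls (TestACL_CreationRace in this commit does exactly that). parsePaths in vault/policy.go allocates MFAMethods at exact length, so today the append must reallocate, but the else branch relies on that invariant silently, and how `cg` is built for ControlGroup is outside the hunk. Copying on the nil branch makes the isolation explicit: `existingPerms.MFAMethods = append([]string(nil), pc.Permissions.MFAMethods...)`, with the analogous copy for `Factors`. NewACL starts and ends outside this hunk.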
27 changes: 17 additions & 10 deletions vault/acl_test.go
Expand Up @@ -2,6 +2,7 @@ package vault

import (
"context"
"fmt"
"reflect"
"sync"
"testing"
Expand Down Expand Up @@ -101,7 +102,7 @@ func TestACL_Capabilities(t *testing.T) {
t.Run("root-ns", func(t *testing.T) {
t.Parallel()
policy := []*Policy{{Name: "root"}}
ctx := namespace.RootContext(nil)
ctx := namespace.RootContext(context.Background())
acl, err := NewACL(ctx, policy)
if err != nil {
t.Fatalf("err: %v", err)
Expand Down Expand Up @@ -159,7 +160,7 @@ func testACLRoot(t *testing.T, ns *namespace.Namespace) {
// Create the root policy ACL. Always create on root namespace regardless of
// which namespace to ACL check on.
policy := []*Policy{{Name: "root"}}
acl, err := NewACL(namespace.RootContext(nil), policy)
acl, err := NewACL(namespace.RootContext(context.Background()), policy)
if err != nil {
t.Fatalf("err: %v", err)
}
Expand Down Expand Up @@ -293,7 +294,7 @@ func TestACL_Layered(t *testing.T) {
if err != nil {
t.Fatalf("err: %v", err)
}
acl, err := NewACL(namespace.RootContext(nil), []*Policy{policy1, policy2})
acl, err := NewACL(namespace.RootContext(context.Background()), []*Policy{policy1, policy2})
if err != nil {
t.Fatalf("err: %v", err)
}
Expand Down Expand Up @@ -820,25 +821,33 @@ func TestACL_CreationRace(t *testing.T) {
}

var wg sync.WaitGroup
errs := make(chan error)
stopTime := time.Now().Add(20 * time.Second)

for i := 0; i < 50; i++ {
wg.Add(1)
go func() {
go func(i int) {
defer wg.Done()
for {
if time.Now().After(stopTime) {
return
}
_, err := NewACL(namespace.RootContext(nil), []*Policy{policy})
_, err := NewACL(namespace.RootContext(context.Background()), []*Policy{policy})
if err != nil {
t.Fatalf("err: %v", err)
errs <- fmt.Errorf("goroutine %d: %w", i, err)
}
}
}()
}(i)
}

wg.Wait()
go func() {
wg.Wait()
close(errs)
}()

for err := range errs {
t.Fatalf("err: %v", err)
}
}

func TestACLGrantingPolicies(t *testing.T) {
Expand Down Expand Up @@ -1179,7 +1188,6 @@ var permissionsPolicy = `
name = "dev"
path "dev/*" {
policy = "write"
allowed_parameters = {
"zip" = []
}
Expand Down Expand Up @@ -1269,7 +1277,6 @@ var valuePermissionsPolicy = `
name = "op"
path "dev/*" {
policy = "write"
allowed_parameters = {
"allow" = ["good"]
}
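Review bot: In TestACL_CreationRace the error channel is unbuffered and a worker that hits an error keeps looping and sending, while the consumer calls `t.Fatalf` on the first error it receives and stops reading; every later send then blocks forever, `wg.Wait` in the closer goroutine never returns, and the workers leak for the remainder of the test binary. Returning after the first failure and sizing the channel for one error per worker removes both problems: `errs := make(chan error, 50)` and `errs <- fmt.Errorf("goroutine %d: %w", i, err); return`. The 50 is the loop bound two lines below the channel declaration, so keep the two in step. The test function's opening lines are outside the hunk.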
12 changes: 5 additions & 7 deletions vault/policy.go
Expand Up @@ -449,15 +449,15 @@ func parsePaths(result *Policy, list *ast.ObjectList, performTemplating bool, en

if pc.AllowedParametersHCL != nil {
pc.Permissions.AllowedParameters = make(map[string][]interface{}, len(pc.AllowedParametersHCL))
for key, val := range pc.AllowedParametersHCL {
pc.Permissions.AllowedParameters[strings.ToLower(key)] = val
for k, v := range pc.AllowedParametersHCL {
pc.Permissions.AllowedParameters[strings.ToLower(k)] = v
}
}
if pc.DeniedParametersHCL != nil {
pc.Permissions.DeniedParameters = make(map[string][]interface{}, len(pc.DeniedParametersHCL))

for key, val := range pc.DeniedParametersHCL {
pc.Permissions.DeniedParameters[strings.ToLower(key)] = val
for k, v := range pc.DeniedParametersHCL {
pc.Permissions.DeniedParameters[strings.ToLower(k)] = v
}
}
if pc.MinWrappingTTLHCL != nil {
Expand All @@ -476,9 +476,7 @@ func parsePaths(result *Policy, list *ast.ObjectList, performTemplating bool, en
}
if pc.MFAMethodsHCL != nil {
pc.Permissions.MFAMethods = make([]string, len(pc.MFAMethodsHCL))
for idx, item := range pc.MFAMethodsHCL {
pc.Permissions.MFAMethods[idx] = item
}
copy(pc.Permissions.MFAMethods, pc.MFAMethodsHCL)
}
if pc.ControlGroupHCL != nil {
pc.Permissions.ControlGroup = new(ControlGroup)
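Review bot: Both renamed loops lower-case the key before storing it, so two HCL keys that differ only in case (for example `Zip` and `zip`) collapse into one entry of `AllowedParameters` or `DeniedParameters`, and since `range` over a map visits keys in unspecified order, which value survives is decided nondeterministically from one parse of the same policy to the next. This predates the rename, but the rename is a good moment to make the outcome deterministic with a duplicate check before the assignment, e.g. `lk := strings.ToLower(k); if _, dup := pc.Permissions.AllowedParameters[lk]; dup { return fmt.Errorf("allowed_parameters: duplicate key %q after lower-casing", lk) }`, mirrored for DeniedParameters. This assumes AllowedParametersHCL is a map and that parsePaths returns an error with fmt in scope; its signature is cut off at the hunk header and the function starts and ends outside the hunk, so verify both.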

