Backport of VAULT-3825: Wildcard ACL policies without a trailing slash should match LIST operations into release/1.14.x #23876

hc-github-team-secure-vault-core

Backport

This PR is auto-generated from #23874 to be assessed for backporting due to the inclusion of the label backport/1.14.x.

The below text is copied from the body of the original PR.


I'll split this into an OSS PR and add a changelog there once it's approved.

When a LIST operation is executed on namespace foo, both of the following policies will independently allow the operation:

path "foo/sys/policies/acl" {
	capabilities = ["list"]
}

and

path "foo/sys/policies/acl/" {
	capabilities = ["list"]
}

both work 👍

However, when we use a wildcard in the policy path, we get different behavior:

path "+/sys/policies/acl" {
	capabilities = ["list"]
}

^ this fails

path "+/sys/policies/acl/" {
	capabilities = ["list"]
}

but ^ this succeeds.

This PR fixes the behavior so that it's the same for a wildcard versus no wildcard.

I considered stripping the trailing slash earlier in the request flow, but that would mean that any users that had written rules assuming that there was a trailing slash would need to update their policies after this change.

Tests for this are in enterprise.
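
A simplified model of the matching behaviour this PR describes, added here as an example and not Vault's own ACL code: `+` matches exactly one path segment, a trailing `*` matches any suffix, and for LIST operations the trailing slash is treated as optional on both the policy path and the request path, so `+/sys/policies/acl` and `+/sys/policies/acl/` both allow a LIST on `foo/sys/policies/acl/`. The function names `MatchSegments` and `Allowed` are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchSegments is a strict, segment-by-segment comparison of a policy path
// against a request path. "+" matches exactly one segment and a final "*"
// matches any remaining suffix; everything else must match literally,
// including the empty segment produced by a trailing slash. Under this strict
// rule "+/sys/policies/acl" does not match "foo/sys/policies/acl/".
func MatchSegments(policyPath, requestPath string) bool {
	p := strings.Split(policyPath, "/")
	r := strings.Split(requestPath, "/")
	for i, seg := range p {
		if seg == "*" && i == len(p)-1 {
			return true // glob at the end of the policy path
		}
		if i >= len(r) {
			return false // request path is shorter than the policy path
		}
		if seg != "+" && seg != r[i] {
			return false
		}
	}
	return len(p) == len(r) // no leftover request segments
}

// Allowed models the fix: for a LIST operation the trailing slash is optional
// on both sides, so a wildcard policy written with or without it behaves the
// same as the literal policy does. Other operations keep the strict rule.
func Allowed(policyPath, requestPath string, isList bool) bool {
	if isList {
		policyPath = strings.TrimSuffix(policyPath, "/")
		requestPath = strings.TrimSuffix(requestPath, "/")
	}
	return MatchSegments(policyPath, requestPath)
}

func main() {
	// Constructed request: LIST on namespace foo's ACL policies.
	req := "foo/sys/policies/acl/"
	for _, policy := range []string{"foo/sys/policies/acl", "+/sys/policies/acl", "+/sys/policies/acl/"} {
		fmt.Printf("strict %-24s %v   list-normalised %v\n",
			policy, MatchSegments(policy, req), Allowed(policy, req, true))
	}
}
```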


Overview of commits

@hc-github-team-secure-vault-core force-pushed the backport/miagilepner/VAULT-3825-wildcard-policy/reasonably-willing-shad branch from c948c64 to afb3b2a on October 27, 2023 14:00
@hc-github-team-secure-vault-core force-pushed the backport/miagilepner/VAULT-3825-wildcard-policy/reasonably-willing-shad branch from d90932b to 30275c3 on October 27, 2023 14:00
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Oct 27, 2023
@miagilepner miagilepner added this to the 1.14.6 milestone Oct 27, 2023
@miagilepner miagilepner enabled auto-merge (squash) October 27, 2023 14:01
@github-actions

Build Results:
All builds succeeded! ✅

@miagilepner miagilepner merged commit 3fe08e8 into release/1.14.x Oct 27, 2023
97 of 98 checks passed
@miagilepner miagilepner deleted the backport/miagilepner/VAULT-3825-wildcard-policy/reasonably-willing-shad branch October 27, 2023 14:28
@github-actions

CI Results:
All Go tests succeeded! ✅
