fix: empty matched policies list for roles

yunionio · May 22, 2020 · 728524f · 728524f
1 parent 575f1c2
commit 728524f
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/pkg/cloudcommon/policy/policy.go b/pkg/cloudcommon/policy/policy.go
@@ -553,10 +553,10 @@ func (manager *SPolicyManager) AllPolicies() map[string][]string {
 }
 
 func (manager *SPolicyManager) RoleMatchPolicies(roleName string) []string {
+	ident := rbacutils.NewRbacIdentity("", "", []string{roleName})
 	ret := make([]string, 0)
 	for _, policies := range manager.policies {
 		for i := range policies {
-			ident := rbacutils.NewRbacIdentity("", "", []string{roleName})
 			if matched, _ := policies[i].Policy.Match(ident); matched {
 				ret = append(ret, policies[i].Name)
 			}

diff --git a/pkg/util/rbacutils/rbac.go b/pkg/util/rbacutils/rbac.go
@@ -591,7 +591,7 @@ func (policy *SRbacPolicy) IsSystemWidePolicy() bool {
 }
 
 func (policy *SRbacPolicy) MatchDomain(domainId string) bool {
-	if len(policy.DomainId) == 0 {
+	if len(domainId) == 0 {
 		return true
 	}
 	if policy.DomainId == domainId {

diff --git a/pkg/util/rbacutils/rbac_test.go b/pkg/util/rbacutils/rbac_test.go
@@ -489,6 +489,15 @@ func TestSRbacPolicyMatch(t *testing.T) {
 			},
 			true,
 		},
+		{
+			SRbacPolicy{
+				Projects: []string{},
+				Roles:    []string{"admin"},
+				Auth:     true,
+			},
+			NewRbacIdentity("", "", []string{"admin"}),
+			true,
+		},
 	}
 	for i, c := range cases {
 		got, _ := c.policy.Match(c.userCred)