Add the ability to glob allowed roles in the Database Backend #3387
Conversation
helper/strutil/strutil_test.go
Outdated
| "root/*", | ||
| } | ||
| if StrListContainsGlob(haystack, "tubez") { | ||
| t.Fatalf("Bad") |
There was a problem hiding this comment.
Perhaps change these to more descriptive messages
| @@ -609,6 +609,40 @@ func TestBackend_allowedRoles(t *testing.T) { | |||
| t.Fatalf("expected error to be:%s got:%#v\n", logical.ErrPermissionDenied, err) | |||
| } | |||
|
|
|||
| // update connection with glob allowed roles connection | |||
There was a problem hiding this comment.
Can we add a test that has a role name containing a /, with a corresponding allowed_role having a glob after the /?
There was a problem hiding this comment.
I tested with a /* in the strutil package, but role names actually are not able to have /s in them. This is because they use the name regex in the path.
|
Somewhere -- maybe ACLs, maybe in the PKI backend -- we use @ryanuber's https://github.com/ryanuber/go-glob -- would that be a better fit here or do you want to place more restrictions around where/how globbing can be performed? |
|
@jefferai I was thinking of restricting to prefix checking, but could make it more flexible with that library if we want |
|
LGTM |
fixes #3230