Comments clarification

G-Research · Nov 12, 2024 · 39d244a · 39d244a
1 parent 4a442fe
commit 39d244a
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
@@ -31,7 +31,7 @@ def verify_policy(identity, producer_policy_name, consumer_policy_name = nil)
         policies, _ = get_entity_data(sub)
         return if policies.any? { |p| p == producer_policy_name }
 
-        # check group role
+        # check group membership in consumer policy if given
         if consumer_policy_name.present?
           role = read_oidc_role(make_role_name(consumer_policy_name))
           return if ((role&.data&.dig(:bound_claims, :groups) || []) & identity.groups).any?

diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
@@ -111,7 +111,7 @@ class VaultTest < ActiveSupport::TestCase
     group_read_secret = @client.kv_read(alt_identity, path)
     assert_kind_of Vault::Secret, group_read_secret
 
-    # check kv_delete denied to other identity
+    # check kv_delete denied to other identity even with group
     err = assert_raises { @client.kv_delete(alt_identity, path) }
     assert_kind_of AuthError, err