From 4a442fee4c167e2c7fc4c862b22cb6b220530051 Mon Sep 17 00:00:00 2001
From: Geoff Wilson
Date: Mon, 11 Nov 2024 17:12:48 -0500
Subject: [PATCH] simplify signature for group/consumer_policy matching
---
 app/lib/clients/vault/key_value.rb | 2 +-
 app/lib/clients/vault/policy.rb | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/lib/clients/vault/key_value.rb b/app/lib/clients/vault/key_value.rb
index 2ea3d2f..4af1d2d 100644
--- a/app/lib/clients/vault/key_value.rb
+++ b/app/lib/clients/vault/key_value.rb
@@ -4,7 +4,7 @@ module KeyValue
 extend Policy
 def kv_read(identity, path)
- verify_policy(identity, producer_policy_path(path), identity.groups, consumer_policy_path(path))
+ verify_policy(identity, producer_policy_path(path), consumer_policy_path(path))
 client.kv(kv_mount).read(path)
 end
diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
index 0baf5cd..c8e2068 100644
--- a/app/lib/clients/vault/policy.rb
+++ b/app/lib/clients/vault/policy.rb
@@ -25,16 +25,16 @@ def assign_groups_policy(groups, policy_name)
 create_oidc_role(make_role_name(policy_name), groups, policy_name)
 end
- def verify_policy(identity, producer_policy_name, groups = nil, consumer_policy_name = nil)
+ def verify_policy(identity, producer_policy_name, consumer_policy_name = nil)
 # check identity policies
 sub = identity.sub
 policies, _ = get_entity_data(sub)
 return if policies.any? { |p| p == producer_policy_name }
 # check group role
- if groups.present? && consumer_policy_name.present?
+ if consumer_policy_name.present?
 role = read_oidc_role(make_role_name(consumer_policy_name))
- return if ((role.data.dig(:bound_claims, :groups) || []) & groups).any?
+ return if ((role&.data&.dig(:bound_claims, :groups) || []) & identity.groups).any?
 end
 raise AuthError.new("Policy has not been granted to the identity")
 end
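Review bot: The same caller-supplied `path` in `kv_read` now feeds both the policy-name helpers and `client.kv(kv_mount).read(path)`, and `producer_policy_path`/`consumer_policy_path` are not in this diff, so I cannot tell whether they canonicalize the path the way the KV mount does. If `path` is user-controlled, a value that the policy-name mapping and the KV backend interpret differently (leading or trailing slash, `..` segments, doubled separators) could satisfy `verify_policy` for one secret while the read returns another; that is an inference from this call site, not something the hunk shows, but it is the one check this rewrite makes worth confirming. The read runs with the application's own `client`, so this in-app check is the only access control on that path, which deserves a comment above the call such as `# authz: verify_policy raises AuthError before any read; path must already be canonical here`.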
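Review bot: The rewritten `return if` in `verify_policy` drops the `groups.present?` guard the old condition carried, so when `identity.groups` is nil the intersection raises a `TypeError` (`Array#&` requires an Array) instead of the `AuthError` the method promises, turning a missing groups claim into a crash rather than a clean deny. Coerce before intersecting: `return if ((role&.data&.dig(:bound_claims, :groups) || []) & Array(identity.groups)).any?`, which keeps an empty or absent claim on the deny path. The new `role&.` safe navigation already makes a missing OIDC role fall through to the raise, which is the right fail-closed direction, and the groups side should match it. Whether `identity.groups` can actually be nil depends on the identity object, which is not in this diff.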