add test and code fix for group read capability

G-Research · Nov 11, 2024 · fffb882 · fffb882
1 parent 4662ca7
commit fffb882
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
@@ -32,9 +32,9 @@ def verify_policy(identity, producer_policy_name, groups = nil, consumer_policy_
         return if policies.any? { |p| p == producer_policy_name }
 
         # check group role
-        if groups.present? && group_role_name.present?
+        if groups.present? && consumer_policy_name.present?
           role = read_oidc_role(make_role_name(consumer_policy_name))
-          return if (role.data["bound_claims"] & groups).any?
+          return if ((role.data.dig(:bound_claims, :groups) || []) & groups).any?
         end
         raise AuthError.new("Policy has not been granted to the identity")
       end

diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
@@ -89,7 +89,7 @@ class VaultTest < ActiveSupport::TestCase
   test "kv methods" do
     # check kv_write
     path = "test/path/#{SecureRandom.hex}"
-    secret = @client.kv_write(@identity, [], path, { data: "data" })
+    secret = @client.kv_write(@identity, [ "group_can_read" ], path, { data: "data" })
     assert_kind_of Vault::Secret, secret
 
     # check kv_read
@@ -100,12 +100,17 @@ class VaultTest < ActiveSupport::TestCase
     entity = @client.read_entity(@identity.sub)
     assert_includes entity.data[:policies], "kv_policy/#{path}/producer"
 
-    # check kv_read denied to other identity
+    # check kv_read denied to other identity by default
     alt_identity = Identity.new
     alt_identity.sub = SecureRandom.hex(4)
     err = assert_raises { @client.kv_read(alt_identity, path) }
     assert_kind_of AuthError, err
 
+    # check kv_read permitted to other identity with group membership
+    alt_identity.groups = [ "group_can_read" ]
+    group_read_secret = @client.kv_read(alt_identity, path)
+    assert_kind_of Vault::Secret, group_read_secret
+
     # check kv_delete denied to other identity
     err = assert_raises { @client.kv_delete(alt_identity, path) }
     assert_kind_of AuthError, err