diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
index c2a5b74..0baf5cd 100644
--- a/app/lib/clients/vault/policy.rb
+++ b/app/lib/clients/vault/policy.rb
@@ -32,9 +32,9 @@ def verify_policy(identity, producer_policy_name, groups = nil, consumer_policy_
 return if policies.any? { |p| p == producer_policy_name }
 # check group role
- if groups.present? && group_role_name.present?
+ if groups.present? && consumer_policy_name.present?
 role = read_oidc_role(make_role_name(consumer_policy_name))
- return if (role.data["bound_claims"] & groups).any?
+ return if ((role.data.dig(:bound_claims, :groups) || []) & groups).any?
 end
 raise AuthError.new("Policy has not been granted to the identity")
 end
diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
index acbe6a4..ac367b8 100644
--- a/test/lib/clients/vault_test.rb
+++ b/test/lib/clients/vault_test.rb
@@ -89,7 +89,7 @@ class VaultTest < ActiveSupport::TestCase
 test "kv methods" do
 # check kv_write
 path = "test/path/#{SecureRandom.hex}"
- secret = @client.kv_write(@identity, [], path, { data: "data" })
+ secret = @client.kv_write(@identity, [ "group_can_read" ], path, { data: "data" })
 assert_kind_of Vault::Secret, secret
 # check kv_read
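Review bot: The rewritten intersection on the `+ return if ((role.data.dig(:bound_claims, :groups) || []) & groups).any?` line still assumes the `groups` claim value is an array, but Vault JWT/OIDC roles accept either a single string or a list for each bound_claims value, so a string-valued claim would raise NoMethodError on `&` instead of falling through to AuthError; `Array(...)` covers nil, string and list: `return if (Array(role.data.dig(:bound_claims, :groups)) & groups).any?`. Relatedly, if `read_oidc_role` returns nil for a missing role (the vault gem's read returns nil on 404), `role.data` raises before the AuthError line is reached, which surfaces as an unhandled exception rather than the AuthError callers expect; `role&.data` or an explicit nil guard keeps the deny path uniform. Note that `groups` is caller-supplied, so this check is only as strong as the token validation that produced it, which is outside this hunk. verify_policy's signature is truncated in the hunk header and its body begins outside the hunk.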
@@ -100,12 +100,17 @@ class VaultTest < ActiveSupport::TestCase
 entity = @client.read_entity(@identity.sub)
 assert_includes entity.data[:policies], "kv_policy/#{path}/producer"
- # check kv_read denied to other identity
+ # check kv_read denied to other identity by default
 alt_identity = Identity.new
 alt_identity.sub = SecureRandom.hex(4)
 err = assert_raises { @client.kv_read(alt_identity, path) }
 assert_kind_of AuthError, err
+ # check kv_read permitted to other identity with group membership
+ alt_identity.groups = [ "group_can_read" ]
+ group_read_secret = @client.kv_read(alt_identity, path)
+ assert_kind_of Vault::Secret, group_read_secret
+
 # check kv_delete denied to other identity
 err = assert_raises { @client.kv_delete(alt_identity, path) }
 assert_kind_of AuthError, err
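Review bot: The new group-membership assertions only cover the positive case, so a regression that made the bound_claims check pass for any non-empty `groups` (for example dropping the `& groups` intersection) would still be green; add a non-matching group before the permitted read: `alt_identity.groups = [ "some_other_group" ]`, `err = assert_raises { @client.kv_read(alt_identity, path) }`, `assert_kind_of AuthError, err`. The existing default-denied check runs with `groups` nil, so it exercises the `groups.present?` short-circuit rather than the intersection itself. The `test "kv methods"` block starts outside the hunk.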