-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix signing key template processing dropping allow #3390
Conversation
Scoped signing keys allow for optional values in allow rules If an allow rule therefore gets removed because a tag is not present, the removal needs to be compensated by adding in a deny > Signed-off-by: Matthias Hanel <mh@synadia.com>
server/auth.go
Outdated
@@ -523,6 +527,14 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User | |||
} else if lim.Permissions.Pub.Deny, err = applyTemplate(lim.Permissions.Pub.Deny, true); err != nil { | |||
return jwt.UserPermissionLimits{}, err | |||
} | |||
|
|||
// if pub/sub allow where not empty, but are empty post template processing, add in a deny to compensate |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
were
instead of where
. But more importantly, looks like the code is opposite of the comment. That is, you wrote if they were not empty, but are empty after processing add deny. Then should it not be if !subAllowWasEmpty && ..
(notice the "!"). Same for the pub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wrong variable name. fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for pointing that out
Signed-off-by: Matthias Hanel <mh@synadia.com>
Signed-off-by: Matthias Hanel <mh@synadia.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Scoped signing keys allow for optional values in allow rules
If an allow rule therefore gets removed because a tag is not present,
the removal needs to be compensated by adding in a deny >
Signed-off-by: Matthias Hanel mh@synadia.com