status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-02-23 02:48:19 +00:00
Code Issues Projects Releases Wiki Activity
consul/acl/policy_ce.go
sarahalsmiller 32ce33825d
[Security] Secvuln 8633 Consul configuration allowed repeated keys (#21908) 
* upgrade hcl package and account for possiblity of duplicates existing already in the cache

* upgrade to new tag

* add defensive line to prevent potential forever loop

* o mod tidy and changelog

* Update acl/policy.go

* fix raft reversion

* go mod tidy

* fix test

* remove duplicate key in test

* remove duplicates from test cases

* clean up

* go mod tidy

* go mod tidy

* pull in new hcl tag
2024-11-14 09:57:08 -06:00

59 lines
1.4 KiB
Go
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
//go:build !consulent
package acl
import (
"fmt"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/hcl"
"strings"
)
// EnterprisePolicyMeta stub
type EnterprisePolicyMeta struct{}
// EnterpriseRule stub
type EnterpriseRule struct{}
func (r *EnterpriseRule) Validate(string, *Config) error {
// nothing to validate
return nil
}
// EnterprisePolicyRules stub
type EnterprisePolicyRules struct{}
func (r *EnterprisePolicyRules) Validate(*Config) error {
// nothing to validate
return nil
}
func decodeRules(rules string, warnOnDuplicateKey bool, _ *Config, _ *EnterprisePolicyMeta) (*Policy, error) {
p := &Policy{}
err := hcl.DecodeErrorOnDuplicates(p, rules)
if errIsDuplicateKey(err) && warnOnDuplicateKey {
//because the snapshot saves the unparsed rules we have to assume some snapshots exist that shouldn't fail, but
// have duplicates
if err := hcl.Decode(p, rules); err != nil {
hclog.Default().Warn("Warning- Duplicate key in ACL Policy ignored", "errorMessage", err.Error())
return nil, fmt.Errorf("Failed to parse ACL rules: %v", err)
}
} else if err != nil {
return nil, fmt.Errorf("Failed to parse ACL rules: %v", err)
}
return p, nil
}
func errIsDuplicateKey(err error) bool {
if err == nil {
return false
}
return strings.Contains(err.Error(), "was already set. Each argument can only be defined once")
}
Reference in New Issue View Git Blame Copy Permalink