Fix member_role_policy_template for Openbao

Why this MR?

  • To close this issue
  • We have a bug in the ACL policy template for member_role_policy
  • It does not handle the case where the member_role_id: claim is nil in the OIDC JWT token

What does this MR do?

  • Update the ACL policy template for member_role_policy to handle the case where member_role_id: is NOT present in the JWT
  • The solution, as suggested in the docs, is to add a guard clause using the index function.
  • If member_role_id: claim is NOT present in the JWT, we exclude member_role_policy_template from the list of policy templates

References

Screenshots

Logs for project provisioned with buggy template:

  "policies":["default","project_70/users/direct/user_2","project_70/users/roles/50", "project_70/users/direct/member_role_\u003cno value\u003e"]
  "token_policies":["default","project_70/users/direct/user_2","project_70/users/roles/50", "project_70/users/direct/member_role_\u003cno value\u003e"]

Logs for project provisioned with fixed template:

  "policies":["default","project_75/users/direct/user_2","project_75/users/roles/50"]
  "token_policies":["default","project_75/users/direct/user_2","project_75/users/roles/50"]
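The mechanism behind the `member_role_<no value>` entry in the logs above, as an added illustration that is not code from this MR or from OpenBao: Go's text/template prints a missing map key as the literal string `<no value>` rather than failing, so an unguarded `{{ .member_role_id }}` produces a policy name that matches nothing, and an `index` guard makes the template render empty instead. The template strings, the claims map, and the `renderPolicies` helper that drops empty names are constructed for this example; how OpenBao itself renders and filters policy templates is an assumption here, not something this MR documents.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed policy-name templates modelled on the logged policy names.
// Whether OpenBao renders policy names exactly this way is an assumption
// of this example.
const (
	UserPolicyTemplate = `project_{{ .project_id }}/users/direct/user_{{ .user_id }}`
	RolePolicyTemplate = `project_{{ .project_id }}/users/roles/{{ .access_level }}`

	// Buggy: a missing member_role_id claim is a nil map lookup, which
	// text/template prints as "<no value>" instead of failing.
	BuggyMemberRoleTemplate = `project_{{ .project_id }}/users/direct/member_role_{{ .member_role_id }}`

	// Fixed: index returns nil for an absent key, the if branch is skipped,
	// and the template renders to an empty string, which renderPolicies drops.
	// Caveat: a present-but-zero claim (member_role_id = 0) is also skipped.
	FixedMemberRoleTemplate = `{{ if index . "member_role_id" }}project_{{ .project_id }}/users/direct/member_role_{{ .member_role_id }}{{ end }}`
)

// renderPolicies renders every template against the token claims, prefixes
// the "default" policy, and drops templates that render to an empty name.
func renderPolicies(templates []string, claims map[string]any) ([]string, error) {
	policies := []string{"default"}
	for _, src := range templates {
		tmpl, err := template.New("policy").Parse(src)
		if err != nil {
			return nil, fmt.Errorf("parse %q: %w", src, err)
		}
		var buf bytes.Buffer
		if err := tmpl.Execute(&buf, claims); err != nil {
			return nil, fmt.Errorf("render %q: %w", src, err)
		}
		if name := strings.TrimSpace(buf.String()); name != "" {
			policies = append(policies, name)
		}
	}
	return policies, nil
}

// hasPlaceholder reports whether any rendered policy name still carries the
// "<no value>" marker, i.e. a template referenced a claim that was not set.
func hasPlaceholder(policies []string) bool {
	for _, p := range policies {
		if strings.Contains(p, "<no value>") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims for a token that carries no member_role_id.
	claims := map[string]any{"project_id": 70, "user_id": 2, "access_level": 50}

	buggy, _ := renderPolicies([]string{UserPolicyTemplate, RolePolicyTemplate, BuggyMemberRoleTemplate}, claims)
	fixed, _ := renderPolicies([]string{UserPolicyTemplate, RolePolicyTemplate, FixedMemberRoleTemplate}, claims)
	fmt.Println("buggy:", buggy, "placeholder:", hasPlaceholder(buggy))
	fmt.Println("fixed:", fixed, "placeholder:", hasPlaceholder(fixed))
}
```

The `hasPlaceholder` check is the kind of assertion worth keeping in a test for the provisioning code: any `<no value>` in a rendered policy list means a template referenced a claim the token did not carry.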

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jayakrishnan Mallissery
