Validate policies can contain comments, be JSON

cipherboy · cipherboy · commit fd1caccd735f · 2025-03-19T22:15:48.000-05:00
Uncommenting the JSON test fails presently: --- FAIL: TestPolicy_Parse (0.00s) --- FAIL: TestPolicy_Parse/JSON (0.00s) policy_test.go:247: value: &vault.PathRules{Path:"test/types", Policy:"", Permissions:(*vault.ACLPermissions)(0xc000467570), IsPrefix:false, HasSegmentWildcards:false, Capabilities:[]string{"create", "sudo"}, MinWrappingTTLHCL:interface {}(nil), MaxWrappingTTLHCL:interface {}(nil), AllowedParametersHCL:map[string][]interface {}{"int":[]interface {}{1, 2}, "map":[]interface {}{map[string]interface {}{"good":"one"}}}, DeniedParametersHCL:map[string][]interface {}{"bool":[]interface {}{}, "string":[]interface {}{"test"}}, RequiredParametersHCL:[]string(nil), MFAMethodsHCL:[]string(nil), PaginationLimitHCL:0} policy_test.go:494: [slice[8].Permissions.DeniedParameters.map[bool].slice[0]: <no value> != false slice[8].DeniedParametersHCL.map[bool].slice[0]: <no value> != false] FAIL FAIL github.com/openbao/openbao/vault 0.021s FAIL See also: hashicorp/hcl#740 See also: hashicorp/hcl#741 Signed-off-by: Alexander Scheel <ascheel@gitlab.com>
diff --git a/vault/policy_test.go b/vault/policy_test.go
@@ -26,6 +26,7 @@ path "stage/*" {
 # Limited read privilege to production
 path "prod/version" {
 	policy = "read"
+	comment = "this comment is stored but not parsed"
 }
 # Read access to foobar
 # Also tests stripping of leading slash and parsing of min/max as string and
@@ -120,12 +121,140 @@ path "unpaginated-kv/metadata" {
 }
 `)
 
+var rawPolicyJSON = strings.TrimSpace(`
+{
+  "name": "dev",
+  "path": {
+    "*": {
+        "policy": "deny"
+    },
+    "stage/*": {
+        "policy": "sudo"
+    },
+    "prod/version": {
+        "policy": "read",
+        "comment": "this comment is stored but not parsed"
+    },
+    "/foo/bar": {
+      "policy": "read",
+      "min_wrapping_ttl": 300,
+      "max_wrapping_ttl": "1h"
+    },
+    "foo/bar": {
+      "capabilities": ["create", "sudo"],
+      "min_wrapping_ttl": "300s",
+      "max_wrapping_ttl": 3600
+    },
+    "foo/bar": {
+      "capabilities": ["create", "sudo"],
+      "allowed_parameters": {
+        "zip": [],
+        "zap": []
+      }
+    },
+    "baz/bar": {
+      "capabilities": ["create", "sudo"],
+      "denied_parameters": {
+        "zip": [],
+        "zap": []
+      }
+    },
+    "biz/bar": {
+      "capabilities": ["create", "sudo"],
+      "allowed_parameters": {
+        "zim": [],
+        "zam": []
+      },
+      "denied_parameters": {
+        "zip": [],
+        "zap": []
+      }
+    },
+    "test/types": {
+      "capabilities": ["create", "sudo"],
+      "allowed_parameters": {
+		"map": [{"good": "one"}],
+        "int": [1, 2]
+      },
+      "denied_parameters": {
+        "string": ["test"],
+        "bool": [false]
+      }
+    },
+    "test/req": {
+      "capabilities": ["create", "sudo"],
+      "required_parameters": ["foo"]
+    },
+    "test/patch": {
+      "capabilities": ["patch"]
+    },
+    "test/scan": {
+      "capabilities": ["scan"]
+    },
+    "test/mfa": {
+      "capabilities": ["create", "sudo"],
+      "mfa_methods": ["my_totp", "my_totp2"]
+    },
+    "test/+/segment": {
+      "capabilities": ["create", "sudo"]
+    },
+    "test/segment/at/end/+": {
+      "capabilities": ["create", "sudo"]
+    },
+    "test/segment/at/end/v2/+/": {
+      "capabilities": ["create", "sudo"]
+    },
+    "test/+/wildcard/+/*": {
+      "capabilities": ["create", "sudo"]
+    },
+    "test/+/wildcard/+/end*": {
+      "capabilities": ["create", "sudo"]
+    },
+    "paginated-kv/metadata": {
+      "capabilities": ["list"],
+      "pagination_limit": 12345
+    },
+    "unpaginated-kv/metadata": {
+      "capabilities": ["list"]
+    }
+  }
+}
+`)
+
 func TestPolicy_Parse(t *testing.T) {
-	p, err := ParseACLPolicy(namespace.RootNamespace, rawPolicy)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
+	t.Run("HCL", func(t *testing.T) {
+		pHcl, err := ParseACLPolicy(namespace.RootNamespace, rawPolicy)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		validatePolicy(t, pHcl)
+	})
+
+	/*
+		TODO(ascheel): When https://github.com/hashicorp/hcl/pull/741 merges, we'll
+		want to update and uncomment this test.
+
+		t.Run("JSON", func(t *testing.T) {
+			var parsed map[string]interface{}
+			err := json.Unmarshal([]byte(rawPolicyJSON), &parsed)
+			if err != nil {
+				t.Fatalf("failed to parse JSON: %v", err)
+			}
+
+			pJson, err := ParseACLPolicy(namespace.RootNamespace, rawPolicyJSON)
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+
+			t.Logf("value: %#v", pJson.Paths[8])
+
+			validatePolicy(t, pJson)
+		})
+	*/
+}
 
+func validatePolicy(t *testing.T, p *Policy) {
 	if p.Name != "dev" {
 		t.Fatalf("bad name: %q", p.Name)
 	}
