fix(auth): scope path-like name args by command
Build and Push Docker Container / build-and-push (push) Successful in 4m41s
Build and Push Docker Container / build-and-push (push) Successful in 4m41s
- Stop treating property names as vault paths during policy checks. - Keep rename name targets protected by path restrictions. - Add regression coverage for property:set name=from. - Add regression coverage for blocked rename targets. - Bump package version to 1.0.4 for the Docker image tag.
This commit is contained in:
+9
-2
@@ -29,7 +29,10 @@ class CommandTarget:
|
||||
vault:str|None
|
||||
paths:tuple[str, ...]
|
||||
|
||||
PATH_KEYS = {"path", "file", "folder", "name", "to"}
|
||||
DEFAULT_PATH_KEYS = {"path", "file", "folder", "to"}
|
||||
PATH_KEYS_BY_COMMAND = {
|
||||
"rename": DEFAULT_PATH_KEYS | {"name"},
|
||||
}
|
||||
PATH_REQUIRED_WHEN_RESTRICTED = {
|
||||
"append", "prepend", "read", "create", "delete", "rename", "move", "file", "folder", "open", "diff",
|
||||
"search", "search:context", "files", "folders",
|
||||
@@ -100,6 +103,9 @@ def parse_kv_arg(arg:str) -> tuple[str, str]|None:
|
||||
return None
|
||||
return key, value
|
||||
|
||||
def path_keys_for_command(command:str|None) -> set[str]:
|
||||
return PATH_KEYS_BY_COMMAND.get(command or "", DEFAULT_PATH_KEYS)
|
||||
|
||||
def extract_command_target(args:list[str]) -> CommandTarget:
|
||||
vault:str|None = None
|
||||
command:str|None = None
|
||||
@@ -113,12 +119,13 @@ def extract_command_target(args:list[str]) -> CommandTarget:
|
||||
command = arg
|
||||
break
|
||||
|
||||
path_keys = path_keys_for_command(command)
|
||||
for arg in args:
|
||||
parsed = parse_kv_arg(arg)
|
||||
if not parsed:
|
||||
continue
|
||||
key, value = parsed
|
||||
if key in PATH_KEYS and value:
|
||||
if key in path_keys and value:
|
||||
paths.append(value)
|
||||
|
||||
return CommandTarget(command=command, vault=vault, paths=tuple(paths))
|
||||
|
||||
Reference in New Issue
Block a user