simplify signature for group/consumer_policy matching

G-Research · Nov 11, 2024 · 4a442fe · 4a442fe
1 parent fffb882
commit 4a442fe
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/app/lib/clients/vault/key_value.rb b/app/lib/clients/vault/key_value.rb
@@ -4,7 +4,7 @@ module KeyValue
       extend Policy
 
       def kv_read(identity, path)
-        verify_policy(identity, producer_policy_path(path), identity.groups, consumer_policy_path(path))
+        verify_policy(identity, producer_policy_path(path), consumer_policy_path(path))
         client.kv(kv_mount).read(path)
       end
 

diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
@@ -25,16 +25,16 @@ def assign_groups_policy(groups, policy_name)
         create_oidc_role(make_role_name(policy_name), groups, policy_name)
       end
 
-      def verify_policy(identity, producer_policy_name, groups = nil, consumer_policy_name = nil)
+      def verify_policy(identity, producer_policy_name, consumer_policy_name = nil)
         # check identity policies
         sub = identity.sub
         policies, _ = get_entity_data(sub)
         return if policies.any? { |p| p == producer_policy_name }
 
         # check group role
-        if groups.present? && consumer_policy_name.present?
+        if consumer_policy_name.present?
           role = read_oidc_role(make_role_name(consumer_policy_name))
-          return if ((role.data.dig(:bound_claims, :groups) || []) & groups).any?
+          return if ((role&.data&.dig(:bound_claims, :groups) || []) & identity.groups).any?
         end
         raise AuthError.new("Policy has not been granted to the identity")
       end