fix(rbac): handle malformed rbac policy

Signed-off-by: Vincent Le Goff <vincent.legoff@konghq.com>
argoproj · May 27, 2023 · fb4571d · fb4571d
1 parent cae3817
commit fb4571d
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/util/rbac/rbac.go b/util/rbac/rbac.go
@@ -468,7 +468,12 @@ func loadPolicyLine(line string, model model.Model) error {
 		return err
 	}
 
-	if len(tokens) < 2 || len(tokens[0]) < 1 {
+	tokenLen := len(tokens)
+
+	if tokenLen < 1 ||
+		tokens[0] == "" ||
+		(tokens[0] == "g" && tokenLen != 3) ||
+		(tokens[0] == "p" && tokenLen != 6) {
 		return fmt.Errorf("invalid RBAC policy: %s", line)
 	}
 

diff --git a/util/rbac/rbac_test.go b/util/rbac/rbac_test.go
@@ -402,8 +402,14 @@ func TestGlobMatchFunc(t *testing.T) {
 }
 
 func TestLoadPolicyLine(t *testing.T) {
-	t.Run("Valid policy line", func(t *testing.T) {
-		policy := `p, foo, bar, baz`
+	t.Run("Valid permission line", func(t *testing.T) {
+		policy := `p, role:Myrole, applications, *, myproj/*, allow`
+		model := newBuiltInModel()
+		err := loadPolicyLine(policy, model)
+		require.NoError(t, err)
+	})
+	t.Run("Valid grant line", func(t *testing.T) {
+		policy := `g, your-github-org:your-team, role:org-admin`
 		model := newBuiltInModel()
 		err := loadPolicyLine(policy, model)
 		require.NoError(t, err)
@@ -438,4 +444,16 @@ func TestLoadPolicyLine(t *testing.T) {
 		err := loadPolicyLine(policy, model)
 		require.Error(t, err)
 	})
+	t.Run("Invalid policy line missing comma", func(t *testing.T) {
+		policy := "p, role:Myrole, applications, *, myproj/* allow"
+		model := newBuiltInModel()
+		err := loadPolicyLine(policy, model)
+		require.Error(t, err)
+	})
+	t.Run("Invalid policy line missing policy type", func(t *testing.T) {
+		policy := ", role:Myrole, applications, *, myproj/*, allow"
+		model := newBuiltInModel()
+		err := loadPolicyLine(policy, model)
+		require.Error(t, err)
+	})
 }