Switch policies in AppRole to TypeCommaStringSlice (#3163)

2026-06-08 16:24:51 -04:00 · 2017-08-14 20:15:51 -04:00 · 2017-08-14 20:15:51 -04:00 · 64cb31ad9c
commit 64cb31ad9c
parent ff0bbbe2fc
2 changed files with 20 additions and 11 deletions
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@ -113,7 +113,7 @@ func rolePaths(b *backend) []*framework.Path {
 addresses which can perform the login operation`,
 				},
 				"policies": &framework.FieldSchema{
-					Type:        framework.TypeString,
+					Type:        framework.TypeCommaStringSlice,
 					Default:     "default",
 					Description: "Comma separated list of policies on the role.",
 				},
@ -172,7 +172,7 @@ TTL will be set to the value of this parameter.`,
 					Description: "Name of the role.",
 				},
 				"policies": &framework.FieldSchema{
-					Type:        framework.TypeString,
+					Type:        framework.TypeCommaStringSlice,
 					Default:     "default",
 					Description: "Comma separated list of policies on the role.",
 				},
@ -768,9 +768,9 @@ func (b *backend) pathRoleCreateUpdate(req *logical.Request, data *framework.Fie
 	}

 	if policiesRaw, ok := data.GetOk("policies"); ok {
-		role.Policies = policyutil.ParsePolicies(policiesRaw.(string))
+		role.Policies = policyutil.ParsePolicies(policiesRaw)
 	} else if req.Operation == logical.CreateOperation {
-		role.Policies = policyutil.ParsePolicies(data.Get("policies").(string))
+		role.Policies = policyutil.ParsePolicies(data.Get("policies"))
 	}

 	periodRaw, ok := data.GetOk("period")
@ -1306,8 +1306,8 @@ func (b *backend) pathRolePoliciesUpdate(req *logical.Request, data *framework.F
 		return nil, nil
 	}

-	policies := strings.TrimSpace(data.Get("policies").(string))
-	if policies == "" {
+	policiesRaw, ok := data.GetOk("policies")
+	if !ok {
 		return logical.ErrorResponse("missing policies"), nil
 	}

@ -1316,7 +1316,7 @@ func (b *backend) pathRolePoliciesUpdate(req *logical.Request, data *framework.F
 	lock.Lock()
 	defer lock.Unlock()

-	role.Policies = policyutil.ParsePolicies(policies)
+	role.Policies = policyutil.ParsePolicies(policiesRaw)

 	return nil, b.setRoleEntry(req.Storage, roleName, role, "")
 }
@ -1359,7 +1359,7 @@ func (b *backend) pathRolePoliciesDelete(req *logical.Request, data *framework.F
 	lock.Lock()
 	defer lock.Unlock()

-	role.Policies = policyutil.ParsePolicies(data.GetDefaultOrZero("policies").(string))
+	role.Policies = policyutil.ParsePolicies(data.GetDefaultOrZero("policies"))

 	return nil, b.setRoleEntry(req.Storage, roleName, role, "")
 }
--- a/helper/policyutil/policyutil.go
+++ b/helper/policyutil/policyutil.go
@ -18,12 +18,21 @@ const (
 // all other policies will be ignored, the result will contain
 // just the 'root'. In cases where 'root' is not present, if
 // 'default' policy is not already present, it will be added.
-func ParsePolicies(policiesRaw string) []string {
-	if policiesRaw == "" {
+func ParsePolicies(policiesRaw interface{}) []string {
+	if policiesRaw == nil {
 		return []string{"default"}
 	}

-	policies := strings.Split(policiesRaw, ",")
+	var policies []string
+	switch policiesRaw.(type) {
+	case string:
+		if policiesRaw.(string) == "" {
+			return []string{"default"}
+		}
+		policies = strings.Split(policiesRaw.(string), ",")
+	case []string:
+		policies = policiesRaw.([]string)
+	}

 	return SanitizePolicies(policies, true)
 }