Allow explicit browser search fill

Joe Julian
2026-04-28 21:15:15 -07:00
parent e171f49287
commit 72006aa4b1
5 changed files with 116 additions and 10 deletions
+4
@@ -394,6 +394,10 @@ func (s *Server) GetBrowserCredential(ctx context.Context, req *keepassgov1.GetB
return nil, status.Error(codes.InvalidArgument, "entry url does not match requested page")
}
}
return s.browserCredential(ctx, token, entry)
}
func (s *Server) browserCredential(ctx context.Context, token apitokens.Token, entry vault.Entry) (*keepassgov1.GetBrowserCredentialResponse, error) {
if strings.TrimSpace(entry.Username) != "" {
if _, err := s.authorizeResourceRequest(ctx, token, apitokens.OperationCopyUsername, apitokens.Resource{Kind: apitokens.ResourceEntry, EntryID: entry.ID, Path: entry.Path}); err != nil {
return nil, err
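Review bot: The new `browserCredential` helper has no doc comment, and the part of it visible in this hunk starts directly with the `OperationCopyUsername` authorization; the page-URL check that returns `entry url does not match requested page` stays in `GetBrowserCredential`, just before the call. That check is what ties a credential release to the requesting page, so the helper should state its precondition, for example `// browserCredential returns the entry's credentials after per-field token authorization; it does not compare the entry URL with the requesting page, so callers must do that first or be an explicit user-selected fill.` Whether other callers exist is not visible here, and the helper's body continues past the end of the hunk.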
+34
@@ -693,6 +693,40 @@ func TestVaultServiceGetsBrowserCredentialForAuthorizedClients(t *testing.T) {
}
}
func TestVaultServiceGetsExplicitBrowserCredentialWithoutURLMatch(t *testing.T) {
t.Parallel()
client, _, cleanup := newTestClientForModel(t, vault.Model{
Entries: []vault.Entry{
{
ID: "no-url-entry",
Title: "Livingston Console",
Username: "livingstondell",
Password: "demo-loop",
Path: []string{"Root", "Heist Crew"},
},
testAPITokenEntry(t,
apitokens.PolicyRule{Effect: apitokens.EffectAllow, Operation: apitokens.OperationCopyUsername, Resource: apitokens.Resource{Kind: apitokens.ResourceEntry, EntryID: "no-url-entry", Path: []string{"Root", "Heist Crew"}}},
apitokens.PolicyRule{Effect: apitokens.EffectAllow, Operation: apitokens.OperationCopyPassword, Resource: apitokens.Resource{Kind: apitokens.ResourceEntry, EntryID: "no-url-entry", Path: []string{"Root", "Heist Crew"}}},
),
},
})
defer cleanup()
resp, err := client.GetBrowserCredential(tokenContext(defaultTestTokenSecret), &keepassgov1.GetBrowserCredentialRequest{
Id: "no-url-entry",
})
if err != nil {
t.Fatalf("GetBrowserCredential(no-url-entry without page URL) error = %v", err)
}
if resp.GetId() != "no-url-entry" {
t.Fatalf("GetBrowserCredential(no-url-entry without page URL).Id = %q, want no-url-entry", resp.GetId())
}
if resp.GetPassword() != "demo-loop" {
t.Fatalf("GetBrowserCredential(no-url-entry without page URL).Password = %q, want demo-loop", resp.GetPassword())
}
}
func TestVaultServiceRejectsUnauthorizedBrowserCredentialAccess(t *testing.T) {
t.Parallel()
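Review bot: The fixture entry `no-url-entry` has no URL set and the request carries only `Id`, so despite the name `...WithoutURLMatch` this test pins only the case where there is nothing to match. It does not show what happens when an entry that does have a URL is requested without a page URL, which is the case where skipping the match matters for a credential store. Add a second case with a URL-bearing entry and no page URL, asserting whichever outcome is intended (success for an explicit fill, or `codes.InvalidArgument`), so that behaviour cannot change silently. The returned username is also not asserted, although the token policy grants `OperationCopyUsername`. The test function that follows continues outside the hunk.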