Fix browser authorization edge cases
@@ -348,22 +348,26 @@ func (s *Server) authorizedBrowserMatches(ctx context.Context, token apitokens.T
|
||||
if _, err := s.authorizeResourceRequest(ctx, token, apitokens.OperationListEntries, match.resource); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return browserMatchesWithinPath(matches, match.resource.Path), nil
|
||||
return s.authorizedBrowserMatchesWithinPath(ctx, token, matches, match.resource.Path)
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
func browserMatchesWithinPath(matches []rankedBrowserMatch, path []string) []*keepassgov1.BrowserLoginMatch {
|
||||
func (s *Server) authorizedBrowserMatchesWithinPath(_ context.Context, _ apitokens.Token, matches []rankedBrowserMatch, path []string) ([]*keepassgov1.BrowserLoginMatch, error) {
|
||||
out := make([]*keepassgov1.BrowserLoginMatch, 0, len(matches))
|
||||
for _, match := range matches {
|
||||
if len(path) > len(match.resource.Path) {
|
||||
continue
|
||||
}
|
||||
if slices.Equal(path, match.resource.Path[:len(path)]) {
|
||||
out = append(out, match.match)
|
||||
if !slices.Equal(path, match.resource.Path[:len(path)]) {
|
||||
continue
|
||||
}
|
||||
if match.decision == apitokens.DecisionDeny {
|
||||
continue
|
||||
}
|
||||
out = append(out, match.match)
|
||||
}
|
||||
return out
|
||||
return out, nil
|
||||
}
|
||||
|
||||
func (s *Server) GetBrowserCredential(ctx context.Context, req *keepassgov1.GetBrowserCredentialRequest) (*keepassgov1.GetBrowserCredentialResponse, error) {
|
||||
@@ -1068,8 +1072,6 @@ func classifyBrowserEntryMatch(pageHost, rawEntryURL string) (string, int) {
|
||||
return "exact-host", 3
|
||||
case strings.HasSuffix(pageHost, "."+entryHost):
|
||||
return "subdomain", 2
|
||||
case strings.HasSuffix(entryHost, "."+pageHost):
|
||||
return "parent-domain", 1
|
||||
default:
|
||||
return "", 0
|
||||
}
|
||||
|
||||
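Review bot: The new filter in `authorizedBrowserMatchesWithinPath` (first hunk) skips a match only when `match.decision == apitokens.DecisionDeny`, so every other value still yields a browser login match, including the type's zero value if `decision` was never populated. Where `decision` is assigned is not visible in this hunk; if the apitokens package defines an explicit allow value, appending only on that value and skipping everything else would make the filter fail closed. The helper also discards its `ctx` and `token` parameters and always returns a nil error, so the name suggests a per-entry authorization check that the body does not perform. A doc comment would make the contract explicit, for example `// authorizedBrowserMatchesWithinPath filters matches under path using the decision already recorded on each match; it performs no policy lookup of its own.`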