|
7 | 7 | "errors"
|
8 | 8 | "fmt"
|
9 | 9 | "reflect"
|
| 10 | + "sort" |
10 | 11 | "time"
|
11 | 12 |
|
12 | 13 | "github.com/davecgh/go-spew/spew"
|
@@ -380,17 +381,69 @@ func overrideSessionTimeZone(session *Session) {
|
380 | 381 | // as nil in the bbolt store. Therefore, we also override the permissions
|
381 | 382 | // or caveats to nil for the migrated session in that scenario, so that the
|
382 | 383 | // deep equals check does not fail in this scenario either.
|
| 384 | +// |
| 385 | +// Additionally, we sort the caveats & permissions of both the kv and sql |
| 386 | +// sessions by their ID, so that they are always comparable in a deterministic |
| 387 | +// way with deep equals. |
383 | 388 | func overrideMacaroonRecipe(kvSession *Session, migratedSession *Session) {
|
384 | 389 | if kvSession.MacaroonRecipe != nil {
|
385 | 390 | kvPerms := kvSession.MacaroonRecipe.Permissions
|
386 | 391 | kvCaveats := kvSession.MacaroonRecipe.Caveats
|
387 | 392 |
|
| 393 | + // If the kvSession has a MacaroonRecipe with nil set for any |
| 394 | + // of the fields, we need to override the migratedSession |
| 395 | + // MacaroonRecipe to match that. |
388 | 396 | if kvPerms == nil && kvCaveats == nil {
|
389 | 397 | migratedSession.MacaroonRecipe = &MacaroonRecipe{}
|
390 | 398 | } else if kvPerms == nil {
|
391 | 399 | migratedSession.MacaroonRecipe.Permissions = nil
|
392 | 400 | } else if kvCaveats == nil {
|
393 | 401 | migratedSession.MacaroonRecipe.Caveats = nil
|
394 | 402 | }
|
| 403 | + |
| 404 | + sqlCaveats := migratedSession.MacaroonRecipe.Caveats |
| 405 | + sqlPerms := migratedSession.MacaroonRecipe.Permissions |
| 406 | + |
| 407 | + // If there have been caveats set for the MacaroonRecipe, |
| 408 | + // the order of the postgres db caveats will in very rare cases |
| 409 | + // differ from the kv store caveats. Therefore, we sort |
| 410 | + // both the kv and sql caveats by their ID, so that we can |
| 411 | + // compare them in a deterministic way. |
| 412 | + if kvCaveats != nil { |
| 413 | + sort.Slice(kvCaveats, func(i, j int) bool { |
| 414 | + return bytes.Compare( |
| 415 | + kvCaveats[i].Id, kvCaveats[j].Id, |
| 416 | + ) < 0 |
| 417 | + }) |
| 418 | + |
| 419 | + sort.Slice(sqlCaveats, func(i, j int) bool { |
| 420 | + return bytes.Compare( |
| 421 | + sqlCaveats[i].Id, sqlCaveats[j].Id, |
| 422 | + ) < 0 |
| 423 | + }) |
| 424 | + } |
| 425 | + |
| 426 | + // Similarly, we sort the macaroon permissions for both the kv |
| 427 | + // and sql sessions, so that we can compare them in a |
| 428 | + // deterministic way. |
| 429 | + if kvPerms != nil { |
| 430 | + sort.Slice(kvPerms, func(i, j int) bool { |
| 431 | + if kvPerms[i].Entity == kvPerms[j].Entity { |
| 432 | + return kvPerms[i].Action < |
| 433 | + kvPerms[j].Action |
| 434 | + } |
| 435 | + |
| 436 | + return kvPerms[i].Entity < kvPerms[j].Entity |
| 437 | + }) |
| 438 | + |
| 439 | + sort.Slice(sqlPerms, func(i, j int) bool { |
| 440 | + if sqlPerms[i].Entity == sqlPerms[j].Entity { |
| 441 | + return sqlPerms[i].Action < |
| 442 | + sqlPerms[j].Action |
| 443 | + } |
| 444 | + |
| 445 | + return sqlPerms[i].Entity < sqlPerms[j].Entity |
| 446 | + }) |
| 447 | + } |
395 | 448 | }
|
396 | 449 | }
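Review bot: The new reads `sqlCaveats := migratedSession.MacaroonRecipe.Caveats` and `sqlPerms := migratedSession.MacaroonRecipe.Permissions` dereference `migratedSession.MacaroonRecipe` whenever the kv recipe is non-nil, including the case where the kv recipe has both permissions and caveats and none of the override branches ran. If the migrated session comes back without a recipe, this panics instead of letting the deep-equals check report the mismatch; a guard such as `if migratedSession.MacaroonRecipe == nil { return }` before those reads would keep that failure visible as a comparison error. The function comment also says caveats and permissions are both sorted "by their ID", but the permission comparators order by `Entity` and then `Action`, so the comment should say that. Because both sides are sorted in place, the comparison no longer verifies the stored caveat order; if anything outside this hunk depends on that order, the comment should state explicitly that order is treated as insignificant.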
|