From d2a03ded78b34ee703fe7a35c2dab566b19d5ade Mon Sep 17 00:00:00 2001
From: James Rasell
Date: Mon, 10 Jun 2024 16:17:51 +0100
Subject: [PATCH] acl: fix validation of ACL plugin policy entries. (#23274)
---
 .changelog/23274.txt | 3 +++
 acl/policy.go | 2 +-
 acl/policy_test.go | 44 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/23274.txt
diff --git a/.changelog/23274.txt b/.changelog/23274.txt
new file mode 100644
index 000000000..af27940e3
--- /dev/null
+++ b/.changelog/23274.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+acl: Fix plugin policy validation when checking write permissions
+```
diff --git a/acl/policy.go b/acl/policy.go
index e038ab4d1..a290316d8 100644
--- a/acl/policy.go
+++ b/acl/policy.go
@@ -191,7 +191,7 @@ func isPolicyValid(policy string) bool {
 func (p *PluginPolicy) isValid() bool {
 switch p.Policy {
- case PolicyDeny, PolicyRead, PolicyList:
+ case PolicyDeny, PolicyRead, PolicyList, PolicyWrite:
 return true
 default:
 return false
diff --git a/acl/policy_test.go b/acl/policy_test.go
index d7a351ed2..6d36a3ce9 100644
--- a/acl/policy_test.go
+++ b/acl/policy_test.go
@@ -9,6 +9,7 @@ import (
 "testing"
 "github.com/hashicorp/nomad/ci"
+ "github.com/shoenig/test/must"
 "github.com/stretchr/testify/assert"
 )
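Review bot: Nothing in this diff shows how a `write` plugin policy is evaluated at authorization time once the `case PolicyDeny, PolicyRead, PolicyList, PolicyWrite:` line in `isValid` accepts it. The diffstat lists only acl/policy.go and its test, so it is worth confirming that the code consuming the plugin policy treats `write` as granting at least what `read` and `list` grant, rather than falling through to a default deny. The method also has no doc comment recording the accepted set; I would add `// isValid reports whether p.Policy is one of the policy levels accepted for plugins: deny, read, list or write.` above it. The end of the function body lies outside the hunk.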
@@ -898,3 +899,46 @@ func TestParse_BadInput(t *testing.T) {
 })
 }
 }
+
+func TestPluginPolicy_isValid(t *testing.T) {
+ ci.Parallel(t)
+
+ testCases := []struct {
+ name string
+ inputPluginPolicy *PluginPolicy
+ expectedOutput bool
+ }{
+ {
+ name: "policy deny",
+ inputPluginPolicy: &PluginPolicy{Policy: "deny"},
+ expectedOutput: true,
+ },
+ {
+ name: "policy read",
+ inputPluginPolicy: &PluginPolicy{Policy: "read"},
+ expectedOutput: true,
+ },
+ {
+ name: "policy list",
+ inputPluginPolicy: &PluginPolicy{Policy: "list"},
+ expectedOutput: true,
+ },
+ {
+ name: "policy write",
+ inputPluginPolicy: &PluginPolicy{Policy: "write"},
+ expectedOutput: true,
+ },
+ {
+ name: "policy invalid",
+ inputPluginPolicy: &PluginPolicy{Policy: "invalid"},
+ expectedOutput: false,
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ actualOutput := tc.inputPluginPolicy.isValid()
+ must.Eq(t, tc.expectedOutput, actualOutput)
+ })
+ }
+}
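Review bot: The table in `TestPluginPolicy_isValid` has a single negative case, the arbitrary string `invalid`, so it does not pin that an empty `Policy` is rejected. Since this validation decides which ACL plugin policies are accepted, I would add `{name: "policy empty", inputPluginPolicy: &PluginPolicy{Policy: ""}, expectedOutput: false},` alongside it. The test also calls `isValid` directly; a case that parses a policy document containing a plugin `write` entry would cover the user-visible path, assuming the parser is what invokes this method (not visible in this hunk).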