From 2beb9d529e7bb4a63820c3b4edf547c6364cd434 Mon Sep 17 00:00:00 2001
From: Ingo Oppermann
Date: Wed, 9 Jul 2025 14:37:58 +0200
Subject: [PATCH] Fix leaking slices
---
 iam/policy/access.go | 11 +++++++++++
 iam/policy/manager.go | 9 +++++----
 iam/policy/model.go | 18 +++++++++++++-----
 3 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/iam/policy/access.go b/iam/policy/access.go
index 1d69bfce..0e49c909 100644
--- a/iam/policy/access.go
+++ b/iam/policy/access.go
@@ -2,6 +2,7 @@ package policy
 import (
 "fmt"
+ "slices"
 "strings"
 )
@@ -17,6 +18,16 @@ func (p Policy) String() string {
 return fmt.Sprintf("%s@%s (%s):%s %s", p.Name, p.Domain, strings.Join(p.Types, "|"), p.Resource, strings.Join(p.Actions, "|"))
 }
+func (p Policy) Clone() Policy {
+ return Policy{
+ Name: p.Name,
+ Domain: p.Domain,
+ Types: slices.Clone(p.Types),
+ Resource: p.Resource,
+ Actions: slices.Clone(p.Actions),
+ }
+}
+
 type Enforcer interface {
 Enforce(name, domain, rtype, resource, action string) (bool, Policy)
diff --git a/iam/policy/manager.go b/iam/policy/manager.go
index ffb83636..d85726bc 100644
--- a/iam/policy/manager.go
+++ b/iam/policy/manager.go
@@ -2,6 +2,7 @@ package policy
 import (
 "fmt"
+ "slices"
 "github.com/datarhei/core/v16/log"
 )
@@ -51,9 +52,9 @@ func (am *policyaccess) HasPolicy(name, domain string, types []string, resource
 return am.enforcer.HasPolicy(Policy{
 Name: name,
 Domain: domain,
- Types: types,
+ Types: slices.Clone(types),
 Resource: resource,
- Actions: actions,
+ Actions: slices.Clone(actions),
 })
 }
@@ -61,9 +62,9 @@ func (am *policyaccess) AddPolicy(name, domain string, types []string, resource
 policy := Policy{
 Name: name,
 Domain: domain,
- Types: types,
+ Types: slices.Clone(types),
 Resource: resource,
- Actions: actions,
+ Actions: slices.Clone(actions),
 }
 return am.enforcer.AddPolicy(policy)
diff --git a/iam/policy/model.go b/iam/policy/model.go
index 9f9e36f6..59e4a7f6 100644
--- a/iam/policy/model.go
+++ b/iam/policy/model.go
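Review bot: The new exported `Policy.Clone` in iam/policy/access.go has no doc comment and rebuilds the struct field by field, so a field added to `Policy` later would be silently dropped from every stored and returned copy. Starting from a value copy and replacing only the slices avoids that: `c := p`, `c.Types = slices.Clone(p.Types)`, `c.Actions = slices.Clone(p.Actions)`, then `return c`. I would also add `// Clone returns a copy of p whose Types and Actions slices do not share backing arrays with p.` so callers know the copy is safe to retain or modify. The `Policy` struct definition is outside the hunk, so whether it has other reference-typed fields could not be checked here.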
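Review bot: Each added policy is probably copied twice: `AddPolicy` in iam/policy/manager.go clones `types` and `actions` before calling `am.enforcer.AddPolicy`, and the same patch makes `model.addPolicy` store `policy.Clone()`. `HasPolicy` makes the same copies for what looks like a read-only lookup. The enforcer implementation is not visible in this diff, so this is inferred. If the store is meant to own the defensive copy, a comment here such as `// enforcer copies Types/Actions before retaining them` would let the manager pass the slices through; otherwise a comment saying why both layers copy would help the next reader. Both function bodies start outside their hunks.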
@@ -91,7 +91,7 @@ func (m *model) addPolicy(policy Policy) error {
 policies = []Policy{}
 }
- policies = append(policies, policy)
+ policies = append(policies, policy.Clone())
 m.policies[key] = policies
 return nil
@@ -152,7 +152,9 @@ func (m *model) GetFilteredPolicy(name, domain string) []Policy {
 if len(name) == 0 && len(domain) == 0 {
 for _, policies := range m.policies {
- filteredPolicies = append(filteredPolicies, policies...)
+ for _, p := range policies {
+ filteredPolicies = append(filteredPolicies, p.Clone())
+ }
 }
 } else if len(name) != 0 && len(domain) == 0 {
 for key, policies := range m.policies {
@@ -160,7 +162,9 @@ func (m *model) GetFilteredPolicy(name, domain string) []Policy {
 continue
 }
- filteredPolicies = append(filteredPolicies, policies...)
+ for _, p := range policies {
+ filteredPolicies = append(filteredPolicies, p.Clone())
+ }
 }
 } else if len(name) == 0 && len(domain) != 0 {
 for key, policies := range m.policies {
@@ -168,7 +172,9 @@ func (m *model) GetFilteredPolicy(name, domain string) []Policy {
 continue
 }
- filteredPolicies = append(filteredPolicies, policies...)
+ for _, p := range policies {
+ filteredPolicies = append(filteredPolicies, p.Clone())
+ }
 }
 } else {
 for key, policies := range m.policies {
@@ -178,7 +184,9 @@ func (m *model) GetFilteredPolicy(name, domain string) []Policy {
 continue
 }
- filteredPolicies = append(filteredPolicies, policies...)
+ for _, p := range policies {
+ filteredPolicies = append(filteredPolicies, p.Clone())
+ }
 }
 }
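Review bot: Read paths other than `GetFilteredPolicy` may still return stored policies that alias the model's slices, since this patch clones on insert in `addPolicy` (iam/policy/model.go) and on that one getter only. `Enforcer.Enforce`, declared in access.go, also returns a `Policy`, and any model method outside these hunks that returns a stored `Policy` by value would still hand out the stored `Types`/`Actions` backing arrays. For an authorization store that matters because a rule could then be altered in place without going through `AddPolicy`. Worth checking those paths and returning `p.Clone()` there as well; none of them are visible in this diff, so this may already be handled. The body of `addPolicy` starts outside the hunk.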
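Review bot: The same three-line clone loop is repeated in all four branches of `GetFilteredPolicy` in iam/policy/model.go (hunks at -152, -160, -168 and -178), so a later change to how results are copied has to be made four times, and a missed branch would expose the stored slices again. A small helper, sketched below, keeps the copy in one place. The diffstat lists only the three non-test files, so a regression test that mutates `Types` on a returned policy and then checks the stored one is unchanged would lock the fix in. The function body starts before the first of these hunks and continues after the last.

```go
// appendClones appends a deep copy of every policy in src to dst, so the
// result shares no Types/Actions backing array with the stored policies.
func appendClones(dst, src []Policy) []Policy {
	for _, p := range src {
		dst = append(dst, p.Clone())
	}
	return dst
}

// … unchanged: branch conditions and key filtering in GetFilteredPolicy …
// each of the four branches then appends with:
filteredPolicies = appendClones(filteredPolicies, policies)
```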