open-nomad/acl/policy.go

package acl

import (
	"fmt"
	"regexp"

	"github.com/hashicorp/hcl"
)

const (
	// The following levels are the only valid values for the `policy = "read"` stanza.
	// When policies are merged together, the most privilege is granted, except for deny
	// which always takes precedence and supercedes.
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyWrite = "write"
)

const (
	// The following are the fine-grained capabilities that can be granted within a namespace.
	// The Policy stanza is a short hand for granting several of these. When capabilities are
	// combined we take the union of all capabilities. If the deny capability is present, it
	// takes precedence and overwrites all other capabilities.
	NamespaceCapabilityDeny             = "deny"
	NamespaceCapabilityListJobs         = "list-jobs"
	NamespaceCapabilityReadJob          = "read-job"
	NamespaceCapabilitySubmitJob        = "submit-job"
	NamespaceCapabilityDispatchJob      = "dispatch-job"
	NamespaceCapabilityReadLogs         = "read-logs"
	NamespaceCapabilityReadFS           = "read-fs"
	NamespaceCapabilitySentinelOverride = "sentinel-override"
)

var (
	validNamespace = regexp.MustCompile("^[a-zA-Z0-9-]{1,128}$")
)

// Policy represents a parsed HCL or JSON policy.
type Policy struct {
	Namespaces []*NamespacePolicy `hcl:"namespace,expand"`
	Agent      *AgentPolicy       `hcl:"agent"`
	Node       *NodePolicy        `hcl:"node"`
	Operator   *OperatorPolicy    `hcl:"operator"`
	Raw        string             `hcl:"-"`
}

// NamespacePolicy is the policy for a specific namespace
type NamespacePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
}

type AgentPolicy struct {
	Policy string
}

type NodePolicy struct {
	Policy string
}

type OperatorPolicy struct {
	Policy string
}

// isPolicyValid makes sure the given string matches one of the valid policies.
func isPolicyValid(policy string) bool {
	switch policy {
	case PolicyDeny, PolicyRead, PolicyWrite:
		return true
	default:
		return false
	}
}

// isNamespaceCapabilityValid ensures the given capability is valid for a namespace policy
func isNamespaceCapabilityValid(cap string) bool {
	switch cap {
	case NamespaceCapabilityDeny, NamespaceCapabilityListJobs, NamespaceCapabilityReadJob,
		NamespaceCapabilitySubmitJob, NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs,
		NamespaceCapabilityReadFS:
		return true
	// Separate the enterprise-only capabilities
	case NamespaceCapabilitySentinelOverride:
		return true
	default:
		return false
	}
}

// expandNamespacePolicy provides the equivalent set of capabilities for
// a namespace policy
func expandNamespacePolicy(policy string) []string {
	switch policy {
	case PolicyDeny:
		return []string{NamespaceCapabilityDeny}
	case PolicyRead:
		return []string{
			NamespaceCapabilityListJobs,
			NamespaceCapabilityReadJob,
		}
	case PolicyWrite:
		return []string{
			NamespaceCapabilityListJobs,
			NamespaceCapabilityReadJob,
			NamespaceCapabilitySubmitJob,
			NamespaceCapabilityDispatchJob,
			NamespaceCapabilityReadLogs,
			NamespaceCapabilityReadFS,
		}
	default:
		return nil
	}
}

// Parse is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func Parse(rules string) (*Policy, error) {
	// Decode the rules
	p := &Policy{Raw: rules}
	if rules == "" {
		// Hot path for empty rules
		return p, nil
	}

	// Attempt to parse
	if err := hcl.Decode(p, rules); err != nil {
		return nil, fmt.Errorf("Failed to parse ACL Policy: %v", err)
	}

	// Validate the policy
	for _, ns := range p.Namespaces {
		if !validNamespace.MatchString(ns.Name) {
			return nil, fmt.Errorf("Invalid namespace name: %#v", ns)
		}
		if ns.Policy != "" && !isPolicyValid(ns.Policy) {
			return nil, fmt.Errorf("Invalid namespace policy: %#v", ns)
		}
		for _, cap := range ns.Capabilities {
			if !isNamespaceCapabilityValid(cap) {
				return nil, fmt.Errorf("Invalid namespace capability '%s': %#v", cap, ns)
			}
		}

		// Expand the short hand policy to the capabilities and
		// add to any existing capabilities
		if ns.Policy != "" {
			extraCap := expandNamespacePolicy(ns.Policy)
			ns.Capabilities = append(ns.Capabilities, extraCap...)
		}
	}

	if p.Agent != nil && !isPolicyValid(p.Agent.Policy) {
		return nil, fmt.Errorf("Invalid agent policy: %#v", p.Agent)
	}

	if p.Node != nil && !isPolicyValid(p.Node.Policy) {
		return nil, fmt.Errorf("Invalid node policy: %#v", p.Node)
	}

	if p.Operator != nil && !isPolicyValid(p.Operator.Policy) {
		return nil, fmt.Errorf("Invalid operator policy: %#v", p.Operator)
	}
	return p, nil
}
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`package acl`

			`import (`
			`"fmt"`
acl: adding validation to the namespace name 2017-08-05 00:34:22 +00:00			`"regexp"`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00
			`"github.com/hashicorp/hcl"`
			`)`

			`const (`
Addressing @dadgar review feedback 2017-08-08 04:09:13 +00:00			// The following levels are the only valid values for the `policy = "read"` stanza.
			`// When policies are merged together, the most privilege is granted, except for deny`
			`// which always takes precedence and supercedes.`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`PolicyDeny = "deny"`
			`PolicyRead = "read"`
			`PolicyWrite = "write"`
			`)`

			`const (`
Addressing @dadgar review feedback 2017-08-08 04:09:13 +00:00			`// The following are the fine-grained capabilities that can be granted within a namespace.`
			`// The Policy stanza is a short hand for granting several of these. When capabilities are`
			`// combined we take the union of all capabilities. If the deny capability is present, it`
			`// takes precedence and overwrites all other capabilities.`
sync 2017-09-19 14:47:10 +00:00			`NamespaceCapabilityDeny = "deny"`
			`NamespaceCapabilityListJobs = "list-jobs"`
			`NamespaceCapabilityReadJob = "read-job"`
			`NamespaceCapabilitySubmitJob = "submit-job"`
job dispatch should have dispatch policy 2017-09-28 14:27:51 +00:00			`NamespaceCapabilityDispatchJob = "dispatch-job"`
sync 2017-09-19 14:47:10 +00:00			`NamespaceCapabilityReadLogs = "read-logs"`
			`NamespaceCapabilityReadFS = "read-fs"`
			`NamespaceCapabilitySentinelOverride = "sentinel-override"`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`)`

acl: adding validation to the namespace name 2017-08-05 00:34:22 +00:00			`var (`
			`validNamespace = regexp.MustCompile("^[a-zA-Z0-9-]{1,128}$")`
			`)`

acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`// Policy represents a parsed HCL or JSON policy.`
			`type Policy struct {`
			Namespaces []*NamespacePolicy `hcl:"namespace,expand"`
			Agent *AgentPolicy `hcl:"agent"`
			Node *NodePolicy `hcl:"node"`
			Operator *OperatorPolicy `hcl:"operator"`
			Raw string `hcl:"-"`
			`}`

			`// NamespacePolicy is the policy for a specific namespace`
			`type NamespacePolicy struct {`
			Name string `hcl:",key"`
			`Policy string`
			`Capabilities []string`
			`}`

			`type AgentPolicy struct {`
			`Policy string`
			`}`

			`type NodePolicy struct {`
			`Policy string`
			`}`

			`type OperatorPolicy struct {`
			`Policy string`
			`}`

			`// isPolicyValid makes sure the given string matches one of the valid policies.`
			`func isPolicyValid(policy string) bool {`
			`switch policy {`
Addressing @dadgar review feedback 2017-08-08 04:09:13 +00:00			`case PolicyDeny, PolicyRead, PolicyWrite:`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`return true`
			`default:`
			`return false`
			`}`
			`}`

			`// isNamespaceCapabilityValid ensures the given capability is valid for a namespace policy`
			`func isNamespaceCapabilityValid(cap string) bool {`
			`switch cap {`
Addressing @dadgar review feedback 2017-08-08 04:09:13 +00:00			`case NamespaceCapabilityDeny, NamespaceCapabilityListJobs, NamespaceCapabilityReadJob,`
job dispatch should have dispatch policy 2017-09-28 14:27:51 +00:00			`NamespaceCapabilitySubmitJob, NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs,`
			`NamespaceCapabilityReadFS:`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`return true`
Enable more linters 2017-09-26 22:26:33 +00:00			`// Separate the enterprise-only capabilities`
sync 2017-09-19 14:47:10 +00:00			`case NamespaceCapabilitySentinelOverride:`
			`return true`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`default:`
			`return false`
			`}`
			`}`

			`// expandNamespacePolicy provides the equivalent set of capabilities for`
			`// a namespace policy`
			`func expandNamespacePolicy(policy string) []string {`
			`switch policy {`
			`case PolicyDeny:`
			`return []string{NamespaceCapabilityDeny}`
			`case PolicyRead:`
			`return []string{`
			`NamespaceCapabilityListJobs,`
			`NamespaceCapabilityReadJob,`
			`}`
			`case PolicyWrite:`
			`return []string{`
			`NamespaceCapabilityListJobs,`
			`NamespaceCapabilityReadJob,`
			`NamespaceCapabilitySubmitJob,`
job dispatch should have dispatch policy 2017-09-28 14:27:51 +00:00			`NamespaceCapabilityDispatchJob,`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`NamespaceCapabilityReadLogs,`
			`NamespaceCapabilityReadFS,`
			`}`
			`default:`
			`return nil`
			`}`
			`}`

			`// Parse is used to parse the specified ACL rules into an`
			`// intermediary set of policies, before being compiled into`
			`// the ACL`
			`func Parse(rules string) (*Policy, error) {`
			`// Decode the rules`
			`p := &Policy{Raw: rules}`
			`if rules == "" {`
			`// Hot path for empty rules`
			`return p, nil`
			`}`

			`// Attempt to parse`
			`if err := hcl.Decode(p, rules); err != nil {`
			`return nil, fmt.Errorf("Failed to parse ACL Policy: %v", err)`
			`}`

			`// Validate the policy`
			`for _, ns := range p.Namespaces {`
acl: adding validation to the namespace name 2017-08-05 00:34:22 +00:00			`if !validNamespace.MatchString(ns.Name) {`
			`return nil, fmt.Errorf("Invalid namespace name: %#v", ns)`
			`}`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`if ns.Policy != "" && !isPolicyValid(ns.Policy) {`
			`return nil, fmt.Errorf("Invalid namespace policy: %#v", ns)`
			`}`
			`for _, cap := range ns.Capabilities {`
			`if !isNamespaceCapabilityValid(cap) {`
Addressing @dadgar review feedback 2017-08-08 04:09:13 +00:00			`return nil, fmt.Errorf("Invalid namespace capability '%s': %#v", cap, ns)`
acl: Adding policy parsing with tests 2017-08-04 00:41:33 +00:00			`}`
			`}`

			`// Expand the short hand policy to the capabilities and`
			`// add to any existing capabilities`
			`if ns.Policy != "" {`
			`extraCap := expandNamespacePolicy(ns.Policy)`
			`ns.Capabilities = append(ns.Capabilities, extraCap...)`
			`}`
			`}`

			`if p.Agent != nil && !isPolicyValid(p.Agent.Policy) {`
			`return nil, fmt.Errorf("Invalid agent policy: %#v", p.Agent)`
			`}`

			`if p.Node != nil && !isPolicyValid(p.Node.Policy) {`
			`return nil, fmt.Errorf("Invalid node policy: %#v", p.Node)`
			`}`

			`if p.Operator != nil && !isPolicyValid(p.Operator.Policy) {`
			`return nil, fmt.Errorf("Invalid operator policy: %#v", p.Operator)`
			`}`
			`return p, nil`
			`}`