2023-04-10 15:36:59 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
package acl
|
|
|
|
|
|
|
|
import (
|
2017-08-20 01:29:04 +00:00
|
|
|
"fmt"
|
2018-11-08 20:09:00 +00:00
|
|
|
"sort"
|
|
|
|
"strings"
|
2017-08-20 01:29:04 +00:00
|
|
|
|
2022-12-19 17:56:28 +00:00
|
|
|
iradix "github.com/hashicorp/go-immutable-radix/v2"
|
2018-11-08 20:09:00 +00:00
|
|
|
glob "github.com/ryanuber/go-glob"
|
2017-08-04 02:35:08 +00:00
|
|
|
)
|
|
|
|
|
2022-07-06 19:22:30 +00:00
|
|
|
// Redefine this value from structs to avoid circular dependency.
|
|
|
|
const AllNamespacesSentinel = "*"
|
|
|
|
|
2017-08-20 01:29:04 +00:00
|
|
|
// ManagementACL is a singleton used for management tokens
|
|
|
|
var ManagementACL *ACL
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
var err error
|
|
|
|
ManagementACL, err = NewACL(true, nil)
|
|
|
|
if err != nil {
|
|
|
|
panic(fmt.Errorf("failed to setup management ACL: %v", err))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
// capabilitySet is a type wrapper to help managing a set of capabilities
|
|
|
|
type capabilitySet map[string]struct{}
|
|
|
|
|
|
|
|
func (c capabilitySet) Check(k string) bool {
|
|
|
|
_, ok := c[k]
|
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c capabilitySet) Set(k string) {
|
|
|
|
c[k] = struct{}{}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c capabilitySet) Clear() {
|
|
|
|
for cap := range c {
|
|
|
|
delete(c, cap)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ACL object is used to convert a set of policies into a structure that
|
|
|
|
// can be efficiently evaluated to determine if an action is allowed.
|
|
|
|
type ACL struct {
|
|
|
|
// management tokens are allowed to do anything
|
|
|
|
management bool
|
|
|
|
|
2023-06-01 17:03:20 +00:00
|
|
|
// The attributes below map polices that have fine-grained capabilities
|
|
|
|
// with a capabilitySet.
|
|
|
|
//
|
|
|
|
// The attributes prefixed with `wildcard` maps the policies for glob
|
|
|
|
// patterns to a capabilitySet. We use an iradix for the purposes of
|
|
|
|
// ordered iteration.
|
|
|
|
namespaces *iradix.Tree[capabilitySet]
|
2022-12-19 17:56:28 +00:00
|
|
|
wildcardNamespaces *iradix.Tree[capabilitySet]
|
2018-11-08 20:09:00 +00:00
|
|
|
|
2023-06-01 17:03:20 +00:00
|
|
|
nodePools *iradix.Tree[capabilitySet]
|
|
|
|
wildcardNodePools *iradix.Tree[capabilitySet]
|
2019-05-08 11:14:24 +00:00
|
|
|
|
2023-06-01 17:03:20 +00:00
|
|
|
hostVolumes *iradix.Tree[capabilitySet]
|
2022-12-19 17:56:28 +00:00
|
|
|
wildcardHostVolumes *iradix.Tree[capabilitySet]
|
2019-05-08 11:14:24 +00:00
|
|
|
|
2022-12-19 17:56:28 +00:00
|
|
|
variables *iradix.Tree[capabilitySet]
|
|
|
|
wildcardVariables *iradix.Tree[capabilitySet]
|
2022-06-20 15:21:03 +00:00
|
|
|
|
2023-06-01 17:03:20 +00:00
|
|
|
// The attributes below store the policy value for policies that don't have
|
|
|
|
// fine-grained capabilities.
|
2017-08-04 02:35:08 +00:00
|
|
|
agent string
|
|
|
|
node string
|
|
|
|
operator string
|
2017-10-13 21:36:02 +00:00
|
|
|
quota string
|
2020-03-17 21:32:39 +00:00
|
|
|
plugin string
|
2017-08-04 02:35:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// maxPrivilege returns the policy which grants the most privilege
|
2017-08-08 04:09:13 +00:00
|
|
|
// This handles the case of Deny always taking maximum precedence.
|
2017-08-04 02:35:08 +00:00
|
|
|
func maxPrivilege(a, b string) string {
|
|
|
|
switch {
|
|
|
|
case a == PolicyDeny || b == PolicyDeny:
|
|
|
|
return PolicyDeny
|
|
|
|
case a == PolicyWrite || b == PolicyWrite:
|
|
|
|
return PolicyWrite
|
|
|
|
case a == PolicyRead || b == PolicyRead:
|
|
|
|
return PolicyRead
|
2020-03-18 19:29:03 +00:00
|
|
|
case a == PolicyList || b == PolicyList:
|
|
|
|
return PolicyList
|
2017-08-04 02:35:08 +00:00
|
|
|
default:
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewACL compiles a set of policies into an ACL object
|
|
|
|
func NewACL(management bool, policies []*Policy) (*ACL, error) {
|
|
|
|
// Hot-path management tokens
|
|
|
|
if management {
|
|
|
|
return &ACL{management: true}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create the ACL object
|
|
|
|
acl := &ACL{}
|
2022-12-19 17:56:28 +00:00
|
|
|
nsTxn := iradix.New[capabilitySet]().Txn()
|
|
|
|
wnsTxn := iradix.New[capabilitySet]().Txn()
|
2023-06-01 17:03:20 +00:00
|
|
|
|
|
|
|
npTxn := iradix.New[capabilitySet]().Txn()
|
|
|
|
wnpTxn := iradix.New[capabilitySet]().Txn()
|
|
|
|
|
2022-12-19 17:56:28 +00:00
|
|
|
hvTxn := iradix.New[capabilitySet]().Txn()
|
|
|
|
whvTxn := iradix.New[capabilitySet]().Txn()
|
2023-06-01 17:03:20 +00:00
|
|
|
|
2022-12-19 17:56:28 +00:00
|
|
|
svTxn := iradix.New[capabilitySet]().Txn()
|
|
|
|
wsvTxn := iradix.New[capabilitySet]().Txn()
|
2017-08-04 02:35:08 +00:00
|
|
|
|
|
|
|
for _, policy := range policies {
|
|
|
|
NAMESPACES:
|
|
|
|
for _, ns := range policy.Namespaces {
|
2018-11-08 20:09:00 +00:00
|
|
|
// Should the namespace be matched using a glob?
|
|
|
|
globDefinition := strings.Contains(ns.Name, "*")
|
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
// Check for existing capabilities
|
|
|
|
var capabilities capabilitySet
|
2018-11-08 20:09:00 +00:00
|
|
|
|
|
|
|
if globDefinition {
|
2018-12-11 16:35:51 +00:00
|
|
|
raw, ok := wnsTxn.Get([]byte(ns.Name))
|
2018-11-08 20:09:00 +00:00
|
|
|
if ok {
|
2022-12-19 17:56:28 +00:00
|
|
|
capabilities = raw
|
2018-11-08 20:09:00 +00:00
|
|
|
} else {
|
|
|
|
capabilities = make(capabilitySet)
|
2018-12-11 16:35:51 +00:00
|
|
|
wnsTxn.Insert([]byte(ns.Name), capabilities)
|
2018-11-08 20:09:00 +00:00
|
|
|
}
|
2017-08-04 02:35:08 +00:00
|
|
|
} else {
|
2018-11-08 20:09:00 +00:00
|
|
|
raw, ok := nsTxn.Get([]byte(ns.Name))
|
|
|
|
if ok {
|
2022-12-19 17:56:28 +00:00
|
|
|
capabilities = raw
|
2018-11-08 20:09:00 +00:00
|
|
|
} else {
|
|
|
|
capabilities = make(capabilitySet)
|
|
|
|
nsTxn.Insert([]byte(ns.Name), capabilities)
|
|
|
|
}
|
2017-08-04 02:35:08 +00:00
|
|
|
}
|
|
|
|
|
2022-08-26 18:03:56 +00:00
|
|
|
if ns.Variables != nil {
|
|
|
|
for _, pathPolicy := range ns.Variables.Paths {
|
2022-06-20 15:21:03 +00:00
|
|
|
key := []byte(ns.Name + "\x00" + pathPolicy.PathSpec)
|
|
|
|
var svCapabilities capabilitySet
|
|
|
|
if globDefinition || strings.Contains(pathPolicy.PathSpec, "*") {
|
|
|
|
raw, ok := wsvTxn.Get(key)
|
|
|
|
if ok {
|
2022-12-19 17:56:28 +00:00
|
|
|
svCapabilities = raw
|
2022-06-20 15:21:03 +00:00
|
|
|
} else {
|
|
|
|
svCapabilities = make(capabilitySet)
|
|
|
|
}
|
|
|
|
wsvTxn.Insert(key, svCapabilities)
|
|
|
|
} else {
|
|
|
|
raw, ok := svTxn.Get(key)
|
|
|
|
if ok {
|
2022-12-19 17:56:28 +00:00
|
|
|
svCapabilities = raw
|
2022-06-20 15:21:03 +00:00
|
|
|
} else {
|
|
|
|
svCapabilities = make(capabilitySet)
|
|
|
|
}
|
|
|
|
svTxn.Insert(key, svCapabilities)
|
|
|
|
}
|
|
|
|
for _, cap := range pathPolicy.Capabilities {
|
|
|
|
svCapabilities.Set(cap)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
// Deny always takes precedence
|
|
|
|
if capabilities.Check(NamespaceCapabilityDeny) {
|
|
|
|
continue NAMESPACES
|
|
|
|
}
|
|
|
|
|
|
|
|
// Add in all the capabilities
|
|
|
|
for _, cap := range ns.Capabilities {
|
|
|
|
if cap == NamespaceCapabilityDeny {
|
|
|
|
// Overwrite any existing capabilities
|
|
|
|
capabilities.Clear()
|
|
|
|
capabilities.Set(NamespaceCapabilityDeny)
|
|
|
|
continue NAMESPACES
|
|
|
|
}
|
|
|
|
capabilities.Set(cap)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-06-01 17:03:20 +00:00
|
|
|
NODEPOOLS:
|
|
|
|
for _, np := range policy.NodePools {
|
|
|
|
// Use wildcard transaction if policy name uses glob matching.
|
|
|
|
txn := npTxn
|
|
|
|
if strings.Contains(np.Name, "*") {
|
|
|
|
txn = wnpTxn
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for existing capabilities.
|
|
|
|
var capabilities capabilitySet
|
|
|
|
|
|
|
|
raw, ok := txn.Get([]byte(np.Name))
|
|
|
|
if ok {
|
|
|
|
capabilities = raw
|
|
|
|
} else {
|
|
|
|
capabilities = make(capabilitySet)
|
|
|
|
txn.Insert([]byte(np.Name), capabilities)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Deny always takes precedence.
|
|
|
|
if capabilities.Check(NodePoolCapabilityDeny) {
|
|
|
|
continue NODEPOOLS
|
|
|
|
}
|
|
|
|
|
|
|
|
// Add in all the capabilities.
|
|
|
|
for _, cap := range np.Capabilities {
|
|
|
|
if cap == NodePoolCapabilityDeny {
|
|
|
|
// Overwrite any existing capabilities.
|
|
|
|
capabilities.Clear()
|
|
|
|
capabilities.Set(NodePoolCapabilityDeny)
|
|
|
|
continue NODEPOOLS
|
|
|
|
}
|
|
|
|
capabilities.Set(cap)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-05-08 11:14:24 +00:00
|
|
|
HOSTVOLUMES:
|
|
|
|
for _, hv := range policy.HostVolumes {
|
|
|
|
// Should the volume be matched using a glob?
|
|
|
|
globDefinition := strings.Contains(hv.Name, "*")
|
|
|
|
|
|
|
|
// Check for existing capabilities
|
|
|
|
var capabilities capabilitySet
|
|
|
|
|
|
|
|
if globDefinition {
|
|
|
|
raw, ok := whvTxn.Get([]byte(hv.Name))
|
|
|
|
if ok {
|
2022-12-19 17:56:28 +00:00
|
|
|
capabilities = raw
|
2019-05-08 11:14:24 +00:00
|
|
|
} else {
|
|
|
|
capabilities = make(capabilitySet)
|
|
|
|
whvTxn.Insert([]byte(hv.Name), capabilities)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
raw, ok := hvTxn.Get([]byte(hv.Name))
|
|
|
|
if ok {
|
2022-12-19 17:56:28 +00:00
|
|
|
capabilities = raw
|
2019-05-08 11:14:24 +00:00
|
|
|
} else {
|
|
|
|
capabilities = make(capabilitySet)
|
|
|
|
hvTxn.Insert([]byte(hv.Name), capabilities)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Deny always takes precedence
|
|
|
|
if capabilities.Check(HostVolumeCapabilityDeny) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// Add in all the capabilities
|
|
|
|
for _, cap := range hv.Capabilities {
|
|
|
|
if cap == HostVolumeCapabilityDeny {
|
|
|
|
// Overwrite any existing capabilities
|
|
|
|
capabilities.Clear()
|
|
|
|
capabilities.Set(HostVolumeCapabilityDeny)
|
|
|
|
continue HOSTVOLUMES
|
|
|
|
}
|
|
|
|
capabilities.Set(cap)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
// Take the maximum privilege for agent, node, and operator
|
|
|
|
if policy.Agent != nil {
|
|
|
|
acl.agent = maxPrivilege(acl.agent, policy.Agent.Policy)
|
|
|
|
}
|
|
|
|
if policy.Node != nil {
|
|
|
|
acl.node = maxPrivilege(acl.node, policy.Node.Policy)
|
|
|
|
}
|
|
|
|
if policy.Operator != nil {
|
|
|
|
acl.operator = maxPrivilege(acl.operator, policy.Operator.Policy)
|
|
|
|
}
|
2017-10-13 21:36:02 +00:00
|
|
|
if policy.Quota != nil {
|
|
|
|
acl.quota = maxPrivilege(acl.quota, policy.Quota.Policy)
|
|
|
|
}
|
2020-03-17 21:32:39 +00:00
|
|
|
if policy.Plugin != nil {
|
|
|
|
acl.plugin = maxPrivilege(acl.plugin, policy.Plugin.Policy)
|
|
|
|
}
|
2017-08-04 02:35:08 +00:00
|
|
|
}
|
|
|
|
|
2023-06-01 17:03:20 +00:00
|
|
|
// Finalize policies with capabilities.
|
2017-08-04 02:35:08 +00:00
|
|
|
acl.namespaces = nsTxn.Commit()
|
2018-12-11 16:35:51 +00:00
|
|
|
acl.wildcardNamespaces = wnsTxn.Commit()
|
2023-06-01 17:03:20 +00:00
|
|
|
|
|
|
|
acl.nodePools = npTxn.Commit()
|
|
|
|
acl.wildcardNodePools = wnpTxn.Commit()
|
|
|
|
|
2019-05-08 11:14:24 +00:00
|
|
|
acl.hostVolumes = hvTxn.Commit()
|
|
|
|
acl.wildcardHostVolumes = whvTxn.Commit()
|
2023-06-01 17:03:20 +00:00
|
|
|
|
2022-08-26 18:03:56 +00:00
|
|
|
acl.variables = svTxn.Commit()
|
|
|
|
acl.wildcardVariables = wsvTxn.Commit()
|
2019-05-08 11:14:24 +00:00
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
return acl, nil
|
|
|
|
}
|
|
|
|
|
2017-09-13 18:38:29 +00:00
|
|
|
// AllowNsOp is shorthand for AllowNamespaceOperation
|
|
|
|
func (a *ACL) AllowNsOp(ns string, op string) bool {
|
|
|
|
return a.AllowNamespaceOperation(ns, op)
|
|
|
|
}
|
|
|
|
|
2022-07-06 19:22:30 +00:00
|
|
|
// AllowNsOpFunc is a helper that returns a function that can be used to check
|
|
|
|
// namespace permissions.
|
|
|
|
func (a *ACL) AllowNsOpFunc(ops ...string) func(string) bool {
|
|
|
|
return func(ns string) bool {
|
|
|
|
return NamespaceValidator(ops...)(a, ns)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowNamespaceOperation checks if a given operation is allowed for a namespace.
|
2017-08-04 02:35:08 +00:00
|
|
|
func (a *ACL) AllowNamespaceOperation(ns string, op string) bool {
|
2022-07-06 19:22:30 +00:00
|
|
|
// Hot path if ACL is not enabled.
|
|
|
|
if a == nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
// Hot path management tokens
|
|
|
|
if a.management {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2022-07-06 19:22:30 +00:00
|
|
|
// If using the all namespaces wildcard, allow if any namespace allows the
|
|
|
|
// operation.
|
|
|
|
if ns == AllNamespacesSentinel && a.anyNamespaceAllowsOp(op) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
// Check for a matching capability set
|
2019-05-08 11:14:24 +00:00
|
|
|
capabilities, ok := a.matchingNamespaceCapabilitySet(ns)
|
2017-08-04 02:35:08 +00:00
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the capability has been granted
|
|
|
|
return capabilities.Check(op)
|
|
|
|
}
|
|
|
|
|
2017-10-13 21:36:02 +00:00
|
|
|
// AllowNamespace checks if any operations are allowed for a namespace
|
|
|
|
func (a *ACL) AllowNamespace(ns string) bool {
|
2022-07-06 19:22:30 +00:00
|
|
|
// Hot path if ACL is not enabled.
|
|
|
|
if a == nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2017-10-13 21:36:02 +00:00
|
|
|
// Hot path management tokens
|
|
|
|
if a.management {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2022-07-06 19:22:30 +00:00
|
|
|
// If using the all namespaces wildcard, allow if any namespace allows any
|
|
|
|
// operation.
|
|
|
|
if ns == AllNamespacesSentinel && a.anyNamespaceAllowsAnyOp() {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2017-10-13 21:36:02 +00:00
|
|
|
// Check for a matching capability set
|
2019-05-08 11:14:24 +00:00
|
|
|
capabilities, ok := a.matchingNamespaceCapabilitySet(ns)
|
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the capability has been granted
|
|
|
|
if len(capabilities) == 0 {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return !capabilities.Check(PolicyDeny)
|
|
|
|
}
|
|
|
|
|
2023-06-01 17:03:20 +00:00
|
|
|
// AllowNodePoolOperation returns true if the given operation is allowed in the
|
|
|
|
// node pool specified.
|
|
|
|
func (a *ACL) AllowNodePoolOperation(pool string, op string) bool {
|
|
|
|
// Hot path if ACL is not enabled or if it's a management token.
|
|
|
|
if a == nil || a.management {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for matching capability set.
|
|
|
|
capabilities, ok := a.matchingNodePoolCapabilitySet(pool)
|
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the capability has been granted.
|
|
|
|
return capabilities.Check(op)
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowNodePool returns true if any operation is allowed for the node pool.
|
|
|
|
func (a *ACL) AllowNodePool(pool string) bool {
|
|
|
|
// Hot path if ACL is not enabled or if it's a management token.
|
|
|
|
if a == nil || a.management {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for matching capability set.
|
|
|
|
capabilities, ok := a.matchingNodePoolCapabilitySet(pool)
|
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(capabilities) == 0 {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return !capabilities.Check(PolicyDeny)
|
|
|
|
}
|
|
|
|
|
2023-06-01 21:48:14 +00:00
|
|
|
// AllowNodePoolSearch returns true if any operation is allowed in at least one
|
|
|
|
// node pool.
|
|
|
|
//
|
|
|
|
// This is a very loose check and is expected that callers perform more precise
|
|
|
|
// verification later.
|
|
|
|
func (a *ACL) AllowNodePoolSearch() bool {
|
|
|
|
// Hot path if ACL is not enabled or token is management.
|
|
|
|
if a == nil || a.management {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for any non-deny capabilities.
|
|
|
|
iter := a.nodePools.Root().Iterator()
|
|
|
|
for _, capability, ok := iter.Next(); ok; _, capability, ok = iter.Next() {
|
|
|
|
if !capability.Check(NodePoolCapabilityDeny) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
iter = a.wildcardNodePools.Root().Iterator()
|
|
|
|
for _, capability, ok := iter.Next(); ok; _, capability, ok = iter.Next() {
|
|
|
|
if !capability.Check(NodePoolCapabilityDeny) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2019-05-08 11:14:24 +00:00
|
|
|
// AllowHostVolumeOperation checks if a given operation is allowed for a host volume
|
|
|
|
func (a *ACL) AllowHostVolumeOperation(hv string, op string) bool {
|
|
|
|
// Hot path management tokens
|
|
|
|
if a.management {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for a matching capability set
|
|
|
|
capabilities, ok := a.matchingHostVolumeCapabilitySet(hv)
|
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the capability has been granted
|
|
|
|
return capabilities.Check(op)
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowHostVolume checks if any operations are allowed for a HostVolume
|
|
|
|
func (a *ACL) AllowHostVolume(ns string) bool {
|
|
|
|
// Hot path management tokens
|
|
|
|
if a.management {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for a matching capability set
|
|
|
|
capabilities, ok := a.matchingHostVolumeCapabilitySet(ns)
|
2017-10-13 21:36:02 +00:00
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the capability has been granted
|
|
|
|
if len(capabilities) == 0 {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return !capabilities.Check(PolicyDeny)
|
|
|
|
}
|
|
|
|
|
2023-03-03 16:41:59 +00:00
|
|
|
func (a *ACL) AllowVariableOperation(ns, path, op string, claim *ACLClaim) bool {
|
2022-06-20 15:21:03 +00:00
|
|
|
if a.management {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for a matching capability set
|
2023-03-03 16:41:59 +00:00
|
|
|
capabilities, ok := a.matchingVariablesCapabilitySet(ns, path, claim)
|
2022-06-20 15:21:03 +00:00
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return capabilities.Check(op)
|
2022-07-21 12:39:36 +00:00
|
|
|
}
|
2022-06-20 15:21:03 +00:00
|
|
|
|
2023-03-03 16:41:59 +00:00
|
|
|
type ACLClaim struct {
|
|
|
|
Namespace string
|
|
|
|
Job string
|
|
|
|
Group string
|
|
|
|
Task string
|
|
|
|
}
|
|
|
|
|
2022-08-26 18:03:56 +00:00
|
|
|
// AllowVariableSearch is a very loose check that the token has *any* access to
|
|
|
|
// a variables path for the namespace, with an expectation that the actual
|
|
|
|
// search result will be filtered by specific paths
|
|
|
|
func (a *ACL) AllowVariableSearch(ns string) bool {
|
2022-07-21 12:39:36 +00:00
|
|
|
if a.management {
|
|
|
|
return true
|
|
|
|
}
|
2022-08-26 18:03:56 +00:00
|
|
|
iter := a.variables.Root().Iterator()
|
2022-07-21 12:39:36 +00:00
|
|
|
iter.SeekPrefix([]byte(ns))
|
|
|
|
_, _, ok := iter.Next()
|
|
|
|
if ok {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2022-08-26 18:03:56 +00:00
|
|
|
iter = a.wildcardVariables.Root().Iterator()
|
2022-07-21 12:39:36 +00:00
|
|
|
iter.SeekPrefix([]byte(ns))
|
|
|
|
_, _, ok = iter.Next()
|
|
|
|
return ok
|
2022-06-20 15:21:03 +00:00
|
|
|
}
|
|
|
|
|
2019-05-08 11:14:24 +00:00
|
|
|
// matchingNamespaceCapabilitySet looks for a capabilitySet that matches the namespace,
|
2018-11-08 20:09:00 +00:00
|
|
|
// if no concrete definitions are found, then we return the closest matching
|
|
|
|
// glob.
|
|
|
|
// The closest matching glob is the one that has the smallest character
|
|
|
|
// difference between the namespace and the glob.
|
2019-05-08 11:14:24 +00:00
|
|
|
func (a *ACL) matchingNamespaceCapabilitySet(ns string) (capabilitySet, bool) {
|
2018-11-08 20:09:00 +00:00
|
|
|
// Check for a concrete matching capability set
|
|
|
|
raw, ok := a.namespaces.Get([]byte(ns))
|
|
|
|
if ok {
|
2022-12-19 17:56:28 +00:00
|
|
|
return raw, true
|
2018-11-08 20:09:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// We didn't find a concrete match, so lets try and evaluate globs.
|
2019-05-08 11:14:24 +00:00
|
|
|
return a.findClosestMatchingGlob(a.wildcardNamespaces, ns)
|
|
|
|
}
|
|
|
|
|
2022-07-06 19:22:30 +00:00
|
|
|
// anyNamespaceAllowsOp returns true if any namespace in ACL object allows the
|
|
|
|
// given operation.
|
|
|
|
func (a *ACL) anyNamespaceAllowsOp(op string) bool {
|
|
|
|
return a.anyNamespaceAllows(func(c capabilitySet) bool {
|
|
|
|
return c.Check(op)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// anyNamespaceAllowsAnyOp returns true if any namespace in ACL object allows
|
|
|
|
// at least one operation.
|
|
|
|
func (a *ACL) anyNamespaceAllowsAnyOp() bool {
|
|
|
|
return a.anyNamespaceAllows(func(c capabilitySet) bool {
|
|
|
|
return len(c) > 0 && !c.Check(PolicyDeny)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// anyNamespaceAllows returns true if the callback cb returns true for any
|
|
|
|
// namespace operation of the ACL object.
|
|
|
|
func (a *ACL) anyNamespaceAllows(cb func(capabilitySet) bool) bool {
|
|
|
|
allow := false
|
|
|
|
|
2022-12-19 17:56:28 +00:00
|
|
|
checkFn := func(_ []byte, v capabilitySet) bool {
|
2022-07-06 19:22:30 +00:00
|
|
|
allow = cb(v)
|
|
|
|
return allow
|
|
|
|
}
|
|
|
|
|
|
|
|
a.namespaces.Root().Walk(checkFn)
|
|
|
|
if allow {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
a.wildcardNamespaces.Root().Walk(checkFn)
|
|
|
|
return allow
|
|
|
|
}
|
|
|
|
|
2023-06-01 17:03:20 +00:00
|
|
|
// matchingNodePoolCapabilitySet returns the capabilitySet that closest match
|
|
|
|
// the node pool.
|
|
|
|
func (a *ACL) matchingNodePoolCapabilitySet(pool string) (capabilitySet, bool) {
|
|
|
|
raw, ok := a.nodePools.Get([]byte(pool))
|
|
|
|
if ok {
|
|
|
|
return raw, true
|
|
|
|
}
|
|
|
|
|
|
|
|
return a.findClosestMatchingGlob(a.wildcardNodePools, pool)
|
|
|
|
}
|
|
|
|
|
2019-05-08 11:14:24 +00:00
|
|
|
// matchingHostVolumeCapabilitySet looks for a capabilitySet that matches the host volume name,
|
|
|
|
// if no concrete definitions are found, then we return the closest matching
|
|
|
|
// glob.
|
|
|
|
// The closest matching glob is the one that has the smallest character
|
|
|
|
// difference between the volume name and the glob.
|
|
|
|
func (a *ACL) matchingHostVolumeCapabilitySet(name string) (capabilitySet, bool) {
|
|
|
|
// Check for a concrete matching capability set
|
|
|
|
raw, ok := a.hostVolumes.Get([]byte(name))
|
|
|
|
if ok {
|
2022-12-19 17:56:28 +00:00
|
|
|
return raw, true
|
2019-05-08 11:14:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// We didn't find a concrete match, so lets try and evaluate globs.
|
|
|
|
return a.findClosestMatchingGlob(a.wildcardHostVolumes, name)
|
2018-11-08 20:09:00 +00:00
|
|
|
}
|
|
|
|
|
2023-03-03 16:41:59 +00:00
|
|
|
var workloadVariablesCapabilitySet = capabilitySet{"read": struct{}{}, "list": struct{}{}}
|
|
|
|
|
|
|
|
// matchingVariablesCapabilitySet looks for a capabilitySet in the following order:
|
|
|
|
// - matching the namespace and path from a policy
|
|
|
|
// - automatic access based on the claim
|
|
|
|
// - closest matching glob
|
|
|
|
//
|
2022-06-20 15:21:03 +00:00
|
|
|
// The closest matching glob is the one that has the smallest character
|
|
|
|
// difference between the namespace and the glob.
|
2023-03-03 16:41:59 +00:00
|
|
|
func (a *ACL) matchingVariablesCapabilitySet(ns, path string, claim *ACLClaim) (capabilitySet, bool) {
|
2022-06-20 15:21:03 +00:00
|
|
|
// Check for a concrete matching capability set
|
2023-03-03 16:41:59 +00:00
|
|
|
capSet, ok := a.variables.Get([]byte(ns + "\x00" + path))
|
2022-06-20 15:21:03 +00:00
|
|
|
if ok {
|
2023-03-03 16:41:59 +00:00
|
|
|
return capSet, true
|
|
|
|
}
|
|
|
|
if claim != nil && ns == claim.Namespace {
|
|
|
|
switch path {
|
|
|
|
case "nomad/jobs",
|
|
|
|
fmt.Sprintf("nomad/jobs/%s", claim.Job),
|
|
|
|
fmt.Sprintf("nomad/jobs/%s/%s", claim.Job, claim.Group),
|
|
|
|
fmt.Sprintf("nomad/jobs/%s/%s/%s", claim.Job, claim.Group, claim.Task):
|
|
|
|
return workloadVariablesCapabilitySet, true
|
|
|
|
default:
|
|
|
|
}
|
2022-06-20 15:21:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// We didn't find a concrete match, so lets try and evaluate globs.
|
2022-08-26 18:03:56 +00:00
|
|
|
return a.findClosestMatchingGlob(a.wildcardVariables, ns+"\x00"+path)
|
2022-06-20 15:21:03 +00:00
|
|
|
}
|
|
|
|
|
2018-11-08 20:09:00 +00:00
|
|
|
type matchingGlob struct {
|
2019-05-08 11:14:24 +00:00
|
|
|
name string
|
2018-12-11 16:35:51 +00:00
|
|
|
difference int
|
2018-11-08 20:09:00 +00:00
|
|
|
capabilitySet capabilitySet
|
|
|
|
}
|
|
|
|
|
2022-12-19 17:56:28 +00:00
|
|
|
func (a *ACL) findClosestMatchingGlob(radix *iradix.Tree[capabilitySet], ns string) (capabilitySet, bool) {
|
2018-11-08 20:09:00 +00:00
|
|
|
// First, find all globs that match.
|
2019-05-08 11:14:24 +00:00
|
|
|
matchingGlobs := findAllMatchingWildcards(radix, ns)
|
2018-11-08 20:09:00 +00:00
|
|
|
|
|
|
|
// If none match, let's return.
|
|
|
|
if len(matchingGlobs) == 0 {
|
|
|
|
return capabilitySet{}, false
|
|
|
|
}
|
|
|
|
|
|
|
|
// If a single matches, lets be efficient and return early.
|
|
|
|
if len(matchingGlobs) == 1 {
|
|
|
|
return matchingGlobs[0].capabilitySet, true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Stable sort the matched globs, based on the character difference between
|
|
|
|
// the glob definition and the requested namespace. This allows us to be
|
|
|
|
// more consistent about results based on the policy definition.
|
|
|
|
sort.SliceStable(matchingGlobs, func(i, j int) bool {
|
2018-12-11 16:35:51 +00:00
|
|
|
return matchingGlobs[i].difference <= matchingGlobs[j].difference
|
2018-11-08 20:09:00 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
return matchingGlobs[0].capabilitySet, true
|
|
|
|
}
|
|
|
|
|
2022-12-19 17:56:28 +00:00
|
|
|
func findAllMatchingWildcards(radix *iradix.Tree[capabilitySet], name string) []matchingGlob {
|
2018-11-08 20:09:00 +00:00
|
|
|
var matches []matchingGlob
|
|
|
|
|
2019-05-08 11:14:24 +00:00
|
|
|
nsLen := len(name)
|
2018-12-11 16:35:51 +00:00
|
|
|
|
2022-12-19 17:56:28 +00:00
|
|
|
radix.Root().Walk(func(bk []byte, v capabilitySet) bool {
|
2018-12-11 16:35:51 +00:00
|
|
|
k := string(bk)
|
|
|
|
|
2019-05-08 11:14:24 +00:00
|
|
|
isMatch := glob.Glob(k, name)
|
2018-11-08 20:09:00 +00:00
|
|
|
if isMatch {
|
|
|
|
pair := matchingGlob{
|
2019-05-08 11:14:24 +00:00
|
|
|
name: k,
|
2018-12-12 11:43:16 +00:00
|
|
|
difference: nsLen - len(k) + strings.Count(k, glob.GLOB),
|
2018-11-08 20:09:00 +00:00
|
|
|
capabilitySet: v,
|
|
|
|
}
|
|
|
|
matches = append(matches, pair)
|
|
|
|
}
|
2018-12-11 16:35:51 +00:00
|
|
|
|
|
|
|
// We always want to walk the entire tree, never terminate early.
|
|
|
|
return false
|
|
|
|
})
|
2018-11-08 20:09:00 +00:00
|
|
|
|
|
|
|
return matches
|
|
|
|
}
|
|
|
|
|
2017-08-04 02:35:08 +00:00
|
|
|
// AllowAgentRead checks if read operations are allowed for an agent
|
|
|
|
func (a *ACL) AllowAgentRead() bool {
|
|
|
|
switch {
|
|
|
|
case a.management:
|
|
|
|
return true
|
|
|
|
case a.agent == PolicyWrite:
|
|
|
|
return true
|
|
|
|
case a.agent == PolicyRead:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowAgentWrite checks if write operations are allowed for an agent
|
|
|
|
func (a *ACL) AllowAgentWrite() bool {
|
|
|
|
switch {
|
|
|
|
case a.management:
|
|
|
|
return true
|
|
|
|
case a.agent == PolicyWrite:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowNodeRead checks if read operations are allowed for a node
|
|
|
|
func (a *ACL) AllowNodeRead() bool {
|
|
|
|
switch {
|
|
|
|
case a.management:
|
|
|
|
return true
|
|
|
|
case a.node == PolicyWrite:
|
|
|
|
return true
|
|
|
|
case a.node == PolicyRead:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowNodeWrite checks if write operations are allowed for a node
|
|
|
|
func (a *ACL) AllowNodeWrite() bool {
|
|
|
|
switch {
|
|
|
|
case a.management:
|
|
|
|
return true
|
|
|
|
case a.node == PolicyWrite:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowOperatorRead checks if read operations are allowed for a operator
|
|
|
|
func (a *ACL) AllowOperatorRead() bool {
|
|
|
|
switch {
|
|
|
|
case a.management:
|
|
|
|
return true
|
|
|
|
case a.operator == PolicyWrite:
|
|
|
|
return true
|
|
|
|
case a.operator == PolicyRead:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowOperatorWrite checks if write operations are allowed for a operator
|
|
|
|
func (a *ACL) AllowOperatorWrite() bool {
|
|
|
|
switch {
|
|
|
|
case a.management:
|
|
|
|
return true
|
|
|
|
case a.operator == PolicyWrite:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
2017-08-19 23:43:49 +00:00
|
|
|
|
2017-10-13 21:36:02 +00:00
|
|
|
// AllowQuotaRead checks if read operations are allowed for all quotas
|
|
|
|
func (a *ACL) AllowQuotaRead() bool {
|
|
|
|
switch {
|
|
|
|
case a.management:
|
|
|
|
return true
|
|
|
|
case a.quota == PolicyWrite:
|
|
|
|
return true
|
|
|
|
case a.quota == PolicyRead:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllowQuotaWrite checks if write operations are allowed for quotas
|
|
|
|
func (a *ACL) AllowQuotaWrite() bool {
|
|
|
|
switch {
|
|
|
|
case a.management:
|
|
|
|
return true
|
|
|
|
case a.quota == PolicyWrite:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-17 21:32:39 +00:00
|
|
|
// AllowPluginRead checks if read operations are allowed for all plugins
|
|
|
|
func (a *ACL) AllowPluginRead() bool {
|
2020-03-18 19:29:03 +00:00
|
|
|
switch {
|
2020-03-17 21:32:39 +00:00
|
|
|
// ACL is nil only if ACLs are disabled
|
2020-03-18 19:29:03 +00:00
|
|
|
case a == nil:
|
|
|
|
return true
|
|
|
|
case a.management:
|
2020-03-17 21:32:39 +00:00
|
|
|
return true
|
2020-03-18 19:29:03 +00:00
|
|
|
case a.plugin == PolicyRead:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
2020-03-17 21:32:39 +00:00
|
|
|
}
|
2020-03-18 19:29:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// AllowPluginList checks if list operations are allowed for all plugins
|
|
|
|
func (a *ACL) AllowPluginList() bool {
|
2020-03-17 21:32:39 +00:00
|
|
|
switch {
|
2020-03-18 19:29:03 +00:00
|
|
|
// ACL is nil only if ACLs are disabled
|
|
|
|
case a == nil:
|
|
|
|
return true
|
2020-03-17 21:32:39 +00:00
|
|
|
case a.management:
|
|
|
|
return true
|
2020-03-18 19:29:03 +00:00
|
|
|
case a.plugin == PolicyList:
|
|
|
|
return true
|
2020-03-17 21:32:39 +00:00
|
|
|
case a.plugin == PolicyRead:
|
|
|
|
return true
|
|
|
|
default:
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-08-19 23:43:49 +00:00
|
|
|
// IsManagement checks if this represents a management token
|
|
|
|
func (a *ACL) IsManagement() bool {
|
|
|
|
return a.management
|
|
|
|
}
|
2019-10-01 20:06:24 +00:00
|
|
|
|
|
|
|
// NamespaceValidator returns a func that wraps ACL.AllowNamespaceOperation in
|
|
|
|
// a list of operations. Returns true (allowed) if acls are disabled or if
|
|
|
|
// *any* capabilities match.
|
|
|
|
func NamespaceValidator(ops ...string) func(*ACL, string) bool {
|
|
|
|
return func(acl *ACL, ns string) bool {
|
|
|
|
// Always allow if ACLs are disabled.
|
|
|
|
if acl == nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, op := range ops {
|
|
|
|
if acl.AllowNamespaceOperation(ns, op) {
|
|
|
|
// An operation is allowed, return true
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// No operations are allowed by this ACL, return false
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|