open-vault/api/output_policy.go

package api

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const (
	ErrOutputPolicyRequest = "output a policy, please"
)

var LastOutputPolicyError *OutputPolicyError

type OutputPolicyError struct {
	method         string
	path           string
	finalHCLString string
}

func (d *OutputPolicyError) Error() string {
	if d.finalHCLString == "" {
		p, err := d.buildSamplePolicy()
		if err != nil {
			return err.Error()
		}
		d.finalHCLString = p
	}

	return ErrOutputPolicyRequest
}

func (d *OutputPolicyError) HCLString() (string, error) {
	if d.finalHCLString == "" {
		p, err := d.buildSamplePolicy()
		if err != nil {
			return "", err
		}
		d.finalHCLString = p
	}
	return d.finalHCLString, nil
}

// Builds a sample policy document from the request
func (d *OutputPolicyError) buildSamplePolicy() (string, error) {
	var capabilities []string
	switch d.method {
	case http.MethodGet, "":
		capabilities = append(capabilities, "read")
	case http.MethodPost, http.MethodPut:
		capabilities = append(capabilities, "create")
		capabilities = append(capabilities, "update")
	case http.MethodPatch:
		capabilities = append(capabilities, "patch")
	case http.MethodDelete:
		capabilities = append(capabilities, "delete")
	case "LIST":
		capabilities = append(capabilities, "list")
	}

	// sanitize, then trim the Vault address and v1 from the front of the path
	path, err := url.PathUnescape(d.path)
	if err != nil {
		return "", fmt.Errorf("failed to unescape request URL characters: %v", err)
	}

	// determine whether to add sudo capability
	if IsSudoPath(path) {
		capabilities = append(capabilities, "sudo")
	}

	// the OpenAPI response has a / in front of each path,
	// but policies need the path without that leading slash
	path = strings.TrimLeft(path, "/")

	capStr := strings.Join(capabilities, `", "`)
	return fmt.Sprintf(
		`path "%s" {
  capabilities = ["%s"]
}`, path, capStr), nil
}
Global flag that outputs minimum policy HCL required for an operation (#14899) * WIP: output policy * Outputs example policy HCL for given request * Simplify conditional * Add PATCH capability * Use OpenAPI spec and regex patterns to determine if path is sudo * Add test for isSudoPath * Add changelog * Fix broken CLI tests * Add output-policy to client cloning code * Smaller fixes from PR comments * Clone client instead of saving and restoring custom values * Fix test * Address comments * Don't unset output-policy flag on KV requests otherwise the preflight request will fail and not populate LastOutputPolicyError * Print errors saved in buffer from preflight KV requests * Unescape characters in request URL * Rename methods and properties to improve readability * Put KV-specificness at front of KV-specific error * Simplify logic by doing more direct returns of strings and errors * Use precompiled regexes and move OpenAPI call to tests * Remove commented out code * Remove legacy MFA paths * Remove unnecessary use of client * Move sudo paths map to plugin helper * Remove unused error return * Add explanatory comment * Remove need to pass in address * Make {name} regex less greedy * Use method and path instead of info from retryablerequest * Add test for IsSudoPaths, use more idiomatic naming * Use precompiled regexes and move OpenAPI call to tests (#15170) * Use precompiled regexes and move OpenAPI call to tests * Remove commented out code * Remove legacy MFA paths * Remove unnecessary use of client * Move sudo paths map to plugin helper * Remove unused error return * Add explanatory comment * Remove need to pass in address * Make {name} regex less greedy * Use method and path instead of info from retryablerequest * Add test for IsSudoPaths, use more idiomatic naming * Make stderr writing more obvious, fix nil pointer deref 2022-04-27 23:35:18 +00:00			`package api`

			`import (`
			`"fmt"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`)`

			`const (`
			`ErrOutputPolicyRequest = "output a policy, please"`
			`)`

			`var LastOutputPolicyError *OutputPolicyError`

			`type OutputPolicyError struct {`
			`method string`
			`path string`
			`finalHCLString string`
			`}`

			`func (d *OutputPolicyError) Error() string {`
			`if d.finalHCLString == "" {`
			`p, err := d.buildSamplePolicy()`
			`if err != nil {`
			`return err.Error()`
			`}`
			`d.finalHCLString = p`
			`}`

			`return ErrOutputPolicyRequest`
			`}`

			`func (d *OutputPolicyError) HCLString() (string, error) {`
			`if d.finalHCLString == "" {`
			`p, err := d.buildSamplePolicy()`
			`if err != nil {`
			`return "", err`
			`}`
			`d.finalHCLString = p`
			`}`
			`return d.finalHCLString, nil`
			`}`

			`// Builds a sample policy document from the request`
			`func (d *OutputPolicyError) buildSamplePolicy() (string, error) {`
			`var capabilities []string`
			`switch d.method {`
			`case http.MethodGet, "":`
			`capabilities = append(capabilities, "read")`
			`case http.MethodPost, http.MethodPut:`
			`capabilities = append(capabilities, "create")`
			`capabilities = append(capabilities, "update")`
			`case http.MethodPatch:`
			`capabilities = append(capabilities, "patch")`
			`case http.MethodDelete:`
			`capabilities = append(capabilities, "delete")`
			`case "LIST":`
			`capabilities = append(capabilities, "list")`
			`}`

			`// sanitize, then trim the Vault address and v1 from the front of the path`
			`path, err := url.PathUnescape(d.path)`
			`if err != nil {`
			`return "", fmt.Errorf("failed to unescape request URL characters: %v", err)`
			`}`

			`// determine whether to add sudo capability`
			`if IsSudoPath(path) {`
			`capabilities = append(capabilities, "sudo")`
			`}`

			`// the OpenAPI response has a / in front of each path,`
			`// but policies need the path without that leading slash`
			`path = strings.TrimLeft(path, "/")`

			capStr := strings.Join(capabilities, `", "`)
			`return fmt.Sprintf(`
			`path "%s" {
			`capabilities = ["%s"]`
			}`, path, capStr), nil
			`}`