open-vault/vault/acl.go

package vault

import (
	"github.com/armon/go-radix"
	"github.com/hashicorp/vault/logical"
)

// ACL is used to wrap a set of policies to provide
// an efficient interface for access control.
type ACL struct {
	// exactRules contains the path policies that are exact
	exactRules *radix.Tree

	// globRules contains the path policies that glob
	globRules *radix.Tree

	// root is enabled if the "root" named policy is present.
	root bool
}

// New is used to construct a policy based ACL from a set of policies.
func NewACL(policies []*Policy) (*ACL, error) {
	// Initialize
	a := &ACL{
		exactRules: radix.New(),
		globRules:  radix.New(),
		root:       false,
	}

	// Inject each policy
	for _, policy := range policies {
		// Ignore a nil policy object
		if policy == nil {
			continue
		}
		// Check if this is root
		if policy.Name == "root" {
			a.root = true
		}
		for _, pc := range policy.Paths {
			// Check which tree to use
			tree := a.exactRules
			if pc.Glob {
				tree = a.globRules
			}

			// Check for an existing policy
			raw, ok := tree.Get(pc.Prefix)
			if !ok {
				tree.Insert(pc.Prefix, pc.CapabilitiesBitmap)
				continue
			}
			existing := raw.(uint32)

			switch {
			case existing&DenyCapabilityInt > 0:
				// If we are explicitly denied in the existing capability set,
				// don't save anything else

			case pc.CapabilitiesBitmap&DenyCapabilityInt > 0:
				// If this new policy explicitly denies, only save the deny value
				tree.Insert(pc.Prefix, DenyCapabilityInt)

			default:
				// Insert the capabilities in this new policy into the existing
				// value
				tree.Insert(pc.Prefix, existing|pc.CapabilitiesBitmap)
			}
		}
	}
	return a, nil
}

func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
	// Fast-path root
	if a.root {
		return []string{RootCapability}
	}

	// Find an exact matching rule, look for glob if no match
	var capabilities uint32
	raw, ok := a.exactRules.Get(path)
	if ok {
		capabilities = raw.(uint32)
		goto CHECK
	}

	// Find a glob rule, default deny if no match
	_, raw, ok = a.globRules.LongestPrefix(path)
	if !ok {
		return []string{DenyCapability}
	} else {
		capabilities = raw.(uint32)
	}

CHECK:
	if capabilities&SudoCapabilityInt > 0 {
		pathCapabilities = append(pathCapabilities, SudoCapability)
	}
	if capabilities&ReadCapabilityInt > 0 {
		pathCapabilities = append(pathCapabilities, ReadCapability)
	}
	if capabilities&ListCapabilityInt > 0 {
		pathCapabilities = append(pathCapabilities, ListCapability)
	}
	if capabilities&UpdateCapabilityInt > 0 {
		pathCapabilities = append(pathCapabilities, UpdateCapability)
	}
	if capabilities&DeleteCapabilityInt > 0 {
		pathCapabilities = append(pathCapabilities, DeleteCapability)
	}
	if capabilities&CreateCapabilityInt > 0 {
		pathCapabilities = append(pathCapabilities, CreateCapability)
	}

	// If "deny" is explicitly set or if the path has no capabilities at all,
	// set the path capabilities to "deny"
	if capabilities&DenyCapabilityInt > 0 || len(pathCapabilities) == 0 {
		pathCapabilities = []string{DenyCapability}
	}
	return
}

// AllowOperation is used to check if the given operation is permitted. The
// first bool indicates if an op is allowed, the second whether sudo priviliges
// exist for that op and path.
func (a *ACL) AllowOperation(op logical.Operation, path string) (allowed bool, sudo bool) {
	// Fast-path root
	if a.root {
		return true, true
	}

	// Help is always allowed
	if op == logical.HelpOperation {
		return true, false
	}

	// Find an exact matching rule, look for glob if no match
	var capabilities uint32
	raw, ok := a.exactRules.Get(path)
	if ok {
		capabilities = raw.(uint32)
		goto CHECK
	}

	// Find a glob rule, default deny if no match
	_, raw, ok = a.globRules.LongestPrefix(path)
	if !ok {
		return false, false
	} else {
		capabilities = raw.(uint32)
	}

CHECK:
	// Check if the minimum permissions are met
	// If "deny" has been explicitly set, only deny will be in the map, so we
	// only need to check for the existence of other values
	sudo = capabilities&SudoCapabilityInt > 0
	switch op {
	case logical.ReadOperation:
		allowed = capabilities&ReadCapabilityInt > 0
	case logical.ListOperation:
		allowed = capabilities&ListCapabilityInt > 0
	case logical.UpdateOperation:
		allowed = capabilities&UpdateCapabilityInt > 0
	case logical.DeleteOperation:
		allowed = capabilities&DeleteCapabilityInt > 0
	case logical.CreateOperation:
		allowed = capabilities&CreateCapabilityInt > 0

	// These three re-use UpdateCapabilityInt since that's the most appropriate capability/operation mapping
	case logical.RevokeOperation, logical.RenewOperation, logical.RollbackOperation:
		allowed = capabilities&UpdateCapabilityInt > 0

	default:
		return false, false
	}
	return
}
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`package vault`

			`import (`
			`"github.com/armon/go-radix"`
			`"github.com/hashicorp/vault/logical"`
			`)`

			`// ACL is used to wrap a set of policies to provide`
			`// an efficient interface for access control.`
			`type ACL struct {`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`// exactRules contains the path policies that are exact`
			`exactRules *radix.Tree`

			`// globRules contains the path policies that glob`
			`globRules *radix.Tree`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00
			`// root is enabled if the "root" named policy is present.`
			`root bool`
			`}`

			`// New is used to construct a policy based ACL from a set of policies.`
			`func NewACL(policies []Policy) (ACL, error) {`
			`// Initialize`
			`a := &ACL{`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`exactRules: radix.New(),`
			`globRules: radix.New(),`
			`root: false,`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`}`

			`// Inject each policy`
			`for _, policy := range policies {`
vault: ignore a nil policy object, as it has no permissions 2015-03-24 22:49:17 +00:00			`// Ignore a nil policy object`
			`if policy == nil {`
			`continue`
			`}`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`// Check if this is root`
			`if policy.Name == "root" {`
			`a.root = true`
			`}`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`for _, pc := range policy.Paths {`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`// Check which tree to use`
			`tree := a.exactRules`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`if pc.Glob {`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`tree = a.globRules`
			`}`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00
			`// Check for an existing policy`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`raw, ok := tree.Get(pc.Prefix)`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`if !ok {`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`tree.Insert(pc.Prefix, pc.CapabilitiesBitmap)`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`continue`
			`}`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`existing := raw.(uint32)`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
			`switch {`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`case existing&DenyCapabilityInt > 0:`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// If we are explicitly denied in the existing capability set,`
			`// don't save anything else`

Convert map to bitmap 2016-01-12 22:08:10 +00:00			`case pc.CapabilitiesBitmap&DenyCapabilityInt > 0:`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// If this new policy explicitly denies, only save the deny value`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`tree.Insert(pc.Prefix, DenyCapabilityInt)`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`default:`
			`// Insert the capabilities in this new policy into the existing`
Fix out-of-date comment 2016-03-03 18:37:51 +00:00			`// value`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`tree.Insert(pc.Prefix, existing\|pc.CapabilitiesBitmap)`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`}`
			`}`
			`}`
			`return a, nil`
			`}`

Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`func (a *ACL) Capabilities(path string) (pathCapabilities []string) {`
			`// Fast-path root`
			`if a.root {`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`return []string{RootCapability}`
Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`}`

			`// Find an exact matching rule, look for glob if no match`
			`var capabilities uint32`
			`raw, ok := a.exactRules.Get(path)`
			`if ok {`
			`capabilities = raw.(uint32)`
			`goto CHECK`
			`}`

			`// Find a glob rule, default deny if no match`
			`_, raw, ok = a.globRules.LongestPrefix(path)`
			`if !ok {`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`return []string{DenyCapability}`
Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`} else {`
			`capabilities = raw.(uint32)`
			`}`

			`CHECK:`
			`if capabilities&SudoCapabilityInt > 0 {`
			`pathCapabilities = append(pathCapabilities, SudoCapability)`
			`}`
			`if capabilities&ReadCapabilityInt > 0 {`
			`pathCapabilities = append(pathCapabilities, ReadCapability)`
			`}`
			`if capabilities&ListCapabilityInt > 0 {`
			`pathCapabilities = append(pathCapabilities, ListCapability)`
			`}`
			`if capabilities&UpdateCapabilityInt > 0 {`
			`pathCapabilities = append(pathCapabilities, UpdateCapability)`
			`}`
			`if capabilities&DeleteCapabilityInt > 0 {`
			`pathCapabilities = append(pathCapabilities, DeleteCapability)`
			`}`
			`if capabilities&CreateCapabilityInt > 0 {`
			`pathCapabilities = append(pathCapabilities, CreateCapability)`
			`}`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00
			`// If "deny" is explicitly set or if the path has no capabilities at all,`
			`// set the path capabilities to "deny"`
			`if capabilities&DenyCapabilityInt > 0 \|\| len(pathCapabilities) == 0 {`
Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`pathCapabilities = []string{DenyCapability}`
			`}`
			`return`
			`}`

Convert map to bitmap 2016-01-12 22:08:10 +00:00			`// AllowOperation is used to check if the given operation is permitted. The`
			`// first bool indicates if an op is allowed, the second whether sudo priviliges`
			`// exist for that op and path.`
			`func (a *ACL) AllowOperation(op logical.Operation, path string) (allowed bool, sudo bool) {`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`// Fast-path root`
			`if a.root {`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`return true, true`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// Help is always allowed`
			`if op == logical.HelpOperation {`
			`return true, false`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`}`

			`// Find an exact matching rule, look for glob if no match`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`var capabilities uint32`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`raw, ok := a.exactRules.Get(path)`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`if ok {`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`capabilities = raw.(uint32)`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`goto CHECK`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`}`

vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`// Find a glob rule, default deny if no match`
			`_, raw, ok = a.globRules.LongestPrefix(path)`
			`if !ok {`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`return false, false`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`} else {`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`capabilities = raw.(uint32)`
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`}`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00
vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 23:31:30 +00:00			`CHECK:`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`// Check if the minimum permissions are met`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// If "deny" has been explicitly set, only deny will be in the map, so we`
			`// only need to check for the existence of other values`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`sudo = capabilities&SudoCapabilityInt > 0`
Use logical operations instead of strings for comparison 2016-01-13 02:16:31 +00:00			`switch op {`
			`case logical.ReadOperation:`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`allowed = capabilities&ReadCapabilityInt > 0`
Use logical operations instead of strings for comparison 2016-01-13 02:16:31 +00:00			`case logical.ListOperation:`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`allowed = capabilities&ListCapabilityInt > 0`
Use logical operations instead of strings for comparison 2016-01-13 02:16:31 +00:00			`case logical.UpdateOperation:`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`allowed = capabilities&UpdateCapabilityInt > 0`
Use logical operations instead of strings for comparison 2016-01-13 02:16:31 +00:00			`case logical.DeleteOperation:`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`allowed = capabilities&DeleteCapabilityInt > 0`
Use logical operations instead of strings for comparison 2016-01-13 02:16:31 +00:00			`case logical.CreateOperation:`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`allowed = capabilities&CreateCapabilityInt > 0`
Cleanup 2016-01-12 22:10:48 +00:00
Speling police 2016-05-15 16:58:36 +00:00			`// These three re-use UpdateCapabilityInt since that's the most appropriate capability/operation mapping`
Use logical operations instead of strings for comparison 2016-01-13 02:16:31 +00:00			`case logical.RevokeOperation, logical.RenewOperation, logical.RollbackOperation:`
Store uint32s in radix 2016-01-12 22:24:01 +00:00			`allowed = capabilities&UpdateCapabilityInt > 0`
Cleanup 2016-01-12 22:10:48 +00:00
Convert map to bitmap 2016-01-12 22:08:10 +00:00			`default:`
			`return false, false`
			`}`
			`return`
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`}`