2016-03-03 02:32:52 +00:00
|
|
|
package vault
|
|
|
|
|
2017-02-17 04:09:39 +00:00
|
|
|
import (
|
2018-01-19 06:44:44 +00:00
|
|
|
"context"
|
2017-02-17 04:09:39 +00:00
|
|
|
"sort"
|
2016-03-18 16:40:17 +00:00
|
|
|
|
2017-02-17 04:09:39 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
)
|
2016-03-03 02:32:52 +00:00
|
|
|
|
|
|
|
// Capabilities is used to fetch the capabilities of the given token on the given path
|
2018-01-19 06:44:44 +00:00
|
|
|
func (c *Core) Capabilities(ctx context.Context, token, path string) ([]string, error) {
|
2016-03-03 02:32:52 +00:00
|
|
|
if path == "" {
|
2017-02-17 04:09:39 +00:00
|
|
|
return nil, &logical.StatusBadRequest{Err: "missing path"}
|
2016-03-03 02:32:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if token == "" {
|
2017-02-17 04:09:39 +00:00
|
|
|
return nil, &logical.StatusBadRequest{Err: "missing token"}
|
2016-03-03 02:32:52 +00:00
|
|
|
}
|
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
te, err := c.tokenStore.Lookup(ctx, token)
|
2016-03-03 02:32:52 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if te == nil {
|
2017-02-17 04:09:39 +00:00
|
|
|
return nil, &logical.StatusBadRequest{Err: "invalid token"}
|
2016-03-03 02:32:52 +00:00
|
|
|
}
|
|
|
|
|
2018-09-04 18:18:59 +00:00
|
|
|
// Start with token entry policies
|
|
|
|
policies := te.Policies
|
2016-03-04 17:04:26 +00:00
|
|
|
|
2018-09-04 18:18:59 +00:00
|
|
|
// Fetch entity and entity group policies
|
2018-04-23 22:00:02 +00:00
|
|
|
entity, derivedPolicies, err := c.fetchEntityAndDerivedPolicies(te.EntityID)
|
2017-11-03 15:20:10 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-04-23 22:00:02 +00:00
|
|
|
if entity != nil && entity.Disabled {
|
2018-06-19 16:57:19 +00:00
|
|
|
c.logger.Warn("permission denied as the entity on the token is disabled")
|
|
|
|
return nil, logical.ErrPermissionDenied
|
|
|
|
}
|
2018-09-04 18:18:59 +00:00
|
|
|
if te.EntityID != "" && entity == nil {
|
2018-06-19 16:57:19 +00:00
|
|
|
c.logger.Warn("permission denied as the entity on the token is invalid")
|
2018-04-23 22:00:02 +00:00
|
|
|
return nil, logical.ErrPermissionDenied
|
|
|
|
}
|
2018-09-04 18:18:59 +00:00
|
|
|
policies = append(policies, derivedPolicies...)
|
2017-11-03 15:20:10 +00:00
|
|
|
|
2016-03-04 17:04:26 +00:00
|
|
|
if len(policies) == 0 {
|
2016-03-04 18:21:07 +00:00
|
|
|
return []string{DenyCapability}, nil
|
2016-03-04 17:04:26 +00:00
|
|
|
}
|
|
|
|
|
2018-09-04 18:18:59 +00:00
|
|
|
acl, err := c.policyStore.ACL(ctx, entity, policies...)
|
2016-03-04 17:04:26 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2016-03-18 16:40:17 +00:00
|
|
|
capabilities := acl.Capabilities(path)
|
|
|
|
sort.Strings(capabilities)
|
|
|
|
return capabilities, nil
|
2016-03-03 02:32:52 +00:00
|
|
|
}
|