open-vault/vault/capabilities.go

91 lines
2.3 KiB
Go
Raw Normal View History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
2016-03-03 02:32:52 +00:00
package vault
import (
"context"
"sort"
2016-03-18 16:40:17 +00:00
2018-09-18 03:03:00 +00:00
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/logical"
)
2016-03-03 02:32:52 +00:00
2018-09-18 03:03:00 +00:00
// Capabilities is used to fetch the capabilities of the given token on the
// given path
func (c *Core) Capabilities(ctx context.Context, token, path string) ([]string, error) {
2016-03-03 02:32:52 +00:00
if path == "" {
return nil, &logical.StatusBadRequest{Err: "missing path"}
2016-03-03 02:32:52 +00:00
}
if token == "" {
return nil, &logical.StatusBadRequest{Err: "missing token"}
2016-03-03 02:32:52 +00:00
}
te, err := c.tokenStore.Lookup(ctx, token)
2016-03-03 02:32:52 +00:00
if err != nil {
return nil, err
}
if te == nil {
return nil, &logical.StatusBadRequest{Err: "invalid token"}
2016-03-03 02:32:52 +00:00
}
2018-09-18 03:03:00 +00:00
tokenNS, err := NamespaceByID(ctx, te.NamespaceID, c)
if err != nil {
return nil, err
}
if tokenNS == nil {
return nil, namespace.ErrNoNamespace
}
2018-09-18 03:03:00 +00:00
var policyCount int
policyNames := make(map[string][]string)
policyNames[tokenNS.ID] = te.Policies
policyCount += len(te.Policies)
entity, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, tokenNS, te.EntityID, te.NoIdentityPolicies)
if err != nil {
return nil, err
}
if entity != nil && entity.Disabled {
c.logger.Warn("permission denied as the entity on the token is disabled")
return nil, logical.ErrPermissionDenied
}
if te.EntityID != "" && entity == nil {
c.logger.Warn("permission denied as the entity on the token is invalid")
return nil, logical.ErrPermissionDenied
}
2018-09-18 03:03:00 +00:00
for nsID, nsPolicies := range identityPolicies {
policyNames[nsID] = append(policyNames[nsID], nsPolicies...)
policyCount += len(nsPolicies)
}
// Add capabilities of the inline policy if it's set
policies := make([]*Policy, 0)
if te.InlinePolicy != "" {
inlinePolicy, err := ParseACLPolicy(tokenNS, te.InlinePolicy)
if err != nil {
return nil, err
}
policies = append(policies, inlinePolicy)
policyCount++
}
2018-09-18 03:03:00 +00:00
if policyCount == 0 {
return []string{DenyCapability}, nil
}
// Construct the corresponding ACL object. ACL construction should be
// performed on the token's namespace.
tokenCtx := namespace.ContextWithNamespace(ctx, tokenNS)
acl, err := c.policyStore.ACL(tokenCtx, entity, policyNames, policies...)
if err != nil {
return nil, err
}
2018-09-18 03:03:00 +00:00
capabilities := acl.Capabilities(ctx, path)
2016-03-18 16:40:17 +00:00
sort.Strings(capabilities)
return capabilities, nil
2016-03-03 02:32:52 +00:00
}