open-vault/vault/capabilities.go

package vault

// Struct to identify user input errors.
// This is helpful in responding the appropriate status codes to clients
// from the HTTP endpoints.
type ErrUserInput struct {
	Message string
}

// Implementing error interface
func (e *ErrUserInput) Error() string {
	return e.Message
}

// CapabilitiesAccessor is used to fetch the capabilities of the token associated with
// the token accessor an the given path
func (c *Core) CapabilitiesAccessor(accessorID, path string) ([]string, error) {
	if path == "" {
		return nil, &ErrUserInput{
			Message: "missing path",
		}
	}

	if accessorID == "" {
		return nil, &ErrUserInput{
			Message: "missing accessor_id",
		}
	}

	token, err := c.tokenStore.lookupByAccessorID(accessorID)
	if err != nil {
		return nil, err
	}

	return c.Capabilities(token, path)
}

// Capabilities is used to fetch the capabilities of the given token on the given path
func (c *Core) Capabilities(token, path string) ([]string, error) {
	if path == "" {
		return nil, &ErrUserInput{
			Message: "missing path",
		}
	}

	if token == "" {
		return nil, &ErrUserInput{
			Message: "missing token",
		}
	}

	te, err := c.tokenStore.Lookup(token)
	if err != nil {
		return nil, err
	}
	if te == nil {
		return nil, &ErrUserInput{
			Message: "invalid token",
		}
	}

	if te.Policies == nil {
		return []string{DenyCapability}, nil
	}

	var policies []*Policy
	for _, tePolicy := range te.Policies {
		policy, err := c.policyStore.GetPolicy(tePolicy)
		if err != nil {
			return nil, err
		}
		policies = append(policies, policy)
	}

	if len(policies) == 0 {
		return []string{DenyCapability}, nil
	}

	acl, err := NewACL(policies)
	if err != nil {
		return nil, err
	}

	return acl.Capabilities(path), nil
}
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`package vault`

Introduced ErrUserInput to distinguish user error from server error 2016-03-08 03:16:09 +00:00			`// Struct to identify user input errors.`
			`// This is helpful in responding the appropriate status codes to clients`
			`// from the HTTP endpoints.`
			`type ErrUserInput struct {`
			`Message string`
			`}`
use errwrap to check the type of error message, fix typos 2016-03-07 23:36:26 +00:00
Introduced ErrUserInput to distinguish user error from server error 2016-03-08 03:16:09 +00:00			`// Implementing error interface`
			`func (e *ErrUserInput) Error() string {`
			`return e.Message`
			`}`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00
Implemented /sys/capabilities-accessor and a way for setting HTTP error code in all the responses 2016-03-09 00:14:29 +00:00			`// CapabilitiesAccessor is used to fetch the capabilities of the token associated with`
			`// the token accessor an the given path`
			`func (c *Core) CapabilitiesAccessor(accessorID, path string) ([]string, error) {`
			`if path == "" {`
			`return nil, &ErrUserInput{`
			`Message: "missing path",`
			`}`
			`}`

			`if accessorID == "" {`
			`return nil, &ErrUserInput{`
			`Message: "missing accessor_id",`
			`}`
			`}`

			`token, err := c.tokenStore.lookupByAccessorID(accessorID)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return c.Capabilities(token, path)`
			`}`

Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`// Capabilities is used to fetch the capabilities of the given token on the given path`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`func (c *Core) Capabilities(token, path string) ([]string, error) {`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`if path == "" {`
Introduced ErrUserInput to distinguish user error from server error 2016-03-08 03:16:09 +00:00			`return nil, &ErrUserInput{`
			`Message: "missing path",`
			`}`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`

			`if token == "" {`
Introduced ErrUserInput to distinguish user error from server error 2016-03-08 03:16:09 +00:00			`return nil, &ErrUserInput{`
			`Message: "missing token",`
			`}`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`

			`te, err := c.tokenStore.Lookup(token)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if te == nil {`
Introduced ErrUserInput to distinguish user error from server error 2016-03-08 03:16:09 +00:00			`return nil, &ErrUserInput{`
			`Message: "invalid token",`
			`}`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`

			`if te.Policies == nil {`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`return []string{DenyCapability}, nil`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`

Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`var policies []*Policy`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`for _, tePolicy := range te.Policies {`
			`policy, err := c.policyStore.GetPolicy(tePolicy)`
			`if err != nil {`
			`return nil, err`
			`}`
Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`policies = append(policies, policy)`
			`}`

			`if len(policies) == 0 {`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`return []string{DenyCapability}, nil`
Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`}`

			`acl, err := NewACL(policies)`
			`if err != nil {`
			`return nil, err`
			`}`

refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`return acl.Capabilities(path), nil`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`