package vault
// StatusBadRequest is an error type that identifies a failure caused by
// invalid user input rather than by an internal fault.
//
// It exists so that the HTTP endpoints can distinguish client mistakes from
// server-side errors and respond with the appropriate status code.
type StatusBadRequest struct {
	// Err is the message reported by Error(). Because this type marks a
	// client-facing condition, keep the message free of internal detail.
	Err string
}
// Compile-time check that *StatusBadRequest satisfies the error interface.
var _ error = (*StatusBadRequest)(nil)

// Error implements the error interface so a *StatusBadRequest can be
// returned wherever an error is expected. It reports the Err field verbatim.
func (s *StatusBadRequest) Error() string {
	msg := s.Err
	return msg
}
// CapabilitiesAccessor returns the capabilities on path of the token that
// the given accessorID refers to. It resolves the accessor to a token ID via
// the token store and then delegates to Capabilities, so the result carries
// the same deny-by-default semantics.
//
// A *StatusBadRequest is returned when path or accessorID is empty (path is
// checked first); errors from the token store are passed through unchanged.
func (c *Core) CapabilitiesAccessor(accessorID, path string) ([]string, error) {
	// Validate inputs before touching storage; the order determines which
	// message a caller sees when both are missing.
	switch {
	case path == "":
		return nil, &StatusBadRequest{Err: "missing path"}
	case accessorID == "":
		return nil, &StatusBadRequest{Err: "missing accessor_id"}
	}

	// Resolve the accessor to its token ID. The caller never presents the
	// token itself, only its accessor.
	tokenID, err := c.tokenStore.lookupByAccessorID(accessorID)
	if err != nil {
		return nil, err
	}

	// Capabilities performs its own validation of tokenID (including the
	// empty-string case) and the policy evaluation.
	return c.Capabilities(tokenID, path)
}
// Capabilities returns the set of capabilities that token holds on path.
//
// The lookup is deny-by-default: a token entry with no policies, or whose
// policy list resolves to zero entries, yields []string{DenyCapability}.
// An empty path or token, or a token unknown to the token store, produces a
// *StatusBadRequest; every other failure (token store, policy store, ACL
// construction) is returned unchanged.
func (c *Core) Capabilities(token, path string) ([]string, error) {
	// Input validation, path first, so the message reported when both are
	// missing matches CapabilitiesAccessor.
	switch {
	case path == "":
		return nil, &StatusBadRequest{Err: "missing path"}
	case token == "":
		return nil, &StatusBadRequest{Err: "missing token"}
	}

	entry, err := c.tokenStore.Lookup(token)
	if err != nil {
		return nil, err
	}
	// A nil entry with a nil error means the token store has no record of
	// this token; report it as a client error rather than as "no capabilities".
	if entry == nil {
		return nil, &StatusBadRequest{Err: "invalid token"}
	}

	// No policies at all: nothing can grant access, so deny outright without
	// consulting the policy store.
	if entry.Policies == nil {
		return []string{DenyCapability}, nil
	}

	// Resolve each policy named on the token; a failure to load any one of
	// them aborts the whole request rather than evaluating a partial set.
	resolved := make([]*Policy, 0, len(entry.Policies))
	for _, name := range entry.Policies {
		p, err := c.policyStore.GetPolicy(name)
		if err != nil {
			return nil, err
		}
		// NOTE(review): a nil p with a nil err is appended as-is; whether
		// NewACL tolerates nil entries is not visible here — confirm.
		resolved = append(resolved, p)
	}
	if len(resolved) == 0 {
		return []string{DenyCapability}, nil
	}

	acl, err := NewACL(resolved)
	if err != nil {
		return nil, err
	}
	return acl.Capabilities(path), nil
}