open-vault/vault/acl.go

package vault

import (
	"github.com/armon/go-radix"
	"github.com/hashicorp/vault/logical"
)

// operationPolicyLevel is used to map each logical operation
// into the minimum required permissions to allow the operation.
var operationPolicyLevel = map[logical.Operation]int{
	logical.ReadOperation:   pathPolicyLevel[PathPolicyRead],
	logical.WriteOperation:  pathPolicyLevel[PathPolicyWrite],
	logical.DeleteOperation: pathPolicyLevel[PathPolicyWrite],
	logical.ListOperation:   pathPolicyLevel[PathPolicyRead],
	logical.RevokeOperation: pathPolicyLevel[PathPolicyWrite],
	logical.RenewOperation:  pathPolicyLevel[PathPolicyRead],
	logical.HelpOperation:   pathPolicyLevel[PathPolicyDeny],
}

// ACL is used to wrap a set of policies to provide
// an efficient interface for access control.
type ACL struct {
	// pathRules contains the path policies
	pathRules *radix.Tree

	// root is enabled if the "root" named policy is present.
	root bool
}

// New is used to construct a policy based ACL from a set of policies.
func NewACL(policies []*Policy) (*ACL, error) {
	// Initialize
	a := &ACL{
		pathRules: radix.New(),
		root:      false,
	}

	// Inject each policy
	for _, policy := range policies {
		// Check if this is root
		if policy.Name == "root" {
			a.root = true
		}
		for _, pp := range policy.Paths {
			// Convert to a policy level
			policyLevel := pathPolicyLevel[pp.Policy]

			// Check for an existing policy
			raw, ok := a.pathRules.Get(pp.Prefix)
			if !ok {
				a.pathRules.Insert(pp.Prefix, policyLevel)
				continue
			}
			existing := raw.(int)

			// Check if this policy is a higher access level,
			// we want to store the highest permission permitted.
			if policyLevel > existing {
				a.pathRules.Insert(pp.Prefix, policyLevel)
			}
		}
	}
	return a, nil
}

// AllowOperation is used to check if the given operation is permitted
func (a *ACL) AllowOperation(op logical.Operation, path string) bool {
	// Fast-path root
	if a.root {
		return true
	}

	// Find a matching rule, default deny if no match
	policyLevel := 0
	_, rule, ok := a.pathRules.LongestPrefix(path)
	if ok {
		policyLevel = rule.(int)
	}

	// Convert the operation to a minimum required level
	requiredLevel := operationPolicyLevel[op]

	// Check if the minimum permissions are met
	return policyLevel >= requiredLevel
}

// RootPrivilege checks if the user has root level permission
// to given path. This requires that the user be root, or that
// sudo privilege is available on that path.
func (a *ACL) RootPrivilege(path string) bool {
	// Fast-path root
	if a.root {
		return true
	}

	// Check the rules for a match
	_, rule, ok := a.pathRules.LongestPrefix(path)
	if !ok {
		return false
	}

	// Check the policy level
	policyLevel := rule.(int)
	return policyLevel == pathPolicyLevel[PathPolicySudo]
}
vault: Adding ACL representation 2015-03-18 01:31:20 +00:00			`package vault`

			`import (`
			`"github.com/armon/go-radix"`
			`"github.com/hashicorp/vault/logical"`
			`)`

			`// operationPolicyLevel is used to map each logical operation`
			`// into the minimum required permissions to allow the operation.`
			`var operationPolicyLevel = map[logical.Operation]int{`
			`logical.ReadOperation: pathPolicyLevel[PathPolicyRead],`
			`logical.WriteOperation: pathPolicyLevel[PathPolicyWrite],`
			`logical.DeleteOperation: pathPolicyLevel[PathPolicyWrite],`
			`logical.ListOperation: pathPolicyLevel[PathPolicyRead],`
			`logical.RevokeOperation: pathPolicyLevel[PathPolicyWrite],`
			`logical.RenewOperation: pathPolicyLevel[PathPolicyRead],`
			`logical.HelpOperation: pathPolicyLevel[PathPolicyDeny],`
			`}`

			`// ACL is used to wrap a set of policies to provide`
			`// an efficient interface for access control.`
			`type ACL struct {`
			`// pathRules contains the path policies`
			`pathRules *radix.Tree`

			`// root is enabled if the "root" named policy is present.`
			`root bool`
			`}`

			`// New is used to construct a policy based ACL from a set of policies.`
			`func NewACL(policies []Policy) (ACL, error) {`
			`// Initialize`
			`a := &ACL{`
			`pathRules: radix.New(),`
			`root: false,`
			`}`

			`// Inject each policy`
			`for _, policy := range policies {`
			`// Check if this is root`
			`if policy.Name == "root" {`
			`a.root = true`
			`}`
			`for _, pp := range policy.Paths {`
			`// Convert to a policy level`
			`policyLevel := pathPolicyLevel[pp.Policy]`

			`// Check for an existing policy`
			`raw, ok := a.pathRules.Get(pp.Prefix)`
			`if !ok {`
			`a.pathRules.Insert(pp.Prefix, policyLevel)`
			`continue`
			`}`
			`existing := raw.(int)`

			`// Check if this policy is a higher access level,`
			`// we want to store the highest permission permitted.`
			`if policyLevel > existing {`
			`a.pathRules.Insert(pp.Prefix, policyLevel)`
			`}`
			`}`
			`}`
			`return a, nil`
			`}`

			`// AllowOperation is used to check if the given operation is permitted`
			`func (a *ACL) AllowOperation(op logical.Operation, path string) bool {`
			`// Fast-path root`
			`if a.root {`
			`return true`
			`}`

			`// Find a matching rule, default deny if no match`
			`policyLevel := 0`
			`_, rule, ok := a.pathRules.LongestPrefix(path)`
			`if ok {`
			`policyLevel = rule.(int)`
			`}`

			`// Convert the operation to a minimum required level`
			`requiredLevel := operationPolicyLevel[op]`

			`// Check if the minimum permissions are met`
			`return policyLevel >= requiredLevel`
			`}`

			`// RootPrivilege checks if the user has root level permission`
			`// to given path. This requires that the user be root, or that`
			`// sudo privilege is available on that path.`
			`func (a *ACL) RootPrivilege(path string) bool {`
			`// Fast-path root`
			`if a.root {`
			`return true`
			`}`

			`// Check the rules for a match`
			`_, rule, ok := a.pathRules.LongestPrefix(path)`
			`if !ok {`
			`return false`
			`}`

			`// Check the policy level`
			`policyLevel := rule.(int)`
			`return policyLevel == pathPolicyLevel[PathPolicySudo]`
			`}`