open-vault/vault/capabilities.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package vault

import (
	"context"
	"sort"

	"github.com/hashicorp/vault/helper/namespace"
	"github.com/hashicorp/vault/sdk/logical"
)

// Capabilities is used to fetch the capabilities of the given token on the
// given path
func (c *Core) Capabilities(ctx context.Context, token, path string) ([]string, error) {
	if path == "" {
		return nil, &logical.StatusBadRequest{Err: "missing path"}
	}

	if token == "" {
		return nil, &logical.StatusBadRequest{Err: "missing token"}
	}

	te, err := c.tokenStore.Lookup(ctx, token)
	if err != nil {
		return nil, err
	}
	if te == nil {
		return nil, &logical.StatusBadRequest{Err: "invalid token"}
	}

	tokenNS, err := NamespaceByID(ctx, te.NamespaceID, c)
	if err != nil {
		return nil, err
	}
	if tokenNS == nil {
		return nil, namespace.ErrNoNamespace
	}

	var policyCount int
	policyNames := make(map[string][]string)
	policyNames[tokenNS.ID] = te.Policies
	policyCount += len(te.Policies)

	entity, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, tokenNS, te.EntityID, te.NoIdentityPolicies)
	if err != nil {
		return nil, err
	}
	if entity != nil && entity.Disabled {
		c.logger.Warn("permission denied as the entity on the token is disabled")
		return nil, logical.ErrPermissionDenied
	}
	if te.EntityID != "" && entity == nil {
		c.logger.Warn("permission denied as the entity on the token is invalid")
		return nil, logical.ErrPermissionDenied
	}

	for nsID, nsPolicies := range identityPolicies {
		policyNames[nsID] = append(policyNames[nsID], nsPolicies...)
		policyCount += len(nsPolicies)
	}

	// Add capabilities of the inline policy if it's set
	policies := make([]*Policy, 0)
	if te.InlinePolicy != "" {
		inlinePolicy, err := ParseACLPolicy(tokenNS, te.InlinePolicy)
		if err != nil {
			return nil, err
		}
		policies = append(policies, inlinePolicy)
		policyCount++
	}

	if policyCount == 0 {
		return []string{DenyCapability}, nil
	}

	// Construct the corresponding ACL object. ACL construction should be
	// performed on the token's namespace.
	tokenCtx := namespace.ContextWithNamespace(ctx, tokenNS)
	acl, err := c.policyStore.ACL(tokenCtx, entity, policyNames, policies...)
	if err != nil {
		return nil, err
	}

	capabilities := acl.Capabilities(ctx, path)
	sort.Strings(capabilities)
	return capabilities, nil
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`package vault`

More rep porting (#2391) * More rep porting * Add a bit more porting 2017-02-17 04:09:39 +00:00			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
More rep porting (#2391) * More rep porting * Add a bit more porting 2017-02-17 04:09:39 +00:00			`"sort"`
Sort the capabilities before returning 2016-03-18 16:40:17 +00:00
The big one (#5346) 2018-09-18 03:03:00 +00:00			`"github.com/hashicorp/vault/helper/namespace"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
More rep porting (#2391) * More rep porting * Add a bit more porting 2017-02-17 04:09:39 +00:00			`)`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00
The big one (#5346) 2018-09-18 03:03:00 +00:00			`// Capabilities is used to fetch the capabilities of the given token on the`
			`// given path`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (c *Core) Capabilities(ctx context.Context, token, path string) ([]string, error) {`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`if path == "" {`
More rep porting (#2391) * More rep porting * Add a bit more porting 2017-02-17 04:09:39 +00:00			`return nil, &logical.StatusBadRequest{Err: "missing path"}`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`

			`if token == "" {`
More rep porting (#2391) * More rep porting * Add a bit more porting 2017-02-17 04:09:39 +00:00			`return nil, &logical.StatusBadRequest{Err: "missing token"}`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`te, err := c.tokenStore.Lookup(ctx, token)`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if te == nil {`
More rep porting (#2391) * More rep porting * Add a bit more porting 2017-02-17 04:09:39 +00:00			`return nil, &logical.StatusBadRequest{Err: "invalid token"}`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`

The big one (#5346) 2018-09-18 03:03:00 +00:00			`tokenNS, err := NamespaceByID(ctx, te.NamespaceID, c)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if tokenNS == nil {`
			`return nil, namespace.ErrNoNamespace`
			`}`
Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00
The big one (#5346) 2018-09-18 03:03:00 +00:00			`var policyCount int`
			`policyNames := make(map[string][]string)`
			`policyNames[tokenNS.ID] = te.Policies`
			`policyCount += len(te.Policies)`

Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-10-07 17:36:22 +00:00			`entity, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, tokenNS, te.EntityID, te.NoIdentityPolicies)`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled 2018-04-23 22:00:02 +00:00			`if entity != nil && entity.Disabled {`
disallow token use if entity is invalid (#4791) 2018-06-19 16:57:19 +00:00			`c.logger.Warn("permission denied as the entity on the token is disabled")`
			`return nil, logical.ErrPermissionDenied`
			`}`
Fixing capabilities check for templated policies (#5250) * fixing capabilities check for templated policies * remove unnecessary change * formatting 2018-09-04 18:18:59 +00:00			`if te.EntityID != "" && entity == nil {`
disallow token use if entity is invalid (#4791) 2018-06-19 16:57:19 +00:00			`c.logger.Warn("permission denied as the entity on the token is invalid")`
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled 2018-04-23 22:00:02 +00:00			`return nil, logical.ErrPermissionDenied`
			`}`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00
The big one (#5346) 2018-09-18 03:03:00 +00:00			`for nsID, nsPolicies := range identityPolicies {`
			`policyNames[nsID] = append(policyNames[nsID], nsPolicies...)`
			`policyCount += len(nsPolicies)`
			`}`

Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-10-07 17:36:22 +00:00			`// Add capabilities of the inline policy if it's set`
			`policies := make([]*Policy, 0)`
			`if te.InlinePolicy != "" {`
			`inlinePolicy, err := ParseACLPolicy(tokenNS, te.InlinePolicy)`
			`if err != nil {`
			`return nil, err`
			`}`
			`policies = append(policies, inlinePolicy)`
			`policyCount++`
			`}`

The big one (#5346) 2018-09-18 03:03:00 +00:00			`if policyCount == 0 {`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`return []string{DenyCapability}, nil`
Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`}`

Fix Capabilities check when in a child namespace (#5406) 2018-09-26 22:10:36 +00:00			`// Construct the corresponding ACL object. ACL construction should be`
			`// performed on the token's namespace.`
			`tokenCtx := namespace.ContextWithNamespace(ctx, tokenNS)`
Adds ability to define an inline policy and internal metadata on tokens (#12682) * Adds ability to define an inline policy and internal metadata to tokens * Update comment on fetchEntityAndDerivedPolicies * Simplify handling of inline policy * Update comment on InternalMeta Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Improve argument name Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior * Add SkipIdentityInheritance to pb struct in token store create method * Rename SkipIdentityInheritance to NoIdentityPolicies * Merge latest from main and make proto Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-10-07 17:36:22 +00:00			`acl, err := c.policyStore.ACL(tokenCtx, entity, policyNames, policies...)`
Adding acl.Capabilities to do the path matching 2016-03-04 17:04:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`

The big one (#5346) 2018-09-18 03:03:00 +00:00			`capabilities := acl.Capabilities(ctx, path)`
Sort the capabilities before returning 2016-03-18 16:40:17 +00:00			`sort.Strings(capabilities)`
			`return capabilities, nil`
Add vault/capabilities.go 2016-03-03 02:32:52 +00:00			`}`