open-vault/vault/policy.go

package vault

import (
	"fmt"
	"strings"

	"github.com/hashicorp/hcl"
)

const (
	DenyCapability   = "deny"
	CreateCapability = "create"
	ReadCapability   = "read"
	UpdateCapability = "update"
	DeleteCapability = "delete"
	ListCapability   = "list"
	SudoCapability   = "sudo"
	RootCapability   = "root"

	// Backwards compatibility
	OldDenyPathPolicy  = "deny"
	OldReadPathPolicy  = "read"
	OldWritePathPolicy = "write"
	OldSudoPathPolicy  = "sudo"
)

const (
	DenyCapabilityInt uint32 = 1 << iota
	CreateCapabilityInt
	ReadCapabilityInt
	UpdateCapabilityInt
	DeleteCapabilityInt
	ListCapabilityInt
	SudoCapabilityInt
)

var (
	cap2Int = map[string]uint32{
		DenyCapability:   DenyCapabilityInt,
		CreateCapability: CreateCapabilityInt,
		ReadCapability:   ReadCapabilityInt,
		UpdateCapability: UpdateCapabilityInt,
		DeleteCapability: DeleteCapabilityInt,
		ListCapability:   ListCapabilityInt,
		SudoCapability:   SudoCapabilityInt,
	}
)

// Policy is used to represent the policy specified by
// an ACL configuration.
type Policy struct {
	Name  string              `hcl:"name"`
	Paths []*PathCapabilities `hcl:"path,expand"`
	Raw   string
}

// Capability represents a policy for a path in the namespace
type PathCapabilities struct {
	Prefix             string `hcl:",key"`
	Policy             string
	Capabilities       []string
	CapabilitiesBitmap uint32 `hcl:"-"`
	Glob               bool
}

// Parse is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func Parse(rules string) (*Policy, error) {
	// Decode the rules
	p := &Policy{Raw: rules}
	if err := hcl.Decode(p, rules); err != nil {
		return nil, fmt.Errorf("Failed to parse ACL rules: %v", err)
	}

	// Validate the path policy
	for _, pc := range p.Paths {
		// Strip a leading '/' as paths in Vault start after the / in the API
		// path
		if len(pc.Prefix) > 0 && pc.Prefix[0] == '/' {
			pc.Prefix = pc.Prefix[1:]
		}

		// Strip the glob character if found
		if strings.HasSuffix(pc.Prefix, "*") {
			pc.Prefix = strings.TrimSuffix(pc.Prefix, "*")
			pc.Glob = true
		}

		// Map old-style policies into capabilities
		switch pc.Policy {
		case OldDenyPathPolicy:
			pc.Capabilities = []string{DenyCapability}
		case OldReadPathPolicy:
			pc.Capabilities = append(pc.Capabilities, []string{ReadCapability, ListCapability}...)
		case OldWritePathPolicy:
			pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability}...)
		case OldSudoPathPolicy:
			pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability}...)
		}

		// Initialize the map
		pc.CapabilitiesBitmap = 0
		for _, cap := range pc.Capabilities {
			switch cap {
			// If it's deny, don't include any other capability
			case DenyCapability:
				pc.Capabilities = []string{DenyCapability}
				pc.CapabilitiesBitmap = DenyCapabilityInt
				goto PathFinished
			case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability:
				pc.CapabilitiesBitmap |= cap2Int[cap]
			default:
				return nil, fmt.Errorf("Invalid capability: %#v", pc)
			}
		}

	PathFinished:
	}
	return p, nil
}
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`package vault`

			`import (`
			`"fmt"`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`"strings"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00
			`"github.com/hashicorp/hcl"`
			`)`

			`const (`
Convert map to bitmap 2016-01-12 22:08:10 +00:00			`DenyCapability = "deny"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`CreateCapability = "create"`
			`ReadCapability = "read"`
			`UpdateCapability = "update"`
			`DeleteCapability = "delete"`
			`ListCapability = "list"`
			`SudoCapability = "sudo"`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`RootCapability = "root"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
			`// Backwards compatibility`
			`OldDenyPathPolicy = "deny"`
			`OldReadPathPolicy = "read"`
			`OldWritePathPolicy = "write"`
			`OldSudoPathPolicy = "sudo"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`)`

Convert map to bitmap 2016-01-12 22:08:10 +00:00			`const (`
			`DenyCapabilityInt uint32 = 1 << iota`
			`CreateCapabilityInt`
			`ReadCapabilityInt`
			`UpdateCapabilityInt`
			`DeleteCapabilityInt`
			`ListCapabilityInt`
			`SudoCapabilityInt`
			`)`

			`var (`
			`cap2Int = map[string]uint32{`
			`DenyCapability: DenyCapabilityInt,`
			`CreateCapability: CreateCapabilityInt,`
			`ReadCapability: ReadCapabilityInt,`
			`UpdateCapability: UpdateCapabilityInt,`
			`DeleteCapability: DeleteCapabilityInt,`
			`ListCapability: ListCapabilityInt,`
			`SudoCapability: SudoCapabilityInt,`
			`}`
			`)`

vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`// Policy is used to represent the policy specified by`
			`// an ACL configuration.`
			`type Policy struct {`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			Name string `hcl:"name"`
			Paths []*PathCapabilities `hcl:"path,expand"`
vault: Refactor to use CollectKeys 2015-03-18 19:03:33 +00:00			`Raw string`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// Capability represents a policy for a path in the namespace`
			`type PathCapabilities struct {`
Convert map to bitmap 2016-01-12 22:08:10 +00:00			Prefix string `hcl:",key"`
			`Policy string`
			`Capabilities []string`
			CapabilitiesBitmap uint32 `hcl:"-"`
			`Glob bool`
vault: Adding precedence logic for conflicting policy 2015-07-05 23:30:19 +00:00			`}`

vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`// Parse is used to parse the specified ACL rules into an`
			`// intermediary set of policies, before being compiled into`
			`// the ACL`
			`func Parse(rules string) (*Policy, error) {`
			`// Decode the rules`
vault: Refactor to use CollectKeys 2015-03-18 19:03:33 +00:00			`p := &Policy{Raw: rules}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`if err := hcl.Decode(p, rules); err != nil {`
			`return nil, fmt.Errorf("Failed to parse ACL rules: %v", err)`
			`}`

			`// Validate the path policy`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`for _, pc := range p.Paths {`
Strip leading paths in policies. It appears to be a common mistake, but they won't ever match. Fixes #1167 2016-03-03 16:32:48 +00:00			`// Strip a leading '/' as paths in Vault start after the / in the API`
			`// path`
			`if len(pc.Prefix) > 0 && pc.Prefix[0] == '/' {`
			`pc.Prefix = pc.Prefix[1:]`
			`}`

vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`// Strip the glob character if found`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`if strings.HasSuffix(pc.Prefix, "*") {`
			`pc.Prefix = strings.TrimSuffix(pc.Prefix, "*")`
			`pc.Glob = true`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// Map old-style policies into capabilities`
			`switch pc.Policy {`
			`case OldDenyPathPolicy:`
Convert map to bitmap 2016-01-12 22:08:10 +00:00			`pc.Capabilities = []string{DenyCapability}`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`case OldReadPathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{ReadCapability, ListCapability}...)`
			`case OldWritePathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability}...)`
			`case OldSudoPathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability}...)`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
			`// Initialize the map`
Convert map to bitmap 2016-01-12 22:08:10 +00:00			`pc.CapabilitiesBitmap = 0`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`for _, cap := range pc.Capabilities {`
			`switch cap {`
			`// If it's deny, don't include any other capability`
			`case DenyCapability:`
			`pc.Capabilities = []string{DenyCapability}`
Convert map to bitmap 2016-01-12 22:08:10 +00:00			`pc.CapabilitiesBitmap = DenyCapabilityInt`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`goto PathFinished`
			`case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability:`
Convert map to bitmap 2016-01-12 22:08:10 +00:00			`pc.CapabilitiesBitmap \|= cap2Int[cap]`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`default:`
			`return nil, fmt.Errorf("Invalid capability: %#v", pc)`
			`}`
			`}`

			`PathFinished:`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
			`return p, nil`
			`}`