open-vault/vault/policy.go

package vault

import (
	"fmt"
	"strings"

	"github.com/hashicorp/go-multierror"
	"github.com/hashicorp/hcl"
	"github.com/hashicorp/hcl/hcl/ast"
)

const (
	DenyCapability   = "deny"
	CreateCapability = "create"
	ReadCapability   = "read"
	UpdateCapability = "update"
	DeleteCapability = "delete"
	ListCapability   = "list"
	SudoCapability   = "sudo"
	RootCapability   = "root"

	// Backwards compatibility
	OldDenyPathPolicy  = "deny"
	OldReadPathPolicy  = "read"
	OldWritePathPolicy = "write"
	OldSudoPathPolicy  = "sudo"
)

const (
	DenyCapabilityInt uint32 = 1 << iota
	CreateCapabilityInt
	ReadCapabilityInt
	UpdateCapabilityInt
	DeleteCapabilityInt
	ListCapabilityInt
	SudoCapabilityInt
)

var (
	cap2Int = map[string]uint32{
		DenyCapability:   DenyCapabilityInt,
		CreateCapability: CreateCapabilityInt,
		ReadCapability:   ReadCapabilityInt,
		UpdateCapability: UpdateCapabilityInt,
		DeleteCapability: DeleteCapabilityInt,
		ListCapability:   ListCapabilityInt,
		SudoCapability:   SudoCapabilityInt,
	}
)

// Policy is used to represent the policy specified by
// an ACL configuration.
type Policy struct {
	Name  string              `hcl:"name"`
	Paths []*PathCapabilities `hcl:"-"`
	Raw   string
}

/*
 */
// PathCapabilities represents a policy for a path in the namespace.
type PathCapabilities struct {
	Prefix       string
	Policy       string
	Capabilities []string
  Permissions  *Permissions
	Glob         bool
}

type Permissions struct {
	CapabilitiesBitmap   uint32
	AllowedParameters    map[string][]string
	DisallowedParameters map[string][]string
}

// Parse is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func Parse(rules string) (*Policy, error) {
	// Parse the rules
	root, err := hcl.Parse(rules)
	if err != nil {
		return nil, fmt.Errorf("Failed to parse policy: %s", err)
	}

	// Top-level item should be the object list
	list, ok := root.Node.(*ast.ObjectList)
	if !ok {
		return nil, fmt.Errorf("Failed to parse policy: does not contain a root object")
	}

	// Check for invalid top-level keys
	valid := []string{
		"name",
		"path",
	}
	if err := checkHCLKeys(list, valid); err != nil {
		return nil, fmt.Errorf("Failed to parse policy: %s", err)
	}

	// Create the initial policy and store the raw text of the rules
	var p Policy
	p.Raw = rules
	if err := hcl.DecodeObject(&p, list); err != nil {
		return nil, fmt.Errorf("Failed to parse policy: %s", err)
	}

	if o := list.Filter("path"); len(o.Items) > 0 {
		if err := parsePaths(&p, o); err != nil {
			return nil, fmt.Errorf("Failed to parse policy: %s", err)
		}
	}

	return &p, nil
}

func parsePaths(result *Policy, list *ast.ObjectList) error {
	// specifically how can we access the key value pairs for
	// permissions
	paths := make([]*PathCapabilities, 0, len(list.Items))
	for _, item := range list.Items {
		key := "path"
		if len(item.Keys) > 0 {
			key = item.Keys[0].Token.Value().(string) // "secret/foo"
		}
		valid := []string{
			"policy",
			"capabilities",
			"permissions", // added here to validate
		}
		if err := checkHCLKeys(item.Val, valid); err != nil {
			return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
		}

		var pc PathCapabilities

		// allocate memory so that DecodeObject can initialize the Permissions struct
		pc.Permissions = new(Permissions)

		pc.Prefix = key
		if err := hcl.DecodeObject(&pc, item.Val); err != nil {
			return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
		}

		// Strip a leading '/' as paths in Vault start after the / in the API path
		if len(pc.Prefix) > 0 && pc.Prefix[0] == '/' {
			pc.Prefix = pc.Prefix[1:]
		}

		// Strip the glob character if found
		if strings.HasSuffix(pc.Prefix, "*") {
			pc.Prefix = strings.TrimSuffix(pc.Prefix, "*")
			pc.Glob = true
		}

		// Map old-style policies into capabilities
		if len(pc.Policy) > 0 {
			switch pc.Policy {
			case OldDenyPathPolicy:
				pc.Capabilities = []string{DenyCapability}
			case OldReadPathPolicy:
				pc.Capabilities = append(pc.Capabilities, []string{ReadCapability, ListCapability}...)
			case OldWritePathPolicy:
				pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability}...)
			case OldSudoPathPolicy:
				pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability}...)
			default:
				return fmt.Errorf("path %q: invalid policy '%s'", key, pc.Policy)
			}
		}

		// Initialize the map
		pc.Permissions.CapabilitiesBitmap = 0
		for _, cap := range pc.Capabilities {
			switch cap {
			// If it's deny, don't include any other capability
			case DenyCapability:
				pc.Capabilities = []string{DenyCapability}
				pc.Permissions.CapabilitiesBitmap = DenyCapabilityInt
				goto PathFinished
			case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability:
				pc.Permissions.CapabilitiesBitmap |= cap2Int[cap]
			default:
				return fmt.Errorf("path %q: invalid capability '%s'", key, cap)
			}
		}

	PathFinished:

		paths = append(paths, &pc)
	}

	result.Paths = paths
	return nil
}

func checkHCLKeys(node ast.Node, valid []string) error {
	var list *ast.ObjectList
	switch n := node.(type) {
	case *ast.ObjectList:
		list = n
	case *ast.ObjectType:
		list = n.List
	default:
		return fmt.Errorf("cannot check HCL keys of type %T", n)
	}

	validMap := make(map[string]struct{}, len(valid))
	for _, v := range valid {
		validMap[v] = struct{}{}
	}

	var result error
	for _, item := range list.Items {
		key := item.Keys[0].Token.Value().(string)
		if _, ok := validMap[key]; !ok {
			result = multierror.Append(result, fmt.Errorf(
				"invalid key '%s' on line %d", key, item.Assign.Line))
		}
	}

	return result
}
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`package vault`

			`import (`
			`"fmt"`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`"strings"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`"github.com/hashicorp/go-multierror"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`"github.com/hashicorp/hcl"`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`"github.com/hashicorp/hcl/hcl/ast"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`)`

			`const (`
Convert map to bitmap 2016-01-12 22:08:10 +00:00			`DenyCapability = "deny"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`CreateCapability = "create"`
			`ReadCapability = "read"`
			`UpdateCapability = "update"`
			`DeleteCapability = "delete"`
			`ListCapability = "list"`
			`SudoCapability = "sudo"`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`RootCapability = "root"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
			`// Backwards compatibility`
			`OldDenyPathPolicy = "deny"`
			`OldReadPathPolicy = "read"`
			`OldWritePathPolicy = "write"`
			`OldSudoPathPolicy = "sudo"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`)`

Convert map to bitmap 2016-01-12 22:08:10 +00:00			`const (`
			`DenyCapabilityInt uint32 = 1 << iota`
			`CreateCapabilityInt`
			`ReadCapabilityInt`
			`UpdateCapabilityInt`
			`DeleteCapabilityInt`
			`ListCapabilityInt`
			`SudoCapabilityInt`
			`)`

			`var (`
			`cap2Int = map[string]uint32{`
			`DenyCapability: DenyCapabilityInt,`
			`CreateCapability: CreateCapabilityInt,`
			`ReadCapability: ReadCapabilityInt,`
			`UpdateCapability: UpdateCapabilityInt,`
			`DeleteCapability: DeleteCapabilityInt,`
			`ListCapability: ListCapabilityInt,`
			`SudoCapability: SudoCapabilityInt,`
			`}`
			`)`

vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`// Policy is used to represent the policy specified by`
			`// an ACL configuration.`
			`type Policy struct {`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			Name string `hcl:"name"`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			Paths []*PathCapabilities `hcl:"-"`
vault: Refactor to use CollectKeys 2015-03-18 19:03:33 +00:00			`Raw string`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`/*`
			`*/`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`// PathCapabilities represents a policy for a path in the namespace.`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`type PathCapabilities struct {`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`Prefix string`
			`Policy string`
			`Capabilities []string`
Merge allowed and disallowed parameters maps. 2016-10-16 22:24:32 +00:00			`Permissions *Permissions`
Fixed Policy Permissions intergration and spelling. 2016-10-14 17:22:00 +00:00			`Glob bool`
			`}`

			`type Permissions struct {`
Merge allowed and disallowed parameters maps. 2016-10-16 22:24:32 +00:00			`CapabilitiesBitmap uint32`
			`AllowedParameters map[string][]string`
			`DisallowedParameters map[string][]string`
vault: Adding precedence logic for conflicting policy 2015-07-05 23:30:19 +00:00			`}`

vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`// Parse is used to parse the specified ACL rules into an`
			`// intermediary set of policies, before being compiled into`
			`// the ACL`
			`func Parse(rules string) (*Policy, error) {`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`// Parse the rules`
			`root, err := hcl.Parse(rules)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to parse policy: %s", err)`
			`}`

			`// Top-level item should be the object list`
			`list, ok := root.Node.(*ast.ObjectList)`
			`if !ok {`
			`return nil, fmt.Errorf("Failed to parse policy: does not contain a root object")`
			`}`

			`// Check for invalid top-level keys`
			`valid := []string{`
			`"name",`
			`"path",`
			`}`
			`if err := checkHCLKeys(list, valid); err != nil {`
			`return nil, fmt.Errorf("Failed to parse policy: %s", err)`
			`}`

			`// Create the initial policy and store the raw text of the rules`
Preserve pointer 2016-03-10 20:55:47 +00:00			`var p Policy`
			`p.Raw = rules`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`if err := hcl.DecodeObject(&p, list); err != nil {`
			`return nil, fmt.Errorf("Failed to parse policy: %s", err)`
			`}`

			`if o := list.Filter("path"); len(o.Items) > 0 {`
Preserve pointer 2016-03-10 20:55:47 +00:00			`if err := parsePaths(&p, o); err != nil {`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`return nil, fmt.Errorf("Failed to parse policy: %s", err)`
			`}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

Preserve pointer 2016-03-10 20:55:47 +00:00			`return &p, nil`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`}`

			`func parsePaths(result Policy, list ast.ObjectList) error {`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`// specifically how can we access the key value pairs for`
			`// permissions`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`paths := make([]*PathCapabilities, 0, len(list.Items))`
			`for _, item := range list.Items {`
			`key := "path"`
			`if len(item.Keys) > 0 {`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`key = item.Keys[0].Token.Value().(string) // "secret/foo"`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`}`
			`valid := []string{`
			`"policy",`
			`"capabilities",`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`"permissions", // added here to validate`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`}`
			`if err := checkHCLKeys(item.Val, valid); err != nil {`
			`return multierror.Prefix(err, fmt.Sprintf("path %q:", key))`
			`}`

			`var pc PathCapabilities`
policy now includes whether a certain parameter can be updated 2016-10-15 23:43:55 +00:00
			`// allocate memory so that DecodeObject can initialize the Permissions struct`
			`pc.Permissions = new(Permissions)`

Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`pc.Prefix = key`
			`if err := hcl.DecodeObject(&pc, item.Val); err != nil {`
			`return multierror.Prefix(err, fmt.Sprintf("path %q:", key))`
			`}`

			`// Strip a leading '/' as paths in Vault start after the / in the API path`
Strip leading paths in policies. It appears to be a common mistake, but they won't ever match. Fixes #1167 2016-03-03 16:32:48 +00:00			`if len(pc.Prefix) > 0 && pc.Prefix[0] == '/' {`
			`pc.Prefix = pc.Prefix[1:]`
			`}`

vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`// Strip the glob character if found`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`if strings.HasSuffix(pc.Prefix, "*") {`
			`pc.Prefix = strings.TrimSuffix(pc.Prefix, "*")`
			`pc.Glob = true`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// Map old-style policies into capabilities`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`if len(pc.Policy) > 0 {`
			`switch pc.Policy {`
			`case OldDenyPathPolicy:`
			`pc.Capabilities = []string{DenyCapability}`
			`case OldReadPathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{ReadCapability, ListCapability}...)`
			`case OldWritePathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability}...)`
			`case OldSudoPathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability}...)`
			`default:`
			`return fmt.Errorf("path %q: invalid policy '%s'", key, pc.Policy)`
			`}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
			`// Initialize the map`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`pc.Permissions.CapabilitiesBitmap = 0`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`for _, cap := range pc.Capabilities {`
			`switch cap {`
			`// If it's deny, don't include any other capability`
			`case DenyCapability:`
			`pc.Capabilities = []string{DenyCapability}`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`pc.Permissions.CapabilitiesBitmap = DenyCapabilityInt`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`goto PathFinished`
			`case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability:`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`pc.Permissions.CapabilitiesBitmap \|= cap2Int[cap]`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`default:`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`return fmt.Errorf("path %q: invalid capability '%s'", key, cap)`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`}`
			`}`

			`PathFinished:`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00
			`paths = append(paths, &pc)`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00
			`result.Paths = paths`
			`return nil`
			`}`

			`func checkHCLKeys(node ast.Node, valid []string) error {`
			`var list *ast.ObjectList`
			`switch n := node.(type) {`
			`case *ast.ObjectList:`
			`list = n`
			`case *ast.ObjectType:`
			`list = n.List`
			`default:`
			`return fmt.Errorf("cannot check HCL keys of type %T", n)`
			`}`

			`validMap := make(map[string]struct{}, len(valid))`
			`for _, v := range valid {`
			`validMap[v] = struct{}{}`
			`}`

			`var result error`
			`for _, item := range list.Items {`
			`key := item.Keys[0].Token.Value().(string)`
			`if _, ok := validMap[key]; !ok {`
			`result = multierror.Append(result, fmt.Errorf(`
			`"invalid key '%s' on line %d", key, item.Assign.Line))`
			`}`
			`}`

			`return result`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`