2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2016-04-06 00:30:38 +00:00
|
|
|
package policyutil
|
|
|
|
|
|
|
|
import (
|
|
|
|
"sort"
|
|
|
|
"strings"
|
2016-05-05 14:22:28 +00:00
|
|
|
|
2021-07-16 00:17:31 +00:00
|
|
|
"github.com/hashicorp/go-secure-stdlib/strutil"
|
2016-04-06 00:30:38 +00:00
|
|
|
)
|
|
|
|
|
2016-12-16 05:36:39 +00:00
|
|
|
const (
|
|
|
|
AddDefaultPolicy = true
|
|
|
|
DoNotAddDefaultPolicy = false
|
|
|
|
)
|
|
|
|
|
2016-05-13 15:50:00 +00:00
|
|
|
// ParsePolicies parses a comma-delimited list of policies.
|
|
|
|
// The resulting collection will have no duplicate elements.
|
|
|
|
// If 'root' policy was present in the list of policies, then
|
|
|
|
// all other policies will be ignored, the result will contain
|
|
|
|
// just the 'root'. In cases where 'root' is not present, if
|
2016-05-13 16:20:10 +00:00
|
|
|
// 'default' policy is not already present, it will be added.
|
2017-08-15 00:15:51 +00:00
|
|
|
func ParsePolicies(policiesRaw interface{}) []string {
|
|
|
|
if policiesRaw == nil {
|
2016-05-05 14:22:28 +00:00
|
|
|
return []string{"default"}
|
|
|
|
}
|
|
|
|
|
2017-08-15 00:15:51 +00:00
|
|
|
var policies []string
|
|
|
|
switch policiesRaw.(type) {
|
|
|
|
case string:
|
|
|
|
if policiesRaw.(string) == "" {
|
2017-09-13 15:36:52 +00:00
|
|
|
return []string{}
|
2017-08-15 00:15:51 +00:00
|
|
|
}
|
|
|
|
policies = strings.Split(policiesRaw.(string), ",")
|
|
|
|
case []string:
|
|
|
|
policies = policiesRaw.([]string)
|
|
|
|
}
|
2016-05-05 14:22:28 +00:00
|
|
|
|
2017-09-13 15:36:52 +00:00
|
|
|
return SanitizePolicies(policies, false)
|
2016-05-05 14:22:28 +00:00
|
|
|
}
|
|
|
|
|
2016-05-13 15:50:00 +00:00
|
|
|
// SanitizePolicies performs the common input validation tasks
|
|
|
|
// which are performed on the list of policies across Vault.
|
|
|
|
// The resulting collection will have no duplicate elements.
|
|
|
|
// If 'root' policy was present in the list of policies, then
|
|
|
|
// all other policies will be ignored, the result will contain
|
|
|
|
// just the 'root'. In cases where 'root' is not present, if
|
|
|
|
// 'default' policy is not already present, it will be added
|
|
|
|
// if addDefault is set to true.
|
|
|
|
func SanitizePolicies(policies []string, addDefault bool) []string {
|
2016-04-06 00:30:38 +00:00
|
|
|
defaultFound := false
|
|
|
|
for i, p := range policies {
|
2016-05-05 09:22:59 +00:00
|
|
|
policies[i] = strings.ToLower(strings.TrimSpace(p))
|
2016-05-05 14:22:28 +00:00
|
|
|
// Eliminate unnamed policies.
|
|
|
|
if policies[i] == "" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2016-04-06 00:30:38 +00:00
|
|
|
// If 'root' policy is present, ignore all other policies.
|
|
|
|
if policies[i] == "root" {
|
|
|
|
policies = []string{"root"}
|
|
|
|
defaultFound = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
if policies[i] == "default" {
|
|
|
|
defaultFound = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Always add 'default' except only if the policies contain 'root'.
|
2016-05-13 15:50:00 +00:00
|
|
|
if addDefault && (len(policies) == 0 || !defaultFound) {
|
2016-04-06 00:30:38 +00:00
|
|
|
policies = append(policies, "default")
|
|
|
|
}
|
|
|
|
|
2017-04-04 15:54:18 +00:00
|
|
|
return strutil.RemoveDuplicates(policies, true)
|
2016-04-06 00:30:38 +00:00
|
|
|
}
|
|
|
|
|
2016-07-22 12:44:16 +00:00
|
|
|
// EquivalentPolicies checks whether the given policy sets are equivalent, as in,
|
2016-04-06 00:30:38 +00:00
|
|
|
// they contain the same values. The benefit of this method is that it leaves
|
|
|
|
// the "default" policy out of its comparisons as it may be added later by core
|
|
|
|
// after a set of policies has been saved by a backend.
|
|
|
|
func EquivalentPolicies(a, b []string) bool {
|
2018-07-17 05:23:26 +00:00
|
|
|
switch {
|
|
|
|
case a == nil && b == nil:
|
2016-04-06 00:30:38 +00:00
|
|
|
return true
|
2018-07-17 05:23:26 +00:00
|
|
|
case a == nil && len(b) == 1 && b[0] == "default":
|
|
|
|
return true
|
|
|
|
case b == nil && len(a) == 1 && a[0] == "default":
|
|
|
|
return true
|
|
|
|
case a == nil || b == nil:
|
2016-04-06 00:30:38 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// First we'll build maps to ensure unique values and filter default
|
|
|
|
mapA := map[string]bool{}
|
|
|
|
mapB := map[string]bool{}
|
|
|
|
for _, keyA := range a {
|
|
|
|
if keyA == "default" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
mapA[keyA] = true
|
|
|
|
}
|
|
|
|
for _, keyB := range b {
|
|
|
|
if keyB == "default" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
mapB[keyB] = true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now we'll build our checking slices
|
|
|
|
var sortedA, sortedB []string
|
2021-04-08 16:43:39 +00:00
|
|
|
for keyA := range mapA {
|
2016-04-06 00:30:38 +00:00
|
|
|
sortedA = append(sortedA, keyA)
|
|
|
|
}
|
2021-04-08 16:43:39 +00:00
|
|
|
for keyB := range mapB {
|
2016-04-06 00:30:38 +00:00
|
|
|
sortedB = append(sortedB, keyB)
|
|
|
|
}
|
|
|
|
sort.Strings(sortedA)
|
|
|
|
sort.Strings(sortedB)
|
|
|
|
|
|
|
|
// Finally, compare
|
|
|
|
if len(sortedA) != len(sortedB) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
for i := range sortedA {
|
|
|
|
if sortedA[i] != sortedB[i] {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|