2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2022-04-27 23:35:18 +00:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
|
|
|
|
"net/url"
|
2023-02-21 15:12:45 +00:00
|
|
|
"strconv"
|
2022-04-27 23:35:18 +00:00
|
|
|
"strings"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
ErrOutputPolicyRequest = "output a policy, please"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var LastOutputPolicyError *OutputPolicyError
|
|
|
|
|
|
|
|
|
|
type OutputPolicyError struct {
|
|
|
|
|
method string
|
|
|
|
|
path string
|
2023-02-21 15:12:45 +00:00
|
|
|
params url.Values
|
2022-04-27 23:35:18 +00:00
|
|
|
finalHCLString string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (d *OutputPolicyError) Error() string {
|
|
|
|
|
if d.finalHCLString == "" {
|
|
|
|
|
p, err := d.buildSamplePolicy()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err.Error()
|
|
|
|
|
}
|
|
|
|
|
d.finalHCLString = p
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ErrOutputPolicyRequest
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (d *OutputPolicyError) HCLString() (string, error) {
|
|
|
|
|
if d.finalHCLString == "" {
|
|
|
|
|
p, err := d.buildSamplePolicy()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
d.finalHCLString = p
|
|
|
|
|
}
|
|
|
|
|
return d.finalHCLString, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Builds a sample policy document from the request
|
|
|
|
|
func (d *OutputPolicyError) buildSamplePolicy() (string, error) {
|
2023-02-21 15:12:45 +00:00
|
|
|
operation := d.method
|
|
|
|
|
// List is often defined as a URL param instead of as an http.Method
|
|
|
|
|
// this will check for the header and properly switch off of the intended functionality
|
|
|
|
|
if d.params.Has("list") {
|
|
|
|
|
isList, err := strconv.ParseBool(d.params.Get("list"))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("the value of the list url param is not a bool: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if isList {
|
|
|
|
|
operation = "LIST"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-27 23:35:18 +00:00
|
|
|
var capabilities []string
|
2023-02-21 15:12:45 +00:00
|
|
|
switch operation {
|
2022-04-27 23:35:18 +00:00
|
|
|
case http.MethodGet, "":
|
|
|
|
|
capabilities = append(capabilities, "read")
|
|
|
|
|
case http.MethodPost, http.MethodPut:
|
|
|
|
|
capabilities = append(capabilities, "create")
|
|
|
|
|
capabilities = append(capabilities, "update")
|
|
|
|
|
case http.MethodPatch:
|
|
|
|
|
capabilities = append(capabilities, "patch")
|
|
|
|
|
case http.MethodDelete:
|
|
|
|
|
capabilities = append(capabilities, "delete")
|
|
|
|
|
case "LIST":
|
|
|
|
|
capabilities = append(capabilities, "list")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// determine whether to add sudo capability
|
2023-02-21 15:12:45 +00:00
|
|
|
if IsSudoPath(d.path) {
|
2022-04-27 23:35:18 +00:00
|
|
|
capabilities = append(capabilities, "sudo")
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-21 15:12:45 +00:00
|
|
|
return formatOutputPolicy(d.path, capabilities), nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func formatOutputPolicy(path string, capabilities []string) string {
|
2022-04-27 23:35:18 +00:00
|
|
|
// the OpenAPI response has a / in front of each path,
|
|
|
|
|
// but policies need the path without that leading slash
|
|
|
|
|
path = strings.TrimLeft(path, "/")
|
|
|
|
|
|
|
|
|
|
capStr := strings.Join(capabilities, `", "`)
|
|
|
|
|
return fmt.Sprintf(
|
|
|
|
|
`path "%s" {
|
|
|
|
|
capabilities = ["%s"]
|
2023-02-21 15:12:45 +00:00
|
|
|
}`, path, capStr)
|
2022-04-27 23:35:18 +00:00
|
|
|
}
|
