open-vault/vault/policy.go

package vault

import (
	"errors"
	"fmt"
	"strings"
	"time"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/go-multierror"
	"github.com/hashicorp/hcl"
	"github.com/hashicorp/hcl/hcl/ast"
	"github.com/hashicorp/vault/helper/parseutil"
	"github.com/mitchellh/copystructure"
)

const (
	DenyCapability   = "deny"
	CreateCapability = "create"
	ReadCapability   = "read"
	UpdateCapability = "update"
	DeleteCapability = "delete"
	ListCapability   = "list"
	SudoCapability   = "sudo"
	RootCapability   = "root"

	// Backwards compatibility
	OldDenyPathPolicy  = "deny"
	OldReadPathPolicy  = "read"
	OldWritePathPolicy = "write"
	OldSudoPathPolicy  = "sudo"
)

const (
	DenyCapabilityInt uint32 = 1 << iota
	CreateCapabilityInt
	ReadCapabilityInt
	UpdateCapabilityInt
	DeleteCapabilityInt
	ListCapabilityInt
	SudoCapabilityInt
)

var (
	cap2Int = map[string]uint32{
		DenyCapability:   DenyCapabilityInt,
		CreateCapability: CreateCapabilityInt,
		ReadCapability:   ReadCapabilityInt,
		UpdateCapability: UpdateCapabilityInt,
		DeleteCapability: DeleteCapabilityInt,
		ListCapability:   ListCapabilityInt,
		SudoCapability:   SudoCapabilityInt,
	}
)

// Policy is used to represent the policy specified by
// an ACL configuration.
type Policy struct {
	Name  string              `hcl:"name"`
	Paths []*PathCapabilities `hcl:"-"`
	Raw   string
}

// PathCapabilities represents a policy for a path in the namespace.
type PathCapabilities struct {
	Prefix       string
	Policy       string
	Permissions  *Permissions
	Glob         bool
	Capabilities []string

	// These keys are used at the top level to make the HCL nicer; we store in
	// the Permissions object though
	MinWrappingTTLHCL    interface{}              `hcl:"min_wrapping_ttl"`
	MaxWrappingTTLHCL    interface{}              `hcl:"max_wrapping_ttl"`
	AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"`
	DeniedParametersHCL  map[string][]interface{} `hcl:"denied_parameters"`
}

type Permissions struct {
	CapabilitiesBitmap uint32
	MinWrappingTTL     time.Duration
	MaxWrappingTTL     time.Duration
	AllowedParameters  map[string][]interface{}
	DeniedParameters   map[string][]interface{}
}

func (p *Permissions) Clone() (*Permissions, error) {
	ret := &Permissions{
		CapabilitiesBitmap: p.CapabilitiesBitmap,
		MinWrappingTTL:     p.MinWrappingTTL,
		MaxWrappingTTL:     p.MaxWrappingTTL,
	}

	switch {
	case p.AllowedParameters == nil:
	case len(p.AllowedParameters) == 0:
		ret.AllowedParameters = make(map[string][]interface{})
	default:
		clonedAllowed, err := copystructure.Copy(p.AllowedParameters)
		if err != nil {
			return nil, err
		}
		ret.AllowedParameters = clonedAllowed.(map[string][]interface{})
	}

	switch {
	case p.DeniedParameters == nil:
	case len(p.DeniedParameters) == 0:
		ret.DeniedParameters = make(map[string][]interface{})
	default:
		clonedDenied, err := copystructure.Copy(p.DeniedParameters)
		if err != nil {
			return nil, err
		}
		ret.DeniedParameters = clonedDenied.(map[string][]interface{})
	}

	return ret, nil
}

// Parse is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func Parse(rules string) (*Policy, error) {
	// Parse the rules
	root, err := hcl.Parse(rules)
	if err != nil {
		return nil, fmt.Errorf("Failed to parse policy: %s", err)
	}

	// Top-level item should be the object list
	list, ok := root.Node.(*ast.ObjectList)
	if !ok {
		return nil, fmt.Errorf("Failed to parse policy: does not contain a root object")
	}

	// Check for invalid top-level keys
	valid := []string{
		"name",
		"path",
	}
	if err := checkHCLKeys(list, valid); err != nil {
		return nil, fmt.Errorf("Failed to parse policy: %s", err)
	}

	// Create the initial policy and store the raw text of the rules
	var p Policy
	p.Raw = rules
	if err := hcl.DecodeObject(&p, list); err != nil {
		return nil, fmt.Errorf("Failed to parse policy: %s", err)
	}

	if o := list.Filter("path"); len(o.Items) > 0 {
		if err := parsePaths(&p, o); err != nil {
			return nil, fmt.Errorf("Failed to parse policy: %s", err)
		}
	}

	return &p, nil
}

func parsePaths(result *Policy, list *ast.ObjectList) error {
	paths := make([]*PathCapabilities, 0, len(list.Items))
	for _, item := range list.Items {
		key := "path"
		if len(item.Keys) > 0 {
			key = item.Keys[0].Token.Value().(string)
		}
		valid := []string{
			"policy",
			"capabilities",
			"allowed_parameters",
			"denied_parameters",
			"min_wrapping_ttl",
			"max_wrapping_ttl",
		}
		if err := checkHCLKeys(item.Val, valid); err != nil {
			return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
		}

		var pc PathCapabilities

		// allocate memory so that DecodeObject can initialize the Permissions struct
		pc.Permissions = new(Permissions)

		pc.Prefix = key
		if err := hcl.DecodeObject(&pc, item.Val); err != nil {
			return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
		}

		// Strip a leading '/' as paths in Vault start after the / in the API path
		if len(pc.Prefix) > 0 && pc.Prefix[0] == '/' {
			pc.Prefix = pc.Prefix[1:]
		}

		// Strip the glob character if found
		if strings.HasSuffix(pc.Prefix, "*") {
			pc.Prefix = strings.TrimSuffix(pc.Prefix, "*")
			pc.Glob = true
		}

		// Map old-style policies into capabilities
		if len(pc.Policy) > 0 {
			switch pc.Policy {
			case OldDenyPathPolicy:
				pc.Capabilities = []string{DenyCapability}
			case OldReadPathPolicy:
				pc.Capabilities = append(pc.Capabilities, []string{ReadCapability, ListCapability}...)
			case OldWritePathPolicy:
				pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability}...)
			case OldSudoPathPolicy:
				pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability}...)
			default:
				return fmt.Errorf("path %q: invalid policy '%s'", key, pc.Policy)
			}
		}

		// Initialize the map
		pc.Permissions.CapabilitiesBitmap = 0
		for _, cap := range pc.Capabilities {
			switch cap {
			// If it's deny, don't include any other capability
			case DenyCapability:
				pc.Capabilities = []string{DenyCapability}
				pc.Permissions.CapabilitiesBitmap = DenyCapabilityInt
				goto PathFinished
			case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability:
				pc.Permissions.CapabilitiesBitmap |= cap2Int[cap]
			default:
				return fmt.Errorf("path %q: invalid capability '%s'", key, cap)
			}
		}

		if pc.AllowedParametersHCL != nil {
			pc.Permissions.AllowedParameters = make(map[string][]interface{}, len(pc.AllowedParametersHCL))
			for key, val := range pc.AllowedParametersHCL {
				pc.Permissions.AllowedParameters[strings.ToLower(key)] = val
			}
		}
		if pc.DeniedParametersHCL != nil {
			pc.Permissions.DeniedParameters = make(map[string][]interface{}, len(pc.DeniedParametersHCL))

			for key, val := range pc.DeniedParametersHCL {
				pc.Permissions.DeniedParameters[strings.ToLower(key)] = val
			}
		}
		if pc.MinWrappingTTLHCL != nil {
			dur, err := parseutil.ParseDurationSecond(pc.MinWrappingTTLHCL)
			if err != nil {
				return errwrap.Wrapf("error parsing min_wrapping_ttl: {{err}}", err)
			}
			pc.Permissions.MinWrappingTTL = dur
		}
		if pc.MaxWrappingTTLHCL != nil {
			dur, err := parseutil.ParseDurationSecond(pc.MaxWrappingTTLHCL)
			if err != nil {
				return errwrap.Wrapf("error parsing max_wrapping_ttl: {{err}}", err)
			}
			pc.Permissions.MaxWrappingTTL = dur
		}
		if pc.Permissions.MinWrappingTTL != 0 &&
			pc.Permissions.MaxWrappingTTL != 0 &&
			pc.Permissions.MaxWrappingTTL < pc.Permissions.MinWrappingTTL {
			return errors.New("max_wrapping_ttl cannot be less than min_wrapping_ttl")
		}

	PathFinished:
		paths = append(paths, &pc)
	}

	result.Paths = paths
	return nil
}

func checkHCLKeys(node ast.Node, valid []string) error {
	var list *ast.ObjectList
	switch n := node.(type) {
	case *ast.ObjectList:
		list = n
	case *ast.ObjectType:
		list = n.List
	default:
		return fmt.Errorf("cannot check HCL keys of type %T", n)
	}

	validMap := make(map[string]struct{}, len(valid))
	for _, v := range valid {
		validMap[v] = struct{}{}
	}

	var result error
	for _, item := range list.Items {
		key := item.Keys[0].Token.Value().(string)
		if _, ok := validMap[key]; !ok {
			result = multierror.Append(result, fmt.Errorf(
				"invalid key '%s' on line %d", key, item.Assign.Line))
		}
	}

	return result
}
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`package vault`

			`import (`
Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`"errors"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`"fmt"`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`"strings"`
Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`"time"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00
Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`"github.com/hashicorp/errwrap"`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`"github.com/hashicorp/go-multierror"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`"github.com/hashicorp/hcl"`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`"github.com/hashicorp/hcl/hcl/ast"`
Rename helper 'duration' to 'parseutil'. (#2449) Add a ParseBool function that accepts various kinds of ways of specifying booleans. Have config use ParseBool for UI and disabling mlock/cache. 2017-03-07 16:21:22 +00:00			`"github.com/hashicorp/vault/helper/parseutil"`
Clone policy permissions and then use existing values rather than policy values for modifications (#2826) Should fix #2804 2017-06-07 17:49:51 +00:00			`"github.com/mitchellh/copystructure"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`)`

			`const (`
Convert map to bitmap 2016-01-12 22:08:10 +00:00			`DenyCapability = "deny"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`CreateCapability = "create"`
			`ReadCapability = "read"`
			`UpdateCapability = "update"`
			`DeleteCapability = "delete"`
			`ListCapability = "list"`
			`SudoCapability = "sudo"`
refactoring changes due to acl.Capabilities 2016-03-04 18:21:07 +00:00			`RootCapability = "root"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
			`// Backwards compatibility`
			`OldDenyPathPolicy = "deny"`
			`OldReadPathPolicy = "read"`
			`OldWritePathPolicy = "write"`
			`OldSudoPathPolicy = "sudo"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`)`

Convert map to bitmap 2016-01-12 22:08:10 +00:00			`const (`
			`DenyCapabilityInt uint32 = 1 << iota`
			`CreateCapabilityInt`
			`ReadCapabilityInt`
			`UpdateCapabilityInt`
			`DeleteCapabilityInt`
			`ListCapabilityInt`
			`SudoCapabilityInt`
			`)`

			`var (`
			`cap2Int = map[string]uint32{`
			`DenyCapability: DenyCapabilityInt,`
			`CreateCapability: CreateCapabilityInt,`
			`ReadCapability: ReadCapabilityInt,`
			`UpdateCapability: UpdateCapabilityInt,`
			`DeleteCapability: DeleteCapabilityInt,`
			`ListCapability: ListCapabilityInt,`
			`SudoCapability: SudoCapabilityInt,`
			`}`
			`)`

vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`// Policy is used to represent the policy specified by`
			`// an ACL configuration.`
			`type Policy struct {`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			Name string `hcl:"name"`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			Paths []*PathCapabilities `hcl:"-"`
vault: Refactor to use CollectKeys 2015-03-18 19:03:33 +00:00			`Raw string`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`// PathCapabilities represents a policy for a path in the namespace.`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`type PathCapabilities struct {`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`Prefix string`
			`Policy string`
Implemented AllowOperation parameter permission checking for request data. 2016-10-22 01:38:05 +00:00			`Permissions *Permissions`
Fixed Policy Permissions intergration and spelling. 2016-10-14 17:22:00 +00:00			`Glob bool`
Remove "permissions" from ACL 2017-02-16 02:12:26 +00:00			`Capabilities []string`

Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`// These keys are used at the top level to make the HCL nicer; we store in`
			`// the Permissions object though`
			MinWrappingTTLHCL interface{} `hcl:"min_wrapping_ttl"`
			MaxWrappingTTLHCL interface{} `hcl:"max_wrapping_ttl"`
Remove "permissions" from ACL 2017-02-16 02:12:26 +00:00			AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"`
			DeniedParametersHCL map[string][]interface{} `hcl:"denied_parameters"`
Fixed Policy Permissions intergration and spelling. 2016-10-14 17:22:00 +00:00			`}`

			`type Permissions struct {`
Implemented AllowOperation parameter permission checking for request data. 2016-10-22 01:38:05 +00:00			`CapabilitiesBitmap uint32`
Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`MinWrappingTTL time.Duration`
			`MaxWrappingTTL time.Duration`
Remove "permissions" from ACL 2017-02-16 02:12:26 +00:00			`AllowedParameters map[string][]interface{}`
			`DeniedParameters map[string][]interface{}`
vault: Adding precedence logic for conflicting policy 2015-07-05 23:30:19 +00:00			`}`

Clone policy permissions and then use existing values rather than policy values for modifications (#2826) Should fix #2804 2017-06-07 17:49:51 +00:00			`func (p Permissions) Clone() (Permissions, error) {`
			`ret := &Permissions{`
			`CapabilitiesBitmap: p.CapabilitiesBitmap,`
			`MinWrappingTTL: p.MinWrappingTTL,`
			`MaxWrappingTTL: p.MaxWrappingTTL,`
			`}`

			`switch {`
			`case p.AllowedParameters == nil:`
			`case len(p.AllowedParameters) == 0:`
			`ret.AllowedParameters = make(map[string][]interface{})`
			`default:`
			`clonedAllowed, err := copystructure.Copy(p.AllowedParameters)`
			`if err != nil {`
			`return nil, err`
			`}`
			`ret.AllowedParameters = clonedAllowed.(map[string][]interface{})`
			`}`

			`switch {`
			`case p.DeniedParameters == nil:`
			`case len(p.DeniedParameters) == 0:`
			`ret.DeniedParameters = make(map[string][]interface{})`
			`default:`
			`clonedDenied, err := copystructure.Copy(p.DeniedParameters)`
			`if err != nil {`
			`return nil, err`
			`}`
			`ret.DeniedParameters = clonedDenied.(map[string][]interface{})`
			`}`

			`return ret, nil`
			`}`

vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`// Parse is used to parse the specified ACL rules into an`
			`// intermediary set of policies, before being compiled into`
			`// the ACL`
			`func Parse(rules string) (*Policy, error) {`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`// Parse the rules`
			`root, err := hcl.Parse(rules)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to parse policy: %s", err)`
			`}`

			`// Top-level item should be the object list`
			`list, ok := root.Node.(*ast.ObjectList)`
			`if !ok {`
			`return nil, fmt.Errorf("Failed to parse policy: does not contain a root object")`
			`}`

			`// Check for invalid top-level keys`
			`valid := []string{`
			`"name",`
			`"path",`
			`}`
			`if err := checkHCLKeys(list, valid); err != nil {`
			`return nil, fmt.Errorf("Failed to parse policy: %s", err)`
			`}`

			`// Create the initial policy and store the raw text of the rules`
Preserve pointer 2016-03-10 20:55:47 +00:00			`var p Policy`
			`p.Raw = rules`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`if err := hcl.DecodeObject(&p, list); err != nil {`
			`return nil, fmt.Errorf("Failed to parse policy: %s", err)`
			`}`

			`if o := list.Filter("path"); len(o.Items) > 0 {`
Preserve pointer 2016-03-10 20:55:47 +00:00			`if err := parsePaths(&p, o); err != nil {`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`return nil, fmt.Errorf("Failed to parse policy: %s", err)`
			`}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

Preserve pointer 2016-03-10 20:55:47 +00:00			`return &p, nil`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`}`

			`func parsePaths(result Policy, list ast.ObjectList) error {`
			`paths := make([]*PathCapabilities, 0, len(list.Items))`
			`for _, item := range list.Items {`
			`key := "path"`
			`if len(item.Keys) > 0 {`
Remove some extra comments 2017-01-20 19:32:58 +00:00			`key = item.Keys[0].Token.Value().(string)`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`}`
			`valid := []string{`
			`"policy",`
			`"capabilities",`
Remove "permissions" from ACL 2017-02-16 02:12:26 +00:00			`"allowed_parameters",`
			`"denied_parameters",`
Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`"min_wrapping_ttl",`
			`"max_wrapping_ttl",`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`}`
			`if err := checkHCLKeys(item.Val, valid); err != nil {`
			`return multierror.Prefix(err, fmt.Sprintf("path %q:", key))`
			`}`

			`var pc PathCapabilities`
policy now includes whether a certain parameter can be updated 2016-10-15 23:43:55 +00:00
			`// allocate memory so that DecodeObject can initialize the Permissions struct`
			`pc.Permissions = new(Permissions)`

Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`pc.Prefix = key`
			`if err := hcl.DecodeObject(&pc, item.Val); err != nil {`
			`return multierror.Prefix(err, fmt.Sprintf("path %q:", key))`
			`}`

			`// Strip a leading '/' as paths in Vault start after the / in the API path`
Strip leading paths in policies. It appears to be a common mistake, but they won't ever match. Fixes #1167 2016-03-03 16:32:48 +00:00			`if len(pc.Prefix) > 0 && pc.Prefix[0] == '/' {`
			`pc.Prefix = pc.Prefix[1:]`
			`}`

vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`// Strip the glob character if found`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`if strings.HasSuffix(pc.Prefix, "*") {`
			`pc.Prefix = strings.TrimSuffix(pc.Prefix, "*")`
			`pc.Glob = true`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// Map old-style policies into capabilities`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`if len(pc.Policy) > 0 {`
			`switch pc.Policy {`
			`case OldDenyPathPolicy:`
			`pc.Capabilities = []string{DenyCapability}`
			`case OldReadPathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{ReadCapability, ListCapability}...)`
			`case OldWritePathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability}...)`
			`case OldSudoPathPolicy:`
			`pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability}...)`
			`default:`
			`return fmt.Errorf("path %q: invalid policy '%s'", key, pc.Policy)`
			`}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
			`// Initialize the map`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`pc.Permissions.CapabilitiesBitmap = 0`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`for _, cap := range pc.Capabilities {`
			`switch cap {`
			`// If it's deny, don't include any other capability`
			`case DenyCapability:`
			`pc.Capabilities = []string{DenyCapability}`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`pc.Permissions.CapabilitiesBitmap = DenyCapabilityInt`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`goto PathFinished`
			`case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability:`
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 22:39:58 +00:00			`pc.Permissions.CapabilitiesBitmap \|= cap2Int[cap]`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`default:`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`return fmt.Errorf("path %q: invalid capability '%s'", key, cap)`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`}`
			`}`

ToLower parameter strings 2017-02-17 01:50:10 +00:00			`if pc.AllowedParametersHCL != nil {`
			`pc.Permissions.AllowedParameters = make(map[string][]interface{}, len(pc.AllowedParametersHCL))`
			`for key, val := range pc.AllowedParametersHCL {`
			`pc.Permissions.AllowedParameters[strings.ToLower(key)] = val`
			`}`
			`}`
			`if pc.DeniedParametersHCL != nil {`
			`pc.Permissions.DeniedParameters = make(map[string][]interface{}, len(pc.DeniedParametersHCL))`

			`for key, val := range pc.DeniedParametersHCL {`
			`pc.Permissions.DeniedParameters[strings.ToLower(key)] = val`
			`}`
			`}`
Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`if pc.MinWrappingTTLHCL != nil {`
Rename helper 'duration' to 'parseutil'. (#2449) Add a ParseBool function that accepts various kinds of ways of specifying booleans. Have config use ParseBool for UI and disabling mlock/cache. 2017-03-07 16:21:22 +00:00			`dur, err := parseutil.ParseDurationSecond(pc.MinWrappingTTLHCL)`
Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`if err != nil {`
			`return errwrap.Wrapf("error parsing min_wrapping_ttl: {{err}}", err)`
			`}`
			`pc.Permissions.MinWrappingTTL = dur`
			`}`
			`if pc.MaxWrappingTTLHCL != nil {`
Rename helper 'duration' to 'parseutil'. (#2449) Add a ParseBool function that accepts various kinds of ways of specifying booleans. Have config use ParseBool for UI and disabling mlock/cache. 2017-03-07 16:21:22 +00:00			`dur, err := parseutil.ParseDurationSecond(pc.MaxWrappingTTLHCL)`
Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 19:42:00 +00:00			`if err != nil {`
			`return errwrap.Wrapf("error parsing max_wrapping_ttl: {{err}}", err)`
			`}`
			`pc.Permissions.MaxWrappingTTL = dur`
			`}`
			`if pc.Permissions.MinWrappingTTL != 0 &&`
			`pc.Permissions.MaxWrappingTTL != 0 &&`
			`pc.Permissions.MaxWrappingTTL < pc.Permissions.MinWrappingTTL {`
			`return errors.New("max_wrapping_ttl cannot be less than min_wrapping_ttl")`
			`}`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00
Remove "permissions" from ACL 2017-02-16 02:12:26 +00:00			`PathFinished:`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`paths = append(paths, &pc)`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00
			`result.Paths = paths`
			`return nil`
			`}`

			`func checkHCLKeys(node ast.Node, valid []string) error {`
			`var list *ast.ObjectList`
			`switch n := node.(type) {`
			`case *ast.ObjectList:`
			`list = n`
			`case *ast.ObjectType:`
			`list = n.List`
			`default:`
			`return fmt.Errorf("cannot check HCL keys of type %T", n)`
			`}`

			`validMap := make(map[string]struct{}, len(valid))`
			`for _, v := range valid {`
			`validMap[v] = struct{}{}`
			`}`

			`var result error`
			`for _, item := range list.Items {`
			`key := item.Keys[0].Token.Value().(string)`
			`if _, ok := validMap[key]; !ok {`
			`result = multierror.Append(result, fmt.Errorf(`
			`"invalid key '%s' on line %d", key, item.Assign.Line))`
			`}`
			`}`

			`return result`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`