open-vault/vault/policy.go

package vault

import (
	"fmt"
	"strings"

	"github.com/hashicorp/hcl"
)

const (
	PathPolicyDeny  = "deny"
	PathPolicyRead  = "read"
	PathPolicyWrite = "write"
	PathPolicySudo  = "sudo"
)

// Policy is used to represent the policy specified by
// an ACL configuration.
type Policy struct {
	Name  string        `hcl:"name"`
	Paths []*PathPolicy `hcl:"path,expand"`
	Raw   string
}

// PathPolicy represents a policy for a path in the namespace
type PathPolicy struct {
	Prefix string `hcl:",key"`
	Policy string
	Glob   bool
}

// TakesPrecedence is used when multiple policies
// collide on a path to determine which policy takes
// precendence.
func (p *PathPolicy) TakesPrecedence(other *PathPolicy) bool {
	// Handle the full merge matrix
	switch p.Policy {
	case PathPolicyDeny:
		// Deny always takes precendence
		return true

	case PathPolicyRead:
		// Read never takes precedence
		return false

	case PathPolicyWrite:
		switch other.Policy {
		case PathPolicyRead:
			return true
		case PathPolicyDeny, PathPolicyWrite, PathPolicySudo:
			return false
		default:
			panic("missing case")
		}

	case PathPolicySudo:
		switch other.Policy {
		case PathPolicyRead, PathPolicyWrite:
			return true
		case PathPolicyDeny, PathPolicySudo:
			return false
		default:
			panic("missing case")
		}

	default:
		panic("missing case")
	}
}

// Parse is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func Parse(rules string) (*Policy, error) {
	// Decode the rules
	p := &Policy{Raw: rules}
	if err := hcl.Decode(p, rules); err != nil {
		return nil, fmt.Errorf("Failed to parse ACL rules: %v", err)
	}

	// Validate the path policy
	for _, pp := range p.Paths {
		// Strip the glob character if found
		if strings.HasSuffix(pp.Prefix, "*") {
			pp.Prefix = strings.TrimSuffix(pp.Prefix, "*")
			pp.Glob = true
		}

		// Check the policy is valid
		switch pp.Policy {
		case PathPolicyDeny:
		case PathPolicyRead:
		case PathPolicyWrite:
		case PathPolicySudo:
		default:
			return nil, fmt.Errorf("Invalid path policy: %#v", pp)
		}
	}
	return p, nil
}
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`package vault`

			`import (`
			`"fmt"`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`"strings"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00
			`"github.com/hashicorp/hcl"`
			`)`

			`const (`
			`PathPolicyDeny = "deny"`
			`PathPolicyRead = "read"`
			`PathPolicyWrite = "write"`
			`PathPolicySudo = "sudo"`
			`)`

			`// Policy is used to represent the policy specified by`
			`// an ACL configuration.`
			`type Policy struct {`
			Name string `hcl:"name"`
			Paths []*PathPolicy `hcl:"path,expand"`
vault: Refactor to use CollectKeys 2015-03-18 19:03:33 +00:00			`Raw string`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

			`// PathPolicy represents a policy for a path in the namespace`
			`type PathPolicy struct {`
			Prefix string `hcl:",key"`
			`Policy string`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`Glob bool`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

vault: Adding precedence logic for conflicting policy 2015-07-05 23:30:19 +00:00			`// TakesPrecedence is used when multiple policies`
			`// collide on a path to determine which policy takes`
			`// precendence.`
			`func (p PathPolicy) TakesPrecedence(other PathPolicy) bool {`
			`// Handle the full merge matrix`
			`switch p.Policy {`
			`case PathPolicyDeny:`
			`// Deny always takes precendence`
			`return true`

			`case PathPolicyRead:`
			`// Read never takes precedence`
			`return false`

			`case PathPolicyWrite:`
			`switch other.Policy {`
			`case PathPolicyRead:`
			`return true`
			`case PathPolicyDeny, PathPolicyWrite, PathPolicySudo:`
			`return false`
			`default:`
			`panic("missing case")`
			`}`

			`case PathPolicySudo:`
			`switch other.Policy {`
			`case PathPolicyRead, PathPolicyWrite:`
			`return true`
			`case PathPolicyDeny, PathPolicySudo:`
			`return false`
			`default:`
			`panic("missing case")`
			`}`

			`default:`
			`panic("missing case")`
			`}`
			`}`

vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`// Parse is used to parse the specified ACL rules into an`
			`// intermediary set of policies, before being compiled into`
			`// the ACL`
			`func Parse(rules string) (*Policy, error) {`
			`// Decode the rules`
vault: Refactor to use CollectKeys 2015-03-18 19:03:33 +00:00			`p := &Policy{Raw: rules}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`if err := hcl.Decode(p, rules); err != nil {`
			`return nil, fmt.Errorf("Failed to parse ACL rules: %v", err)`
			`}`

			`// Validate the path policy`
			`for _, pp := range p.Paths {`
vault: look for glob character in policy 2015-07-05 21:58:38 +00:00			`// Strip the glob character if found`
			`if strings.HasSuffix(pp.Prefix, "*") {`
			`pp.Prefix = strings.TrimSuffix(pp.Prefix, "*")`
			`pp.Glob = true`
			`}`

			`// Check the policy is valid`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`switch pp.Policy {`
			`case PathPolicyDeny:`
			`case PathPolicyRead:`
			`case PathPolicyWrite:`
			`case PathPolicySudo:`
			`default:`
			`return nil, fmt.Errorf("Invalid path policy: %#v", pp)`
			`}`
			`}`
			`return p, nil`
			`}`