open-vault/vault/policy_store.go

package vault

import (
	"fmt"
	"time"

	"github.com/armon/go-metrics"
	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/golang-lru"
	"github.com/hashicorp/vault/logical"
)

const (
	// policySubPath is the sub-path used for the policy store
	// view. This is nested under the system view.
	policySubPath = "policy/"

	// policyCacheSize is the number of policies that are kept cached
	policyCacheSize = 1024
)

// PolicyStore is used to provide durable storage of policy, and to
// manage ACLs associated with them.
type PolicyStore struct {
	view   *BarrierView
	lru    *lru.TwoQueueCache
	system logical.SystemView
}

// PolicyEntry is used to store a policy by name
type PolicyEntry struct {
	Version int
	Raw     string
}

// NewPolicyStore creates a new PolicyStore that is backed
// using a given view. It used used to durable store and manage named policy.
func NewPolicyStore(view *BarrierView, system logical.SystemView) *PolicyStore {
	p := &PolicyStore{
		view:   view,
		system: system,
	}
	if !system.CachingDisabled() {
		cache, _ := lru.New2Q(policyCacheSize)
		p.lru = cache
	}

	return p
}

// setupPolicyStore is used to initialize the policy store
// when the vault is being unsealed.
func (c *Core) setupPolicyStore() error {
	// Create a sub-view
	view := c.systemBarrierView.SubView(policySubPath)

	// Create the policy store
	c.policyStore = NewPolicyStore(view, &dynamicSystemView{core: c})

	// Ensure that the default policy exists, and if not, create it
	policy, err := c.policyStore.GetPolicy("default")
	if err != nil {
		return errwrap.Wrapf("error fetching default policy from store: {{err}}", err)
	}
	if policy == nil {
		err := c.policyStore.createDefaultPolicy()
		if err != nil {
			return err
		}
	}
	return nil
}

// teardownPolicyStore is used to reverse setupPolicyStore
// when the vault is being sealed.
func (c *Core) teardownPolicyStore() error {
	c.policyStore = nil
	return nil
}

// SetPolicy is used to create or update the given policy
func (ps *PolicyStore) SetPolicy(p *Policy) error {
	defer metrics.MeasureSince([]string{"policy", "set_policy"}, time.Now())
	if p.Name == "root" {
		return fmt.Errorf("cannot update root policy")
	}
	if p.Name == "" {
		return fmt.Errorf("policy name missing")
	}

	// Create the entry
	entry, err := logical.StorageEntryJSON(p.Name, &PolicyEntry{
		Version: 2,
		Raw:     p.Raw,
	})
	if err != nil {
		return fmt.Errorf("failed to create entry: %v", err)
	}
	if err := ps.view.Put(entry); err != nil {
		return fmt.Errorf("failed to persist policy: %v", err)
	}

	if !ps.system.CachingDisabled() {
		// Update the LRU cache
		ps.lru.Add(p.Name, p)
	}
	return nil
}

// GetPolicy is used to fetch the named policy
func (ps *PolicyStore) GetPolicy(name string) (*Policy, error) {
	defer metrics.MeasureSince([]string{"policy", "get_policy"}, time.Now())
	if !ps.system.CachingDisabled() {
		// Check for cached policy
		if raw, ok := ps.lru.Get(name); ok {
			return raw.(*Policy), nil
		}
	}

	// Special case the root policy
	if name == "root" {
		p := &Policy{Name: "root"}
		if !ps.system.CachingDisabled() {
			ps.lru.Add(p.Name, p)
		}
		return p, nil
	}

	// Load the policy in
	out, err := ps.view.Get(name)
	if err != nil {
		return nil, fmt.Errorf("failed to read policy: %v", err)
	}
	if out == nil {
		return nil, nil
	}

	// In Vault 0.1.X we stored the raw policy, but in
	// Vault 0.2 we switch to the PolicyEntry
	policyEntry := new(PolicyEntry)
	var policy *Policy
	if err := out.DecodeJSON(policyEntry); err == nil {
		// Parse normally
		p, err := Parse(policyEntry.Raw)
		if err != nil {
			return nil, fmt.Errorf("failed to parse policy: %v", err)
		}
		p.Name = name
		policy = p

	} else {
		// On error, attempt to use V1 parsing
		p, err := Parse(string(out.Value))
		if err != nil {
			return nil, fmt.Errorf("failed to parse policy: %v", err)
		}
		p.Name = name

		// V1 used implicit glob, we need to do a fix-up
		for _, pp := range p.Paths {
			pp.Glob = true
		}
		policy = p
	}

	if !ps.system.CachingDisabled() {
		// Update the LRU cache
		ps.lru.Add(name, policy)
	}

	return policy, nil
}

// ListPolicies is used to list the available policies
func (ps *PolicyStore) ListPolicies() ([]string, error) {
	defer metrics.MeasureSince([]string{"policy", "list_policies"}, time.Now())
	// Scan the view, since the policy names are the same as the
	// key names.
	return CollectKeys(ps.view)
}

// DeletePolicy is used to delete the named policy
func (ps *PolicyStore) DeletePolicy(name string) error {
	defer metrics.MeasureSince([]string{"policy", "delete_policy"}, time.Now())
	if name == "root" {
		return fmt.Errorf("cannot delete root policy")
	}
	if name == "default" {
		return fmt.Errorf("cannot delete default policy")
	}
	if err := ps.view.Delete(name); err != nil {
		return fmt.Errorf("failed to delete policy: %v", err)
	}

	if !ps.system.CachingDisabled() {
		// Clear the cache
		ps.lru.Remove(name)
	}
	return nil
}

// ACL is used to return an ACL which is built using the
// named policies.
func (ps *PolicyStore) ACL(names ...string) (*ACL, error) {
	// Fetch the policies
	var policy []*Policy
	for _, name := range names {
		p, err := ps.GetPolicy(name)
		if err != nil {
			return nil, fmt.Errorf("failed to get policy '%s': %v", name, err)
		}
		policy = append(policy, p)
	}

	// Construct the ACL
	acl, err := NewACL(policy)
	if err != nil {
		return nil, fmt.Errorf("failed to construct ACL: %v", err)
	}
	return acl, nil
}

func (ps *PolicyStore) createDefaultPolicy() error {
	policy, err := Parse(`
path "auth/token/lookup-self" {
    capabilities = ["read"]
}

path "auth/token/renew-self" {
    capabilities = ["update"]
}

path "auth/token/revoke-self" {
    capabilities = ["update"]
}

path "cubbyhole/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

path "cubbyhole" {
    capabilities = ["list"]
}
`)
	if err != nil {
		return errwrap.Wrapf("error parsing default policy: {{err}}", err)
	}

	if policy == nil {
		return fmt.Errorf("parsing default policy resulted in nil policy")
	}

	policy.Name = "default"
	return ps.SetPolicy(policy)
}
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`package vault`

			`import (`
			`"fmt"`
vault: Adding metrics profiling 2015-04-08 23:43:17 +00:00			`"time"`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00
vault: Adding metrics profiling 2015-04-08 23:43:17 +00:00			`"github.com/armon/go-metrics"`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`"github.com/hashicorp/errwrap"`
vault: Adding policy LRU cache 2015-04-06 23:41:48 +00:00			`"github.com/hashicorp/golang-lru"`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`"github.com/hashicorp/vault/logical"`
			`)`

vault: integrate policy and token store into core 2015-03-18 21:00:42 +00:00			`const (`
			`// policySubPath is the sub-path used for the policy store`
			`// view. This is nested under the system view.`
			`policySubPath = "policy/"`
vault: Adding policy LRU cache 2015-04-06 23:41:48 +00:00
			`// policyCacheSize is the number of policies that are kept cached`
			`policyCacheSize = 1024`
vault: integrate policy and token store into core 2015-03-18 21:00:42 +00:00			`)`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`// PolicyStore is used to provide durable storage of policy, and to`
			`// manage ACLs associated with them.`
			`type PolicyStore struct {`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`view *BarrierView`
			`lru *lru.TwoQueueCache`
			`system logical.SystemView`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`}`

vault: upgrade old policies with implicit glob 2015-07-06 01:14:15 +00:00			`// PolicyEntry is used to store a policy by name`
			`type PolicyEntry struct {`
			`Version int`
			`Raw string`
			`}`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`// NewPolicyStore creates a new PolicyStore that is backed`
			`// using a given view. It used used to durable store and manage named policy.`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`func NewPolicyStore(view BarrierView, system logical.SystemView) PolicyStore {`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`p := &PolicyStore{`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`view: view,`
			`system: system,`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`}`
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`if !system.CachingDisabled() {`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`cache, _ := lru.New2Q(policyCacheSize)`
			`p.lru = cache`
			`}`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`return p`
			`}`

vault: integrate policy and token store into core 2015-03-18 21:00:42 +00:00			`// setupPolicyStore is used to initialize the policy store`
			`// when the vault is being unsealed.`
			`func (c *Core) setupPolicyStore() error {`
			`// Create a sub-view`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`view := c.systemBarrierView.SubView(policySubPath)`
vault: integrate policy and token store into core 2015-03-18 21:00:42 +00:00
			`// Create the policy store`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`c.policyStore = NewPolicyStore(view, &dynamicSystemView{core: c})`
Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 16:52:26 +00:00
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`// Ensure that the default policy exists, and if not, create it`
			`policy, err := c.policyStore.GetPolicy("default")`
			`if err != nil {`
			`return errwrap.Wrapf("error fetching default policy from store: {{err}}", err)`
			`}`
			`if policy == nil {`
			`err := c.policyStore.createDefaultPolicy()`
Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 16:52:26 +00:00			`if err != nil {`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`return err`
Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 16:52:26 +00:00			`}`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`}`
vault: integrate policy and token store into core 2015-03-18 21:00:42 +00:00			`return nil`
			`}`

			`// teardownPolicyStore is used to reverse setupPolicyStore`
			`// when the vault is being sealed.`
			`func (c *Core) teardownPolicyStore() error {`
Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 16:52:26 +00:00			`c.policyStore = nil`
vault: integrate policy and token store into core 2015-03-18 21:00:42 +00:00			`return nil`
			`}`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`// SetPolicy is used to create or update the given policy`
			`func (ps PolicyStore) SetPolicy(p Policy) error {`
vault: Adding metrics profiling 2015-04-08 23:43:17 +00:00			`defer metrics.MeasureSince([]string{"policy", "set_policy"}, time.Now())`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if p.Name == "root" {`
			`return fmt.Errorf("cannot update root policy")`
			`}`
			`if p.Name == "" {`
			`return fmt.Errorf("policy name missing")`
			`}`

vault: upgrade old policies with implicit glob 2015-07-06 01:14:15 +00:00			`// Create the entry`
			`entry, err := logical.StorageEntryJSON(p.Name, &PolicyEntry{`
			`Version: 2,`
			`Raw: p.Raw,`
			`})`
			`if err != nil {`
			`return fmt.Errorf("failed to create entry: %v", err)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`}`
			`if err := ps.view.Put(entry); err != nil {`
			`return fmt.Errorf("failed to persist policy: %v", err)`
			`}`
vault: Adding policy LRU cache 2015-04-06 23:41:48 +00:00
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`if !ps.system.CachingDisabled() {`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`// Update the LRU cache`
			`ps.lru.Add(p.Name, p)`
			`}`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`return nil`
			`}`

			`// GetPolicy is used to fetch the named policy`
			`func (ps PolicyStore) GetPolicy(name string) (Policy, error) {`
vault: Adding metrics profiling 2015-04-08 23:43:17 +00:00			`defer metrics.MeasureSince([]string{"policy", "get_policy"}, time.Now())`
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`if !ps.system.CachingDisabled() {`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`// Check for cached policy`
			`if raw, ok := ps.lru.Get(name); ok {`
			`return raw.(*Policy), nil`
			`}`
vault: Adding policy LRU cache 2015-04-06 23:41:48 +00:00			`}`
vault: Special case root policy 2015-03-24 18:27:21 +00:00
			`// Special case the root policy`
			`if name == "root" {`
			`p := &Policy{Name: "root"}`
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`if !ps.system.CachingDisabled() {`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`ps.lru.Add(p.Name, p)`
			`}`
vault: Special case root policy 2015-03-24 18:27:21 +00:00			`return p, nil`
			`}`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`// Load the policy in`
			`out, err := ps.view.Get(name)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to read policy: %v", err)`
			`}`
			`if out == nil {`
			`return nil, nil`
			`}`

vault: upgrade old policies with implicit glob 2015-07-06 01:14:15 +00:00			`// In Vault 0.1.X we stored the raw policy, but in`
			`// Vault 0.2 we switch to the PolicyEntry`
			`policyEntry := new(PolicyEntry)`
			`var policy *Policy`
			`if err := out.DecodeJSON(policyEntry); err == nil {`
			`// Parse normally`
			`p, err := Parse(policyEntry.Raw)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to parse policy: %v", err)`
			`}`
			`p.Name = name`
			`policy = p`

			`} else {`
			`// On error, attempt to use V1 parsing`
			`p, err := Parse(string(out.Value))`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to parse policy: %v", err)`
			`}`
			`p.Name = name`

			`// V1 used implicit glob, we need to do a fix-up`
			`for _, pp := range p.Paths {`
			`pp.Glob = true`
			`}`
			`policy = p`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`}`
vault: Update LRU on GetPolicy 2015-04-06 23:43:05 +00:00
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`if !ps.system.CachingDisabled() {`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`// Update the LRU cache`
			`ps.lru.Add(name, policy)`
			`}`

vault: upgrade old policies with implicit glob 2015-07-06 01:14:15 +00:00			`return policy, nil`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`}`

			`// ListPolicies is used to list the available policies`
			`func (ps *PolicyStore) ListPolicies() ([]string, error) {`
vault: Adding metrics profiling 2015-04-08 23:43:17 +00:00			`defer metrics.MeasureSince([]string{"policy", "list_policies"}, time.Now())`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`// Scan the view, since the policy names are the same as the`
			`// key names.`
			`return CollectKeys(ps.view)`
			`}`

			`// DeletePolicy is used to delete the named policy`
			`func (ps *PolicyStore) DeletePolicy(name string) error {`
vault: Adding metrics profiling 2015-04-08 23:43:17 +00:00			`defer metrics.MeasureSince([]string{"policy", "delete_policy"}, time.Now())`
vault: Special case root policy 2015-03-24 18:27:21 +00:00			`if name == "root" {`
			`return fmt.Errorf("cannot delete root policy")`
			`}`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`if name == "default" {`
			`return fmt.Errorf("cannot delete default policy")`
			`}`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if err := ps.view.Delete(name); err != nil {`
			`return fmt.Errorf("failed to delete policy: %v", err)`
			`}`
vault: Adding policy LRU cache 2015-04-06 23:41:48 +00:00
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`if !ps.system.CachingDisabled() {`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`// Clear the cache`
			`ps.lru.Remove(name)`
			`}`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`return nil`
			`}`

			`// ACL is used to return an ACL which is built using the`
			`// named policies.`
			`func (ps PolicyStore) ACL(names ...string) (ACL, error) {`
			`// Fetch the policies`
			`var policy []*Policy`
			`for _, name := range names {`
			`p, err := ps.GetPolicy(name)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to get policy '%s': %v", name, err)`
			`}`
			`policy = append(policy, p)`
			`}`

			`// Construct the ACL`
			`acl, err := NewACL(policy)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to construct ACL: %v", err)`
			`}`
			`return acl, nil`
			`}`
Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 16:52:26 +00:00
			`func (ps *PolicyStore) createDefaultPolicy() error {`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			policy, err := Parse(`
			`path "auth/token/lookup-self" {`
Use capabilities rather than policies in default policy. Also add cubbyhole to it. 2016-01-16 23:02:31 +00:00			`capabilities = ["read"]`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`}`

			`path "auth/token/renew-self" {`
Use capabilities rather than policies in default policy. Also add cubbyhole to it. 2016-01-16 23:02:31 +00:00			`capabilities = ["update"]`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`}`

			`path "auth/token/revoke-self" {`
Use capabilities rather than policies in default policy. Also add cubbyhole to it. 2016-01-16 23:02:31 +00:00			`capabilities = ["update"]`
			`}`

			`path "cubbyhole/*" {`
			`capabilities = ["create", "read", "update", "delete", "list"]`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`}`
Add listing of cubbyhole's root to the default policy. This allows `vault list cubbyhole` to behave as expected rather than requiring `vault list cubbyhole/`. It could be special cased in logic, but it also serves as a model for the same behavior in e.g. `generic` mounts where special casing is not possible due to unforeseen mount paths. 2016-02-03 18:50:47 +00:00
			`path "cubbyhole" {`
			`capabilities = ["list"]`
			`}`
Create a "default" policy with sensible rules. It is forced to be included with each token, but can be changed (but not deleted). Fixes #732 2015-11-06 22:27:15 +00:00			`)
			`if err != nil {`
			`return errwrap.Wrapf("error parsing default policy: {{err}}", err)`
			`}`

			`if policy == nil {`
			`return fmt.Errorf("parsing default policy resulted in nil policy")`
			`}`

			`policy.Name = "default"`
			`return ps.SetPolicy(policy)`
Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 16:52:26 +00:00			`}`