Added the merging of wildcards to allowed and denied parameters.
This commit is contained in:
parent
bcd0618623
commit
3a0e01a5d7
41
vault/acl.go
41
vault/acl.go
|
@ -1,6 +1,7 @@
|
|||
package vault
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/armon/go-radix"
|
||||
"github.com/hashicorp/vault/logical"
|
||||
)
|
||||
|
@ -50,6 +51,8 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
|||
tree.Insert(pc.Prefix, pc.Permissions)
|
||||
continue
|
||||
}
|
||||
|
||||
// these are the ones already in the tree
|
||||
permissions := raw.(*Permissions)
|
||||
existing := permissions.CapabilitiesBitmap
|
||||
|
||||
|
@ -70,7 +73,19 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
|||
tree.Insert(pc.Prefix, pc.Permissions)
|
||||
}
|
||||
|
||||
// look for a * in allowed parameters
|
||||
// look for a * in allowed parameters for the node already in the tree
|
||||
if _, ok := permissions.AllowedParameters["*"]; ok {
|
||||
pc.Permissions.AllowedParameters = make(map[string]struct{})
|
||||
pc.Permissions.AllowedParameters["*"] = nil
|
||||
goto CHECK_DENIED
|
||||
}
|
||||
|
||||
// look for a * in allowed parameters for the path capability we are merging
|
||||
if _, ok := pc.Permissions.AllowedParameters["*"]; ok {
|
||||
pc.Permissions.AllowedParameters = make(map[string]struct{})
|
||||
pc.Permissions.AllowedParameters["*"] = nil
|
||||
goto CHECK_DENIED
|
||||
}
|
||||
|
||||
// Merge allowed parameters
|
||||
for key, _ := range permissions.AllowedParameters {
|
||||
|
@ -81,7 +96,23 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
|||
}
|
||||
}
|
||||
|
||||
// Merge disallowed parameters
|
||||
CHECK_DENIED:
|
||||
|
||||
// look for a * in denied parameters for the node already in the tree
|
||||
if _, ok := permissions.DeniedParameters["*"]; ok {
|
||||
pc.Permissions.DeniedParameters = make(map[string]struct{})
|
||||
pc.Permissions.DeniedParameters["*"] = nil
|
||||
goto INSERT
|
||||
}
|
||||
|
||||
// look for a * in denied parameters for the path capability we are merging
|
||||
if _, ok := pc.Permissions.DeniedParameters["*"]; ok {
|
||||
pc.Permissions.DeniedParameters = make(map[string]struct{})
|
||||
pc.Permissions.DeniedParameters["*"] = nil
|
||||
goto INSERT
|
||||
}
|
||||
|
||||
// Merge denied parameters
|
||||
for key, _ := range permissions.DeniedParameters {
|
||||
// Add new parameter
|
||||
if _, ok := pc.Permissions.DeniedParameters[key]; !ok {
|
||||
|
@ -91,6 +122,8 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
|||
|
||||
}
|
||||
|
||||
INSERT:
|
||||
|
||||
tree.Insert(pc.Prefix, pc.Permissions)
|
||||
|
||||
}
|
||||
|
@ -154,15 +187,11 @@ CHECK:
|
|||
// AllowOperation is used to check if the given operation is permitted. The
|
||||
// first bool indicates if an op is allowed, the second whether sudo priviliges
|
||||
// exist for that op and path.
|
||||
|
||||
// change arguments to hold a full request that holds the operation, path, and parameter
|
||||
// that is to be modified.
|
||||
func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) {
|
||||
// Fast-path root
|
||||
if a.root {
|
||||
return true, true
|
||||
}
|
||||
|
||||
op := req.Operation
|
||||
path := req.Path
|
||||
|
||||
|
|
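Review bot: `pc.Permissions.AllowedParameters = make(map[string]struct{})` immediately followed by `pc.Permissions.AllowedParameters["*"] = nil` cannot both type-check against a single field type — a `struct{}` element rejects `nil`, and any element type that accepts `nil` rejects the `make(map[string]struct{})` value — so one of the two lines must be brought in line with the field's actual declaration (which is outside this hunk); the same pair recurs in the second allowed-parameters branch and in both denied-parameters branches after `CHECK_DENIED`. If the element type is `struct{}`, the idiomatic write is `pc.Permissions.AllowedParameters["*"] = struct{}{}`. The wildcard branches also deserve a why-comment, since collapsing the merged map to `"*"` whenever either side carries it is the most permissive outcome for allowed parameters and a reader may otherwise take it for a bug: `// Policies are additive: a wildcard on either side makes the merged list "*", superseding any explicit entries`. Minor style: `for key, _ := range permissions.DeniedParameters` simplifies to `for key := range permissions.DeniedParameters` (gofmt -s), and the new `// change arguments to hold a full request ...` lines above AllowOperation read as a task note rather than documentation and should be folded into the doc comment or dropped. NewACL's body continues outside the visible hunks.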