luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure

This commit is contained in:
mwoolsey 2016-10-09 15:39:58 -07:00
parent 21e1f38e6a
commit 6aa9a1d165
2 changed files with 50 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
vault/acl.go
View File

@ -47,24 +47,27 @@ func NewACL(policies []*Policy) (*ACL, error) {
// Check for an existing policy // Check for an existing policy
raw, ok := tree.Get(pc.Prefix) raw, ok := tree.Get(pc.Prefix)
if !ok { if !ok {
tree.Insert(pc.Prefix, pc.CapabilitiesBitmap) tree.Insert(pc.Prefix, pc.Permissions)
continue continue
} }
existing := raw.(uint32) perm := raw.(Permissions)
existing := perm.CapabilitiesBitmap
switch { switch {
case existing&DenyCapabilityInt > 0: case existing&DenyCapabilityInt > 0:
// If we are explicitly denied in the existing capability set, // If we are explicitly denied in the existing capability set,
// don't save anything else // don't save anything else
case pc.CapabilitiesBitmap&DenyCapabilityInt > 0: case pc.Permissions.CapabilitiesBitmap&DenyCapabilityInt > 0:
// If this new policy explicitly denies, only save the deny value // If this new policy explicitly denies, only save the deny value
tree.Insert(pc.Prefix, DenyCapabilityInt) pc.Permissions.CapabilitesBitmap = DenyCapabilityInt
tree.Insert(pc.Prefix, pc.Permissions)
default: default:
// Insert the capabilities in this new policy into the existing // Insert the capabilities in this new policy into the existing
// value // value
tree.Insert(pc.Prefix, existing|pc.CapabilitiesBitmap) pc.Permissions.CapabilitesBitmap = existing | pc.Permissions.CapabilitesBitmap
tree.Insert(pc.Prefix, pc.Permissions)
} }
} }
} }
@ -80,8 +83,10 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
// Find an exact matching rule, look for glob if no match // Find an exact matching rule, look for glob if no match
var capabilities uint32 var capabilities uint32
raw, ok := a.exactRules.Get(path) raw, ok := a.exactRules.Get(path)
if ok { if ok {
capabilities = raw.(uint32) perm := raw.(Permissions)
capbilities := perm.CapabilitiesBitmap
goto CHECK goto CHECK
} }
@ -90,7 +95,8 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
if !ok { if !ok {
return []string{DenyCapability} return []string{DenyCapability}
} else { } else {
capabilities = raw.(uint32) perm := raw.(Permissions)
capbilities := perm.CapabilitiesBitmap
} }
CHECK: CHECK:
@ -124,12 +130,19 @@ CHECK:
// AllowOperation is used to check if the given operation is permitted. The // AllowOperation is used to check if the given operation is permitted. The
// first bool indicates if an op is allowed, the second whether sudo priviliges // first bool indicates if an op is allowed, the second whether sudo priviliges
// exist for that op and path. // exist for that op and path.
// change arguments to hold a full request that holds the operation, path, and parameter
// that is to be modified.
func (a *ACL) AllowOperation(op logical.Operation, path string) (allowed bool, sudo bool) { func (a *ACL) AllowOperation(op logical.Operation, path string) (allowed bool, sudo bool) {
// Fast-path root // Fast-path root
if a.root { if a.root {
return true, true return true, true
} }
///////////////////////////////////////////////////////////////////////////////////
// Parse Request and set variables
///////////////////////////////////////////////////////////////////////////////////
// Help is always allowed // Help is always allowed
if op == logical.HelpOperation { if op == logical.HelpOperation {
return true, false return true, false

31
vault/policy.go
View File

@ -56,12 +56,21 @@ type Policy struct {
Raw string Raw string
} }
type Permissions struct {
CapabilitiesBitmap uint32 `hcl:"-"`
AllowedParams map[string]bool
DisallowedParams map[string]bool
}
/*
*/
// PathCapabilities represents a policy for a path in the namespace. // PathCapabilities represents a policy for a path in the namespace.
type PathCapabilities struct { type PathCapabilities struct {
Prefix string Prefix string
Policy string Policy string
Capabilities []string Capabilities []string
CapabilitiesBitmap uint32 `hcl:"-"` //CapabilitiesBitmap uint32 `hcl:"-"`
AclCapabilites *Permissions
Glob bool Glob bool
} }
@ -107,16 +116,19 @@ func Parse(rules string) (*Policy, error) {
} }
func parsePaths(result *Policy, list *ast.ObjectList) error { func parsePaths(result *Policy, list *ast.ObjectList) error {
// specifically how can we access the key value pairs for
// permissions
paths := make([]*PathCapabilities, 0, len(list.Items)) paths := make([]*PathCapabilities, 0, len(list.Items))
for _, item := range list.Items { for _, item := range list.Items {
key := "path" key := "path"
if len(item.Keys) > 0 { if len(item.Keys) > 0 {
key = item.Keys[0].Token.Value().(string) key = item.Keys[0].Token.Value().(string) // "secret/foo"
} }
valid := []string{ valid := []string{
"policy", "policy",
"capabilities", "capabilities",
"permissions", // added here to validate
} }
if err := checkHCLKeys(item.Val, valid); err != nil { if err := checkHCLKeys(item.Val, valid); err != nil {
return multierror.Prefix(err, fmt.Sprintf("path %q:", key)) return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
@ -156,21 +168,30 @@ func parsePaths(result *Policy, list *ast.ObjectList) error {
} }
// Initialize the map // Initialize the map
pc.CapabilitiesBitmap = 0 pc.Permissions.CapabilitiesBitmap = 0
for _, cap := range pc.Capabilities { for _, cap := range pc.Capabilities {
switch cap { switch cap {
// If it's deny, don't include any other capability // If it's deny, don't include any other capability
case DenyCapability: case DenyCapability:
pc.Capabilities = []string{DenyCapability} pc.Capabilities = []string{DenyCapability}
pc.CapabilitiesBitmap = DenyCapabilityInt pc.Permissions.CapabilitiesBitmap = DenyCapabilityInt
goto PathFinished goto PathFinished
case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability: case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability:
pc.CapabilitiesBitmap |= cap2Int[cap] pc.Permissions.CapabilitiesBitmap |= cap2Int[cap]
default: default:
return fmt.Errorf("path %q: invalid capability '%s'", key, cap) return fmt.Errorf("path %q: invalid capability '%s'", key, cap)
} }
} }
//////////////////////////////////////////////////////////////////////////////
// filter out permissions from list object
// if p := item.Filter("permissions"); len(p.Whatever) > 0 {
// }
// go through p and initialize pc.Permissions.Allowed/Disallowed
//////////////////////////////////////////////////////////////////////////////
PathFinished: PathFinished:
paths = append(paths, &pc) paths = append(paths, &pc)