updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure
This commit is contained in:
mwoolsey
parent
21e1f38e6a
commit
6aa9a1d165
27
vault/acl.go
27
vault/acl.go
|
|
@ -47,24 +47,27 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
|||
// Check for an existing policy
|
||||
raw, ok := tree.Get(pc.Prefix)
|
||||
if !ok {
|
||||
tree.Insert(pc.Prefix, pc.CapabilitiesBitmap)
|
||||
tree.Insert(pc.Prefix, pc.Permissions)
|
||||
continue
|
||||
}
|
||||
existing := raw.(uint32)
|
||||
perm := raw.(Permissions)
|
||||
existing := perm.CapabilitiesBitmap
|
||||
|
||||
switch {
|
||||
case existing&DenyCapabilityInt > 0:
|
||||
// If we are explicitly denied in the existing capability set,
|
||||
// don't save anything else
|
||||
|
||||
case pc.CapabilitiesBitmap&DenyCapabilityInt > 0:
|
||||
case pc.Permissions.CapabilitiesBitmap&DenyCapabilityInt > 0:
|
||||
// If this new policy explicitly denies, only save the deny value
|
||||
tree.Insert(pc.Prefix, DenyCapabilityInt)
|
||||
pc.Permissions.CapabilitesBitmap = DenyCapabilityInt
|
||||
tree.Insert(pc.Prefix, pc.Permissions)
|
||||
|
||||
default:
|
||||
// Insert the capabilities in this new policy into the existing
|
||||
// value
|
||||
tree.Insert(pc.Prefix, existing|pc.CapabilitiesBitmap)
|
||||
pc.Permissions.CapabilitesBitmap = existing | pc.Permissions.CapabilitesBitmap
|
||||
tree.Insert(pc.Prefix, pc.Permissions)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -80,8 +83,10 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
|
|||
// Find an exact matching rule, look for glob if no match
|
||||
var capabilities uint32
|
||||
raw, ok := a.exactRules.Get(path)
|
||||
|
||||
if ok {
|
||||
capabilities = raw.(uint32)
|
||||
perm := raw.(Permissions)
|
||||
capbilities := perm.CapabilitiesBitmap
|
||||
goto CHECK
|
||||
}
|
||||
|
||||
|
|
@ -90,7 +95,8 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
|
|||
if !ok {
|
||||
return []string{DenyCapability}
|
||||
} else {
|
||||
capabilities = raw.(uint32)
|
||||
perm := raw.(Permissions)
|
||||
capbilities := perm.CapabilitiesBitmap
|
||||
}
|
||||
|
||||
CHECK:
|
||||
|
|
@ -124,12 +130,19 @@ CHECK:
|
|||
// AllowOperation is used to check if the given operation is permitted. The
|
||||
// first bool indicates if an op is allowed, the second whether sudo priviliges
|
||||
// exist for that op and path.
|
||||
|
||||
// change arguments to hold a full request that holds the operation, path, and parameter
|
||||
// that is to be modified.
|
||||
func (a *ACL) AllowOperation(op logical.Operation, path string) (allowed bool, sudo bool) {
|
||||
// Fast-path root
|
||||
if a.root {
|
||||
return true, true
|
||||
}
|
||||
|
||||
///////////////////////////////////////////////////////////////////////////////////
|
||||
// Parse Request and set variables
|
||||
///////////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
// Help is always allowed
|
||||
if op == logical.HelpOperation {
|
||||
return true, false
|
||||
|
|
|
|||
|
|
@ -56,12 +56,21 @@ type Policy struct {
|
|||
Raw string
|
||||
}
|
||||
|
||||
type Permissions struct {
|
||||
CapabilitiesBitmap uint32 `hcl:"-"`
|
||||
AllowedParams map[string]bool
|
||||
DisallowedParams map[string]bool
|
||||
}
|
||||
|
||||
/*
|
||||
*/
|
||||
// PathCapabilities represents a policy for a path in the namespace.
|
||||
type PathCapabilities struct {
|
||||
Prefix string
|
||||
Policy string
|
||||
Capabilities []string
|
||||
CapabilitiesBitmap uint32 `hcl:"-"`
|
||||
//CapabilitiesBitmap uint32 `hcl:"-"`
|
||||
AclCapabilites *Permissions
|
||||
Glob bool
|
||||
}
|
||||
|
||||
|
|
@ -107,16 +116,19 @@ func Parse(rules string) (*Policy, error) {
|
|||
}
|
||||
|
||||
func parsePaths(result *Policy, list *ast.ObjectList) error {
|
||||
// specifically how can we access the key value pairs for
|
||||
// permissions
|
||||
paths := make([]*PathCapabilities, 0, len(list.Items))
|
||||
for _, item := range list.Items {
|
||||
key := "path"
|
||||
if len(item.Keys) > 0 {
|
||||
key = item.Keys[0].Token.Value().(string)
|
||||
key = item.Keys[0].Token.Value().(string) // "secret/foo"
|
||||
}
|
||||
|
||||
valid := []string{
|
||||
"policy",
|
||||
"capabilities",
|
||||
"permissions", // added here to validate
|
||||
}
|
||||
if err := checkHCLKeys(item.Val, valid); err != nil {
|
||||
return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
|
||||
|
|
@ -156,21 +168,30 @@ func parsePaths(result *Policy, list *ast.ObjectList) error {
|
|||
}
|
||||
|
||||
// Initialize the map
|
||||
pc.CapabilitiesBitmap = 0
|
||||
pc.Permissions.CapabilitiesBitmap = 0
|
||||
for _, cap := range pc.Capabilities {
|
||||
switch cap {
|
||||
// If it's deny, don't include any other capability
|
||||
case DenyCapability:
|
||||
pc.Capabilities = []string{DenyCapability}
|
||||
pc.CapabilitiesBitmap = DenyCapabilityInt
|
||||
pc.Permissions.CapabilitiesBitmap = DenyCapabilityInt
|
||||
goto PathFinished
|
||||
case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability:
|
||||
pc.CapabilitiesBitmap |= cap2Int[cap]
|
||||
pc.Permissions.CapabilitiesBitmap |= cap2Int[cap]
|
||||
default:
|
||||
return fmt.Errorf("path %q: invalid capability '%s'", key, cap)
|
||||
}
|
||||
}
|
||||
|
||||
//////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
// filter out permissions from list object
|
||||
// if p := item.Filter("permissions"); len(p.Whatever) > 0 {
|
||||
// }
|
||||
|
||||
// go through p and initialize pc.Permissions.Allowed/Disallowed
|
||||
|
||||
//////////////////////////////////////////////////////////////////////////////
|
||||
PathFinished:
|
||||
|
||||
paths = append(paths, &pc)
|
||||
|
|
|
|||
Loading…
Reference in New Issue