Make experiments API authenticated (#18966)

2023-02-09 20:18:14 +00:00 · 2023-02-09 20:18:14 +00:00 · 78d83c9136
parent 219d77ace8
commit 78d83c9136
3 changed files with 43 additions and 2 deletions
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -144,7 +144,6 @@ func NewSystemBackend(core *Core, logger log.Logger) *SystemBackend {
 				"unseal",
 				"leader",
 				"health",
-				"experiments",
 				"generate-root/attempt",
 				"generate-root/update",
 				"rekey/init",
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@ -153,7 +153,7 @@ path "sys/control-group/request" {

 # Allow a token to make requests to the Authorization Endpoint for OIDC providers.
 path "identity/oidc/provider/+/authorize" {
-	capabilities = ["read", "update"]
+    capabilities = ["read", "update"]
 }
 `
 )
--- a/vault/policy_store_test.go
+++ b/vault/policy_store_test.go
@ -6,6 +6,7 @@ import (
 	"testing"

 	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/sdk/logical"
 )

 func mockPolicyWithCore(t *testing.T, disableCache bool) (*Core, *PolicyStore) {
@ -274,3 +275,44 @@ func testPolicyStoreACL(t *testing.T, ps *PolicyStore, ns *namespace.Namespace)
 	}
 	testLayeredACL(t, acl, ns)
 }
+
+func TestDefaultPolicy(t *testing.T) {
+	ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
+
+	policy, err := ParseACLPolicy(namespace.RootNamespace, defaultPolicy)
+	if err != nil {
+		t.Fatal(err)
+	}
+	acl, err := NewACL(ctx, []*Policy{policy})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for name, tc := range map[string]struct {
+		op            logical.Operation
+		path          string
+		expectAllowed bool
+	}{
+		"lookup self":            {logical.ReadOperation, "auth/token/lookup-self", true},
+		"renew self":             {logical.UpdateOperation, "auth/token/renew-self", true},
+		"revoke self":            {logical.UpdateOperation, "auth/token/revoke-self", true},
+		"check own capabilities": {logical.UpdateOperation, "sys/capabilities-self", true},
+
+		"read arbitrary path":     {logical.ReadOperation, "foo/bar", false},
+		"login at arbitrary path": {logical.UpdateOperation, "auth/foo", false},
+	} {
+		t.Run(name, func(t *testing.T) {
+			request := new(logical.Request)
+			request.Operation = tc.op
+			request.Path = tc.path
+
+			result := acl.AllowOperation(ctx, request, false)
+			if result.RootPrivs {
+				t.Fatal("unexpected root")
+			}
+			if tc.expectAllowed != result.Allowed {
+				t.Fatalf("Expected %v, got %v", tc.expectAllowed, result.Allowed)
+			}
+		})
+	}
+}