Adding acl.Capabilities to do the path matching

2016-03-04 12:04:26 -05:00 · 2016-03-04 12:04:26 -05:00 · 9217c49184
parent 7fe871e60a
commit 9217c49184
2 changed files with 107 additions and 38 deletions
--- a/vault/acl.go
+++ b/vault/acl.go
@ -71,6 +71,56 @@ func NewACL(policies []*Policy) (*ACL, error) {
 	return a, nil
 }

+func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
+	// Fast-path root
+	if a.root {
+		return []string{"root"}
+	}
+
+	// Find an exact matching rule, look for glob if no match
+	var capabilities uint32
+	raw, ok := a.exactRules.Get(path)
+	if ok {
+		capabilities = raw.(uint32)
+		goto CHECK
+	}
+
+	// Find a glob rule, default deny if no match
+	_, raw, ok = a.globRules.LongestPrefix(path)
+	if !ok {
+		return nil
+	} else {
+		capabilities = raw.(uint32)
+	}
+
+CHECK:
+
+	if capabilities&SudoCapabilityInt > 0 {
+		pathCapabilities = append(pathCapabilities, SudoCapability)
+	}
+	if capabilities&ReadCapabilityInt > 0 {
+		pathCapabilities = append(pathCapabilities, ReadCapability)
+	}
+	if capabilities&ListCapabilityInt > 0 {
+		pathCapabilities = append(pathCapabilities, ListCapability)
+	}
+	if capabilities&UpdateCapabilityInt > 0 {
+		pathCapabilities = append(pathCapabilities, UpdateCapability)
+	}
+	if capabilities&DeleteCapabilityInt > 0 {
+		pathCapabilities = append(pathCapabilities, DeleteCapability)
+	}
+	if capabilities&CreateCapabilityInt > 0 {
+		pathCapabilities = append(pathCapabilities, CreateCapability)
+	}
+	// If "deny" capability is explicitly set, then ignore all other capabilities
+	if capabilities&DenyCapabilityInt > 0 {
+		pathCapabilities = []string{DenyCapability}
+	}
+
+	return
+}
+
 // AllowOperation is used to check if the given operation is permitted. The
 // first bool indicates if an op is allowed, the second whether sudo priviliges
 // exist for that op and path.
--- a/vault/capabilities.go
+++ b/vault/capabilities.go
@ -1,10 +1,6 @@
 package vault

-import (
-	"fmt"
-	"sort"
-	"strings"
-)
+import "fmt"

 // CapabilitiesResponse holds the result of fetching the capabilities of token on a path
 type CapabilitiesResponse struct {
@ -34,52 +30,75 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResponse, error) {
 		return nil, nil
 	}

-	var result CapabilitiesResponse
-	capabilities := make(map[string]bool)
+	var policies []*Policy
 	for _, tePolicy := range te.Policies {
-		if tePolicy == "root" {
-			capabilities = map[string]bool{
-				"root": true,
-			}
-			break
-		}
 		policy, err := c.policyStore.GetPolicy(tePolicy)
 		if err != nil {
 			return nil, err
 		}
-		if policy == nil || policy.Paths == nil {
-			continue
-		}
-		for _, pathCapability := range policy.Paths {
-			switch {
-			case pathCapability.Glob:
-				if strings.HasPrefix(path, pathCapability.Prefix) {
-					for _, capability := range pathCapability.Capabilities {
-						if _, ok := capabilities[capability]; !ok {
-							capabilities[capability] = true
+		policies = append(policies, policy)
+	}
+
+	if len(policies) == 0 {
+		return nil, nil
+	}
+
+	acl, err := NewACL(policies)
+	if err != nil {
+		return nil, err
+	}
+
+	caps := acl.Capabilities(path)
+	/*
+		log.Printf("vishal: caps:%#v\n", caps)
+
+		var result CapabilitiesResponse
+		capabilities := make(map[string]bool)
+		for _, tePolicy := range te.Policies {
+			if tePolicy == "root" {
+				capabilities = map[string]bool{
+					"root": true,
+				}
+				break
+			}
+			policy, err := c.policyStore.GetPolicy(tePolicy)
+			if err != nil {
+				return nil, err
+			}
+			if policy == nil || policy.Paths == nil {
+				continue
+			}
+			for _, pathCapability := range policy.Paths {
+				switch {
+				case pathCapability.Glob:
+					if strings.HasPrefix(path, pathCapability.Prefix) {
+						for _, capability := range pathCapability.Capabilities {
+							if _, ok := capabilities[capability]; !ok {
+								capabilities[capability] = true
+							}
 						}
 					}
-				}
-			default:
-				if path == pathCapability.Prefix {
-					for _, capability := range pathCapability.Capabilities {
-						if _, ok := capabilities[capability]; !ok {
-							capabilities[capability] = true
+				default:
+					if path == pathCapability.Prefix {
+						for _, capability := range pathCapability.Capabilities {
+							if _, ok := capabilities[capability]; !ok {
+								capabilities[capability] = true
+							}
 						}
 					}
 				}
 			}
 		}
-	}

-	if len(capabilities) == 0 {
-		result.Capabilities = []string{"deny"}
-		return &result, nil
-	}
+		if len(capabilities) == 0 {
+			result.Capabilities = []string{"deny"}
+			return &result, nil
+		}

-	for capability, _ := range capabilities {
-		result.Capabilities = append(result.Capabilities, capability)
-	}
-	sort.Strings(result.Capabilities)
+		for capability, _ := range capabilities {
+			result.Capabilities = append(result.Capabilities, capability)
+		}
+		sort.Strings(result.Capabilities)
+	*/
 	return &result, nil
 }