Adding acl.Capabilities to do the path matching
This commit is contained in:
vishalnayak
parent
7fe871e60a
commit
9217c49184
50
vault/acl.go
50
vault/acl.go
|
|
@ -71,6 +71,56 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
|||
return a, nil
|
||||
}
|
||||
|
||||
func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
|
||||
// Fast-path root
|
||||
if a.root {
|
||||
return []string{"root"}
|
||||
}
|
||||
|
||||
// Find an exact matching rule, look for glob if no match
|
||||
var capabilities uint32
|
||||
raw, ok := a.exactRules.Get(path)
|
||||
if ok {
|
||||
capabilities = raw.(uint32)
|
||||
goto CHECK
|
||||
}
|
||||
|
||||
// Find a glob rule, default deny if no match
|
||||
_, raw, ok = a.globRules.LongestPrefix(path)
|
||||
if !ok {
|
||||
return nil
|
||||
} else {
|
||||
capabilities = raw.(uint32)
|
||||
}
|
||||
|
||||
CHECK:
|
||||
|
||||
if capabilities&SudoCapabilityInt > 0 {
|
||||
pathCapabilities = append(pathCapabilities, SudoCapability)
|
||||
}
|
||||
if capabilities&ReadCapabilityInt > 0 {
|
||||
pathCapabilities = append(pathCapabilities, ReadCapability)
|
||||
}
|
||||
if capabilities&ListCapabilityInt > 0 {
|
||||
pathCapabilities = append(pathCapabilities, ListCapability)
|
||||
}
|
||||
if capabilities&UpdateCapabilityInt > 0 {
|
||||
pathCapabilities = append(pathCapabilities, UpdateCapability)
|
||||
}
|
||||
if capabilities&DeleteCapabilityInt > 0 {
|
||||
pathCapabilities = append(pathCapabilities, DeleteCapability)
|
||||
}
|
||||
if capabilities&CreateCapabilityInt > 0 {
|
||||
pathCapabilities = append(pathCapabilities, CreateCapability)
|
||||
}
|
||||
// If "deny" capability is explicitly set, then ignore all other capabilities
|
||||
if capabilities&DenyCapabilityInt > 0 {
|
||||
pathCapabilities = []string{DenyCapability}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// AllowOperation is used to check if the given operation is permitted. The
|
||||
// first bool indicates if an op is allowed, the second whether sudo priviliges
|
||||
// exist for that op and path.
|
||||
|
|
|
|||
|
|
@ -1,10 +1,6 @@
|
|||
package vault
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"sort"
|
||||
"strings"
|
||||
)
|
||||
import "fmt"
|
||||
|
||||
// CapabilitiesResponse holds the result of fetching the capabilities of token on a path
|
||||
type CapabilitiesResponse struct {
|
||||
|
|
@ -34,6 +30,28 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResponse, error) {
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
var policies []*Policy
|
||||
for _, tePolicy := range te.Policies {
|
||||
policy, err := c.policyStore.GetPolicy(tePolicy)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
policies = append(policies, policy)
|
||||
}
|
||||
|
||||
if len(policies) == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
acl, err := NewACL(policies)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
caps := acl.Capabilities(path)
|
||||
/*
|
||||
log.Printf("vishal: caps:%#v\n", caps)
|
||||
|
||||
var result CapabilitiesResponse
|
||||
capabilities := make(map[string]bool)
|
||||
for _, tePolicy := range te.Policies {
|
||||
|
|
@ -81,5 +99,6 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResponse, error) {
|
|||
result.Capabilities = append(result.Capabilities, capability)
|
||||
}
|
||||
sort.Strings(result.Capabilities)
|
||||
*/
|
||||
return &result, nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue