PR feedback
parent
f992103615
commit
9ec8dd3d17
19
vault/acl.go
19
vault/acl.go
|
@ -78,25 +78,26 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
||||||
|
|
||||||
if len(existingPerms.AllowedParameters) > 0 {
|
if len(existingPerms.AllowedParameters) > 0 {
|
||||||
if pc.Permissions.AllowedParameters == nil {
|
if pc.Permissions.AllowedParameters == nil {
|
||||||
pc.Permissions.AllowedParameters = make(map[string][]interface{}, len(existingPerms.AllowedParameters))
|
pc.Permissions.AllowedParameters = existingPerms.AllowedParameters
|
||||||
}
|
} else {
|
||||||
|
|
||||||
// Merge the two maps, appending values on key conflict.
|
// Merge the two maps, appending values on key conflict.
|
||||||
for key, value := range existingPerms.AllowedParameters {
|
for key, value := range existingPerms.AllowedParameters {
|
||||||
pc.Permissions.AllowedParameters[key] = append(value, pc.Permissions.AllowedParameters[key]...)
|
pc.Permissions.AllowedParameters[key] = append(value, pc.Permissions.AllowedParameters[key]...)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if len(existingPerms.DeniedParameters) > 0 {
|
if len(existingPerms.DeniedParameters) > 0 {
|
||||||
if pc.Permissions.DeniedParameters == nil {
|
if pc.Permissions.DeniedParameters == nil {
|
||||||
pc.Permissions.DeniedParameters = make(map[string][]interface{}, len(existingPerms.DeniedParameters))
|
pc.Permissions.DeniedParameters = existingPerms.DeniedParameters
|
||||||
}
|
} else {
|
||||||
|
|
||||||
// Merge the two maps, appending values on key conflict.
|
// Merge the two maps, appending values on key conflict.
|
||||||
for key, value := range existingPerms.DeniedParameters {
|
for key, value := range existingPerms.DeniedParameters {
|
||||||
pc.Permissions.DeniedParameters[key] = append(value, pc.Permissions.DeniedParameters[key]...)
|
pc.Permissions.DeniedParameters[key] = append(value, pc.Permissions.DeniedParameters[key]...)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
INSERT:
|
INSERT:
|
||||||
|
|
||||||
|
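Review bot: The new `pc.Permissions.AllowedParameters = existingPerms.AllowedParameters` (and the matching DeniedParameters assignment) makes the two Permissions share one map instead of filling a fresh one, so a later policy with the same path that reaches the `else` branch now appends into the map that still belongs to the earlier policy's permissions. If `pc.Permissions` and `existingPerms` point into cached Policy objects rather than per-ACL copies — the hunk does not show where they come from, so this is an inference — merged parameters leak back into that policy and into every ACL built from it afterwards, which is exactly the cross-token pollution the merge is supposed to avoid. The old `make` plus merge loop copied by construction; the same guarantee costs one small allocation, and cloning each value slice at the same time also removes the shared backing array that `append(value, …)` in the `else` branch can otherwise write into. The DeniedParameters branch should mirror this; the enclosing NewACL body starts before this hunk.
```go
if pc.Permissions.AllowedParameters == nil {
	// Copy rather than alias: existingPerms may still be reachable from
	// another policy, and the else branch below mutates this map in place.
	pc.Permissions.AllowedParameters = make(map[string][]interface{}, len(existingPerms.AllowedParameters))
	for key, value := range existingPerms.AllowedParameters {
		pc.Permissions.AllowedParameters[key] = append([]interface{}(nil), value...)
	}
} else {
	// … unchanged: merge loop, appending values on key conflict …
}
```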
@ -163,7 +164,7 @@ CHECK:
|
||||||
// AllowOperation is used to check if the given operation is permitted. The
|
// AllowOperation is used to check if the given operation is permitted. The
|
||||||
// first bool indicates if an op is allowed, the second whether sudo priviliges
|
// first bool indicates if an op is allowed, the second whether sudo priviliges
|
||||||
// exist for that op and path.
|
// exist for that op and path.
|
||||||
func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) {
|
func (a *ACL) AllowOperation(req *logical.Request) (bool, bool) {
|
||||||
// Fast-path root
|
// Fast-path root
|
||||||
if a.root {
|
if a.root {
|
||||||
return true, true
|
return true, true
|
||||||
|
@ -200,7 +201,7 @@ CHECK:
|
||||||
// Check if the minimum permissions are met
|
// Check if the minimum permissions are met
|
||||||
// If "deny" has been explicitly set, only deny will be in the map, so we
|
// If "deny" has been explicitly set, only deny will be in the map, so we
|
||||||
// only need to check for the existence of other values
|
// only need to check for the existence of other values
|
||||||
sudo = capabilities&SudoCapabilityInt > 0
|
sudo := capabilities&SudoCapabilityInt > 0
|
||||||
operationAllowed := false
|
operationAllowed := false
|
||||||
switch op {
|
switch op {
|
||||||
case logical.ReadOperation:
|
case logical.ReadOperation:
|
||||||
|
@ -229,7 +230,8 @@ CHECK:
|
||||||
|
|
||||||
// Only check parameter permissions for operations that can modify
|
// Only check parameter permissions for operations that can modify
|
||||||
// parameters.
|
// parameters.
|
||||||
if op == logical.UpdateOperation || op == logical.DeleteOperation || op == logical.CreateOperation {
|
if op == logical.UpdateOperation || op == logical.CreateOperation {
|
||||||
|
// If there are no data fields, allow
|
||||||
if len(req.Data) == 0 {
|
if len(req.Data) == 0 {
|
||||||
return true, sudo
|
return true, sudo
|
||||||
}
|
}
|
||||||
|
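Review bot: With `logical.DeleteOperation` dropped from the condition, a delete request is now authorized on capabilities alone, so if a delete ever arrives with a non-empty `req.Data` (a backend that reads parameters on delete, or a client that sends a body) neither `allowed_parameters` nor `denied_parameters` is consulted for it. Whether deletes can carry Data is not visible from this hunk, so if the intended contract is "deletes have no parameters", it is worth stating it on the condition, e.g. `// Delete is authorized on capabilities only; its Data is never subject to parameter rules.` If that contract is not guaranteed, keeping Delete in the condition is harmless, because the `len(req.Data) == 0` check right below already short-circuits a delete without data. The enclosing AllowOperation body continues outside the hunk.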
@ -283,6 +285,7 @@ CHECK:
|
||||||
}
|
}
|
||||||
|
|
||||||
func valueInParameterList(v interface{}, list []interface{}) bool {
|
func valueInParameterList(v interface{}, list []interface{}) bool {
|
||||||
|
// Empty list is equivalent to the item always existing in the list and "*"
|
||||||
if len(list) == 0 {
|
if len(list) == 0 {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
|
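Review bot: The added comment in `valueInParameterList` is hard to parse — "equivalent to the item always existing in the list and "*"" — and this early return is the line that decides what an empty `allowed_parameters`/`denied_parameters` list means, which a reader of a policy needs to get right. Suggest `// An empty list matches every value (treated the same as a "*" entry); callers decide whether a match allows or denies.` The `"*"` handling itself is presumably further down in the function, which continues past this hunk.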
@ -267,7 +267,6 @@ func TestACL_AllowOperation(t *testing.T) {
|
||||||
}
|
}
|
||||||
toperations := []logical.Operation{
|
toperations := []logical.Operation{
|
||||||
logical.UpdateOperation,
|
logical.UpdateOperation,
|
||||||
logical.DeleteOperation,
|
|
||||||
logical.CreateOperation,
|
logical.CreateOperation,
|
||||||
}
|
}
|
||||||
type tcase struct {
|
type tcase struct {
|
||||||
|
@ -319,7 +318,6 @@ func TestACL_ValuePermissions(t *testing.T) {
|
||||||
|
|
||||||
toperations := []logical.Operation{
|
toperations := []logical.Operation{
|
||||||
logical.UpdateOperation,
|
logical.UpdateOperation,
|
||||||
logical.DeleteOperation,
|
|
||||||
logical.CreateOperation,
|
logical.CreateOperation,
|
||||||
}
|
}
|
||||||
type tcase struct {
|
type tcase struct {
|
||||||
|
|