Refactoring the capabilities function

2016-03-17 14:07:55 -04:00 · 2016-03-17 14:07:55 -04:00 · a5d79d587a
parent dcb7f00bcc
commit a5d79d587a
4 changed files with 18 additions and 79 deletions
--- a/api/sys_capabilities.go
+++ b/api/sys_capabilities.go
@ -1,5 +1,7 @@
 package api

+import "log"
+
 func (c *Sys) CapabilitiesSelf(path string) ([]string, error) {
 	body := map[string]string{
 		"path": path,
@ -16,6 +18,7 @@ func (c *Sys) CapabilitiesSelf(path string) ([]string, error) {
 	}
 	defer resp.Body.Close()

+	log.Printf("capabilities self: resp: %#v\n", resp.Body)
 	var result CapabilitiesResponse
 	err = resp.DecodeJSON(&result)
 	return result.Capabilities, err
@ -38,6 +41,7 @@ func (c *Sys) Capabilities(token, path string) ([]string, error) {
 	}
 	defer resp.Body.Close()

+	log.Printf("capabilities: resp: %#v\n", resp.Body)
 	var result CapabilitiesResponse
 	err = resp.DecodeJSON(&result)
 	return result.Capabilities, err
--- a/http/sys_capabilities.go
+++ b/http/sys_capabilities.go
@ -1,7 +1,6 @@
 package http

 import (
-	"log"
 	"net/http"
 	"strings"

@ -80,7 +79,6 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 			return
 		}

-		log.Printf("path: %s\n", path)
 		if path == "sys/capabilities-self" {
 			// Get the auth for the request so we can access the token directly
 			req := requestAuth(r, &logical.Request{})
@ -101,18 +99,6 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 		}

 		respondLogical(w, r, path, false, resp)
-
-		/*
-			capabilities, err := core.Capabilities(data["token"].(string), data["path"].(string))
-			if err != nil {
-				respondErrorStatus(w, err)
-				return
-			}
-
-			respondOk(w, &capabilitiesResponse{
-				Capabilities: capabilities,
-			})
-		*/
 	})

 }
--- a/vault/capabilities.go
+++ b/vault/capabilities.go
@ -12,25 +12,6 @@ func (s *StatusBadRequest) Error() string {
 	return s.Err
 }

-// CapabilitiesAccessor is used to fetch the capabilities of the token
-// which associated with the given accessor on the given path
-func (c *Core) CapabilitiesAccessor(accessor, path string) ([]string, error) {
-	if path == "" {
-		return nil, &StatusBadRequest{Err: "missing path"}
-	}
-
-	if accessor == "" {
-		return nil, &StatusBadRequest{Err: "missing accessor"}
-	}
-
-	token, err := c.tokenStore.lookupByAccessor(accessor)
-	if err != nil {
-		return nil, err
-	}
-
-	return c.Capabilities(token, path)
-}
-
 // Capabilities is used to fetch the capabilities of the given token on the given path
 func (c *Core) Capabilities(token, path string) ([]string, error) {
 	if path == "" {
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -461,67 +461,35 @@ type SystemBackend struct {

 func (b *SystemBackend) handleCapabilities(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	log.Printf("handleCapabilities: request: %#v\n data:%#v\n", req, d)
-	token := d.Get("token").(string)
-	if token == "" {
-		return logical.ErrorResponse("missing token"), nil
-	}
-
-	path := d.Get("path").(string)
-	if path == "" {
-		return logical.ErrorResponse("missing path"), nil
-	}
-
-	te, err := b.Core.tokenStore.Lookup(token)
-	if err != nil {
-		return nil, err
-	}
-	if te == nil {
-		return logical.ErrorResponse("invalid token"), nil
-	}
-
-	if te.Policies == nil {
-		return &logical.Response{
-			Data: map[string]interface{}{
-				"capabilities": []string{DenyCapability},
-			},
-		}, nil
-	}
-
-	var policies []*Policy
-	for _, tePolicy := range te.Policies {
-		policy, err := b.Core.policyStore.GetPolicy(tePolicy)
-		if err != nil {
-			return nil, err
-		}
-		policies = append(policies, policy)
-	}
-
-	if len(policies) == 0 {
-		return &logical.Response{
-			Data: map[string]interface{}{
-				"capabilities": []string{DenyCapability},
-			},
-		}, nil
-	}
-
-	acl, err := NewACL(policies)
+	capabilities, err := b.Core.Capabilities(d.Get("token").(string), d.Get("path").(string))
 	if err != nil {
 		return nil, err
 	}

 	return &logical.Response{
 		Data: map[string]interface{}{
-			"capabilities": acl.Capabilities(path),
+			"capabilities": capabilities,
 		},
 	}, nil
 }

 func (b *SystemBackend) handleCapabilitiesAccessor(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	log.Printf("handleCapabilitiesAccessor: request: %#v\n data:%#v\n", req, d)
-	capabilities, err := b.Core.CapabilitiesAccessor(d.Get("accessor").(string), d.Get("path").(string))
+	accessor := d.Get("accessor").(string)
+	if accessor == "" {
+		return nil, &StatusBadRequest{Err: "missing accessor"}
+	}
+
+	token, err := b.Core.tokenStore.lookupByAccessor(accessor)
 	if err != nil {
 		return nil, err
 	}
+
+	capabilities, err := b.Core.Capabilities(token, d.Get("path").(string))
+	if err != nil {
+		return nil, err
+	}
+
 	return &logical.Response{
 		Data: map[string]interface{}{
 			"capabilities": capabilities,