Implemented AllowOperation parameter permission checking for request data.
This commit is contained in:
ChaseLEngel
parent
c2b512cf46
commit
c6b63b5312
113
vault/acl.go
113
vault/acl.go
|
|
@ -1,6 +1,7 @@
|
|||
package vault
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/armon/go-radix"
|
||||
"github.com/hashicorp/vault/logical"
|
||||
)
|
||||
|
|
@ -20,6 +21,7 @@ type ACL struct {
|
|||
|
||||
// New is used to construct a policy based ACL from a set of policies.
|
||||
func NewACL(policies []*Policy) (*ACL, error) {
|
||||
fmt.Println("wakka")
|
||||
// Initialize
|
||||
a := &ACL{
|
||||
exactRules: radix.New(),
|
||||
|
|
@ -43,7 +45,7 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
|||
if pc.Glob {
|
||||
tree = a.globRules
|
||||
}
|
||||
|
||||
|
||||
// Check for an existing policy
|
||||
raw, ok := tree.Get(pc.Prefix)
|
||||
if !ok {
|
||||
|
|
@ -70,46 +72,46 @@ func NewACL(policies []*Policy) (*ACL, error) {
|
|||
tree.Insert(pc.Prefix, pc.Permissions)
|
||||
}
|
||||
|
||||
// Merge allowed parameters
|
||||
for key, value := range permissions.AllowedParameters {
|
||||
// Add new parameter
|
||||
if _, ok := pc.Permissions.AllowedParameters[key]; !ok {
|
||||
pc.Permissions.AllowedParameters[key] = permissions.AllowedParameters[key];
|
||||
continue
|
||||
}
|
||||
// Merge allowed parameters
|
||||
for key, value := range permissions.AllowedParameters {
|
||||
// Add new parameter
|
||||
if _, ok := pc.Permissions.AllowedParameters[key]; !ok {
|
||||
pc.Permissions.AllowedParameters[key] = permissions.AllowedParameters[key]
|
||||
continue
|
||||
}
|
||||
|
||||
// Take more general allowed
|
||||
if (len(permissions.AllowedParameters[key]) == 0) || (len(pc.Permissions.AllowedParameters[key]) == 0) {
|
||||
pc.Permissions.AllowedParameters[key] = nil
|
||||
continue
|
||||
}
|
||||
// Take more general allowed
|
||||
if (len(permissions.AllowedParameters[key]) == 0) || (len(pc.Permissions.AllowedParameters[key]) == 0) {
|
||||
pc.Permissions.AllowedParameters[key] = nil
|
||||
continue
|
||||
}
|
||||
|
||||
// Merge allowed values for matching parameters
|
||||
for _, element := range value {
|
||||
pc.Permissions.AllowedParameters[key] = append(pc.Permissions.AllowedParameters[key], element)
|
||||
}
|
||||
}
|
||||
// Merge allowed values for matching parameters
|
||||
for _, element := range value {
|
||||
pc.Permissions.AllowedParameters[key] = append(pc.Permissions.AllowedParameters[key], element)
|
||||
}
|
||||
}
|
||||
|
||||
// Merge disallowed parameters
|
||||
for key, value := range permissions.DeniedParameters {
|
||||
// Add new parameter
|
||||
if _, ok := pc.Permissions.DeniedParameters[key]; !ok {
|
||||
pc.Permissions.DeniedParameters[key] = permissions.DeniedParameters[key];
|
||||
continue
|
||||
}
|
||||
// Merge disallowed parameters
|
||||
for key, value := range permissions.DeniedParameters {
|
||||
// Add new parameter
|
||||
if _, ok := pc.Permissions.DeniedParameters[key]; !ok {
|
||||
pc.Permissions.DeniedParameters[key] = permissions.DeniedParameters[key]
|
||||
continue
|
||||
}
|
||||
|
||||
// Take more general disallowed
|
||||
if (len(permissions.DeniedParameters[key]) == 0) || (len(pc.Permissions.DeniedParameters[key]) == 0) {
|
||||
pc.Permissions.DeniedParameters[key] = nil
|
||||
continue
|
||||
}
|
||||
// Take more general disallowed
|
||||
if (len(permissions.DeniedParameters[key]) == 0) || (len(pc.Permissions.DeniedParameters[key]) == 0) {
|
||||
pc.Permissions.DeniedParameters[key] = nil
|
||||
continue
|
||||
}
|
||||
|
||||
// Merge disallowed values for matching parameters
|
||||
for _, element := range value {
|
||||
pc.Permissions.DeniedParameters[key] = append(pc.Permissions.DeniedParameters[key], element)
|
||||
}
|
||||
}
|
||||
|
||||
// Merge disallowed values for matching parameters
|
||||
for _, element := range value {
|
||||
pc.Permissions.DeniedParameters[key] = append(pc.Permissions.DeniedParameters[key], element)
|
||||
}
|
||||
}
|
||||
|
||||
tree.Insert(pc.Prefix, pc.Permissions)
|
||||
|
||||
}
|
||||
|
|
@ -128,8 +130,8 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
|
|||
raw, ok := a.exactRules.Get(path)
|
||||
|
||||
if ok {
|
||||
perm := raw.(Permissions)
|
||||
capabilities = perm.CapabilitiesBitmap
|
||||
perm := raw.(Permissions)
|
||||
capabilities = perm.CapabilitiesBitmap
|
||||
goto CHECK
|
||||
}
|
||||
|
||||
|
|
@ -138,7 +140,7 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
|
|||
if !ok {
|
||||
return []string{DenyCapability}
|
||||
} else {
|
||||
perm := raw.(Permissions)
|
||||
perm := raw.(Permissions)
|
||||
capabilities = perm.CapabilitiesBitmap
|
||||
}
|
||||
|
||||
|
|
@ -177,6 +179,8 @@ CHECK:
|
|||
// change arguments to hold a full request that holds the operation, path, and parameter
|
||||
// that is to be modified.
|
||||
func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) {
|
||||
fmt.Println(req.Operation)
|
||||
fmt.Println(req.Data)
|
||||
// Fast-path root
|
||||
if a.root {
|
||||
return true, true
|
||||
|
|
@ -185,8 +189,8 @@ func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) {
|
|||
///////////////////////////////////////////////////////////////////////////////////
|
||||
// Parse Request and set variables to check on
|
||||
///////////////////////////////////////////////////////////////////////////////////
|
||||
op := req.Operation
|
||||
path := req.Path
|
||||
op := req.Operation
|
||||
path := req.Path
|
||||
|
||||
// Help is always allowed
|
||||
if op == logical.HelpOperation {
|
||||
|
|
@ -238,13 +242,28 @@ CHECK:
|
|||
if !operationAllowed {
|
||||
return false, sudo
|
||||
}
|
||||
///////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
// need to know how to access parameter/parameters. If only one it is trivial to look it up,
|
||||
// if there are many, have to loop through and check each one.
|
||||
///////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
//check whether parameter change is allowed
|
||||
|
||||
//if raw.AllowOperation[param_trying_to_be_set]
|
||||
// Check parameter permissions for operations that can modify only.
|
||||
if op == logical.UpdateOperation || op == logical.DeleteOperation || op == logical.CreateOperation {
|
||||
// Check if all parameters have been denied
|
||||
if _, ok := raw.DeniedParameter["*"]; ok {
|
||||
return false, sudo
|
||||
}
|
||||
for _, value := range req.Data {
|
||||
// Check if parameter has explictly been denied
|
||||
if _, ok := raw.DeniedParameters[value]; ok {
|
||||
return false, sudo
|
||||
}
|
||||
// Specfic parameters have been allowed
|
||||
if len(raw.AllowedParameters) > 0 {
|
||||
// Requested parameter is not in allowed list
|
||||
if _, ok := raw.AllowedParameter[value]; !ok {
|
||||
return false, sudo
|
||||
}
|
||||
}
|
||||
}
|
||||
return true, sudo
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
|
|
|||
|
|
@ -63,14 +63,14 @@ type PathCapabilities struct {
|
|||
Prefix string
|
||||
Policy string
|
||||
Capabilities []string
|
||||
Permissions *Permissions
|
||||
Permissions *Permissions
|
||||
Glob bool
|
||||
}
|
||||
|
||||
type Permissions struct {
|
||||
CapabilitiesBitmap uint32
|
||||
AllowedParameters map[string][]string
|
||||
DeniedParameters map[string][]string
|
||||
CapabilitiesBitmap uint32
|
||||
AllowedParameters map[string][]string
|
||||
DeniedParameters map[string][]string
|
||||
}
|
||||
|
||||
// Parse is used to parse the specified ACL rules into an
|
||||
|
|
|
|||
Loading…
Reference in New Issue