diff --git a/vault/acl.go b/vault/acl.go index 09f1d7a71..9366640f1 100644 --- a/vault/acl.go +++ b/vault/acl.go @@ -1,6 +1,7 @@ package vault import ( + "fmt" "github.com/armon/go-radix" "github.com/hashicorp/vault/logical" ) @@ -20,6 +21,7 @@ type ACL struct { // New is used to construct a policy based ACL from a set of policies. func NewACL(policies []*Policy) (*ACL, error) { + fmt.Println("wakka") // Initialize a := &ACL{ exactRules: radix.New(), @@ -43,7 +45,7 @@ func NewACL(policies []*Policy) (*ACL, error) { if pc.Glob { tree = a.globRules } - + // Check for an existing policy raw, ok := tree.Get(pc.Prefix) if !ok { @@ -70,46 +72,46 @@ func NewACL(policies []*Policy) (*ACL, error) { tree.Insert(pc.Prefix, pc.Permissions) } - // Merge allowed parameters - for key, value := range permissions.AllowedParameters { - // Add new parameter - if _, ok := pc.Permissions.AllowedParameters[key]; !ok { - pc.Permissions.AllowedParameters[key] = permissions.AllowedParameters[key]; - continue - } + // Merge allowed parameters + for key, value := range permissions.AllowedParameters { + // Add new parameter + if _, ok := pc.Permissions.AllowedParameters[key]; !ok { + pc.Permissions.AllowedParameters[key] = permissions.AllowedParameters[key] + continue + } - // Take more general allowed - if (len(permissions.AllowedParameters[key]) == 0) || (len(pc.Permissions.AllowedParameters[key]) == 0) { - pc.Permissions.AllowedParameters[key] = nil - continue - } + // Take more general allowed + if (len(permissions.AllowedParameters[key]) == 0) || (len(pc.Permissions.AllowedParameters[key]) == 0) { + pc.Permissions.AllowedParameters[key] = nil + continue + } - // Merge allowed values for matching parameters - for _, element := range value { - pc.Permissions.AllowedParameters[key] = append(pc.Permissions.AllowedParameters[key], element) - } - } + // Merge allowed values for matching parameters + for _, element := range value { + pc.Permissions.AllowedParameters[key] = append(pc.Permissions.AllowedParameters[key], element) + } + } - // Merge disallowed parameters - for key, value := range permissions.DeniedParameters { - // Add new parameter - if _, ok := pc.Permissions.DeniedParameters[key]; !ok { - pc.Permissions.DeniedParameters[key] = permissions.DeniedParameters[key]; - continue - } + // Merge disallowed parameters + for key, value := range permissions.DeniedParameters { + // Add new parameter + if _, ok := pc.Permissions.DeniedParameters[key]; !ok { + pc.Permissions.DeniedParameters[key] = permissions.DeniedParameters[key] + continue + } - // Take more general disallowed - if (len(permissions.DeniedParameters[key]) == 0) || (len(pc.Permissions.DeniedParameters[key]) == 0) { - pc.Permissions.DeniedParameters[key] = nil - continue - } + // Take more general disallowed + if (len(permissions.DeniedParameters[key]) == 0) || (len(pc.Permissions.DeniedParameters[key]) == 0) { + pc.Permissions.DeniedParameters[key] = nil + continue + } + + // Merge disallowed values for matching parameters + for _, element := range value { + pc.Permissions.DeniedParameters[key] = append(pc.Permissions.DeniedParameters[key], element) + } + } - // Merge disallowed values for matching parameters - for _, element := range value { - pc.Permissions.DeniedParameters[key] = append(pc.Permissions.DeniedParameters[key], element) - } - } - tree.Insert(pc.Prefix, pc.Permissions) } @@ -128,8 +130,8 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) { raw, ok := a.exactRules.Get(path) if ok { - perm := raw.(Permissions) - capabilities = perm.CapabilitiesBitmap + perm := raw.(Permissions) + capabilities = perm.CapabilitiesBitmap goto CHECK } @@ -138,7 +140,7 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) { if !ok { return []string{DenyCapability} } else { - perm := raw.(Permissions) + perm := raw.(Permissions) capabilities = perm.CapabilitiesBitmap } @@ -177,6 +179,8 @@ CHECK: // change arguments to hold a full request that holds the operation, path, and parameter // that is to be modified. func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) { + fmt.Println(req.Operation) + fmt.Println(req.Data) // Fast-path root if a.root { return true, true @@ -185,8 +189,8 @@ func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) { /////////////////////////////////////////////////////////////////////////////////// // Parse Request and set variables to check on /////////////////////////////////////////////////////////////////////////////////// - op := req.Operation - path := req.Path + op := req.Operation + path := req.Path // Help is always allowed if op == logical.HelpOperation { @@ -238,13 +242,28 @@ CHECK: if !operationAllowed { return false, sudo } - /////////////////////////////////////////////////////////////////////////////////////////////////////// - // need to know how to access parameter/parameters. If only one it is trivial to look it up, - // if there are many, have to loop through and check each one. - /////////////////////////////////////////////////////////////////////////////////////////////////////// - //check whether parameter change is allowed - //if raw.AllowOperation[param_trying_to_be_set] + // Check parameter permissions for operations that can modify only. + if op == logical.UpdateOperation || op == logical.DeleteOperation || op == logical.CreateOperation { + // Check if all parameters have been denied + if _, ok := raw.DeniedParameter["*"]; ok { + return false, sudo + } + for _, value := range req.Data { + // Check if parameter has explictly been denied + if _, ok := raw.DeniedParameters[value]; ok { + return false, sudo + } + // Specfic parameters have been allowed + if len(raw.AllowedParameters) > 0 { + // Requested parameter is not in allowed list + if _, ok := raw.AllowedParameter[value]; !ok { + return false, sudo + } + } + } + return true, sudo + } return } diff --git a/vault/policy.go b/vault/policy.go index e21d0a784..925bf0b2e 100644 --- a/vault/policy.go +++ b/vault/policy.go @@ -63,14 +63,14 @@ type PathCapabilities struct { Prefix string Policy string Capabilities []string - Permissions *Permissions + Permissions *Permissions Glob bool } type Permissions struct { - CapabilitiesBitmap uint32 - AllowedParameters map[string][]string - DeniedParameters map[string][]string + CapabilitiesBitmap uint32 + AllowedParameters map[string][]string + DeniedParameters map[string][]string } // Parse is used to parse the specified ACL rules into an