luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Remove "permissions" from ACL

This commit is contained in:
Jeff Mitchell 2017-02-15 21:12:26 -05:00
parent 51f7114648
commit da9e62bc24
3 changed files with 213 additions and 246 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

297
vault/acl_test.go
View File

@ -214,7 +214,7 @@ func testLayeredACL(t *testing.T, acl *ACL) {
}
}
func TestPolicyMerge(t *testing.T) {
func TestACL_PolicyMerge(t *testing.T) {
policy, err := Parse(mergingPolicies)
if err != nil {
t.Fatalf("err: %v", err)
@ -256,7 +256,7 @@ func TestPolicyMerge(t *testing.T) {
}
}
func TestAllowOperation(t *testing.T) {
func TestACL_AllowOperation(t *testing.T) {
policy, err := Parse(permissionsPolicy)
if err != nil {
t.Fatalf("err: %v", err)
@ -306,7 +306,7 @@ func TestAllowOperation(t *testing.T) {
}
}
func TestValuePermissions(t *testing.T) {
func TestACL_ValuePermissions(t *testing.T) {
policy, err := Parse(valuePermissionsPolicy)
if err != nil {
t.Fatalf("err: %v", err)
@ -434,122 +434,93 @@ var mergingPolicies = `
name = "ops"
path "foo/bar" {
policy = "write"
permissions = {
denied_parameters = {
"baz" = []
}
denied_parameters = {
"baz" = []
}
}
path "foo/bar" {
policy = "write"
permissions = {
denied_parameters = {
"zip" = []
}
denied_parameters = {
"zip" = []
}
}
path "hello/universe" {
policy = "write"
permissions = {
allowed_parameters = {
"foo" = []
}
allowed_parameters = {
"foo" = []
}
}
path "hello/universe" {
policy = "write"
permissions = {
allowed_parameters = {
"bar" = []
}
}
}
path "allow/all" {
policy = "write"
permissions = {
allowed_parameters = {
"test" = []
}
allowed_parameters = {
"bar" = []
}
}
path "allow/all" {
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
}
}
allowed_parameters = {
"test" = []
}
}
path "allow/all" {
policy = "write"
allowed_parameters = {
"*" = []
}
}
path "allow/all1" {
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
}
}
allowed_parameters = {
"*" = []
}
}
path "allow/all1" {
policy = "write"
permissions = {
allowed_parameters = {
"test" = []
}
}
}
path "deny/all" {
policy = "write"
permissions = {
denied_parameters = {
"frank" = []
}
allowed_parameters = {
"test" = []
}
}
path "deny/all" {
policy = "write"
permissions = {
denied_parameters = {
"*" = []
}
}
denied_parameters = {
"frank" = []
}
}
path "deny/all" {
policy = "write"
denied_parameters = {
"*" = []
}
}
path "deny/all1" {
policy = "write"
permissions = {
denied_parameters = {
"*" = []
}
}
denied_parameters = {
"*" = []
}
}
path "deny/all1" {
policy = "write"
permissions = {
denied_parameters = {
"test" = []
}
}
}
path "value/merge" {
policy = "write"
permissions = {
allowed_parameters = {
"test" = [1, 2]
}
denied_parameters = {
"test" = [1, 2]
}
denied_parameters = {
"test" = []
}
}
path "value/merge" {
policy = "write"
permissions = {
allowed_parameters = {
"test" = [3, 4]
}
denied_parameters = {
"test" = [3, 4]
}
}
allowed_parameters = {
"test" = [1, 2]
}
denied_parameters = {
"test" = [1, 2]
}
}
path "value/merge" {
policy = "write"
allowed_parameters = {
"test" = [3, 4]
}
denied_parameters = {
"test" = [3, 4]
}
}
`
@ -559,93 +530,75 @@ name = "dev"
path "dev/*" {
policy = "write"
permissions = {
allowed_parameters = {
"zip" = []
}
}
allowed_parameters = {
"zip" = []
}
}
path "foo/bar" {
policy = "write"
permissions = {
denied_parameters = {
"zap" = []
}
}
denied_parameters = {
"zap" = []
}
}
path "foo/baz" {
policy = "write"
permissions = {
allowed_parameters = {
"hello" = []
}
denied_parameters = {
"zap" = []
}
}
allowed_parameters = {
"hello" = []
}
denied_parameters = {
"zap" = []
}
}
path "broken/phone" {
policy = "write"
permissions = {
allowed_parameters = {
"steve" = []
}
denied_parameters = {
"steve" = []
}
allowed_parameters = {
"steve" = []
}
denied_parameters = {
"steve" = []
}
}
path "hello/world" {
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
}
denied_parameters = {
"*" = []
}
}
allowed_parameters = {
"*" = []
}
denied_parameters = {
"*" = []
}
}
path "tree/fort" {
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
}
denied_parameters = {
"beer" = []
}
}
allowed_parameters = {
"*" = []
}
denied_parameters = {
"beer" = []
}
}
path "fruit/apple" {
policy = "write"
permissions = {
allowed_parameters = {
"pear" = []
}
denied_parameters = {
"*" = []
}
}
allowed_parameters = {
"pear" = []
}
denied_parameters = {
"*" = []
}
}
path "cold/weather" {
policy = "write"
permissions = {
allowed_parameters = {}
denied_parameters = {}
}
allowed_parameters = {}
denied_parameters = {}
}
path "var/aws" {
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
}
denied_parameters = {
"soft" = []
"warm" = []
"kitty" = []
}
policy = "write"
allowed_parameters = {
"*" = []
}
denied_parameters = {
"soft" = []
"warm" = []
"kitty" = []
}
}
`
@ -656,53 +609,43 @@ name = "op"
path "dev/*" {
policy = "write"
permissions = {
allowed_parameters = {
"allow" = ["good"]
}
allowed_parameters = {
"allow" = ["good"]
}
}
path "foo/bar" {
policy = "write"
permissions = {
denied_parameters = {
"deny" = ["bad"]
}
denied_parameters = {
"deny" = ["bad"]
}
}
path "foo/baz" {
policy = "write"
permissions = {
allowed_parameters = {
"allow" = ["good"]
}
denied_parameters = {
"deny" = ["bad"]
}
allowed_parameters = {
"allow" = ["good"]
}
denied_parameters = {
"deny" = ["bad"]
}
}
path "fizz/buzz" {
policy = "write"
permissions = {
allowed_parameters = {
"allow_multi" = ["good", "good1", "good2"]
"allow" = ["good"]
}
denied_parameters = {
"deny_multi" = ["bad", "bad1", "bad2"]
}
allowed_parameters = {
"allow_multi" = ["good", "good1", "good2"]
"allow" = ["good"]
}
denied_parameters = {
"deny_multi" = ["bad", "bad1", "bad2"]
}
}
path "test/types" {
policy = "write"
permissions = {
allowed_parameters = {
"map" = [{"good" = "one"}]
"int" = [1, 2]
}
denied_parameters = {
"bool" = [false]
}
allowed_parameters = {
"map" = [{"good" = "one"}]
"int" = [1, 2]
}
denied_parameters = {
"bool" = [false]
}
}
`

18
vault/policy.go
View File

@ -60,15 +60,20 @@ type Policy struct {
type PathCapabilities struct {
Prefix string
Policy string
Capabilities []string
Permissions *Permissions
Glob bool
Capabilities []string
// These two keys are used at the top level to make the HCL nicer; we store
// in the Permissions object though
AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"`
DeniedParametersHCL map[string][]interface{} `hcl:"denied_parameters"`
}
type Permissions struct {
CapabilitiesBitmap uint32
AllowedParameters map[string][]interface{} `hcl:"allowed_parameters"`
DeniedParameters map[string][]interface{} `hcl:"denied_parameters"`
AllowedParameters map[string][]interface{}
DeniedParameters map[string][]interface{}
}
// Parse is used to parse the specified ACL rules into an
@ -122,7 +127,8 @@ func parsePaths(result *Policy, list *ast.ObjectList) error {
valid := []string{
"policy",
"capabilities",
"permissions",
"allowed_parameters",
"denied_parameters",
}
if err := checkHCLKeys(item.Val, valid); err != nil {
return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
@ -181,8 +187,10 @@ func parsePaths(result *Policy, list *ast.ObjectList) error {
}
}
PathFinished:
pc.Permissions.AllowedParameters = pc.AllowedParametersHCL
pc.Permissions.DeniedParameters = pc.DeniedParametersHCL
PathFinished:
paths = append(paths, &pc)
}

144
vault/policy_test.go
View File

@ -40,50 +40,42 @@ path "foo/bar" {
# Check that only allowed_parameters are being added to foobar
path "foo/bar" {
capabilities = ["create", "sudo"]
permissions = {
allowed_parameters = {
"zip" = []
"zap" = []
}
allowed_parameters = {
"zip" = []
"zap" = []
}
}
# Check that only denied_parameters are being added to bazbar
path "baz/bar" {
capabilities = ["create", "sudo"]
permissions = {
denied_parameters = {
"zip" = []
"zap" = []
}
denied_parameters = {
"zip" = []
"zap" = []
}
}
# Check that both allowed and denied parameters are being added to bizbar
path "biz/bar" {
capabilities = ["create", "sudo"]
permissions = {
allowed_parameters = {
"zim" = []
"zam" = []
}
denied_parameters = {
"zip" = []
"zap" = []
}
allowed_parameters = {
"zim" = []
"zam" = []
}
denied_parameters = {
"zip" = []
"zap" = []
}
}
path "test/types" {
capabilities = ["create", "sudo"]
permissions = {
allowed_parameters = {
"map" = [{"good" = "one"}]
"int" = [1, 2]
}
denied_parameters = {
"string" = ["test"]
"bool" = [false]
}
allowed_parameters = {
"map" = [{"good" = "one"}]
"int" = [1, 2]
}
denied_parameters = {
"string" = ["test"]
"bool" = [false]
}
}
`)
@ -99,15 +91,19 @@ func TestPolicy_Parse(t *testing.T) {
}
expect := []*PathCapabilities{
&PathCapabilities{"", "deny",
[]string{
&PathCapabilities{
Prefix: "",
Policy: "deny",
Capabilities: []string{
"deny",
},
&Permissions{CapabilitiesBitmap: DenyCapabilityInt},
true,
Permissions: &Permissions{CapabilitiesBitmap: DenyCapabilityInt},
Glob: true,
},
&PathCapabilities{"stage/", "sudo",
[]string{
&PathCapabilities{
Prefix: "stage/",
Policy: "sudo",
Capabilities: []string{
"create",
"read",
"update",
@ -115,80 +111,100 @@ func TestPolicy_Parse(t *testing.T) {
"list",
"sudo",
},
&Permissions{
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | ReadCapabilityInt | UpdateCapabilityInt | DeleteCapabilityInt | ListCapabilityInt | SudoCapabilityInt),
},
true,
Glob: true,
},
&PathCapabilities{"prod/version", "read",
[]string{
&PathCapabilities{
Prefix: "prod/version",
Policy: "read",
Capabilities: []string{
"read",
"list",
},
&Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)},
false,
Permissions: &Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)},
Glob: false,
},
&PathCapabilities{"foo/bar", "read",
[]string{
&PathCapabilities{
Prefix: "foo/bar",
Policy: "read",
Capabilities: []string{
"read",
"list",
},
&Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)},
false,
Permissions: &Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)},
Glob: false,
},
&PathCapabilities{"foo/bar", "",
[]string{
&PathCapabilities{
Prefix: "foo/bar",
Policy: "",
Capabilities: []string{
"create",
"sudo",
},
&Permissions{CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt)},
false,
Permissions: &Permissions{CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt)},
Glob: false,
},
&PathCapabilities{"foo/bar", "",
[]string{
&PathCapabilities{
Prefix: "foo/bar",
Policy: "",
Capabilities: []string{
"create",
"sudo",
},
&Permissions{
AllowedParametersHCL: map[string][]interface{}{"zip": {}, "zap": {}},
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
AllowedParameters: map[string][]interface{}{"zip": {}, "zap": {}},
},
false,
Glob: false,
},
&PathCapabilities{"baz/bar", "",
[]string{
&PathCapabilities{
Prefix: "baz/bar",
Policy: "",
Capabilities: []string{
"create",
"sudo",
},
&Permissions{
DeniedParametersHCL: map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}},
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
DeniedParameters: map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}},
},
false,
Glob: false,
},
&PathCapabilities{"biz/bar", "",
[]string{
&PathCapabilities{
Prefix: "biz/bar",
Policy: "",
Capabilities: []string{
"create",
"sudo",
},
&Permissions{
AllowedParametersHCL: map[string][]interface{}{"zim": {}, "zam": {}},
DeniedParametersHCL: map[string][]interface{}{"zip": {}, "zap": {}},
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
AllowedParameters: map[string][]interface{}{"zim": {}, "zam": {}},
DeniedParameters: map[string][]interface{}{"zip": {}, "zap": {}},
},
false,
Glob: false,
},
&PathCapabilities{"test/types", "",
[]string{
&PathCapabilities{
Prefix: "test/types",
Policy: "",
Capabilities: []string{
"create",
"sudo",
},
&Permissions{
AllowedParametersHCL: map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}},
DeniedParametersHCL: map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}},
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
AllowedParameters: map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}},
DeniedParameters: map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}},
},
false,
Glob: false,
},
}
if !reflect.DeepEqual(p.Paths, expect) {