From dcb7f00bcc748ded0e89a02df77f0d5499471e15 Mon Sep 17 00:00:00 2001
From: vishalnayak <vishalnayakv@gmail.com>
Date: Thu, 17 Mar 2016 13:33:49 -0400
Subject: [PATCH] Move sys/capabilities to logical_system along with business
 logic from core

---
 http/sys_capabilities.go | 23 ++++++-----
 vault/logical_system.go  | 86 ++++++++++++++++++++++++++++++++++++----
 2 files changed, 92 insertions(+), 17 deletions(-)

diff --git a/http/sys_capabilities.go b/http/sys_capabilities.go
index f43b8f8d6..235006a04 100644
--- a/http/sys_capabilities.go
+++ b/http/sys_capabilities.go
@@ -1,6 +1,7 @@
 package http
 
 import (
+	"log"
 	"net/http"
 	"strings"
 
@@ -79,9 +80,11 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 			return
 		}
 
-		if strings.HasPrefix(r.URL.Path, "/v1/sys/capabilities-self") {
+		log.Printf("path: %s\n", path)
+		if path == "sys/capabilities-self" {
 			// Get the auth for the request so we can access the token directly
 			req := requestAuth(r, &logical.Request{})
+			path = "sys/capabilities"
 			data["token"] = req.ClientToken
 		}
 
@@ -99,15 +102,17 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 
 		respondLogical(w, r, path, false, resp)
 
-		capabilities, err := core.Capabilities(data["token"].(string), data["path"].(string))
-		if err != nil {
-			respondErrorStatus(w, err)
-			return
-		}
+		/*
+			capabilities, err := core.Capabilities(data["token"].(string), data["path"].(string))
+			if err != nil {
+				respondErrorStatus(w, err)
+				return
+			}
 
-		respondOk(w, &capabilitiesResponse{
-			Capabilities: capabilities,
-		})
+			respondOk(w, &capabilitiesResponse{
+				Capabilities: capabilities,
+			})
+		*/
 	})
 
 }
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 610cbb2f5..28f97c11b 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -56,12 +56,33 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) logical.Backend
 				},
 
 				Callbacks: map[logical.Operation]framework.OperationFunc{
-					logical.UpdateOperation: b.handleCapabilitiesAccessorUpdate,
+					logical.UpdateOperation: b.handleCapabilitiesAccessor,
 				},
 
 				HelpSynopsis:    "help_synopsis_capabilities_accessor",
 				HelpDescription: "help_description_capabilities_accessor",
 			},
+			&framework.Path{
+				Pattern: "capabilities$",
+
+				Fields: map[string]*framework.FieldSchema{
+					"token": &framework.FieldSchema{
+						Type:        framework.TypeString,
+						Description: "Token",
+					},
+					"path": &framework.FieldSchema{
+						Type:        framework.TypeString,
+						Description: "Path for which capabilities are being queried.",
+					},
+				},
+
+				Callbacks: map[logical.Operation]framework.OperationFunc{
+					logical.UpdateOperation: b.handleCapabilities,
+				},
+
+				HelpSynopsis:    "help_synopsis_capabilities",
+				HelpDescription: "help_description_capabilities",
+			},
 
 			&framework.Path{
 				Pattern: "rekey/backup$",
@@ -438,17 +459,66 @@ type SystemBackend struct {
 	Backend *framework.Backend
 }
 
-func (b *SystemBackend) handleCapabilitiesAccessorUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	log.Printf("handleCapabilitiesAccessorUpdate: request: %#v\n data:%#v\n", req, d)
-	accessor := d.Get("accessor").(string)
-	if accessor == "" {
-		return logical.ErrorResponse("missing accessor"), nil
+func (b *SystemBackend) handleCapabilities(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	log.Printf("handleCapabilities: request: %#v\n data:%#v\n", req, d)
+	token := d.Get("token").(string)
+	if token == "" {
+		return logical.ErrorResponse("missing token"), nil
 	}
+
 	path := d.Get("path").(string)
-	if accessor == "" {
+	if path == "" {
 		return logical.ErrorResponse("missing path"), nil
 	}
-	capabilities, err := b.Core.CapabilitiesAccessor(accessor, path)
+
+	te, err := b.Core.tokenStore.Lookup(token)
+	if err != nil {
+		return nil, err
+	}
+	if te == nil {
+		return logical.ErrorResponse("invalid token"), nil
+	}
+
+	if te.Policies == nil {
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"capabilities": []string{DenyCapability},
+			},
+		}, nil
+	}
+
+	var policies []*Policy
+	for _, tePolicy := range te.Policies {
+		policy, err := b.Core.policyStore.GetPolicy(tePolicy)
+		if err != nil {
+			return nil, err
+		}
+		policies = append(policies, policy)
+	}
+
+	if len(policies) == 0 {
+		return &logical.Response{
+			Data: map[string]interface{}{
+				"capabilities": []string{DenyCapability},
+			},
+		}, nil
+	}
+
+	acl, err := NewACL(policies)
+	if err != nil {
+		return nil, err
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"capabilities": acl.Capabilities(path),
+		},
+	}, nil
+}
+
+func (b *SystemBackend) handleCapabilitiesAccessor(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	log.Printf("handleCapabilitiesAccessor: request: %#v\n data:%#v\n", req, d)
+	capabilities, err := b.Core.CapabilitiesAccessor(d.Get("accessor").(string), d.Get("path").(string))
 	if err != nil {
 		return nil, err
 	}