Brian Kassouf
ad3605e657
Revert "filtered-path endpoint ( #6132 )" ( #6337 )
This reverts commit dfdbb0bad975fab447f49766baaa5a6c956f8e3d.
2019-03-04 14:08:21 -08:00
ncabatoff
8814fe1ba5
filtered-path endpoint ( #6132 )
* First pass at filtered-path endpoint. It seems to be working, but there are tests missing, and possibly some optimization to handle large key sets.
* Vendor go-cmp.
* Fix incomplete vendoring of go-cmp.
* Improve test coverage. Fix bug whereby access to a subtree named X would expose existence of the key named X at the same level.
* Add benchmarks, which showed that hasNonDenyCapability would be "expensive" to call for every member of a large folder. Made a couple of minor tweaks so that now it can be done without allocations.
* Comment cleanup.
* Review requested changes: rename some funcs, use routeCommon instead of
querying storage directly.
* Keep the same endpoint for now, but move it from a LIST to a POST and allow multiple paths to be queried in one operation.
* Modify test to pass multiple paths in at once.
* Add endpoint to default policy.
* Move endpoint to /sys/access/filtered-path.
2019-03-04 11:04:29 -08:00
Jeff Mitchell
3dfa30acb4
Add ability to use path wildcard segments ( #6164 )
* Path globbing
* Add glob support at the beginning
* Ensure when evaluating an ACL that our path never has a leading slash. This already happens in the normal request path but not in tests; putting it here provides it for tests and extra safety in case the request path changes
* Simplify the algorithm, we don't really need to validate the prefix first as glob won't apply if it doesn't
* Add path segment wildcarding
* Disable path globbing for now
* Remove now-unneeded test
* Remove commented out globbing bits
* Remove more holdover glob bits
* Rename k var to something more clear
2019-02-14 18:31:43 -08:00
Jeff Mitchell
c5d8391c38
Prefix path rename ( #6089 )
* Rename Prefix -> Path in internal struct
* Update test
2019-01-23 15:04:49 -05:00
Jeff Mitchell
a11f2a3ba2
Rename glob -> prefix in ACL internals ( #6086 )
Really, it's a prefix
2019-01-23 13:55:40 -05:00
Jeff Mitchell
919b968c27
The big one ( #5346 )
2018-09-17 23:03:00 -04:00
Jeff Mitchell
4761209331
Fix build
2018-08-27 19:59:59 -04:00
Jeff Mitchell
b44b25d816
Allow fallback to non /-suffixed path for list acling ( #5197 )
This works around a very, very common error where people write policies
to affect listing but forget the slash at the end. If there is no exact
rule with a slash at the end when doing a list, we look to see if there
is a rule without it, and if so, use those capabilities.
Fixes #mass-user-confusion
2018-08-27 16:44:07 -07:00
Vishal Nayak
ee07e6ae59
Checks for assigning root policy ( #5152 )
* Fail if other policies present along with root
* disallow entity/group to contain root policy
2018-08-21 16:12:23 -04:00
Jeff Mitchell
4798af88f9
Fix some cases where unauthorized calls could return 400 ( #5083 )
2018-08-10 08:59:58 -05:00
Jeff Mitchell
575a606db7
Move TokenEntry into logical. ( #4729 )
This allows the HTTP logicalAuth handler to cache the value in the
logical.Request, avoiding a lookup later when performing acl
checks/counting a use.
2018-06-08 17:24:27 -04:00
Jeff Mitchell
6b345ccdef
Use copystructure when assigning allowed/denied params from nil check ( #4585 )
Fixes #4582
2018-05-18 13:33:49 -07:00
Jeff Mitchell
c683315b67
Check allowed/denied/required params on read calls. ( #4579 )
We added support a bit ago for some read operations to take in
parameters, so we should now apply these checks against them.
2018-05-16 11:28:46 -04:00
Josh Soref
73b1fde82f
Spelling ( #4119 )
2018-03-20 14:54:10 -04:00
Jeff Mitchell
0f7e3bb79b
Add context to performPolicyChecks
2018-01-19 02:43:39 -05:00
Chris Hoffman
3d8d887676
Add ability to require parameters in ACLs ( #3510 )
2017-11-02 07:18:49 -04:00
Jeff Mitchell
d38a699c32
Make compile
2017-10-23 17:15:56 -04:00
Jeff Mitchell
c144f95be0
Sync over
2017-10-23 16:43:07 -04:00
Jeff Mitchell
ab5014534e
Clone policy permissions and then use existing values rather than policy values for modifications ( #2826 )
Should fix #2804
2017-06-07 13:49:51 -04:00
Brian Kassouf
e62f5dbc31
Allowed/Denied parameters support for globs ( #2438 )
* Add check for globbed strings
* Add tests for the acl globbing
* Fix bad test case
2017-03-03 14:50:55 -08:00
Jeff Mitchell
7f0a99e8eb
Add max/min wrapping TTL ACL statements ( #2411 )
2017-02-27 14:42:00 -05:00
Brian Kassouf
9a9b89f16f
Update confusing comment
2017-02-21 16:06:00 -08:00
Brian Kassouf
a25132cec4
On merge favor values that have additive privileges
2017-02-21 15:53:27 -08:00
Brian Kassouf
9ec8dd3d17
PR feedback
2017-02-21 15:02:39 -08:00
Brian Kassouf
07799f665d
Simplify the merging of two policies
2017-02-16 16:30:08 -08:00
Brian Kassouf
136730cb01
Update logic to fix a few edge cases:
2017-02-16 15:20:11 -08:00
Brian Kassouf
f1d5b60b97
s/has/has been/
2017-02-15 22:19:35 -08:00
Brian Kassouf
c80593387c
Remove unnecessary else condition
2017-02-15 22:18:20 -08:00
Brian Kassouf
24d8710233
Fix the issue of returning on the first parameter check. Added tests for this case.
2017-02-15 22:13:18 -08:00
Brian Kassouf
e1424c631e
Add logic to merge the two arrays and refactor the test around merging
2017-01-20 11:16:46 -08:00
Brian Kassouf
090736d4df
Clean up logic a bit and add some comments
2017-01-19 18:41:15 -08:00
Brian Kassouf
be10ef9d42
Use deepequals and write tests for the allow/disallow values
2017-01-17 16:40:21 -08:00
Brian Kassouf
1d3cae860b
Start to check the values with allowed/disallowed lists in policy.
2017-01-16 17:48:22 -08:00
mwoolsey
907e735541
Permissions were changed from a structure to an array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow.
2016-12-06 18:14:15 -08:00
ChaseLEngel
e349d64dbc
Finished merge testing.
2016-11-06 15:16:08 -08:00
mwoolsey
42e0ecb0b8
narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized
2016-11-06 13:38:25 -08:00
mwoolsey
2add5dbf3a
Started the testing on merged pathCapabilities
2016-11-01 21:27:33 -07:00
mwoolsey
b5669d73db
Had to change what a wildcard value in a parameter mapped to, from a nil value to an empty struct
2016-10-28 12:54:37 -07:00
mwoolsey
3a0e01a5d7
Added the merging of wildcards to allowed and denied parameters.
2016-10-28 12:33:50 -07:00
ChaseLEngel
2ea4caeffb
Update acl and policy tests to use Permissions.
2016-10-21 23:45:39 -07:00
ChaseLEngel
353241e328
Fixing type assertions.
2016-10-21 21:12:02 -07:00
mwoolsey
ed982675a1
permissions structure now holds a map of strings to empty structs. Modified acl.go to accommodate these changes
2016-10-21 19:35:55 -07:00
ChaseLEngel
c6b63b5312
Implemented AllowOperation parameter permission checking for request data.
2016-10-21 18:38:05 -07:00
ChaseLEngel
c2b512cf46
Changed AllowOperation to take logical.Request
2016-10-16 16:29:52 -07:00
ChaseLEngel
bd7711bebf
Merge allowed and disallowed parameters maps.
2016-10-16 15:24:32 -07:00
ChaseLEngel
d480df7141
Fixed Policy Permissions integration and spelling.
2016-10-14 10:22:00 -07:00
mwoolsey
4582f2268c
working on modifying AllowOperation in acl.go
2016-10-10 11:21:25 -07:00
mwoolsey
6aa9a1d165
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilities structure
2016-10-09 15:39:58 -07:00
Sean Chittenden
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
vishalnayak
9946a2d8b5
refactoring changes due to acl.Capabilities
2016-03-04 18:55:48 -05:00