Commit graph

47 commits

Author SHA1 Message Date
mgritter be2f69bc4a Check nil parameter value when processing an ACL. 2019-04-26 15:57:00 -07:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell aa6fafced9 Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532)
* Add prioritization when multiple segment/glob rules can match.

* Disallow ambiguous "+*" in policy paths.
2019-04-10 17:46:17 -04:00
Brian Kassouf ad3605e657
Revert "filtered-path endpoint (#6132)" (#6337)
This reverts commit dfdbb0bad975fab447f49766baaa5a6c956f8e3d.
2019-03-04 14:08:21 -08:00
ncabatoff 8814fe1ba5 filtered-path endpoint (#6132)
* First pass at filtered-path endpoint.  It seems to be working, but there are tests missing, and possibly some optimization to handle large key sets.

* Vendor go-cmp.

* Fix incomplete vendoring of go-cmp.

* Improve test coverage.  Fix bug whereby access to a subtree named X would expose existence of a the key named X at the same level.

* Add benchmarks, which showed that hasNonDenyCapability would be "expensive" to call for every member of a large folder.  Made a couple of minor tweaks so that now it can be done without allocations.

* Comment cleanup.

* Review requested changes: rename some funcs, use routeCommon instead of
querying storage directly.

* Keep the same endpoint for now, but move it from a LIST to a POST and allow multiple paths to be queried in one operation.

* Modify test to pass multiple paths in at once.

* Add endpoint to default policy.

* Move endpoint to /sys/access/filtered-path.
2019-03-04 11:04:29 -08:00
Jeff Mitchell 3dfa30acb4 Add ability to use path wildcard segments (#6164)
* Path globbing

* Add glob support at the beginning

* Ensure when evaluating an ACL that our path never has a leading slash. This already happens in the normal request path but not in tests; putting it here provides it for tests and extra safety in case the request path changes

* Simplify the algorithm, we don't really need to validate the prefix first as glob won't apply if it doesn't

* Add path segment wildcarding

* Disable path globbing for now

* Remove now-unneeded test

* Remove commented out globbing bits

* Remove more holdover glob bits

* Rename k var to something more clear
2019-02-14 18:31:43 -08:00
Vishal Nayak 332e32294a
Remove namespace.TestContext and namespace.TestNamespace (#5682) 2018-11-05 11:11:32 -05:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Chris Hoffman 3d8d887676
Add ability to require parameters in ACLs (#3510) 2017-11-02 07:18:49 -04:00
Jeff Mitchell c144f95be0 Sync over 2017-10-23 16:43:07 -04:00
Jeff Mitchell 654e7d92ac Properly lowercase policy names. (#3210)
Previously we lowercased names on ingress but not on lookup or delete
which could cause unexpected results. Now, just unilaterally lowercase
policy names on write and delete. On get, to avoid the performance hit
of always lowercasing when not necessary since it's in the critical
path, we have a minor optimization -- we check the LRU first before
normalizing. For tokens, because they're already normalized when adding
policies during creation, this should always work; it might just be
slower for API calls.

Fixes #3187
2017-08-18 19:47:23 -04:00
Jeff Mitchell ab5014534e Clone policy permissions and then use existing values rather than policy values for modifications (#2826)
Should fix #2804
2017-06-07 13:49:51 -04:00
Brian Kassouf e62f5dbc31 Allowed/Denied parameters support for globs (#2438)
* Add check for globbed strings

* Add tests for the acl globbing

* Fix bad test case
2017-03-03 14:50:55 -08:00
Jeff Mitchell 7f0a99e8eb Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 14:42:00 -05:00
Brian Kassouf dd5b541db6 Added test for the empty values array case 2017-02-21 16:02:00 -08:00
Brian Kassouf 9ec8dd3d17 PR feedback 2017-02-21 15:02:39 -08:00
Brian Kassouf 1c5264c66c ToLower parameter strings 2017-02-16 17:50:10 -08:00
Brian Kassouf 07799f665d Simplify the merging of two policies 2017-02-16 16:30:08 -08:00
Brian Kassouf 7229bdfd38 Remove debug code 2017-02-16 16:14:30 -08:00
Brian Kassouf 136730cb01 Update logic to fix a few edge cases: 2017-02-16 15:20:11 -08:00
Brian Kassouf 8d880f5181 Remove duplicate test case 2017-02-15 22:38:33 -08:00
Brian Kassouf 24d8710233 Fix the issue of returning on the first paramater check. Added tests for this case. 2017-02-15 22:13:18 -08:00
Jeff Mitchell da9e62bc24 Remove "permissions" from ACL 2017-02-15 21:12:26 -05:00
Brian Kassouf e1424c631e Add logic to merge the two arrays and refactor the test around merging 2017-01-20 11:16:46 -08:00
Brian Kassouf 1580296ae5 Update tests to check parsing of types 2017-01-19 18:13:39 -08:00
Brian Kassouf 5ccb3e052b Add tests for boolean values 2017-01-19 17:41:02 -08:00
Brian Kassouf f3870061ee fix some of the tests and rename allowed/dissallowed paramaters 2017-01-19 16:40:19 -08:00
Brian Kassouf 25b49b8bae Add test cases for map and integer types 2017-01-18 17:11:25 -08:00
Brian Kassouf be10ef9d42 Use deepequals and write tests for the allow/disallow values 2017-01-17 16:40:21 -08:00
mwoolsey 907e735541 Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-06 18:14:15 -08:00
lemondrank c63d9e9f24 added AllowOperation tests 2016-11-07 12:28:41 -08:00
ChaseLEngel a847caa4ae Moved Operations out of test cases variable. 2016-11-07 12:08:17 -08:00
ChaseLEngel e349d64dbc Finished merge testing. 2016-11-06 15:16:08 -08:00
mwoolsey 42e0ecb0b8 narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized 2016-11-06 13:38:25 -08:00
mwoolsey 2add5dbf3a Started the testing on merged pathCapabilites 2016-11-01 21:27:33 -07:00
ChaseLEngel 482ed0a659 Add merge testcases 2016-11-01 19:48:00 -07:00
lemondrank 975ac72822 started acl_test updates 2016-10-30 15:09:45 -07:00
ChaseLEngel 2ea4caeffb Update acl and policy tests to use Permissions. 2016-10-21 23:45:39 -07:00
vishalnayak 9947b33498 Added tests for disallowed_policies 2016-08-02 15:21:15 -04:00
vishalnayak aab24113b0 test cases for capabilities endpoint 2016-03-05 00:03:55 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Armon Dadgar 3d2fa8818e vault: adding another ACL test 2015-07-05 17:34:34 -06:00
Armon Dadgar 05b3fa836e vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 17:31:30 -06:00
Armon Dadgar 51ce336753 vault: Adding PolicyStore 2015-03-18 12:17:03 -07:00
Armon Dadgar 99abc11ec5 vault: Adding ACL representation 2015-03-17 18:31:20 -07:00