Jeff Mitchell
3dfa30acb4
Add ability to use path wildcard segments ( #6164 )
...
* Path globbing
* Add glob support at the beginning
* Ensure when evaluating an ACL that our path never has a leading slash. This already happens in the normal request path but not in tests; putting it here provides it for tests and extra safety in case the request path changes
* Simplify the algorithm, we don't really need to validate the prefix first as glob won't apply if it doesn't
* Add path segment wildcarding
* Disable path globbing for now
* Remove now-unneeded test
* Remove commented out globbing bits
* Remove more holdover glob bits
* Rename k var to something more clear
2019-02-14 18:31:43 -08:00
Jeff Mitchell
c5d8391c38
Prefix path rename ( #6089 )
...
* Rename Prefix -> Path in internal struct
* Update test
2019-01-23 15:04:49 -05:00
Jeff Mitchell
a11f2a3ba2
Rename glob -> prefix in ACL internals ( #6086 )
...
Really, it's a prefix
2019-01-23 13:55:40 -05:00
Jeff Mitchell
59bc9dd361
Add missing value to policy ShallowClone
...
Not related to a bug, just happened to notice it.
2019-01-23 13:20:04 -05:00
Jim Kalafut
d0e2badbae
Run goimports across the repository ( #6010 )
...
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Jeff Mitchell
919b968c27
The big one ( #5346 )
2018-09-17 23:03:00 -04:00
Chris Hoffman
716fb03ab7
perform policy templating on each path ( #5229 )
2018-08-30 18:45:11 -04:00
Jeff Mitchell
f5024770dc
Allow comment key in policies
2018-08-24 09:42:47 -04:00
Jeff Mitchell
ba0d029247
Restricts ACL templating to paths but allows failures ( #5167 )
...
When a templating failure happens, we now simply ignore that path,
rather than fail all access to all policies
2018-08-23 12:15:02 -04:00
Jeff Mitchell
71d92ef093
ACL Templating ( #4994 )
...
* Initial work on templating
* Add check for unbalanced closing in front
* Add missing templated assignment
* Add first cut of end-to-end test on templating.
* Make template errors be 403s and finish up testing
* Review feedback
2018-08-15 11:42:56 -07:00
Calvin Leung Huang
c4abeb9ea5
Move checkHCLKeys into hclutil ( #4749 )
2018-06-12 12:38:08 -04:00
Vishal Nayak
28e3eb9e2c
Errwrap everywhere ( #4252 )
...
* package api
* package builtin/credential
* package builtin/logical
* package command
* package helper
* package http and logical
* package physical
* package shamir
* package vault
* package vault
* address feedback
* more fixes
2018-04-05 11:49:21 -04:00
Chris Hoffman
3d8d887676
Add ability to require parameters in ACLs ( #3510 )
2017-11-02 07:18:49 -04:00
Jeff Mitchell
8e9317792d
Fix some merge/update bugs
2017-10-23 16:49:46 -04:00
Jeff Mitchell
47dae8ffc7
Sync
2017-10-23 14:59:37 -04:00
Jeff Mitchell
ab5014534e
Clone policy permissions and then use existing values rather than policy values for modifications ( #2826 )
...
Should fix #2804
2017-06-07 13:49:51 -04:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell
7f0a99e8eb
Add max/min wrapping TTL ACL statements ( #2411 )
2017-02-27 14:42:00 -05:00
Brian Kassouf
1c5264c66c
ToLower parameter strings
2017-02-16 17:50:10 -08:00
Jeff Mitchell
da9e62bc24
Remove "permissions" from ACL
2017-02-15 21:12:26 -05:00
Brian Kassouf
7ec19459a7
Remove extra comments
2017-01-20 11:38:40 -08:00
Brian Kassouf
df800198e0
Remove some extra comments
2017-01-20 11:32:58 -08:00
Brian Kassouf
37f393ff94
Remove unneeded comment block
2017-01-19 18:18:06 -08:00
Brian Kassouf
f3870061ee
fix some of the tests and rename allowed/dissallowed paramaters
2017-01-19 16:40:19 -08:00
mwoolsey
907e735541
Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow.
2016-12-06 18:14:15 -08:00
ChaseLEngel
2ea4caeffb
Update acl and policy tests to use Permissions.
2016-10-21 23:45:39 -07:00
mwoolsey
ed982675a1
permissions structure now holds a map of strings to empty structs. Modified acl.go to acommidate these changes
2016-10-21 19:35:55 -07:00
ChaseLEngel
c6b63b5312
Implemented AllowOperation parameter permission checking for request data.
2016-10-21 18:38:05 -07:00
ChaseLEngel
c2b512cf46
Changed AllowOperation to take logical.Request
2016-10-16 16:29:52 -07:00
ChaseLEngel
bd7711bebf
Merge allowed and disallowed parameters maps.
2016-10-16 15:24:32 -07:00
mwoolsey
93bb52b733
policy now includes whether a certain parameter can be updated
2016-10-15 16:44:57 -07:00
mwoolsey
231d3e7758
policy now includes whether a certain parameter can be updated
2016-10-15 16:43:55 -07:00
ChaseLEngel
119dd9653e
Adding permissions to hcl config and decoding it.
2016-10-14 14:24:45 -07:00
ChaseLEngel
bd5235960c
Fixed permission conflicts
2016-10-14 10:33:12 -07:00
ChaseLEngel
d480df7141
Fixed Policy Permissions intergration and spelling.
2016-10-14 10:22:00 -07:00
mwoolsey
eb8b8a1def
created structure for permissions and modified parsePaths in policy.go and newAcl/AllowOperation in acl.go
2016-10-14 10:17:25 -07:00
mwoolsey
6aa9a1d165
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure
2016-10-09 15:39:58 -07:00
Seth Vargo
f6adea85ce
Preserve pointer
2016-03-10 15:55:47 -05:00
Seth Vargo
ad7049eed1
Parse policy HCL syntax and keys
2016-03-10 15:25:25 -05:00
vishalnayak
9946a2d8b5
refactoring changes due to acl.Capabilities
2016-03-04 18:55:48 -05:00
Jeff Mitchell
9717ca5931
Strip leading paths in policies.
...
It appears to be a common mistake, but they won't ever match.
Fixes #1167
2016-03-03 11:32:48 -05:00
Jeff Mitchell
87fba5dad0
Convert map to bitmap
2016-01-12 17:08:10 -05:00
Jeff Mitchell
4f4ddbf017
Create more granular ACL capabilities.
...
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jesse Szwedko
6ef455af89
Fix warnings returned by make vet
...
$GOPATH/src/github.com/hashicorp/vault/vault/policy.go:69: unreachable code
$GOPATH/src/github.com/hashicorp/vault/vault/policy_store_test.go:139: github.com/hashicorp/vault/logical.StorageEntry composite literal uses unkeyed fields
2015-09-26 21:17:39 -07:00
Armon Dadgar
eda88c18ff
vault: Adding precedence logic for conflicting policy
2015-07-05 17:30:19 -06:00
Armon Dadgar
27d01270c8
vault: look for glob character in policy
2015-07-05 14:58:38 -07:00
Armon Dadgar
f40ed182c4
vault: Support policy CRUD
2015-03-23 14:43:31 -07:00
Armon Dadgar
061b6b24f1
vault: Refactor to use CollectKeys
2015-03-18 12:06:18 -07:00
Armon Dadgar
99abc11ec5
vault: Adding ACL representation
2015-03-17 18:31:20 -07:00
Armon Dadgar
ddab671bf4
vault: Adding policy parsing
2015-03-17 15:53:29 -07:00