Commit graph

50 commits

Author SHA1 Message Date
Jeff Mitchell c683315b67
Check allowed/denied/required params on read calls. (#4579)
We added support a bit ago for some read operations to take in
parameters, so we should now apply these checks against them.
2018-05-16 11:28:46 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 0f7e3bb79b Add context to performPolicyChecks 2018-01-19 02:43:39 -05:00
Chris Hoffman 3d8d887676
Add ability to require parameters in ACLs (#3510) 2017-11-02 07:18:49 -04:00
Jeff Mitchell d38a699c32 Make compile 2017-10-23 17:15:56 -04:00
Jeff Mitchell c144f95be0 Sync over 2017-10-23 16:43:07 -04:00
Jeff Mitchell ab5014534e Clone policy permissions and then use existing values rather than policy values for modifications (#2826)
Should fix #2804
2017-06-07 13:49:51 -04:00
Brian Kassouf e62f5dbc31 Allowed/Denied parameters support for globs (#2438)
* Add check for globbed strings

* Add tests for the acl globbing

* Fix bad test case
2017-03-03 14:50:55 -08:00
Jeff Mitchell 7f0a99e8eb Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 14:42:00 -05:00
Brian Kassouf 9a9b89f16f Update confusing comment 2017-02-21 16:06:00 -08:00
Brian Kassouf a25132cec4 On merge favor values that have additive privileges 2017-02-21 15:53:27 -08:00
Brian Kassouf 9ec8dd3d17 PR feedback 2017-02-21 15:02:39 -08:00
Brian Kassouf 07799f665d Simplify the merging of two policies 2017-02-16 16:30:08 -08:00
Brian Kassouf 136730cb01 Update logic to fix a few edge cases: 2017-02-16 15:20:11 -08:00
Brian Kassouf f1d5b60b97 s/has/has been/ 2017-02-15 22:19:35 -08:00
Brian Kassouf c80593387c Remove unnecessary else condition 2017-02-15 22:18:20 -08:00
Brian Kassouf 24d8710233 Fix the issue of returning on the first paramater check. Added tests for this case. 2017-02-15 22:13:18 -08:00
Brian Kassouf e1424c631e Add logic to merge the two arrays and refactor the test around merging 2017-01-20 11:16:46 -08:00
Brian Kassouf 090736d4df Clean up logic a bit and add some comments 2017-01-19 18:41:15 -08:00
Brian Kassouf be10ef9d42 Use deepequals and write tests for the allow/disallow values 2017-01-17 16:40:21 -08:00
Brian Kassouf 1d3cae860b Start to check the values with allowed/dissallowed lists in policy. 2017-01-16 17:48:22 -08:00
mwoolsey 907e735541 Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-06 18:14:15 -08:00
ChaseLEngel e349d64dbc Finished merge testing. 2016-11-06 15:16:08 -08:00
mwoolsey 42e0ecb0b8 narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized 2016-11-06 13:38:25 -08:00
mwoolsey 2add5dbf3a Started the testing on merged pathCapabilites 2016-11-01 21:27:33 -07:00
mwoolsey b5669d73db Had to change what a wildcard value in a parameter mapped to, from a nil value to an empty struct 2016-10-28 12:54:37 -07:00
mwoolsey 3a0e01a5d7 Added the merging of wildcards to allowed and denied parameters. 2016-10-28 12:33:50 -07:00
ChaseLEngel 2ea4caeffb Update acl and policy tests to use Permissions. 2016-10-21 23:45:39 -07:00
ChaseLEngel 353241e328 Fixing type assertions. 2016-10-21 21:12:02 -07:00
mwoolsey ed982675a1 permissions structure now holds a map of strings to empty structs. Modified acl.go to acommidate these changes 2016-10-21 19:35:55 -07:00
ChaseLEngel c6b63b5312 Implemented AllowOperation parameter permission checking for request data. 2016-10-21 18:38:05 -07:00
ChaseLEngel c2b512cf46 Changed AllowOperation to take logical.Request 2016-10-16 16:29:52 -07:00
ChaseLEngel bd7711bebf Merge allowed and disallowed parameters maps. 2016-10-16 15:24:32 -07:00
ChaseLEngel d480df7141 Fixed Policy Permissions intergration and spelling. 2016-10-14 10:22:00 -07:00
mwoolsey 4582f2268c working on modifying AllowOperation in acl.go 2016-10-10 11:21:25 -07:00
mwoolsey 6aa9a1d165 updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 15:39:58 -07:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
vishalnayak 9946a2d8b5 refactoring changes due to acl.Capabilities 2016-03-04 18:55:48 -05:00
vishalnayak 9217c49184 Adding acl.Capabilities to do the path matching 2016-03-04 12:04:26 -05:00
Jeff Mitchell 7394f97439 Fix out-of-date comment 2016-03-03 13:37:51 -05:00
Jeff Mitchell f9bbe0fb04 Use logical operations instead of strings for comparison 2016-01-12 21:16:31 -05:00
Jeff Mitchell 4253299dfe Store uint32s in radix 2016-01-12 17:24:01 -05:00
Jeff Mitchell e58705b34c Cleanup 2016-01-12 17:10:48 -05:00
Jeff Mitchell 87fba5dad0 Convert map to bitmap 2016-01-12 17:08:10 -05:00
Jeff Mitchell ce5bd64244 Clean up HelpOperation 2016-01-12 14:34:49 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Armon Dadgar 05b3fa836e vault: Handle exact vs glob match, deny has highest precedence 2015-07-05 17:31:30 -06:00
Armon Dadgar fe402cdd87 vault: ignore a nil policy object, as it has no permissions 2015-03-24 15:49:17 -07:00
Armon Dadgar 99abc11ec5 vault: Adding ACL representation 2015-03-17 18:31:20 -07:00