luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
11,135 Commits 1 Branch 0 Tags 214 MiB
Commit Graph

65 Commits

Author SHA1 Message Date
mgritter be2f69bc4a Check nil parameter value when processing an ACL. 2019-04-26 15:57:00 -07:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell aa6fafced9 Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) 
* Add prioritization when multiple segment/glob rules can match.

* Disallow ambiguous "+*" in policy paths.
 2019-04-10 17:46:17 -04:00
Brian Kassouf ad3605e657
Revert "filtered-path endpoint (#6132)" (#6337) 
This reverts commit dfdbb0bad975fab447f49766baaa5a6c956f8e3d.
 2019-03-04 14:08:21 -08:00
ncabatoff 8814fe1ba5 filtered-path endpoint (#6132) 
* First pass at filtered-path endpoint.  It seems to be working, but there are tests missing, and possibly some optimization to handle large key sets.

* Vendor go-cmp.

* Fix incomplete vendoring of go-cmp.

* Improve test coverage.  Fix bug whereby access to a subtree named X would expose existence of a the key named X at the same level.

* Add benchmarks, which showed that hasNonDenyCapability would be "expensive" to call for every member of a large folder.  Made a couple of minor tweaks so that now it can be done without allocations.

* Comment cleanup.

* Review requested changes: rename some funcs, use routeCommon instead of
querying storage directly.

* Keep the same endpoint for now, but move it from a LIST to a POST and allow multiple paths to be queried in one operation.

* Modify test to pass multiple paths in at once.

* Add endpoint to default policy.

* Move endpoint to /sys/access/filtered-path.
 2019-03-04 11:04:29 -08:00
Jeff Mitchell 3dfa30acb4 Add ability to use path wildcard segments (#6164) 
* Path globbing

* Add glob support at the beginning

* Ensure when evaluating an ACL that our path never has a leading slash. This already happens in the normal request path but not in tests; putting it here provides it for tests and extra safety in case the request path changes

* Simplify the algorithm, we don't really need to validate the prefix first as glob won't apply if it doesn't

* Add path segment wildcarding

* Disable path globbing for now

* Remove now-unneeded test

* Remove commented out globbing bits

* Remove more holdover glob bits

* Rename k var to something more clear
 2019-02-14 18:31:43 -08:00
Jeff Mitchell c5d8391c38
Prefix path rename (#6089) 
* Rename Prefix -> Path in internal struct

* Update test
 2019-01-23 15:04:49 -05:00
Jeff Mitchell a11f2a3ba2
Rename glob -> prefix in ACL internals (#6086) 
Really, it's a prefix
 2019-01-23 13:55:40 -05:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Jeff Mitchell 4761209331 Fix build 2018-08-27 19:59:59 -04:00
Jeff Mitchell b44b25d816
Allow fallback to non /-suffixed path for list acling (#5197) 
This works around a very, very common error where people write policies
to affect listing but forget the slash at the end. If there is no exact
rule with a slash at the end when doing a list, we look to see if there
is a rule without it, and if so, use those capabilities.

Fixes #mass-user-confusion
 2018-08-27 16:44:07 -07:00
Vishal Nayak ee07e6ae59
Checks for assigning root policy (#5152) 
* Fail if other policies present along with root

* disallow entity/group to contain root policy
 2018-08-21 16:12:23 -04:00
Jeff Mitchell 4798af88f9
Fix some cases where unauthorized calls could return 400 (#5083) 2018-08-10 08:59:58 -05:00
Jeff Mitchell 575a606db7
Move TokenEntry into logical. (#4729) 
This allows the HTTP logicalAuth handler to cache the value in the
logical.Request, avoiding a lookup later when performing acl
checks/counting a use.
 2018-06-08 17:24:27 -04:00
Jeff Mitchell 6b345ccdef
Use copystructure when assigning allowed/denied params from nil check (#4585) 
Fixes #4582
 2018-05-18 13:33:49 -07:00
Jeff Mitchell c683315b67
Check allowed/denied/required params on read calls. (#4579) 
We added support a bit ago for some read operations to take in
parameters, so we should now apply these checks against them.
 2018-05-16 11:28:46 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 0f7e3bb79b Add context to performPolicyChecks 2018-01-19 02:43:39 -05:00
Chris Hoffman 3d8d887676
Add ability to require parameters in ACLs (#3510) 2017-11-02 07:18:49 -04:00
Jeff Mitchell d38a699c32 Make compile 2017-10-23 17:15:56 -04:00
Jeff Mitchell c144f95be0 Sync over 2017-10-23 16:43:07 -04:00
Jeff Mitchell ab5014534e Clone policy permissions and then use existing values rather than policy values for modifications (#2826) 
Should fix #2804
 2017-06-07 13:49:51 -04:00
Brian Kassouf e62f5dbc31 Allowed/Denied parameters support for globs (#2438) 
* Add check for globbed strings

* Add tests for the acl globbing

* Fix bad test case
 2017-03-03 14:50:55 -08:00
Jeff Mitchell 7f0a99e8eb Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 14:42:00 -05:00
Brian Kassouf 9a9b89f16f Update confusing comment 2017-02-21 16:06:00 -08:00
Brian Kassouf a25132cec4 On merge favor values that have additive privileges 2017-02-21 15:53:27 -08:00
Brian Kassouf 9ec8dd3d17 PR feedback 2017-02-21 15:02:39 -08:00
Brian Kassouf 07799f665d Simplify the merging of two policies 2017-02-16 16:30:08 -08:00
Brian Kassouf 136730cb01 Update logic to fix a few edge cases: 2017-02-16 15:20:11 -08:00
Brian Kassouf f1d5b60b97 s/has/has been/ 2017-02-15 22:19:35 -08:00
Brian Kassouf c80593387c Remove unnecessary else condition 2017-02-15 22:18:20 -08:00
Brian Kassouf 24d8710233 Fix the issue of returning on the first paramater check. Added tests for this case. 2017-02-15 22:13:18 -08:00
Brian Kassouf e1424c631e Add logic to merge the two arrays and refactor the test around merging 2017-01-20 11:16:46 -08:00
Brian Kassouf 090736d4df Clean up logic a bit and add some comments 2017-01-19 18:41:15 -08:00
Brian Kassouf be10ef9d42 Use deepequals and write tests for the allow/disallow values 2017-01-17 16:40:21 -08:00
Brian Kassouf 1d3cae860b Start to check the values with allowed/dissallowed lists in policy. 2017-01-16 17:48:22 -08:00
mwoolsey 907e735541 Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-06 18:14:15 -08:00
ChaseLEngel e349d64dbc Finished merge testing. 2016-11-06 15:16:08 -08:00
mwoolsey 42e0ecb0b8 narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized 2016-11-06 13:38:25 -08:00
mwoolsey 2add5dbf3a Started the testing on merged pathCapabilites 2016-11-01 21:27:33 -07:00
mwoolsey b5669d73db Had to change what a wildcard value in a parameter mapped to, from a nil value to an empty struct 2016-10-28 12:54:37 -07:00
mwoolsey 3a0e01a5d7 Added the merging of wildcards to allowed and denied parameters. 2016-10-28 12:33:50 -07:00
ChaseLEngel 2ea4caeffb Update acl and policy tests to use Permissions. 2016-10-21 23:45:39 -07:00
ChaseLEngel 353241e328 Fixing type assertions. 2016-10-21 21:12:02 -07:00
mwoolsey ed982675a1 permissions structure now holds a map of strings to empty structs. Modified acl.go to acommidate these changes 2016-10-21 19:35:55 -07:00
ChaseLEngel c6b63b5312 Implemented AllowOperation parameter permission checking for request data. 2016-10-21 18:38:05 -07:00
ChaseLEngel c2b512cf46 Changed AllowOperation to take logical.Request 2016-10-16 16:29:52 -07:00
ChaseLEngel bd7711bebf Merge allowed and disallowed parameters maps. 2016-10-16 15:24:32 -07:00
ChaseLEngel d480df7141 Fixed Policy Permissions intergration and spelling. 2016-10-14 10:22:00 -07:00
mwoolsey 4582f2268c working on modifying AllowOperation in acl.go 2016-10-10 11:21:25 -07:00