luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/vault/acl.go
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities. 
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00

128 lines
3.4 KiB
Go
Raw Blame History

package vault
import (
"github.com/armon/go-radix"
"github.com/hashicorp/vault/logical"
)
var (
// permittedPolicyLevel is used to map each logical operation
// into the set of capabilities that allow the operation.
permittedPolicyLevels = map[logical.Operation][]string{
logical.CreateOperation: []string{CreateCapability},
logical.ReadOperation: []string{ReadCapability},
logical.UpdateOperation: []string{UpdateCapability},
logical.DeleteOperation: []string{DeleteCapability},
logical.ListOperation: []string{ListCapability},
logical.HelpOperation: []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability, DenyCapability},
logical.RevokeOperation: []string{UpdateCapability},
logical.RenewOperation: []string{UpdateCapability},
logical.RollbackOperation: []string{UpdateCapability},
}
)
// ACL is used to wrap a set of policies to provide
// an efficient interface for access control.
type ACL struct {
// exactRules contains the path policies that are exact
exactRules *radix.Tree
// globRules contains the path policies that glob
globRules *radix.Tree
// root is enabled if the "root" named policy is present.
root bool
}
// New is used to construct a policy based ACL from a set of policies.
func NewACL(policies []*Policy) (*ACL, error) {
// Initialize
a := &ACL{
exactRules: radix.New(),
globRules: radix.New(),
root: false,
}
// Inject each policy
for _, policy := range policies {
// Ignore a nil policy object
if policy == nil {
continue
}
// Check if this is root
if policy.Name == "root" {
a.root = true
}
for _, pc := range policy.Paths {
// Check which tree to use
tree := a.exactRules
if pc.Glob {
tree = a.globRules
}
// Check for an existing policy
raw, ok := tree.Get(pc.Prefix)
if !ok {
tree.Insert(pc.Prefix, pc)
continue
}
existing := raw.(*PathCapabilities)
switch {
case existing.CapabilitiesMap[DenyCapability]:
// If we are explicitly denied in the existing capability set,
// don't save anything else
case pc.CapabilitiesMap[DenyCapability]:
// If this new policy explicitly denies, only save the deny value
tree.Insert(pc.Prefix, pc)
default:
// Insert the capabilities in this new policy into the existing
// value; since it's a pointer we can just modify the
// underlying data
for k, _ := range pc.CapabilitiesMap {
existing.CapabilitiesMap[k] = true
}
}
}
}
return a, nil
}
// AllowOperation is used to check if the given operation is permitted
func (a *ACL) AllowOperation(op logical.Operation, path string) (opAllowed bool, sudoPriv bool) {
// Fast-path root
if a.root {
return true, true
}
// Help is always allowed
if op == logical.HelpOperation {
return true, false
}
// Find an exact matching rule, look for glob if no match
var policy *PathCapabilities
raw, ok := a.exactRules.Get(path)
if ok {
policy = raw.(*PathCapabilities)
goto CHECK
}
// Find a glob rule, default deny if no match
_, raw, ok = a.globRules.LongestPrefix(path)
if !ok {
return false, false
} else {
policy = raw.(*PathCapabilities)
}
CHECK:
// Check if the minimum permissions are met
// If "deny" has been explicitly set, only deny will be in the map, so we
// only need to check for the existence of other values
return policy.CapabilitiesMap[op.String()], policy.CapabilitiesMap[SudoCapability]
}
Reference in a new issue View git blame Copy permalink