open-vault/vault/policy.go

540 lines
16 KiB
Go

package vault
import (
"errors"
"fmt"
"strings"
"time"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/hcl"
"github.com/hashicorp/hcl/hcl/ast"
"github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/helper/hclutil"
"github.com/hashicorp/vault/sdk/helper/identitytpl"
"github.com/hashicorp/vault/sdk/logical"
"github.com/mitchellh/copystructure"
)
const (
DenyCapability = "deny"
CreateCapability = "create"
ReadCapability = "read"
UpdateCapability = "update"
DeleteCapability = "delete"
ListCapability = "list"
SudoCapability = "sudo"
RootCapability = "root"
PatchCapability = "patch"
// Backwards compatibility
OldDenyPathPolicy = "deny"
OldReadPathPolicy = "read"
OldWritePathPolicy = "write"
OldSudoPathPolicy = "sudo"
)
const (
DenyCapabilityInt uint32 = 1 << iota
CreateCapabilityInt
ReadCapabilityInt
UpdateCapabilityInt
DeleteCapabilityInt
ListCapabilityInt
SudoCapabilityInt
PatchCapabilityInt
)
// Error constants for testing
const (
// ControlledCapabilityPolicySubsetError is thrown when a control group's controlled capabilities
// are not a subset of the policy's capabilities.
ControlledCapabilityPolicySubsetError = "control group factor capabilities must be a subset of the policy's capabilities"
)
type PolicyType uint32
const (
PolicyTypeACL PolicyType = iota
PolicyTypeRGP
PolicyTypeEGP
// Triggers a lookup in the map to figure out if ACL or RGP
PolicyTypeToken
)
func (p PolicyType) String() string {
switch p {
case PolicyTypeACL:
return "acl"
case PolicyTypeRGP:
return "rgp"
case PolicyTypeEGP:
return "egp"
}
return ""
}
var cap2Int = map[string]uint32{
DenyCapability: DenyCapabilityInt,
CreateCapability: CreateCapabilityInt,
ReadCapability: ReadCapabilityInt,
UpdateCapability: UpdateCapabilityInt,
DeleteCapability: DeleteCapabilityInt,
ListCapability: ListCapabilityInt,
SudoCapability: SudoCapabilityInt,
PatchCapability: PatchCapabilityInt,
}
type egpPath struct {
Path string `json:"path"`
Glob bool `json:"glob"`
}
// Policy is used to represent the policy specified by an ACL configuration.
type Policy struct {
sentinelPolicy
Name string `hcl:"name"`
Paths []*PathRules `hcl:"-"`
Raw string
Type PolicyType
Templated bool
namespace *namespace.Namespace
}
// ShallowClone returns a shallow clone of the policy. This should not be used
// if any of the reference-typed fields are going to be modified
func (p *Policy) ShallowClone() *Policy {
return &Policy{
sentinelPolicy: p.sentinelPolicy,
Name: p.Name,
Paths: p.Paths,
Raw: p.Raw,
Type: p.Type,
Templated: p.Templated,
namespace: p.namespace,
}
}
// PathRules represents a policy for a path in the namespace.
type PathRules struct {
Path string
Policy string
Permissions *ACLPermissions
IsPrefix bool
HasSegmentWildcards bool
Capabilities []string
// These keys are used at the top level to make the HCL nicer; we store in
// the ACLPermissions object though
MinWrappingTTLHCL interface{} `hcl:"min_wrapping_ttl"`
MaxWrappingTTLHCL interface{} `hcl:"max_wrapping_ttl"`
AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"`
DeniedParametersHCL map[string][]interface{} `hcl:"denied_parameters"`
RequiredParametersHCL []string `hcl:"required_parameters"`
MFAMethodsHCL []string `hcl:"mfa_methods"`
ControlGroupHCL *ControlGroupHCL `hcl:"control_group"`
}
type ControlGroupHCL struct {
TTL interface{} `hcl:"ttl"`
Factors map[string]*ControlGroupFactor `hcl:"factor"`
}
type ControlGroup struct {
TTL time.Duration
Factors []*ControlGroupFactor
}
type ControlGroupFactor struct {
Name string
Identity *IdentityFactor `hcl:"identity"`
ControlledCapabilities []string `hcl:"controlled_capabilities"`
}
type IdentityFactor struct {
GroupIDs []string `hcl:"group_ids"`
GroupNames []string `hcl:"group_names"`
ApprovalsRequired int `hcl:"approvals"`
}
type ACLPermissions struct {
CapabilitiesBitmap uint32
MinWrappingTTL time.Duration
MaxWrappingTTL time.Duration
AllowedParameters map[string][]interface{}
DeniedParameters map[string][]interface{}
RequiredParameters []string
MFAMethods []string
ControlGroup *ControlGroup
GrantingPoliciesMap map[uint32][]logical.PolicyInfo
}
func (p *ACLPermissions) Clone() (*ACLPermissions, error) {
ret := &ACLPermissions{
CapabilitiesBitmap: p.CapabilitiesBitmap,
MinWrappingTTL: p.MinWrappingTTL,
MaxWrappingTTL: p.MaxWrappingTTL,
RequiredParameters: p.RequiredParameters[:],
}
switch {
case p.AllowedParameters == nil:
case len(p.AllowedParameters) == 0:
ret.AllowedParameters = make(map[string][]interface{})
default:
clonedAllowed, err := copystructure.Copy(p.AllowedParameters)
if err != nil {
return nil, err
}
ret.AllowedParameters = clonedAllowed.(map[string][]interface{})
}
switch {
case p.DeniedParameters == nil:
case len(p.DeniedParameters) == 0:
ret.DeniedParameters = make(map[string][]interface{})
default:
clonedDenied, err := copystructure.Copy(p.DeniedParameters)
if err != nil {
return nil, err
}
ret.DeniedParameters = clonedDenied.(map[string][]interface{})
}
switch {
case p.MFAMethods == nil:
case len(p.MFAMethods) == 0:
ret.MFAMethods = []string{}
default:
clonedMFAMethods, err := copystructure.Copy(p.MFAMethods)
if err != nil {
return nil, err
}
ret.MFAMethods = clonedMFAMethods.([]string)
}
switch {
case p.ControlGroup == nil:
default:
clonedControlGroup, err := copystructure.Copy(p.ControlGroup)
if err != nil {
return nil, err
}
ret.ControlGroup = clonedControlGroup.(*ControlGroup)
}
switch {
case p.GrantingPoliciesMap == nil:
case len(p.GrantingPoliciesMap) == 0:
ret.GrantingPoliciesMap = make(map[uint32][]logical.PolicyInfo)
default:
clonedGrantingPoliciesMap, err := copystructure.Copy(p.GrantingPoliciesMap)
if err != nil {
return nil, err
}
ret.GrantingPoliciesMap = clonedGrantingPoliciesMap.(map[uint32][]logical.PolicyInfo)
}
return ret, nil
}
func addGrantingPoliciesToMap(m map[uint32][]logical.PolicyInfo, policy *Policy, capabilitiesBitmap uint32) map[uint32][]logical.PolicyInfo {
if m == nil {
m = make(map[uint32][]logical.PolicyInfo)
}
// For all possible policies, check if the provided capabilities include
// them
for _, capability := range cap2Int {
if capabilitiesBitmap&capability == 0 {
continue
}
m[capability] = append(m[capability], logical.PolicyInfo{
Name: policy.Name,
NamespaceId: policy.namespace.ID,
Type: "acl",
})
}
return m
}
// ParseACLPolicy is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func ParseACLPolicy(ns *namespace.Namespace, rules string) (*Policy, error) {
return parseACLPolicyWithTemplating(ns, rules, false, nil, nil)
}
// parseACLPolicyWithTemplating performs the actual work and checks whether we
// should perform substitutions. If performTemplating is true we know that it
// is templated so we don't check again, otherwise we check to see if it's a
// templated policy.
func parseACLPolicyWithTemplating(ns *namespace.Namespace, rules string, performTemplating bool, entity *identity.Entity, groups []*identity.Group) (*Policy, error) {
// Parse the rules
root, err := hcl.Parse(rules)
if err != nil {
return nil, fmt.Errorf("failed to parse policy: %w", err)
}
// Top-level item should be the object list
list, ok := root.Node.(*ast.ObjectList)
if !ok {
return nil, fmt.Errorf("failed to parse policy: does not contain a root object")
}
// Check for invalid top-level keys
valid := []string{
"name",
"path",
}
if err := hclutil.CheckHCLKeys(list, valid); err != nil {
return nil, fmt.Errorf("failed to parse policy: %w", err)
}
// Create the initial policy and store the raw text of the rules
p := Policy{
Raw: rules,
Type: PolicyTypeACL,
namespace: ns,
}
if err := hcl.DecodeObject(&p, list); err != nil {
return nil, fmt.Errorf("failed to parse policy: %w", err)
}
if o := list.Filter("path"); len(o.Items) > 0 {
if err := parsePaths(&p, o, performTemplating, entity, groups); err != nil {
return nil, fmt.Errorf("failed to parse policy: %w", err)
}
}
return &p, nil
}
func parsePaths(result *Policy, list *ast.ObjectList, performTemplating bool, entity *identity.Entity, groups []*identity.Group) error {
paths := make([]*PathRules, 0, len(list.Items))
for _, item := range list.Items {
key := "path"
if len(item.Keys) > 0 {
key = item.Keys[0].Token.Value().(string)
}
// Check the path
if performTemplating {
_, templated, err := identitytpl.PopulateString(identitytpl.PopulateStringInput{
Mode: identitytpl.ACLTemplating,
String: key,
Entity: identity.ToSDKEntity(entity),
Groups: identity.ToSDKGroups(groups),
NamespaceID: result.namespace.ID,
})
if err != nil {
continue
}
key = templated
} else {
hasTemplating, _, err := identitytpl.PopulateString(identitytpl.PopulateStringInput{
Mode: identitytpl.ACLTemplating,
ValidityCheckOnly: true,
String: key,
})
if err != nil {
return fmt.Errorf("failed to validate policy templating: %w", err)
}
if hasTemplating {
result.Templated = true
}
}
valid := []string{
"comment",
"policy",
"capabilities",
"allowed_parameters",
"denied_parameters",
"required_parameters",
"min_wrapping_ttl",
"max_wrapping_ttl",
"mfa_methods",
"control_group",
}
if err := hclutil.CheckHCLKeys(item.Val, valid); err != nil {
return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
}
var pc PathRules
// allocate memory so that DecodeObject can initialize the ACLPermissions struct
pc.Permissions = new(ACLPermissions)
pc.Path = key
if err := hcl.DecodeObject(&pc, item.Val); err != nil {
return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
}
// Strip a leading '/' as paths in Vault start after the / in the API path
if len(pc.Path) > 0 && pc.Path[0] == '/' {
pc.Path = pc.Path[1:]
}
// Ensure we are using the full request path internally
pc.Path = result.namespace.Path + pc.Path
if strings.Contains(pc.Path, "+*") {
return fmt.Errorf("path %q: invalid use of wildcards ('+*' is forbidden)", pc.Path)
}
if pc.Path == "+" || strings.Count(pc.Path, "/+") > 0 || strings.HasPrefix(pc.Path, "+/") {
pc.HasSegmentWildcards = true
}
if strings.HasSuffix(pc.Path, "*") {
// If there are segment wildcards, don't actually strip the
// trailing asterisk, but don't want to hit the default case
if !pc.HasSegmentWildcards {
// Strip the glob character if found
pc.Path = strings.TrimSuffix(pc.Path, "*")
pc.IsPrefix = true
}
}
// Map old-style policies into capabilities
if len(pc.Policy) > 0 {
switch pc.Policy {
case OldDenyPathPolicy:
pc.Capabilities = []string{DenyCapability}
case OldReadPathPolicy:
pc.Capabilities = append(pc.Capabilities, []string{ReadCapability, ListCapability}...)
case OldWritePathPolicy:
pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability}...)
case OldSudoPathPolicy:
pc.Capabilities = append(pc.Capabilities, []string{CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability}...)
default:
return fmt.Errorf("path %q: invalid policy %q", key, pc.Policy)
}
}
// Initialize the map
pc.Permissions.CapabilitiesBitmap = 0
for _, cap := range pc.Capabilities {
switch cap {
// If it's deny, don't include any other capability
case DenyCapability:
pc.Capabilities = []string{DenyCapability}
pc.Permissions.CapabilitiesBitmap = DenyCapabilityInt
goto PathFinished
case CreateCapability, ReadCapability, UpdateCapability, DeleteCapability, ListCapability, SudoCapability, PatchCapability:
pc.Permissions.CapabilitiesBitmap |= cap2Int[cap]
default:
return fmt.Errorf("path %q: invalid capability %q", key, cap)
}
}
if pc.AllowedParametersHCL != nil {
pc.Permissions.AllowedParameters = make(map[string][]interface{}, len(pc.AllowedParametersHCL))
for key, val := range pc.AllowedParametersHCL {
pc.Permissions.AllowedParameters[strings.ToLower(key)] = val
}
}
if pc.DeniedParametersHCL != nil {
pc.Permissions.DeniedParameters = make(map[string][]interface{}, len(pc.DeniedParametersHCL))
for key, val := range pc.DeniedParametersHCL {
pc.Permissions.DeniedParameters[strings.ToLower(key)] = val
}
}
if pc.MinWrappingTTLHCL != nil {
dur, err := parseutil.ParseDurationSecond(pc.MinWrappingTTLHCL)
if err != nil {
return fmt.Errorf("error parsing min_wrapping_ttl: %w", err)
}
pc.Permissions.MinWrappingTTL = dur
}
if pc.MaxWrappingTTLHCL != nil {
dur, err := parseutil.ParseDurationSecond(pc.MaxWrappingTTLHCL)
if err != nil {
return fmt.Errorf("error parsing max_wrapping_ttl: %w", err)
}
pc.Permissions.MaxWrappingTTL = dur
}
if pc.MFAMethodsHCL != nil {
pc.Permissions.MFAMethods = make([]string, len(pc.MFAMethodsHCL))
for idx, item := range pc.MFAMethodsHCL {
pc.Permissions.MFAMethods[idx] = item
}
}
if pc.ControlGroupHCL != nil {
pc.Permissions.ControlGroup = new(ControlGroup)
if pc.ControlGroupHCL.TTL != nil {
dur, err := parseutil.ParseDurationSecond(pc.ControlGroupHCL.TTL)
if err != nil {
return fmt.Errorf("error parsing control group max ttl: %w", err)
}
pc.Permissions.ControlGroup.TTL = dur
}
var factors []*ControlGroupFactor
if pc.ControlGroupHCL.Factors != nil {
for key, factor := range pc.ControlGroupHCL.Factors {
// Although we only have one factor here, we need to check to make sure there is at least
// one factor defined in this factor block.
if factor.Identity == nil {
return errors.New("no control_group factor provided")
}
if factor.Identity.ApprovalsRequired <= 0 ||
(len(factor.Identity.GroupIDs) == 0 && len(factor.Identity.GroupNames) == 0) {
return errors.New("must provide more than one identity group and approvals > 0")
}
// Ensure that configured ControlledCapabilities for factor are a subset of the
// Capabilities of the policy.
if len(factor.ControlledCapabilities) > 0 {
var found bool
for _, controlledCapability := range factor.ControlledCapabilities {
found = false
for _, policyCap := range pc.Capabilities {
if controlledCapability == policyCap {
found = true
}
}
if !found {
return errors.New(ControlledCapabilityPolicySubsetError)
}
}
}
factors = append(factors, &ControlGroupFactor{
Name: key,
Identity: factor.Identity,
ControlledCapabilities: factor.ControlledCapabilities,
})
}
}
if len(factors) == 0 {
return errors.New("no control group factors provided")
}
pc.Permissions.ControlGroup.Factors = factors
}
if pc.Permissions.MinWrappingTTL != 0 &&
pc.Permissions.MaxWrappingTTL != 0 &&
pc.Permissions.MaxWrappingTTL < pc.Permissions.MinWrappingTTL {
return errors.New("max_wrapping_ttl cannot be less than min_wrapping_ttl")
}
if len(pc.RequiredParametersHCL) > 0 {
pc.Permissions.RequiredParameters = pc.RequiredParametersHCL[:]
}
PathFinished:
paths = append(paths, &pc)
}
result.Paths = paths
return nil
}