open-vault/api/output_policy.go
Leland Ursu 1b3083c98c
address various issues with the output-policy flag (#19160)
* update error message and properly handle list requests

* since we do agressive sanitizes we need to optionally check trailing slash

* added changelog record

* remove redundant path formating

* Update changelog/13106.txt

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* addressed comments from review

* also remove code that duplicates efforts in kv_list

* abstracted helper func for testing

* added test cases for the policy builder

* updated the changelog to the correct one

* removed calls that apear not to do anything given test case results

* fixed spacing issue in output string

* remove const representation of list url param

* addressed comments for pr

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-21 10:12:45 -05:00

97 lines
2.2 KiB
Go

package api
import (
"fmt"
"net/http"
"net/url"
"strconv"
"strings"
)
const (
ErrOutputPolicyRequest = "output a policy, please"
)
var LastOutputPolicyError *OutputPolicyError
type OutputPolicyError struct {
method string
path string
params url.Values
finalHCLString string
}
func (d *OutputPolicyError) Error() string {
if d.finalHCLString == "" {
p, err := d.buildSamplePolicy()
if err != nil {
return err.Error()
}
d.finalHCLString = p
}
return ErrOutputPolicyRequest
}
func (d *OutputPolicyError) HCLString() (string, error) {
if d.finalHCLString == "" {
p, err := d.buildSamplePolicy()
if err != nil {
return "", err
}
d.finalHCLString = p
}
return d.finalHCLString, nil
}
// Builds a sample policy document from the request
func (d *OutputPolicyError) buildSamplePolicy() (string, error) {
operation := d.method
// List is often defined as a URL param instead of as an http.Method
// this will check for the header and properly switch off of the intended functionality
if d.params.Has("list") {
isList, err := strconv.ParseBool(d.params.Get("list"))
if err != nil {
return "", fmt.Errorf("the value of the list url param is not a bool: %v", err)
}
if isList {
operation = "LIST"
}
}
var capabilities []string
switch operation {
case http.MethodGet, "":
capabilities = append(capabilities, "read")
case http.MethodPost, http.MethodPut:
capabilities = append(capabilities, "create")
capabilities = append(capabilities, "update")
case http.MethodPatch:
capabilities = append(capabilities, "patch")
case http.MethodDelete:
capabilities = append(capabilities, "delete")
case "LIST":
capabilities = append(capabilities, "list")
}
// determine whether to add sudo capability
if IsSudoPath(d.path) {
capabilities = append(capabilities, "sudo")
}
return formatOutputPolicy(d.path, capabilities), nil
}
func formatOutputPolicy(path string, capabilities []string) string {
// the OpenAPI response has a / in front of each path,
// but policies need the path without that leading slash
path = strings.TrimLeft(path, "/")
capStr := strings.Join(capabilities, `", "`)
return fmt.Sprintf(
`path "%s" {
capabilities = ["%s"]
}`, path, capStr)
}