0ef529b710
* WIP: output policy
* Outputs example policy HCL for given request
* Simplify conditional
* Add PATCH capability
* Use OpenAPI spec and regex patterns to determine if path is sudo
* Add test for isSudoPath
* Add changelog
* Fix broken CLI tests
* Add output-policy to client cloning code
* Smaller fixes from PR comments
* Clone client instead of saving and restoring custom values
* Fix test
* Address comments
* Don't unset output-policy flag on KV requests otherwise the preflight request will fail and not populate LastOutputPolicyError
* Print errors saved in buffer from preflight KV requests
* Unescape characters in request URL
* Rename methods and properties to improve readability
* Put KV-specificness at front of KV-specific error
* Simplify logic by doing more direct returns of strings and errors
* Use precompiled regexes and move OpenAPI call to tests
* Remove commented out code
* Remove legacy MFA paths
* Remove unnecessary use of client
* Move sudo paths map to plugin helper
* Remove unused error return
* Add explanatory comment
* Remove need to pass in address
* Make {name} regex less greedy
* Use method and path instead of info from retryablerequest
* Add test for IsSudoPaths, use more idiomatic naming
* Use precompiled regexes and move OpenAPI call to tests (#15170)
* Use precompiled regexes and move OpenAPI call to tests
* Remove commented out code
* Remove legacy MFA paths
* Remove unnecessary use of client
* Move sudo paths map to plugin helper
* Remove unused error return
* Add explanatory comment
* Remove need to pass in address
* Make {name} regex less greedy
* Use method and path instead of info from retryablerequest
* Add test for IsSudoPaths, use more idiomatic naming
* Make stderr writing more obvious, fix nil pointer deref
83 lines
1.9 KiB
Go
83 lines
1.9 KiB
Go
package api
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
)
|
|
|
|
const (
|
|
ErrOutputPolicyRequest = "output a policy, please"
|
|
)
|
|
|
|
var LastOutputPolicyError *OutputPolicyError
|
|
|
|
type OutputPolicyError struct {
|
|
method string
|
|
path string
|
|
finalHCLString string
|
|
}
|
|
|
|
func (d *OutputPolicyError) Error() string {
|
|
if d.finalHCLString == "" {
|
|
p, err := d.buildSamplePolicy()
|
|
if err != nil {
|
|
return err.Error()
|
|
}
|
|
d.finalHCLString = p
|
|
}
|
|
|
|
return ErrOutputPolicyRequest
|
|
}
|
|
|
|
func (d *OutputPolicyError) HCLString() (string, error) {
|
|
if d.finalHCLString == "" {
|
|
p, err := d.buildSamplePolicy()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
d.finalHCLString = p
|
|
}
|
|
return d.finalHCLString, nil
|
|
}
|
|
|
|
// Builds a sample policy document from the request
|
|
func (d *OutputPolicyError) buildSamplePolicy() (string, error) {
|
|
var capabilities []string
|
|
switch d.method {
|
|
case http.MethodGet, "":
|
|
capabilities = append(capabilities, "read")
|
|
case http.MethodPost, http.MethodPut:
|
|
capabilities = append(capabilities, "create")
|
|
capabilities = append(capabilities, "update")
|
|
case http.MethodPatch:
|
|
capabilities = append(capabilities, "patch")
|
|
case http.MethodDelete:
|
|
capabilities = append(capabilities, "delete")
|
|
case "LIST":
|
|
capabilities = append(capabilities, "list")
|
|
}
|
|
|
|
// sanitize, then trim the Vault address and v1 from the front of the path
|
|
path, err := url.PathUnescape(d.path)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to unescape request URL characters: %v", err)
|
|
}
|
|
|
|
// determine whether to add sudo capability
|
|
if IsSudoPath(path) {
|
|
capabilities = append(capabilities, "sudo")
|
|
}
|
|
|
|
// the OpenAPI response has a / in front of each path,
|
|
// but policies need the path without that leading slash
|
|
path = strings.TrimLeft(path, "/")
|
|
|
|
capStr := strings.Join(capabilities, `", "`)
|
|
return fmt.Sprintf(
|
|
`path "%s" {
|
|
capabilities = ["%s"]
|
|
}`, path, capStr), nil
|
|
}
|