e4e4a7ba67
* Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint
66 lines
1.3 KiB
Go
66 lines
1.3 KiB
Go
package vault
|
|
|
|
import (
|
|
"sort"
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
)
|
|
|
|
// Capabilities is used to fetch the capabilities of the given token on the given path
|
|
func (c *Core) Capabilities(token, path string) ([]string, error) {
|
|
if path == "" {
|
|
return nil, &logical.StatusBadRequest{Err: "missing path"}
|
|
}
|
|
|
|
if token == "" {
|
|
return nil, &logical.StatusBadRequest{Err: "missing token"}
|
|
}
|
|
|
|
te, err := c.tokenStore.Lookup(token)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if te == nil {
|
|
return nil, &logical.StatusBadRequest{Err: "invalid token"}
|
|
}
|
|
|
|
if te.Policies == nil {
|
|
return []string{DenyCapability}, nil
|
|
}
|
|
|
|
var policies []*Policy
|
|
for _, tePolicy := range te.Policies {
|
|
policy, err := c.policyStore.GetPolicy(tePolicy, PolicyTypeToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
policies = append(policies, policy)
|
|
}
|
|
|
|
_, derivedPolicies, err := c.fetchEntityAndDerivedPolicies(te.EntityID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
for _, item := range derivedPolicies {
|
|
policy, err := c.policyStore.GetPolicy(item, PolicyTypeToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
policies = append(policies, policy)
|
|
}
|
|
|
|
if len(policies) == 0 {
|
|
return []string{DenyCapability}, nil
|
|
}
|
|
|
|
acl, err := NewACL(policies)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
capabilities := acl.Capabilities(path)
|
|
sort.Strings(capabilities)
|
|
return capabilities, nil
|
|
}
|