open-vault/api/output_policy.go

97 lines
2.2 KiB
Go

package api
import (
"fmt"
"net/http"
"net/url"
"strconv"
"strings"
)
const (
ErrOutputPolicyRequest = "output a policy, please"
)
var LastOutputPolicyError *OutputPolicyError
type OutputPolicyError struct {
method string
path string
params url.Values
finalHCLString string
}
func (d *OutputPolicyError) Error() string {
if d.finalHCLString == "" {
p, err := d.buildSamplePolicy()
if err != nil {
return err.Error()
}
d.finalHCLString = p
}
return ErrOutputPolicyRequest
}
func (d *OutputPolicyError) HCLString() (string, error) {
if d.finalHCLString == "" {
p, err := d.buildSamplePolicy()
if err != nil {
return "", err
}
d.finalHCLString = p
}
return d.finalHCLString, nil
}
// Builds a sample policy document from the request
func (d *OutputPolicyError) buildSamplePolicy() (string, error) {
operation := d.method
// List is often defined as a URL param instead of as an http.Method
// this will check for the header and properly switch off of the intended functionality
if d.params.Has("list") {
isList, err := strconv.ParseBool(d.params.Get("list"))
if err != nil {
return "", fmt.Errorf("the value of the list url param is not a bool: %v", err)
}
if isList {
operation = "LIST"
}
}
var capabilities []string
switch operation {
case http.MethodGet, "":
capabilities = append(capabilities, "read")
case http.MethodPost, http.MethodPut:
capabilities = append(capabilities, "create")
capabilities = append(capabilities, "update")
case http.MethodPatch:
capabilities = append(capabilities, "patch")
case http.MethodDelete:
capabilities = append(capabilities, "delete")
case "LIST":
capabilities = append(capabilities, "list")
}
// determine whether to add sudo capability
if IsSudoPath(d.path) {
capabilities = append(capabilities, "sudo")
}
return formatOutputPolicy(d.path, capabilities), nil
}
func formatOutputPolicy(path string, capabilities []string) string {
// the OpenAPI response has a / in front of each path,
// but policies need the path without that leading slash
path = strings.TrimLeft(path, "/")
capStr := strings.Join(capabilities, `", "`)
return fmt.Sprintf(
`path "%s" {
capabilities = ["%s"]
}`, path, capStr)
}