initial commit for nonAssignablePolicies

2025-08-30 02:51:07 +02:00 · 2016-07-24 22:27:41 -04:00 · 2016-07-24 22:27:41 -04:00 · 4235173d78
commit 4235173d78
parent 5a454e1afa
2 changed files with 32 additions and 4 deletions
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@ -36,6 +36,9 @@ var (
 		"root",
 		cubbyholeResponseWrappingPolicyName,
 	}
+	nonAssignablePolicies = []string{
+		cubbyholeResponseWrappingPolicyName,
+	}
 )

 // PolicyStore is used to provide durable storage of policy, and to
@ -89,7 +92,7 @@ func (c *Core) setupPolicyStore() error {
 	// Ensure that the cubbyhole response wrapping policy exists
 	policy, err = c.policyStore.GetPolicy(cubbyholeResponseWrappingPolicyName)
 	if err != nil {
-		return errwrap.Wrapf("error fetching default policy from store: {{err}}", err)
+		return errwrap.Wrapf("error fetching cubbyhole response wrapping policy from store: {{err}}", err)
 	}
 	if policy == nil || policy.Raw != cubbyholeResponseWrappingPolicy {
 		err := c.policyStore.createCubbyholeResponseWrappingPolicy()
@ -114,7 +117,7 @@ func (ps *PolicyStore) SetPolicy(p *Policy) error {
 	if p.Name == "" {
 		return fmt.Errorf("policy name missing")
 	}
-	if strutil.StrListContains(immutablePolicies, p.Name) {
+	if strutil.StrListContains(immutablePolicies, p.Name) || strutil.StrListContains(nonAssignablePolicies, p.Name) {
 		return fmt.Errorf("cannot update %s policy", p.Name)
 	}

@ -210,13 +213,31 @@ func (ps *PolicyStore) ListPolicies() ([]string, error) {
 	defer metrics.MeasureSince([]string{"policy", "list_policies"}, time.Now())
 	// Scan the view, since the policy names are the same as the
 	// key names.
-	return CollectKeys(ps.view)
+	keys, err = CollectKeys(ps.view)
+
+	for _, nonAssignable := range nonAssignablePolicies {
+		deleteIndex := -1
+		//Find indices of non-assignable policies in keys
+		for index, key := range keys {
+			if key == nonAssignable {
+				// Delete collection outside the loop
+				deleteIndex = index
+				break
+			}
+		}
+		// Remove non-assignable policies when found
+		if deleteIndex != -1 {
+			keys = append(keys[:deleteIndex], keys[deleteIndex+1:]...)
+		}
+	}
+
+	return keys, err
 }

 // DeletePolicy is used to delete the named policy
 func (ps *PolicyStore) DeletePolicy(name string) error {
 	defer metrics.MeasureSince([]string{"policy", "delete_policy"}, time.Now())
-	if strutil.StrListContains(immutablePolicies, name) {
+	if strutil.StrListContains(immutablePolicies, name) || strutil.StrListContains(nonAssignablePolicies, name) {
 		return fmt.Errorf("cannot delete %s policy", name)
 	}
 	if name == "default" {
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -1193,6 +1193,13 @@ func (ts *TokenStore) handleCreateCommon(
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 	}

+	// Prevent internasl policies from being assigned to tokens
+	for _, policy := range te.Policies {
+		if strutil.StrListContains(nonAssignablePolicies, policy) {
+			return logical.ErrorResponse(fmt.Sprintf("cannot assign %s policy", policy)), nil
+		}
+	}
+
 	// Generate the response
 	resp.Auth = &logical.Auth{
 		DisplayName: te.DisplayName,