From c4f3d87ac45e9ebfc683ce7e68604a0b5f16cc44 Mon Sep 17 00:00:00 2001
From: mwoolsey
Date: Fri, 28 Oct 2016 12:33:50 -0700
Subject: [PATCH] Added the merging of wildcards to allowed and denied parameters.

---
 vault/acl.go | 41 +++++++++++++++++++++++++++++++++++------
 1 file changed, 35 insertions(+), 6 deletions(-)

diff --git a/vault/acl.go b/vault/acl.go
index 3fb217e42e..1f26fae968 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -1,6 +1,7 @@
 package vault
 
 import (
+	"fmt"
 	"github.com/armon/go-radix"
 	"github.com/hashicorp/vault/logical"
 )
@@ -50,6 +51,8 @@ func NewACL(policies []*Policy) (*ACL, error) {
 			tree.Insert(pc.Prefix, pc.Permissions)
 			continue
 		}
+
+		// these are the ones already in the tree
 		permissions := raw.(*Permissions)
 		existing := permissions.CapabilitiesBitmap
 
@@ -70,7 +73,19 @@ func NewACL(policies []*Policy) (*ACL, error) {
 			tree.Insert(pc.Prefix, pc.Permissions)
 		}
 
-		// look for a * in allowed parameters
+		// look for a * in allowed parameters for the node already in the tree
+		if _, ok := permissions.AllowedParameters["*"]; ok {
+			pc.Permissions.AllowedParameters = make(map[string]struct{})
+			pc.Permissions.AllowedParameters["*"] = nil
+			goto CHECK_DENIED
+		}
+
+		// look for a * in allowed parameters for the path capability we are merging
+		if _, ok := pc.Permissions.AllowedParameters["*"]; ok {
+			pc.Permissions.AllowedParameters = make(map[string]struct{})
+			pc.Permissions.AllowedParameters["*"] = nil
+			goto CHECK_DENIED
+		}
 
 		// Merge allowed parameters
 		for key, _ := range permissions.AllowedParameters {
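Review bot: The `"fmt"` line added to the import block is not used by any line this patch introduces, and the diffstat (35 insertions, all visible in these hunks) leaves no other place for a use, so the file will fail to build with `imported and not used: "fmt"`; drop the line, or land it only together with the call it was meant for. If it stays, it belongs in its own standard-library group separated by a blank line from the github.com imports, which is how goimports lays the block out.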
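Review bot: In both wildcard branches of this hunk, `pc.Permissions.AllowedParameters["*"] = nil` cannot type-check: the preceding `make(map[string]struct{})` fixes the element type as `struct{}`, and `nil` is not assignable to a struct value, so the hunk (and the matching DeniedParameters branches in the next hunk) does not compile as written. Assuming the field really is a `map[string]struct{}`, as the make call implies, the two lines collapse to `pc.Permissions.AllowedParameters = map[string]struct{}{"*": {}}`. The two `if` blocks test the same condition on either side and run the same body, so they can be a single condition, and the `goto CHECK_DENIED`/`goto INSERT` flow reads more clearly as one small helper that merges a parameter set and is called once for allowed and once for denied; a sketch follows. The enclosing loop body in NewACL starts and ends outside this hunk.
```go
// mergeParams returns the union of the parameters already in the tree and
// the ones being merged in. A "*" on either side stands for every
// parameter, so it collapses the result to the single wildcard entry.
func mergeParams(existing, incoming map[string]struct{}) map[string]struct{} {
	_, existingAll := existing["*"]
	_, incomingAll := incoming["*"]
	if existingAll || incomingAll {
		return map[string]struct{}{"*": {}}
	}
	if incoming == nil {
		incoming = make(map[string]struct{}, len(existing))
	}
	for key := range existing {
		if _, ok := incoming[key]; !ok {
			incoming[key] = struct{}{}
		}
	}
	return incoming
}

// … unchanged: capability merging above …
		pc.Permissions.AllowedParameters = mergeParams(permissions.AllowedParameters, pc.Permissions.AllowedParameters)
		pc.Permissions.DeniedParameters = mergeParams(permissions.DeniedParameters, pc.Permissions.DeniedParameters)
		tree.Insert(pc.Prefix, pc.Permissions)
```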
@@ -81,7 +96,23 @@ func NewACL(policies []*Policy) (*ACL, error) {
 			}
 		}
 
-		// Merge disallowed parameters
+	CHECK_DENIED:
+
+		// look for a * in denied parameters for the node already in the tree
+		if _, ok := permissions.DeniedParameters["*"]; ok {
+			pc.Permissions.DeniedParameters = make(map[string]struct{})
+			pc.Permissions.DeniedParameters["*"] = nil
+			goto INSERT
+		}
+
+		// look for a * in denied parameters for the path capability we are merging
+		if _, ok := pc.Permissions.DeniedParameters["*"]; ok {
+			pc.Permissions.DeniedParameters = make(map[string]struct{})
+			pc.Permissions.DeniedParameters["*"] = nil
+			goto INSERT
+		}
+
+		// Merge denied parameters
 		for key, _ := range permissions.DeniedParameters {
 			// Add new parameter
 			if _, ok := pc.Permissions.DeniedParameters[key]; !ok {
@@ -91,6 +122,8 @@ func NewACL(policies []*Policy) (*ACL, error) {
 		}
 
+	INSERT:
+
 		tree.Insert(pc.Prefix, pc.Permissions)
 	}
 
@@ -154,15 +187,11 @@ CHECK:
 // AllowOperation is used to check if the given operation is permitted. The
 // first bool indicates if an op is allowed, the second whether sudo priviliges
 // exist for that op and path.
-
-// change arguments to hold a full request that holds the operation, path, and parameter // that is to be modified.
 func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) {
 	// Fast-path root
 	if a.root {
 		return true, true
 	}
-
 	op := req.Operation
 	path := req.Path
 
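Review bot: The `CHECK_DENIED:` block collapses the denied set to `"*"` when either policy denies everything, and the allowed-parameter block above does the same for grants, so after merging a node can carry both `AllowedParameters {"*"}` and `DeniedParameters {"*"}`, and nothing in this hunk says which one wins or where that is decided (presumably at request-check time, outside this diff). A comment at the label would spare the next reader the search, e.g. `// A "*" in either policy's denied set denies every parameter of this path; how it ranks against an allowed "*" is not decided here.` The surrounding loop body starts and ends outside this hunk.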