Added the merging of wildcards to allowed and denied parameters.

This commit is contained in:
mwoolsey 2016-10-28 12:33:50 -07:00
parent 821b7723ee
commit c4f3d87ac4


@ -1,6 +1,7 @@
package vault package vault
import ( import (
"fmt"
"github.com/armon/go-radix" "github.com/armon/go-radix"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
) )
@ -50,6 +51,8 @@ func NewACL(policies []*Policy) (*ACL, error) {
tree.Insert(pc.Prefix, pc.Permissions) tree.Insert(pc.Prefix, pc.Permissions)
continue continue
} }
// these are the ones already in the tree
permissions := raw.(*Permissions) permissions := raw.(*Permissions)
existing := permissions.CapabilitiesBitmap existing := permissions.CapabilitiesBitmap
@ -70,7 +73,19 @@ func NewACL(policies []*Policy) (*ACL, error) {
tree.Insert(pc.Prefix, pc.Permissions) tree.Insert(pc.Prefix, pc.Permissions)
} }
// look for a * in allowed parameters // look for a * in allowed parameters for the node already in the tree
if _, ok := permissions.AllowedParameters["*"]; ok {
pc.Permissions.AllowedParameters = make(map[string]struct{})
pc.Permissions.AllowedParameters["*"] = nil
goto CHECK_DENIED
}
// look for a * in allowed parameters for the path capability we are merging
if _, ok := pc.Permissions.AllowedParameters["*"]; ok {
pc.Permissions.AllowedParameters = make(map[string]struct{})
pc.Permissions.AllowedParameters["*"] = nil
goto CHECK_DENIED
}
// Merge allowed parameters // Merge allowed parameters
for key, _ := range permissions.AllowedParameters { for key, _ := range permissions.AllowedParameters {
@ -81,7 +96,23 @@ func NewACL(policies []*Policy) (*ACL, error) {
} }
} }
// Merge disallowed parameters CHECK_DENIED:
// look for a * in denied parameters for the node already in the tree
if _, ok := permissions.DeniedParameters["*"]; ok {
pc.Permissions.DeniedParameters = make(map[string]struct{})
pc.Permissions.DeniedParameters["*"] = nil
goto INSERT
}
// look for a * in denied parameters for the path capability we are merging
if _, ok := pc.Permissions.DeniedParameters["*"]; ok {
pc.Permissions.DeniedParameters = make(map[string]struct{})
pc.Permissions.DeniedParameters["*"] = nil
goto INSERT
}
// Merge denied parameters
for key, _ := range permissions.DeniedParameters { for key, _ := range permissions.DeniedParameters {
// Add new parameter // Add new parameter
if _, ok := pc.Permissions.DeniedParameters[key]; !ok { if _, ok := pc.Permissions.DeniedParameters[key]; !ok {
@ -91,6 +122,8 @@ func NewACL(policies []*Policy) (*ACL, error) {
} }
INSERT:
tree.Insert(pc.Prefix, pc.Permissions) tree.Insert(pc.Prefix, pc.Permissions)
} }
@ -154,15 +187,11 @@ CHECK:
// AllowOperation is used to check if the given operation is permitted. The // AllowOperation is used to check if the given operation is permitted. The
// first bool indicates if an op is allowed, the second whether sudo priviliges // first bool indicates if an op is allowed, the second whether sudo priviliges
// exist for that op and path. // exist for that op and path.
// change arguments to hold a full request that holds the operation, path, and parameter
// that is to be modified.
func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) { func (a *ACL) AllowOperation(req *logical.Request) (allowed bool, sudo bool) {
// Fast-path root // Fast-path root
if a.root { if a.root {
return true, true return true, true
} }
op := req.Operation op := req.Operation
path := req.Path path := req.Path
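Review bot: The wildcard assignments in the allowed-parameter block (the two `make(map[string]struct{})` / `["*"] = nil` pairs) and the two matching pairs under CHECK_DENIED cannot both type-check against a single field type: a `map[string]struct{}` element cannot hold `nil`, and any map type whose element type admits `nil` is not assignable from that `make`. If AllowedParameters and DeniedParameters are `map[string]struct{}`, each pair collapses to one line, `pc.Permissions.AllowedParameters = map[string]struct{}{"*": {}}` (and likewise for DeniedParameters); otherwise the `make` must use the field's actual element type. The four wildcard checks are also the same three lines repeated, so a small `hasWildcard(m map[string]struct{}) bool` helper would let each branch read `if hasWildcard(permissions.AllowedParameters) || hasWildcard(pc.Permissions.AllowedParameters) { ...; goto CHECK_DENIED }` and drop two of the gotos. A one-line comment above the first check stating the precedence the code implements — a `*` in either side's allowed list replaces the merged allow list, and a `*` in either side's denied list replaces the merged deny list — would make that asymmetry read as deliberate; NewACL's body starts and ends outside these hunks, so the effect on the later lookups is not visible here.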