diff --git a/vault/acl_test.go b/vault/acl_test.go
index e4ed67fa84..0eca30f765 100644
--- a/vault/acl_test.go
+++ b/vault/acl_test.go
@@ -214,7 +214,7 @@ func testLayeredACL(t *testing.T, acl *ACL) {
 }
 }
 
-func TestPolicyMerge(t *testing.T) {
+func TestACL_PolicyMerge(t *testing.T) {
 policy, err := Parse(mergingPolicies)
 if err != nil {
 t.Fatalf("err: %v", err)
@@ -256,7 +256,7 @@ func TestPolicyMerge(t *testing.T) {
 }
 }
 
-func TestAllowOperation(t *testing.T) {
+func TestACL_AllowOperation(t *testing.T) {
 policy, err := Parse(permissionsPolicy)
 if err != nil {
 t.Fatalf("err: %v", err)
@@ -306,7 +306,7 @@ func TestAllowOperation(t *testing.T) {
 }
 }
 
-func TestValuePermissions(t *testing.T) {
+func TestACL_ValuePermissions(t *testing.T) {
 policy, err := Parse(valuePermissionsPolicy)
 if err != nil {
 t.Fatalf("err: %v", err)
@@ -434,122 +434,93 @@ var mergingPolicies = ` name = "ops" path "foo/bar" { policy = "write" - permissions = { - denied_parameters = { - "baz" = [] - } + denied_parameters = { + "baz" = [] } } path "foo/bar" { policy = "write" - permissions = { - denied_parameters = { - "zip" = [] - } + denied_parameters = { + "zip" = [] } } path "hello/universe" { policy = "write" - permissions = { - allowed_parameters = { - "foo" = [] - } + allowed_parameters = { + "foo" = [] } } path "hello/universe" { policy = "write" - permissions = { - allowed_parameters = { - "bar" = [] - } - } -} -path "allow/all" { - policy = "write" - permissions = { - allowed_parameters = { - "test" = [] - } + allowed_parameters = { + "bar" = [] } } path "allow/all" { policy = "write" - permissions = { - allowed_parameters = { - "*" = [] - } - } + allowed_parameters = { + "test" = [] + } +} +path "allow/all" { + policy = "write" + allowed_parameters = { + "*" = [] + } } path "allow/all1" { policy = "write" - permissions = { - allowed_parameters = { - "*" = [] - } - } + allowed_parameters = { + "*" = [] + } } path "allow/all1" { policy = "write" - permissions = { - allowed_parameters = { - "test" = [] - } - } -} -path "deny/all" { - policy = "write" - permissions = { - denied_parameters = { - "frank" = [] - } + allowed_parameters = { + "test" = [] } } path "deny/all" { policy = "write" - permissions = { - denied_parameters = { - "*" = [] - } - } + denied_parameters = { + "frank" = [] + } +} +path "deny/all" { + policy = "write" + denied_parameters = { + "*" = [] + } } path "deny/all1" { policy = "write" - permissions = { - denied_parameters = { - "*" = [] - } - } + denied_parameters = { + "*" = [] + } } path "deny/all1" { policy = "write" - permissions = { - denied_parameters = { - "test" = [] - } - } -} -path "value/merge" { - policy = "write" - permissions = { - allowed_parameters = { - "test" = [1, 2] - } - denied_parameters = { - "test" = [1, 2] - } - + denied_parameters = { + "test" = [] } } path 
"value/merge" { policy = "write" - permissions = { - allowed_parameters = { - "test" = [3, 4] - } - denied_parameters = { - "test" = [3, 4] - } - } + allowed_parameters = { + "test" = [1, 2] + } + denied_parameters = { + "test" = [1, 2] + } +} +path "value/merge" { + policy = "write" + allowed_parameters = { + "test" = [3, 4] + } + denied_parameters = { + "test" = [3, 4] + } } ` 
@@ -559,93 +530,75 @@ name = "dev" path "dev/*" { policy = "write" - permissions = { - allowed_parameters = { - "zip" = [] - } - } + allowed_parameters = { + "zip" = [] + } } path "foo/bar" { policy = "write" - permissions = { - denied_parameters = { - "zap" = [] - } - } + denied_parameters = { + "zap" = [] + } } path "foo/baz" { policy = "write" - permissions = { - allowed_parameters = { - "hello" = [] - } - denied_parameters = { - "zap" = [] - } - } + allowed_parameters = { + "hello" = [] + } + denied_parameters = { + "zap" = [] + } } path "broken/phone" { policy = "write" - permissions = { - allowed_parameters = { - "steve" = [] - } - denied_parameters = { - "steve" = [] - } + allowed_parameters = { + "steve" = [] + } + denied_parameters = { + "steve" = [] } } path "hello/world" { policy = "write" - permissions = { - allowed_parameters = { - "*" = [] - } - denied_parameters = { - "*" = [] - } - } + allowed_parameters = { + "*" = [] + } + denied_parameters = { + "*" = [] + } } path "tree/fort" { policy = "write" - permissions = { - allowed_parameters = { - "*" = [] - } - denied_parameters = { - "beer" = [] - } - } + allowed_parameters = { + "*" = [] + } + denied_parameters = { + "beer" = [] + } } path "fruit/apple" { policy = "write" - permissions = { - allowed_parameters = { - "pear" = [] - } - denied_parameters = { - "*" = [] - } - } + allowed_parameters = { + "pear" = [] + } + denied_parameters = { + "*" = [] + } } path "cold/weather" { policy = "write" - permissions = { - allowed_parameters = {} - denied_parameters = {} - } + allowed_parameters = {} + denied_parameters = {} } path "var/aws" { - policy = "write" - permissions = { - allowed_parameters = { - "*" = [] - } - denied_parameters = { - "soft" = [] - "warm" = [] - "kitty" = [] - } + policy = "write" + allowed_parameters = { + "*" = [] + } + denied_parameters = { + "soft" = [] + "warm" = [] + "kitty" = [] } } ` 
@@ -656,53 +609,43 @@ name = "op" path "dev/*" { policy = "write" - permissions = { - allowed_parameters = { - "allow" = ["good"] - } + allowed_parameters = { + "allow" = ["good"] } } path "foo/bar" { policy = "write" - permissions = { - denied_parameters = { - "deny" = ["bad"] - } + denied_parameters = { + "deny" = ["bad"] } } path "foo/baz" { policy = "write" - permissions = { - allowed_parameters = { - "allow" = ["good"] - } - denied_parameters = { - "deny" = ["bad"] - } + allowed_parameters = { + "allow" = ["good"] + } + denied_parameters = { + "deny" = ["bad"] } } path "fizz/buzz" { policy = "write" - permissions = { - allowed_parameters = { - "allow_multi" = ["good", "good1", "good2"] - "allow" = ["good"] - } - denied_parameters = { - "deny_multi" = ["bad", "bad1", "bad2"] - } + allowed_parameters = { + "allow_multi" = ["good", "good1", "good2"] + "allow" = ["good"] + } + denied_parameters = { + "deny_multi" = ["bad", "bad1", "bad2"] } } path "test/types" { policy = "write" - permissions = { - allowed_parameters = { - "map" = [{"good" = "one"}] - "int" = [1, 2] - } - denied_parameters = { - "bool" = [false] - } + allowed_parameters = { + "map" = [{"good" = "one"}] + "int" = [1, 2] + } + denied_parameters = { + "bool" = [false] } } ` diff --git a/vault/policy.go b/vault/policy.go index d8e2b76621..6a3cbeb173 100644 --- a/vault/policy.go +++ b/vault/policy.go 
@@ -60,15 +60,20 @@ type Policy struct { type PathCapabilities struct { Prefix string Policy string - Capabilities []string Permissions *Permissions Glob bool + Capabilities []string + + // These two keys are used at the top level to make the HCL nicer; we store + // in the Permissions object though + AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"` + DeniedParametersHCL map[string][]interface{} `hcl:"denied_parameters"` } type Permissions struct { CapabilitiesBitmap uint32 - AllowedParameters map[string][]interface{} `hcl:"allowed_parameters"` - DeniedParameters map[string][]interface{} `hcl:"denied_parameters"` + AllowedParameters map[string][]interface{} + DeniedParameters map[string][]interface{} } // Parse is used to parse the specified ACL rules into an @@ -122,7 +127,8 @@ func parsePaths(result *Policy, list *ast.ObjectList) error { valid := []string{ "policy", "capabilities", - "permissions", + "allowed_parameters", + "denied_parameters", } if err := checkHCLKeys(item.Val, valid); err != nil { return multierror.Prefix(err, fmt.Sprintf("path %q:", key)) @@ -181,8 +187,10 @@ func parsePaths(result *Policy, list *ast.ObjectList) error { } } - PathFinished: + pc.Permissions.AllowedParameters = pc.AllowedParametersHCL + pc.Permissions.DeniedParameters = pc.DeniedParametersHCL + PathFinished: paths = append(paths, &pc) } diff --git a/vault/policy_test.go b/vault/policy_test.go index 8d07fb3641..9044df6ea5 100644 --- a/vault/policy_test.go +++ b/vault/policy_test.go 
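Review bot: The two new assignments that copy `AllowedParametersHCL`/`DeniedParametersHCL` into `pc.Permissions` sit above the `PathFinished:` label, so any earlier `goto PathFinished` in parsePaths (the label must have at least one user or the file would not compile) appends a `pc` whose `Permissions` never receives the parsed parameter maps even though the HCL-tagged fields were populated; the rest of parsePaths, including that jump, is outside this hunk. Moving the two lines directly under the label, before `paths = append(paths, &pc)`, keeps the mirror the struct comment promises for every path, including the shortcut case. In the same function, dropping `"permissions"` from the `valid` key list means a stored policy written in the old `permissions = { ... }` form now fails checkHCLKeys on load instead of being accepted; if that syntax was ever released, a translation step or at least a comment on `valid` noting the break is warranted. Since map assignment aliases, `Permissions.AllowedParameters` and `AllowedParametersHCL` share one map after parsing, which deserves a comment on the struct such as `// AllowedParametersHCL/DeniedParametersHCL are parse-time only; they alias the maps in Permissions, which is what consumers must read` so later normalization code does not mutate one expecting the other to stay untouched.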
@@ -40,50 +40,42 @@ path "foo/bar" { # Check that only allowed_parameters are being added to foobar path "foo/bar" { capabilities = ["create", "sudo"] - permissions = { - allowed_parameters = { - "zip" = [] - "zap" = [] - } + allowed_parameters = { + "zip" = [] + "zap" = [] } } # Check that only denied_parameters are being added to bazbar path "baz/bar" { capabilities = ["create", "sudo"] - permissions = { - denied_parameters = { - "zip" = [] - "zap" = [] - } + denied_parameters = { + "zip" = [] + "zap" = [] } } # Check that both allowed and denied parameters are being added to bizbar path "biz/bar" { capabilities = ["create", "sudo"] - permissions = { - allowed_parameters = { - "zim" = [] - "zam" = [] - } - denied_parameters = { - "zip" = [] - "zap" = [] - } + allowed_parameters = { + "zim" = [] + "zam" = [] + } + denied_parameters = { + "zip" = [] + "zap" = [] } } path "test/types" { capabilities = ["create", "sudo"] - permissions = { - allowed_parameters = { - "map" = [{"good" = "one"}] - "int" = [1, 2] - } - denied_parameters = { - "string" = ["test"] - "bool" = [false] - } + allowed_parameters = { + "map" = [{"good" = "one"}] + "int" = [1, 2] + } + denied_parameters = { + "string" = ["test"] + "bool" = [false] } } `) @@ -99,15 +91,19 @@ func TestPolicy_Parse(t *testing.T) { } expect := []*PathCapabilities{ - &PathCapabilities{"", "deny", - []string{ + &PathCapabilities{ + Prefix: "", + Policy: "deny", + Capabilities: []string{ "deny", }, - &Permissions{CapabilitiesBitmap: DenyCapabilityInt}, - true, + Permissions: &Permissions{CapabilitiesBitmap: DenyCapabilityInt}, + Glob: true, }, - &PathCapabilities{"stage/", "sudo", - []string{ + &PathCapabilities{ + Prefix: "stage/", + Policy: "sudo", + Capabilities: []string{ "create", "read", "update", 
@@ -115,80 +111,100 @@ func TestPolicy_Parse(t *testing.T) { "list", "sudo", }, - &Permissions{ + Permissions: &Permissions{ CapabilitiesBitmap: (CreateCapabilityInt | ReadCapabilityInt | UpdateCapabilityInt | DeleteCapabilityInt | ListCapabilityInt | SudoCapabilityInt), }, - true, + Glob: true, }, - &PathCapabilities{"prod/version", "read", - []string{ + &PathCapabilities{ + Prefix: "prod/version", + Policy: "read", + Capabilities: []string{ "read", "list", }, - &Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)}, - false, + Permissions: &Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)}, + Glob: false, }, - &PathCapabilities{"foo/bar", "read", - []string{ + &PathCapabilities{ + Prefix: "foo/bar", + Policy: "read", + Capabilities: []string{ "read", "list", }, - &Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)}, - false, + Permissions: &Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)}, + Glob: false, }, - &PathCapabilities{"foo/bar", "", - []string{ + &PathCapabilities{ + Prefix: "foo/bar", + Policy: "", + Capabilities: []string{ "create", "sudo", }, - &Permissions{CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt)}, - false, + Permissions: &Permissions{CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt)}, + Glob: false, }, - &PathCapabilities{"foo/bar", "", - []string{ + &PathCapabilities{ + Prefix: "foo/bar", + Policy: "", + Capabilities: []string{ "create", "sudo", }, - &Permissions{ + AllowedParametersHCL: map[string][]interface{}{"zip": {}, "zap": {}}, + Permissions: &Permissions{ CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt), AllowedParameters: map[string][]interface{}{"zip": {}, "zap": {}}, }, - false, + Glob: false, }, - &PathCapabilities{"baz/bar", "", - []string{ + &PathCapabilities{ + Prefix: "baz/bar", + Policy: "", + Capabilities: []string{ "create", "sudo", }, - &Permissions{ + DeniedParametersHCL: 
map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}}, + Permissions: &Permissions{ CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt), DeniedParameters: map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}}, }, - false, + Glob: false, }, - &PathCapabilities{"biz/bar", "", - []string{ + &PathCapabilities{ + Prefix: "biz/bar", + Policy: "", + Capabilities: []string{ "create", "sudo", }, - &Permissions{ + AllowedParametersHCL: map[string][]interface{}{"zim": {}, "zam": {}}, + DeniedParametersHCL: map[string][]interface{}{"zip": {}, "zap": {}}, + Permissions: &Permissions{ CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt), AllowedParameters: map[string][]interface{}{"zim": {}, "zam": {}}, DeniedParameters: map[string][]interface{}{"zip": {}, "zap": {}}, }, - false, + Glob: false, }, - &PathCapabilities{"test/types", "", - []string{ + &PathCapabilities{ + Prefix: "test/types", + Policy: "", + Capabilities: []string{ "create", "sudo", }, - &Permissions{ + AllowedParametersHCL: map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}}, + DeniedParametersHCL: map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}}, + Permissions: &Permissions{ CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt), AllowedParameters: map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}}, DeniedParameters: map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}}, }, - false, + Glob: false, }, } if !reflect.DeepEqual(p.Paths, expect) {