mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-09-01 20:11:09 +02:00
Code Issues Projects Releases Wiki Activity

Remove "permissions" from ACL

Browse Source
This commit is contained in:
Jeff Mitchell 2017-02-15 21:12:26 -05:00
parent e2b7d43e01
commit d6cf46759e
3 changed files with 213 additions and 246 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

297
vault/acl_test.go
View File

@ -214,7 +214,7 @@ func testLayeredACL(t *testing.T, acl *ACL) {
} }
} }
func TestPolicyMerge(t *testing.T) { func TestACL_PolicyMerge(t *testing.T) {
policy, err := Parse(mergingPolicies) policy, err := Parse(mergingPolicies)
if err != nil { if err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -256,7 +256,7 @@ func TestPolicyMerge(t *testing.T) {
} }
} }
func TestAllowOperation(t *testing.T) { func TestACL_AllowOperation(t *testing.T) {
policy, err := Parse(permissionsPolicy) policy, err := Parse(permissionsPolicy)
if err != nil { if err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -306,7 +306,7 @@ func TestAllowOperation(t *testing.T) {
} }
} }
func TestValuePermissions(t *testing.T) { func TestACL_ValuePermissions(t *testing.T) {
policy, err := Parse(valuePermissionsPolicy) policy, err := Parse(valuePermissionsPolicy)
if err != nil { if err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -434,122 +434,93 @@ var mergingPolicies = `
name = "ops" name = "ops"
path "foo/bar" { path "foo/bar" {
policy = "write" policy = "write"
permissions = { denied_parameters = {
denied_parameters = { "baz" = []
"baz" = []
}
} }
} }
path "foo/bar" { path "foo/bar" {
policy = "write" policy = "write"
permissions = { denied_parameters = {
denied_parameters = { "zip" = []
"zip" = []
}
} }
} }
path "hello/universe" { path "hello/universe" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "foo" = []
"foo" = []
}
} }
} }
path "hello/universe" { path "hello/universe" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "bar" = []
"bar" = []
}
}
}
path "allow/all" {
policy = "write"
permissions = {
allowed_parameters = {
"test" = []
}
} }
} }
path "allow/all" { path "allow/all" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "test" = []
"*" = [] }
} }
} path "allow/all" {
policy = "write"
allowed_parameters = {
"*" = []
}
} }
path "allow/all1" { path "allow/all1" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "*" = []
"*" = [] }
}
}
} }
path "allow/all1" { path "allow/all1" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "test" = []
"test" = []
}
}
}
path "deny/all" {
policy = "write"
permissions = {
denied_parameters = {
"frank" = []
}
} }
} }
path "deny/all" { path "deny/all" {
policy = "write" policy = "write"
permissions = { denied_parameters = {
denied_parameters = { "frank" = []
"*" = [] }
} }
} path "deny/all" {
policy = "write"
denied_parameters = {
"*" = []
}
} }
path "deny/all1" { path "deny/all1" {
policy = "write" policy = "write"
permissions = { denied_parameters = {
denied_parameters = { "*" = []
"*" = [] }
}
}
} }
path "deny/all1" { path "deny/all1" {
policy = "write" policy = "write"
permissions = { denied_parameters = {
denied_parameters = { "test" = []
"test" = []
}
}
}
path "value/merge" {
policy = "write"
permissions = {
allowed_parameters = {
"test" = [1, 2]
}
denied_parameters = {
"test" = [1, 2]
}
} }
} }
path "value/merge" { path "value/merge" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "test" = [1, 2]
"test" = [3, 4] }
} denied_parameters = {
denied_parameters = { "test" = [1, 2]
"test" = [3, 4] }
} }
} path "value/merge" {
policy = "write"
allowed_parameters = {
"test" = [3, 4]
}
denied_parameters = {
"test" = [3, 4]
}
} }
` `
@ -559,93 +530,75 @@ name = "dev"
path "dev/*" { path "dev/*" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "zip" = []
"zip" = [] }
}
}
} }
path "foo/bar" { path "foo/bar" {
policy = "write" policy = "write"
permissions = { denied_parameters = {
denied_parameters = { "zap" = []
"zap" = [] }
}
}
} }
path "foo/baz" { path "foo/baz" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "hello" = []
"hello" = [] }
} denied_parameters = {
denied_parameters = { "zap" = []
"zap" = [] }
}
}
} }
path "broken/phone" { path "broken/phone" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "steve" = []
"steve" = [] }
} denied_parameters = {
denied_parameters = { "steve" = []
"steve" = []
}
} }
} }
path "hello/world" { path "hello/world" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "*" = []
"*" = [] }
} denied_parameters = {
denied_parameters = { "*" = []
"*" = [] }
}
}
} }
path "tree/fort" { path "tree/fort" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "*" = []
"*" = [] }
} denied_parameters = {
denied_parameters = { "beer" = []
"beer" = [] }
}
}
} }
path "fruit/apple" { path "fruit/apple" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "pear" = []
"pear" = [] }
} denied_parameters = {
denied_parameters = { "*" = []
"*" = [] }
}
}
} }
path "cold/weather" { path "cold/weather" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {}
allowed_parameters = {} denied_parameters = {}
denied_parameters = {}
}
} }
path "var/aws" { path "var/aws" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "*" = []
"*" = [] }
} denied_parameters = {
denied_parameters = { "soft" = []
"soft" = [] "warm" = []
"warm" = [] "kitty" = []
"kitty" = []
}
} }
} }
` `
@ -656,53 +609,43 @@ name = "op"
path "dev/*" { path "dev/*" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "allow" = ["good"]
"allow" = ["good"]
}
} }
} }
path "foo/bar" { path "foo/bar" {
policy = "write" policy = "write"
permissions = { denied_parameters = {
denied_parameters = { "deny" = ["bad"]
"deny" = ["bad"]
}
} }
} }
path "foo/baz" { path "foo/baz" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "allow" = ["good"]
"allow" = ["good"] }
} denied_parameters = {
denied_parameters = { "deny" = ["bad"]
"deny" = ["bad"]
}
} }
} }
path "fizz/buzz" { path "fizz/buzz" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "allow_multi" = ["good", "good1", "good2"]
"allow_multi" = ["good", "good1", "good2"] "allow" = ["good"]
"allow" = ["good"] }
} denied_parameters = {
denied_parameters = { "deny_multi" = ["bad", "bad1", "bad2"]
"deny_multi" = ["bad", "bad1", "bad2"]
}
} }
} }
path "test/types" { path "test/types" {
policy = "write" policy = "write"
permissions = { allowed_parameters = {
allowed_parameters = { "map" = [{"good" = "one"}]
"map" = [{"good" = "one"}] "int" = [1, 2]
"int" = [1, 2] }
} denied_parameters = {
denied_parameters = { "bool" = [false]
"bool" = [false]
}
} }
} }
` `

18
vault/policy.go
View File

@ -60,15 +60,20 @@ type Policy struct {
type PathCapabilities struct { type PathCapabilities struct {
Prefix string Prefix string
Policy string Policy string
Capabilities []string
Permissions *Permissions Permissions *Permissions
Glob bool Glob bool
Capabilities []string
// These two keys are used at the top level to make the HCL nicer; we store
// in the Permissions object though
AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"`
DeniedParametersHCL map[string][]interface{} `hcl:"denied_parameters"`
} }
type Permissions struct { type Permissions struct {
CapabilitiesBitmap uint32 CapabilitiesBitmap uint32
AllowedParameters map[string][]interface{} `hcl:"allowed_parameters"` AllowedParameters map[string][]interface{}
DeniedParameters map[string][]interface{} `hcl:"denied_parameters"` DeniedParameters map[string][]interface{}
} }
// Parse is used to parse the specified ACL rules into an // Parse is used to parse the specified ACL rules into an
@ -122,7 +127,8 @@ func parsePaths(result *Policy, list *ast.ObjectList) error {
valid := []string{ valid := []string{
"policy", "policy",
"capabilities", "capabilities",
"permissions", "allowed_parameters",
"denied_parameters",
} }
if err := checkHCLKeys(item.Val, valid); err != nil { if err := checkHCLKeys(item.Val, valid); err != nil {
return multierror.Prefix(err, fmt.Sprintf("path %q:", key)) return multierror.Prefix(err, fmt.Sprintf("path %q:", key))
@ -181,8 +187,10 @@ func parsePaths(result *Policy, list *ast.ObjectList) error {
} }
} }
PathFinished: pc.Permissions.AllowedParameters = pc.AllowedParametersHCL
pc.Permissions.DeniedParameters = pc.DeniedParametersHCL
PathFinished:
paths = append(paths, &pc) paths = append(paths, &pc)
} }

144
vault/policy_test.go
View File

@ -40,50 +40,42 @@ path "foo/bar" {
# Check that only allowed_parameters are being added to foobar # Check that only allowed_parameters are being added to foobar
path "foo/bar" { path "foo/bar" {
capabilities = ["create", "sudo"] capabilities = ["create", "sudo"]
permissions = { allowed_parameters = {
allowed_parameters = { "zip" = []
"zip" = [] "zap" = []
"zap" = []
}
} }
} }
# Check that only denied_parameters are being added to bazbar # Check that only denied_parameters are being added to bazbar
path "baz/bar" { path "baz/bar" {
capabilities = ["create", "sudo"] capabilities = ["create", "sudo"]
permissions = { denied_parameters = {
denied_parameters = { "zip" = []
"zip" = [] "zap" = []
"zap" = []
}
} }
} }
# Check that both allowed and denied parameters are being added to bizbar # Check that both allowed and denied parameters are being added to bizbar
path "biz/bar" { path "biz/bar" {
capabilities = ["create", "sudo"] capabilities = ["create", "sudo"]
permissions = { allowed_parameters = {
allowed_parameters = { "zim" = []
"zim" = [] "zam" = []
"zam" = [] }
} denied_parameters = {
denied_parameters = { "zip" = []
"zip" = [] "zap" = []
"zap" = []
}
} }
} }
path "test/types" { path "test/types" {
capabilities = ["create", "sudo"] capabilities = ["create", "sudo"]
permissions = { allowed_parameters = {
allowed_parameters = { "map" = [{"good" = "one"}]
"map" = [{"good" = "one"}] "int" = [1, 2]
"int" = [1, 2] }
} denied_parameters = {
denied_parameters = { "string" = ["test"]
"string" = ["test"] "bool" = [false]
"bool" = [false]
}
} }
} }
`) `)
@ -99,15 +91,19 @@ func TestPolicy_Parse(t *testing.T) {
} }
expect := []*PathCapabilities{ expect := []*PathCapabilities{
&PathCapabilities{"", "deny", &PathCapabilities{
[]string{ Prefix: "",
Policy: "deny",
Capabilities: []string{
"deny", "deny",
}, },
&Permissions{CapabilitiesBitmap: DenyCapabilityInt}, Permissions: &Permissions{CapabilitiesBitmap: DenyCapabilityInt},
true, Glob: true,
}, },
&PathCapabilities{"stage/", "sudo", &PathCapabilities{
[]string{ Prefix: "stage/",
Policy: "sudo",
Capabilities: []string{
"create", "create",
"read", "read",
"update", "update",
@ -115,80 +111,100 @@ func TestPolicy_Parse(t *testing.T) {
"list", "list",
"sudo", "sudo",
}, },
&Permissions{ Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | ReadCapabilityInt | UpdateCapabilityInt | DeleteCapabilityInt | ListCapabilityInt | SudoCapabilityInt), CapabilitiesBitmap: (CreateCapabilityInt | ReadCapabilityInt | UpdateCapabilityInt | DeleteCapabilityInt | ListCapabilityInt | SudoCapabilityInt),
}, },
true, Glob: true,
}, },
&PathCapabilities{"prod/version", "read", &PathCapabilities{
[]string{ Prefix: "prod/version",
Policy: "read",
Capabilities: []string{
"read", "read",
"list", "list",
}, },
&Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)}, Permissions: &Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)},
false, Glob: false,
}, },
&PathCapabilities{"foo/bar", "read", &PathCapabilities{
[]string{ Prefix: "foo/bar",
Policy: "read",
Capabilities: []string{
"read", "read",
"list", "list",
}, },
&Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)}, Permissions: &Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)},
false, Glob: false,
}, },
&PathCapabilities{"foo/bar", "", &PathCapabilities{
[]string{ Prefix: "foo/bar",
Policy: "",
Capabilities: []string{
"create", "create",
"sudo", "sudo",
}, },
&Permissions{CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt)}, Permissions: &Permissions{CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt)},
false, Glob: false,
}, },
&PathCapabilities{"foo/bar", "", &PathCapabilities{
[]string{ Prefix: "foo/bar",
Policy: "",
Capabilities: []string{
"create", "create",
"sudo", "sudo",
}, },
&Permissions{ AllowedParametersHCL: map[string][]interface{}{"zip": {}, "zap": {}},
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt), CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
AllowedParameters: map[string][]interface{}{"zip": {}, "zap": {}}, AllowedParameters: map[string][]interface{}{"zip": {}, "zap": {}},
}, },
false, Glob: false,
}, },
&PathCapabilities{"baz/bar", "", &PathCapabilities{
[]string{ Prefix: "baz/bar",
Policy: "",
Capabilities: []string{
"create", "create",
"sudo", "sudo",
}, },
&Permissions{ DeniedParametersHCL: map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}},
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt), CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
DeniedParameters: map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}}, DeniedParameters: map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}},
}, },
false, Glob: false,
}, },
&PathCapabilities{"biz/bar", "", &PathCapabilities{
[]string{ Prefix: "biz/bar",
Policy: "",
Capabilities: []string{
"create", "create",
"sudo", "sudo",
}, },
&Permissions{ AllowedParametersHCL: map[string][]interface{}{"zim": {}, "zam": {}},
DeniedParametersHCL: map[string][]interface{}{"zip": {}, "zap": {}},
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt), CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
AllowedParameters: map[string][]interface{}{"zim": {}, "zam": {}}, AllowedParameters: map[string][]interface{}{"zim": {}, "zam": {}},
DeniedParameters: map[string][]interface{}{"zip": {}, "zap": {}}, DeniedParameters: map[string][]interface{}{"zip": {}, "zap": {}},
}, },
false, Glob: false,
}, },
&PathCapabilities{"test/types", "", &PathCapabilities{
[]string{ Prefix: "test/types",
Policy: "",
Capabilities: []string{
"create", "create",
"sudo", "sudo",
}, },
&Permissions{ AllowedParametersHCL: map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}},
DeniedParametersHCL: map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}},
Permissions: &Permissions{
CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt), CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
AllowedParameters: map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}}, AllowedParameters: map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}},
DeniedParameters: map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}}, DeniedParameters: map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}},
}, },
false, Glob: false,
}, },
} }
if !reflect.DeepEqual(p.Paths, expect) { if !reflect.DeepEqual(p.Paths, expect) {