forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 1
/
capabilities.go
75 lines (62 loc) · 1.71 KB
/
capabilities.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
package vault
import (
"context"
"sort"
"github.com/hashicorp/vault/logical"
)
// Capabilities is used to fetch the capabilities of the given token on the given path
func (c *Core) Capabilities(ctx context.Context, token, path string) ([]string, error) {
if path == "" {
return nil, &logical.StatusBadRequest{Err: "missing path"}
}
if token == "" {
return nil, &logical.StatusBadRequest{Err: "missing token"}
}
te, err := c.tokenStore.Lookup(ctx, token)
if err != nil {
return nil, err
}
if te == nil {
return nil, &logical.StatusBadRequest{Err: "invalid token"}
}
if te.Policies == nil {
return []string{DenyCapability}, nil
}
var policies []*Policy
for _, tePolicy := range te.Policies {
policy, err := c.policyStore.GetPolicy(ctx, tePolicy, PolicyTypeToken)
if err != nil {
return nil, err
}
policies = append(policies, policy)
}
entity, derivedPolicies, err := c.fetchEntityAndDerivedPolicies(te.EntityID)
if err != nil {
return nil, err
}
if entity != nil && entity.Disabled {
c.logger.Warn("permission denied as the entity on the token is disabled")
return nil, logical.ErrPermissionDenied
}
if te != nil && te.EntityID != "" && entity == nil {
c.logger.Warn("permission denied as the entity on the token is invalid")
return nil, logical.ErrPermissionDenied
}
for _, item := range derivedPolicies {
policy, err := c.policyStore.GetPolicy(ctx, item, PolicyTypeToken)
if err != nil {
return nil, err
}
policies = append(policies, policy)
}
if len(policies) == 0 {
return []string{DenyCapability}, nil
}
acl, err := NewACL(policies)
if err != nil {
return nil, err
}
capabilities := acl.Capabilities(path)
sort.Strings(capabilities)
return capabilities, nil
}