Authorize logical root API paths against vault storage
+39
-2
@@ -291,7 +291,7 @@ func (s *Server) FindBrowserLogins(ctx context.Context, req *keepassgov1.FindBro
|
||||
},
|
||||
score: score,
|
||||
resource: resource,
|
||||
decision: apitokens.Evaluate(token, apitokens.OperationListEntries, resource),
|
||||
decision: evaluateAuthorization(model, token, apitokens.OperationListEntries, resource),
|
||||
})
|
||||
}
|
||||
slices.SortFunc(matches, func(a, b rankedBrowserMatch) int {
|
||||
@@ -1220,7 +1220,8 @@ func (s *Server) authorizeTemplateRequest(ctx context.Context, op apitokens.Oper
|
||||
}
|
||||
|
||||
func (s *Server) authorizeResourceRequest(ctx context.Context, token apitokens.Token, op apitokens.Operation, resource apitokens.Resource) (apitokens.Token, error) {
|
||||
switch apitokens.Evaluate(token, op, resource) {
|
||||
model, _ := s.snapshotModel()
|
||||
switch evaluateAuthorization(model, token, op, resource) {
|
||||
case apitokens.DecisionAllow:
|
||||
return token, nil
|
||||
case apitokens.DecisionDeny:
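Review bot: The error from `s.snapshotModel()` is discarded on the new `model, _ := s.snapshotModel()` line, so when the snapshot cannot be taken the decision is computed against a zero-value vault.Model, and `canonicalAuthorizationPath` then resolves `Root`-prefixed paths through `vaultview.VaultRoot(model)` on that empty model; whether that collapses to a deny or to a path that happens to match a policy is not visible here. An authorization check should fail closed on that error rather than evaluate against an unknown root: `model, err := s.snapshotModel()` followed by `if err != nil { return apitokens.Token{}, err }` (assuming the second result is an error, as the blank identifier suggests). authorizeResourceRequest's body continues past the hunk, and the same question applies to the FindBrowserLogins call site in the first hunk, where `model` is obtained outside that hunk.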
|
||||
@@ -1337,6 +1338,42 @@ func hasPolicyRule(rules []apitokens.PolicyRule, target apitokens.PolicyRule) bo
|
||||
return false
|
||||
}
|
||||
|
||||
func evaluateAuthorization(model vault.Model, token apitokens.Token, op apitokens.Operation, resource apitokens.Resource) apitokens.Decision {
|
||||
return apitokens.Evaluate(canonicalizeTokenForAuthorization(model, token), op, canonicalizeAuthorizationResource(model, resource))
|
||||
}
|
||||
|
||||
func canonicalizeTokenForAuthorization(model vault.Model, token apitokens.Token) apitokens.Token {
|
||||
token.Policies = append([]apitokens.PolicyRule(nil), token.Policies...)
|
||||
for i := range token.Policies {
|
||||
token.Policies[i].Resource = canonicalizeAuthorizationResource(model, token.Policies[i].Resource)
|
||||
}
|
||||
return token
|
||||
}
|
||||
|
||||
func canonicalizeAuthorizationResource(model vault.Model, resource apitokens.Resource) apitokens.Resource {
|
||||
resource.Path = canonicalAuthorizationPath(model, resource.Path)
|
||||
return resource
|
||||
}
|
||||
|
||||
func canonicalAuthorizationPath(model vault.Model, path []string) []string {
|
||||
if len(path) == 0 {
|
||||
return nil
|
||||
}
|
||||
if path[0] == vaultview.KeepassRoot {
|
||||
return append([]string(nil), path...)
|
||||
}
|
||||
if path[0] == "Root" {
|
||||
if len(path) > 1 && (path[1] == "Templates" || path[1] == "API Tokens") {
|
||||
return append([]string(nil), path...)
|
||||
}
|
||||
return vaultview.VaultRoot(model).ToPhysicalPath(path[1:])
|
||||
}
|
||||
if path[0] == "Templates" || path[0] == "API Tokens" {
|
||||
return append([]string(nil), path...)
|
||||
}
|
||||
return vaultview.VaultRoot(model).ToPhysicalPath(path)
|
||||
}
|
||||
|
||||
func copyOperation(target string) apitokens.Operation {
|
||||
switch clipboard.Target(target) {
|
||||
case clipboard.TargetUsername:
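Review bot: `canonicalAuthorizationPath` treats a bare `Root` differently from an empty path: `len(path) == 0` returns nil, but `[]string{"Root"}` falls through to `vaultview.VaultRoot(model).ToPhysicalPath(path[1:])` with an empty slice, and whether ToPhysicalPath maps that to the vault root's physical path or to nil decides whether a policy written for `Root` covers the root group itself, which deserves a test pinning the intended answer since this one function now rewrites both the token's policy paths and the requested resource. The four new helpers carry no doc comments; I would add one on canonicalAuthorizationPath stating that it maps a logical path (bare, or prefixed with the `Root` alias) to the physical vault path, returns paths already under vaultview.KeepassRoot or starting with `Templates`/`API Tokens` as a fresh copy, and never returns a slice aliasing its argument. The `Root`, `Templates` and `API Tokens` literals are repeated three times here; if the package already has named constants for them (as it does for KeepassRoot), using those keeps the alias from drifting apart from the view layer. copyOperation continues past the end of the hunk.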
|
||||
|
||||