// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package acl
var (
	// allowAll is a singleton policy which allows all
	// non-management actions. Only defaultAllow is set, so the
	// methods gated on allowManage (ACLRead, ACLWrite, Snapshot)
	// still answer Deny for this policy.
	allowAll Authorizer = &staticAuthorizer{
		allowManage:  false,
		defaultAllow: true,
	}

	// denyAll is a singleton policy which denies all actions;
	// both flags are false, so every method returns Deny.
	denyAll Authorizer = &staticAuthorizer{
		allowManage:  false,
		defaultAllow: false,
	}

	// manageAll is a singleton policy which allows all
	// actions, including management (both flags set).
	manageAll Authorizer = &staticAuthorizer{
		allowManage:  true,
		defaultAllow: true,
	}
)
// staticAuthorizer is used to implement a base ACL policy. It either
// allows or denies all requests. This can be used as a parent
// ACL to act in a denylist or allowlist mode.
//
// The two flags are consulted by disjoint sets of methods: ACLRead,
// ACLWrite and Snapshot check allowManage, every other enforcement
// method checks defaultAllow. No method inspects the resource name or
// the *AuthorizerContext it is given.
type staticAuthorizer struct {
	// allowManage gates the management-level operations (ACL
	// read/write and snapshot).
	allowManage bool
	// defaultAllow is the fixed decision for every non-management
	// operation.
	defaultAllow bool
}
// ACLRead decides whether ACL-system reads are permitted. Unlike the
// resource-level methods this is gated on allowManage, not defaultAllow,
// so of the package singletons only manageAll answers Allow here. The
// context argument is ignored.
func (s *staticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
	if !s.allowManage {
		return Deny
	}
	return Allow
}
// ACLWrite decides whether ACL-system writes are permitted. Like ACLRead
// it is gated on allowManage rather than defaultAllow; the context
// argument is ignored.
func (s *staticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
	switch {
	case s.allowManage:
		return Allow
	default:
		return Deny
	}
}
// AgentRead decides agent-level reads from defaultAllow alone; the agent
// name and the context are ignored.
func (s *staticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// AgentWrite decides agent-level writes from defaultAllow alone; the
// agent name and the context are ignored.
func (s *staticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// EventRead decides event reads from defaultAllow alone; the event name
// and the context are ignored.
func (s *staticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// EventWrite decides event writes from defaultAllow alone; the event
// name and the context are ignored.
func (s *staticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// IdentityRead decides identity reads from defaultAllow alone; the
// identity name and the context are ignored.
func (s *staticAuthorizer) IdentityRead(string, *AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// IdentityReadAll decides whether every identity may be read, using
// defaultAllow alone; the context is ignored.
func (s *staticAuthorizer) IdentityReadAll(*AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// IdentityWrite decides identity writes from defaultAllow alone; the
// identity name and the context are ignored.
func (s *staticAuthorizer) IdentityWrite(string, *AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// IdentityWriteAny decides whether any identity may be written, using
// defaultAllow alone; the context is ignored.
func (s *staticAuthorizer) IdentityWriteAny(*AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// IntentionDefaultAllow reports the default intention decision, which
// for a static policy is simply defaultAllow; the context is ignored.
func (s *staticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// IntentionRead decides intention reads from defaultAllow alone; the
// service name and the context are ignored.
func (s *staticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// IntentionWrite decides intention writes from defaultAllow alone; the
// service name and the context are ignored.
func (s *staticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// KeyRead decides KV reads from defaultAllow alone; the key and the
// context are ignored.
func (s *staticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// KeyList decides KV listing from defaultAllow alone; the key prefix and
// the context are ignored.
func (s *staticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// KeyWrite decides KV writes from defaultAllow alone; the key and the
// context are ignored.
func (s *staticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// KeyWritePrefix decides prefix-wide KV writes from defaultAllow alone;
// the prefix and the context are ignored.
func (s *staticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// KeyringRead decides gossip keyring reads from defaultAllow alone; the
// context is ignored.
func (s *staticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// KeyringWrite decides gossip keyring writes from defaultAllow alone;
// the context is ignored.
func (s *staticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// NodeRead decides node reads from defaultAllow alone; the node name and
// the context are ignored.
func (s *staticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// NodeReadAll decides whether every node may be read, using defaultAllow
// alone; the context is ignored.
func (s *staticAuthorizer) NodeReadAll(*AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// NodeWrite decides node writes from defaultAllow alone; the node name
// and the context are ignored.
func (s *staticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// MeshRead decides mesh-level reads from defaultAllow alone; the context
// is ignored.
func (s *staticAuthorizer) MeshRead(*AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// MeshWrite decides mesh-level writes from defaultAllow alone; the
// context is ignored.
func (s *staticAuthorizer) MeshWrite(*AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// PeeringRead decides peering reads from defaultAllow alone; the context
// is ignored.
func (s *staticAuthorizer) PeeringRead(*AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// PeeringWrite decides peering writes from defaultAllow alone; the
// context is ignored.
func (s *staticAuthorizer) PeeringWrite(*AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// OperatorRead decides operator-level reads from defaultAllow alone; the
// context is ignored.
func (s *staticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// OperatorWrite decides operator-level writes from defaultAllow alone;
// the context is ignored.
func (s *staticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// PreparedQueryRead decides prepared-query reads from defaultAllow alone;
// the query name and the context are ignored.
func (s *staticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// PreparedQueryWrite decides prepared-query writes from defaultAllow
// alone; the query name and the context are ignored.
func (s *staticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// ServiceRead decides service reads from defaultAllow alone; the service
// name and the context are ignored.
func (s *staticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// ServiceReadAll decides whether every service may be read, using
// defaultAllow alone; the context is ignored.
func (s *staticAuthorizer) ServiceReadAll(*AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// ServiceWrite decides service writes from defaultAllow alone; the
// service name and the context are ignored.
func (s *staticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// ServiceWriteAny decides whether any service may be written, using
// defaultAllow alone; the context is ignored.
func (s *staticAuthorizer) ServiceWriteAny(*AuthorizerContext) EnforcementDecision {
	if !s.defaultAllow {
		return Deny
	}
	return Allow
}
// SessionRead decides session reads from defaultAllow alone; the node
// name and the context are ignored.
func (s *staticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
	switch {
	case s.defaultAllow:
		return Allow
	default:
		return Deny
	}
}
// SessionWrite decides session writes from defaultAllow alone; the node
// name and the context are ignored.
func (s *staticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
	permitted := s.defaultAllow
	if !permitted {
		return Deny
	}
	return Allow
}
// Snapshot decides whether a raft snapshot may be taken. Like ACLRead and
// ACLWrite it is gated on allowManage, so the allowAll singleton denies
// it; the context is ignored.
func (s *staticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
	if !s.allowManage {
		return Deny
	}
	return Allow
}
// ToAllowAuthorizer wraps this policy in an AllowAuthorizer; the wrapper
// shares the receiver rather than copying it.
func (s *staticAuthorizer) ToAllowAuthorizer() AllowAuthorizer {
	wrapped := AllowAuthorizer{Authorizer: s}
	return wrapped
}
// AllowAll returns the shared Authorizer that allows all non-management
// operations. It is a package singleton, not a fresh value, and because
// allowManage is unset it still denies ACLRead, ACLWrite and Snapshot.
func AllowAll() Authorizer {
	shared := allowAll
	return shared
}
// DenyAll returns the shared Authorizer that denies all operations; it is
// a package singleton, not a fresh value.
func DenyAll() Authorizer {
	shared := denyAll
	return shared
}
// ManageAll returns the shared Authorizer that can manage all resources,
// including the ACL system and snapshots; it is a package singleton, not
// a fresh value.
func ManageAll() Authorizer {
	shared := manageAll
	return shared
}
// RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
// The recognised IDs are exactly "allow", "deny" and "manage"; any other
// ID, including the empty string, yields a nil Authorizer, so callers must
// nil-check the result before enforcing with it.
//
// TODO: rename this function. While the returned authorizer is used as a root
// authorizer in some cases, in others it is not. A more appropriate name might
// be NewAuthorizerFromPolicyName.
func RootAuthorizer(id string) Authorizer {
	var authz Authorizer
	switch id {
	case "allow":
		authz = allowAll
	case "deny":
		authz = denyAll
	case "manage":
		authz = manageAll
	}
	// Unmatched IDs leave authz as the nil interface value.
	return authz
}