Create more granular ACL capabilities.

This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others).
2025-11-22 21:05:03 +00:00 · 2016-01-07 15:10:05 -05:00
parent 45e32756ea
commit f3ef23318d
25 changed files with 655 additions and 275 deletions
--- a/logical/framework/path_struct.go
+++ b/logical/framework/path_struct.go
@@ -64,10 +64,13 @@ func (p *PathStruct) Paths() []*Path {
 		Fields:  p.Schema,

 		Callbacks: map[logical.Operation]OperationFunc{
-			logical.UpdateOperation:  p.pathWrite,
+			logical.CreateOperation: p.pathWrite,
+			logical.UpdateOperation: p.pathWrite,
 			logical.DeleteOperation: p.pathDelete,
 		},

+		ExistenceCheck: p.pathExistenceCheck,
+
 		HelpSynopsis:    p.HelpSynopsis,
 		HelpDescription: p.HelpDescription,
 	}
@@ -103,3 +106,13 @@ func (p *PathStruct) pathDelete(
 	err := p.Delete(req.Storage)
 	return nil, err
 }
+
+func (p *PathStruct) pathExistenceCheck(
+	req *logical.Request, d *FieldData) (bool, error) {
+	v, err := p.Get(req.Storage)
+	if err != nil {
+		return false, err
+	}
+
+	return v != nil, nil
+}