From c549d438a8f488a678091dc8667b60a7a1e681db Mon Sep 17 00:00:00 2001 From: Hong Ooi Date: Tue, 2 Apr 2019 13:14:44 +1100 Subject: [PATCH] rework policy code --- R/add_methods.R | 9 +----- R/az_vault.R | 73 ++++++++++++++++++++++++++++++++++--------------- README.md | 3 +- 3 files changed, 54 insertions(+), 31 deletions(-) diff --git a/R/add_methods.R b/R/add_methods.R index 7f5b8c4..f20ee37 100644 --- a/R/add_methods.R +++ b/R/add_methods.R @@ -11,14 +11,7 @@ add_methods <- function() default_access=function() { principal <- creds$payload$oid - list(vault_access_policy(principal, tenant, - c("Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore"), - c("Get", "List", "Set", "Delete", "Recover", "Backup", "Restore"), - c("Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", - "ManageContacts", "ManageIssuers", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers"), - c("Get", "List", "Update", "Set", "Delete", "Recover", "Backup", "Restore", - "GetSas", "ListSas", "SetSas", "DeleteSas", "RegenerateKey") - )) + list(unclass(vault_access_policy(principal, tenant, "all", "all", "all"))) } props <- utils::modifyList( diff --git a/R/az_vault.R b/R/az_vault.R index 521a602..a74a91e 100644 --- a/R/az_vault.R +++ b/R/az_vault.R @@ -3,17 +3,23 @@ az_key_vault=R6::R6Class("az_key_vault", inherit=AzureRMR::az_resource, public=list( - add_principal=function(principal, + add_principal=function(principal, tenant=self$properties$tenantId, key_permissions="all", secret_permissions="all", certificate_permissions="all", storage_permissions="all") { - principal <- find_principal(principal) - tenant <- self$properties$tenantId - - props <- list(accessPolicies=list( - # need to unclass to satisfy toJSON - unclass(vault_access_policy(principal, - tenant, key_permissions, secret_permissions, certificate_permissions, storage_permissions)) - )) + props <- list(accessPolicies=list(unclass(if(inherits(principal, "vault_access_policy")) + principal + else vault_access_policy( + find_principal(principal), + tenant, + key_permissions, + secret_permissions, + certificate_permissions, + storage_permissions + )))) + + # un-nullify tenant ID using tenant of resource + if(is.null(props$accessPolicies$tenantId)) + props$accessPolicies$tenantId <- self$tenantId self$do_operation("accessPolicies/add", body=list(properties=props), encode="json", http_verb="PUT") @@ -78,13 +84,16 @@ find_principal=function(principal) #' @export -vault_access_policy <- function(principal, tenant, - key_permissions, secret_permissions, certificate_permissions, storage_permissions) +vault_access_policy <- function(principal, tenant=NULL, + key_permissions="all", + secret_permissions="all", + certificate_permissions="all", + storage_permissions="all") { - key_permissions <- verify_permissions(unlist(key_permissions), "key") - secret_permissions <- verify_permissions(unlist(secret_permissions), "secret") - certificate_permissions <- verify_permissions(unlist(certificate_permissions), "certificate") - storage_permissions <- verify_permissions(unlist(storage_permissions), "storage") + key_permissions <- verify_key_permissions(key_permissions) + secret_permissions <- verify_secret_permissions(secret_permissions) + certificate_permissions <- verify_certificate_permissions(certificate_permissions) + storage_permissions <- verify_storage_permissions(storage_permissions) obj <- list( tenantId=tenant, @@ -104,7 +113,7 @@ vault_access_policy <- function(principal, tenant, print.vault_access_policy <- function(x, ...) { cat("Tenant:", x$tenantId, "\n") - cat("Principal:", x$objectId, "\n") + cat("Principal:", if(is.null(x$objectId)) "" else x$objectId, "\n") cat("Key permissions:\n") cat(strwrap(paste(x$permissions$keys, collapse=", "), indent=4, exdent=4), sep="\n") cat("Secret permissions:\n") @@ -116,26 +125,46 @@ print.vault_access_policy <- function(x, ...) } -verify_permissions <- function(perms, type=c("key", "secret", "certificate")) +verify_key_permissions <- function(perms) { key_perms <- c("get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge") + verify_permissions(perms, key_perms) +} + + +verify_secret_permissions <- function(perms) +{ secret_perms <- c("get", "list", "set", "delete", "recover", "backup", "restore", "purge") + verify_permissions(perms, secret_perms) +} + + +verify_certificate_permissions <- function(perms) +{ certificate_perms <- c("get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers", "purge") + verify_permissions(perms, certificate_perms) +} + + +verify_storage_permissions <- function(perms) +{ storage_perms <- c("backup", "delete", "deletesas", "get", "getsas", "list", "listsas", "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update") - all_perms <- switch(match.arg(type), - key=key_perms, - secret=secret_perms, - certificate=certificate_perms) + verify_permissions(perms, storage_perms) +} + + +verify_permissions <- function(perms, all_perms) +{ + perms <- tolower(unlist(perms)) - perms <- tolower(perms) if(length(perms) == 1 && perms == "all") return(all_perms) else if(!all(perms %in% all_perms)) diff --git a/README.md b/README.md index b94eaa7..d0fc5f1 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,8 @@ svc <- AzureGraph::get_graph_login()$ kv$add_principal(svc, key_permissions=c("get", "list", "backup"), secret_permissions=c("get", "list", "backup"), - certificate_permissions=NULL) + certificate_permissions=NULL, + storage_permissions=NULL) ``` ## Client interface