hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Policy Regex Support #5501

Closed trmz closed 6 years ago

trmz commented 6 years ago

Is your feature request related to a problem? Please describe.

I want to restrict what key values are permitted, but there are too many to generate a static list of.

Describe the solution you'd like

Regex support would be ideal, and offer enough flexibility for probably nearly any data I might accept.

For example:

  allowed_parameters = {
    "some_natural_number_identifier" = /^\d+$/
    "phone_number" = /^(\+0?1\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}$/
    "ip_address" = /^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/
    "credit_card" = /
        ^(?:4[0-9]{12}(?:[0-9]{3})?          # Visa
         |  (?:5[1-5][0-9]{2}                # MasterCard
             | 222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}
         |  3[47][0-9]{13}                   # American Express
         |  3(?:0[0-5]|[68][0-9])[0-9]{11}   # Diners Club
         |  6(?:011|5[0-9]{2})[0-9]{12}      # Discover
         |  (?:2131|1800|35\d{3})\d{11}      # JCB
        )$
      /x
    "email_address" = /(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])/
  }

Obviously in the above examples, no LUHN check occurs against cc, and ip_address technically accepts non-routable addresses, and phone_number is NA-centric. But there is still tremendous value in being able to enforce regex constraints in policies.

Describe alternatives you've considered

Could generate massive lists of allowed values, but not feasible / maintainable when there are millions of possible combinations.

Explain any additional use-cases

Literally any (full or partial) data validation.

Additional context

Yes, data sanitization and validation should occur in the code which communicates with Vault. I get that. But having regex constraints in Vault policy aids defense-in-depth and offers sanity checks in case of programming bugs, oversights, compromise, etc.

jefferai commented 6 years ago

We have no plans to add regexes to ACLs (and in fact we deeply regret adding allowed_parameters). Sorry!
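
With regexes declined for ACLs, the validation stays in the code that talks to Vault, as the request itself acknowledges. The Go sketch below is an added example, not code from this issue or from Vault: `ValidateParams` and `luhnValid` are hypothetical names, the card rule is simplified to a digit-length check plus the Luhn check the request notes is missing, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns taken from the issue's proposed policy. Go's regexp (RE2) has no /x
// mode, so credit_card is reduced here to a length check followed by Luhn.
var rules = map[string]*regexp.Regexp{
	"some_natural_number_identifier": regexp.MustCompile(`^\d+$`),
	"phone_number":                   regexp.MustCompile(`^(\+0?1\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}$`),
	"ip_address":                     regexp.MustCompile(`^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$`),
	"credit_card":                    regexp.MustCompile(`^\d{13,19}$`),
}

// luhnValid expects a string of ASCII digits (guaranteed by the regex above).
func luhnValid(num string) bool {
	sum := 0
	for i := 0; i < len(num); i++ {
		d := int(num[len(num)-1-i] - '0')
		if i%2 == 1 { // every second digit from the right is doubled
			d = (d*2)%10 + (d*2)/10
		}
		sum += d
	}
	return sum%10 == 0
}

// ValidateParams runs before a write to Vault; errors never echo the value.
func ValidateParams(params map[string]string) error {
	for key, val := range params {
		re, ok := rules[key]
		switch {
		case !ok:
			return fmt.Errorf("parameter %q is not allowed", key)
		case !re.MatchString(val):
			return fmt.Errorf("parameter %q has an invalid value", key)
		case key == "credit_card" && !luhnValid(val):
			return fmt.Errorf("parameter %q fails the Luhn check", key)
		}
	}
	return nil
}

func main() {
	// Constructed sample input.
	fmt.Println(ValidateParams(map[string]string{"ip_address": "10.0.0.256"}))
	fmt.Println(ValidateParams(map[string]string{"credit_card": "4111111111111111"}))
}
```

Unknown keys are rejected rather than passed through, mirroring the allow-list intent of the proposed `allowed_parameters` block.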