graphvent/policy.go

package graphvent

import (
  "github.com/google/uuid"
)

type Policy interface {
  Allows(ctx *Context, principal_id NodeID, action Tree, node *Node)(Messages, RuleResult)
  ContinueAllows(ctx *Context, current PendingACL, signal Signal)RuleResult
  ID() uuid.UUID
}

type PolicyHeader struct {
  UUID uuid.UUID `gv:"uuid"`
}

func (header PolicyHeader) ID() uuid.UUID {
  return header.UUID
}

func (policy AllNodesPolicy) Allows(ctx *Context, principal_id NodeID, action Tree, node *Node)(Messages, RuleResult) {
  return nil, policy.Rules.Allows(action)
}

func (policy AllNodesPolicy) ContinueAllows(ctx *Context, current PendingACL, signal Signal) RuleResult {
  return Deny
}

func (policy PerNodePolicy) Allows(ctx *Context, principal_id NodeID, action Tree, node *Node)(Messages, RuleResult) {
  for id, actions := range(policy.NodeRules) {
    if id != principal_id {
      continue
    }
    return nil, actions.Allows(action)
  }
  return nil, Deny
}

func (policy PerNodePolicy) ContinueAllows(ctx *Context, current PendingACL, signal Signal) RuleResult {
  return Deny
}

type RequirementOfPolicy struct {
  PerNodePolicy
}

func NewRequirementOfPolicy(dep_rules map[NodeID]Tree) RequirementOfPolicy {
  return RequirementOfPolicy {
    PerNodePolicy: NewPerNodePolicy(dep_rules),
  }
}

func (policy RequirementOfPolicy) ContinueAllows(ctx *Context, current PendingACL, signal Signal) RuleResult {
  sig, ok := signal.(*ReadResultSignal)
  if ok == false {
    return Deny
  }

  ext, ok := sig.Extensions[LockableExtType]
  if ok == false {
    return Deny
  }

  reqs_ser, ok := ext["requirements"]
  if ok == false {
    return Deny
  }

  _, reqs_if, _, err := DeserializeValue(ctx, reqs_ser)
  if err != nil {
    return Deny
  }

  requirements, ok := reqs_if.Interface().(map[NodeID]ReqState)
  if ok == false {
    return Deny
  }

  for req, _ := range(requirements) {
    if req == current.Principal {
      return policy.NodeRules[sig.NodeID].Allows(current.Action)
    }
  }

  return Deny
}

type MemberOfPolicy struct {
  PerNodePolicy
}

func NewMemberOfPolicy(group_rules map[NodeID]Tree) MemberOfPolicy {
  return MemberOfPolicy{
    PerNodePolicy: NewPerNodePolicy(group_rules),
  }
}

func (policy MemberOfPolicy) ContinueAllows(ctx *Context, current PendingACL, signal Signal) RuleResult {
  sig, ok := signal.(*ReadResultSignal)
  if ok == false {
    return Deny
  }
  ctx.Log.Logf("group", "member_of_read_result: %+v", sig.Extensions)

  group_ext_data, ok := sig.Extensions[GroupExtType]
  if ok == false {
    return Deny
  }

  members_ser, ok := group_ext_data["members"]
  if ok == false {
    return Deny
  }

  _, members_if, _, err := DeserializeValue(ctx, members_ser)
  if err != nil {
    return Deny
  }

  members, ok := members_if.Interface().([]NodeID)
  if ok == false {
    return Deny
  }

  for _, member := range(members) {
    if member == current.Principal {
      return policy.NodeRules[sig.NodeID].Allows(current.Action)
    }
  }

  return Deny
}

// Send a read signal to Group to check if principal_id is a member of it
func (policy MemberOfPolicy) Allows(ctx *Context, principal_id NodeID, action Tree, node *Node) (Messages, RuleResult) {
  msgs := Messages{}
  for id, rule := range(policy.NodeRules) {
    if id == node.ID {
      ext, err := GetExt[*GroupExt](node, GroupExtType)
      if err == nil {
        for _, member := range(ext.Members) {
          if member == principal_id {
            if rule.Allows(action) == Allow {
              return nil, Allow
            }
          }
        }
      }
    } else {
      msgs = msgs.Add(ctx, id, node, nil, NewReadSignal(map[ExtType][]string{
        GroupExtType: []string{"members"},
      }))
    }
  }
  return msgs, Pending
}

func CopyTree(tree Tree) Tree {
  if tree == nil {
    return nil
  }

  ret := Tree{}
  for name, sub := range(tree) {
    ret[name] = CopyTree(sub)
  }

  return ret
}

func MergeTrees(first Tree, second Tree) Tree {
  if first == nil || second == nil {
    return nil
  }

  ret := CopyTree(first)
  for name, sub := range(second) {
    current, exists := ret[name]
    if exists == true {
      ret[name] = MergeTrees(current, sub)
    } else {
      ret[name] = CopyTree(sub)
    }
  }
  return ret
}

type Tree map[SerializedType]Tree

func (rule Tree) Allows(action Tree) RuleResult {
  // If the current rule is nil, it's a wildcard and any action being processed is allowed
  if rule == nil {
    return Allow
    // If the rule isn't "allow all" but the action is "request all", deny
  } else if action == nil {
    return Deny
    // If the current action has no children, it's allowed
  } else if len(action) == 0 {
    return Allow
    // If the current rule has no children but the action goes further, it's not allowed
  } else if len(rule) == 0 {
    return Deny
    // If the current rule and action have children, all the children of action must be allowed by rule
  } else {
    for sub, subtree := range(action) {
      subrule, exists := rule[sub]
      if exists == false {
        return Deny
      } else if subrule.Allows(subtree) == Deny {
        return Deny
      }
    }
    return Allow
  }
}

func NewPolicyHeader() PolicyHeader {
  return PolicyHeader{
    UUID: uuid.New(),
  }
}

func NewPerNodePolicy(node_actions map[NodeID]Tree) PerNodePolicy {
  if node_actions == nil {
    node_actions = map[NodeID]Tree{}
  }

  return PerNodePolicy{
    PolicyHeader: NewPolicyHeader(),
    NodeRules: node_actions,
  }
}

type PerNodePolicy struct {
  PolicyHeader
  NodeRules map[NodeID]Tree `gv:"node_rules"`
}

func NewAllNodesPolicy(rules Tree) AllNodesPolicy {
  return AllNodesPolicy{
    PolicyHeader: NewPolicyHeader(),
    Rules: rules,
  }
}

type AllNodesPolicy struct {
  PolicyHeader
  Rules Tree `gv:"rules"`
}

var DefaultPolicy = NewAllNodesPolicy(Tree{
  ResponseType: nil,
  StatusType: nil,
})
Added policy.go 2023-07-20 23:19:10 -06:00			`package graphvent`

			`import (`
Added serialization for Tree and SerializedType. Changed policies to an array instead of a map 2023-09-20 19:14:28 -06:00			`"github.com/google/uuid"`
Moved ExtType and PolicyType definitions to one block 2023-07-27 23:15:58 -06:00			`)`

Added policy.go 2023-07-20 23:19:10 -06:00			`type Policy interface {`
Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`Allows(ctx Context, principal_id NodeID, action Tree, node Node)(Messages, RuleResult)`
			`ContinueAllows(ctx *Context, current PendingACL, signal Signal)RuleResult`
Added serialization for Tree and SerializedType. Changed policies to an array instead of a map 2023-09-20 19:14:28 -06:00			`ID() uuid.UUID`
			`}`

			`type PolicyHeader struct {`
			UUID uuid.UUID `gv:"uuid"`
			`}`

			`func (header PolicyHeader) ID() uuid.UUID {`
			`return header.UUID`
Changed SendUpdate to Node.Process, and changed principal to ID to prepare for decoupling nodes 2023-07-27 01:30:32 -06:00			`}`

Moved type registration to signal/extension/policy registration 2023-09-12 20:30:18 -06:00			`func (policy AllNodesPolicy) Allows(ctx Context, principal_id NodeID, action Tree, node Node)(Messages, RuleResult) {`
Policy fun 2023-08-10 23:43:10 -06:00			`return nil, policy.Rules.Allows(action)`
Changed SendUpdate to Node.Process, and changed principal to ID to prepare for decoupling nodes 2023-07-27 01:30:32 -06:00			`}`

Moved type registration to signal/extension/policy registration 2023-09-12 20:30:18 -06:00			`func (policy AllNodesPolicy) ContinueAllows(ctx *Context, current PendingACL, signal Signal) RuleResult {`
Policy fun 2023-08-10 23:43:10 -06:00			`return Deny`
			`}`

Moved type registration to signal/extension/policy registration 2023-09-12 20:30:18 -06:00			`func (policy PerNodePolicy) Allows(ctx Context, principal_id NodeID, action Tree, node Node)(Messages, RuleResult) {`
Policy fun 2023-08-10 23:43:10 -06:00			`for id, actions := range(policy.NodeRules) {`
Changed SendUpdate to Node.Process, and changed principal to ID to prepare for decoupling nodes 2023-07-27 01:30:32 -06:00			`if id != principal_id {`
			`continue`
			`}`
Added signature to all signals(signature of serialized signal + source + dest so technically vulnerable to replay) to use for ACL 2023-08-08 14:00:17 -06:00			`return nil, actions.Allows(action)`
Changed SendUpdate to Node.Process, and changed principal to ID to prepare for decoupling nodes 2023-07-27 01:30:32 -06:00			`}`
Policy fun 2023-08-10 23:43:10 -06:00			`return nil, Deny`
Changed SendUpdate to Node.Process, and changed principal to ID to prepare for decoupling nodes 2023-07-27 01:30:32 -06:00			`}`

Moved type registration to signal/extension/policy registration 2023-09-12 20:30:18 -06:00			`func (policy PerNodePolicy) ContinueAllows(ctx *Context, current PendingACL, signal Signal) RuleResult {`
Policy fun 2023-08-10 23:43:10 -06:00			`return Deny`
Changed SendUpdate to Node.Process, and changed principal to ID to prepare for decoupling nodes 2023-07-27 01:30:32 -06:00			`}`

Test updates 2023-08-11 16:00:36 -06:00			`type RequirementOfPolicy struct {`
			`PerNodePolicy`
			`}`

			`func NewRequirementOfPolicy(dep_rules map[NodeID]Tree) RequirementOfPolicy {`
			`return RequirementOfPolicy {`
			`PerNodePolicy: NewPerNodePolicy(dep_rules),`
			`}`
			`}`

Moved type registration to signal/extension/policy registration 2023-09-12 20:30:18 -06:00			`func (policy RequirementOfPolicy) ContinueAllows(ctx *Context, current PendingACL, signal Signal) RuleResult {`
Test updates 2023-08-11 16:00:36 -06:00			`sig, ok := signal.(*ReadResultSignal)`
			`if ok == false {`
			`return Deny`
			`}`

			`ext, ok := sig.Extensions[LockableExtType]`
			`if ok == false {`
			`return Deny`
			`}`

Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`reqs_ser, ok := ext["requirements"]`
			`if ok == false {`
			`return Deny`
			`}`

Moved serialization to serialize.go and removed n parameter from DeserializeValue 2023-09-05 00:08:09 -06:00			`_, reqs_if, _, err := DeserializeValue(ctx, reqs_ser)`
Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`if err != nil {`
			`return Deny`
			`}`

Moved serialization to serialize.go and removed n parameter from DeserializeValue 2023-09-05 00:08:09 -06:00			`requirements, ok := reqs_if.Interface().(map[NodeID]ReqState)`
Test updates 2023-08-11 16:00:36 -06:00			`if ok == false {`
			`return Deny`
			`}`

			`for req, _ := range(requirements) {`
			`if req == current.Principal {`
			`return policy.NodeRules[sig.NodeID].Allows(current.Action)`
			`}`
			`}`

			`return Deny`
			`}`

Policy fun 2023-08-10 23:43:10 -06:00			`type MemberOfPolicy struct {`
Moved policies to node instead of an extension, need to fix gql tests 2023-08-07 20:26:02 -06:00			`PerNodePolicy`
			`}`

Test updates 2023-08-11 16:00:36 -06:00			`func NewMemberOfPolicy(group_rules map[NodeID]Tree) MemberOfPolicy {`
Policy fun 2023-08-10 23:43:10 -06:00			`return MemberOfPolicy{`
			`PerNodePolicy: NewPerNodePolicy(group_rules),`
			`}`
Moved policies to node instead of an extension, need to fix gql tests 2023-08-07 20:26:02 -06:00			`}`

Moved type registration to signal/extension/policy registration 2023-09-12 20:30:18 -06:00			`func (policy MemberOfPolicy) ContinueAllows(ctx *Context, current PendingACL, signal Signal) RuleResult {`
Policy fun 2023-08-10 23:43:10 -06:00			`sig, ok := signal.(*ReadResultSignal)`
			`if ok == false {`
			`return Deny`
			`}`
Added ACLExt and tests 2023-10-13 00:32:24 -06:00			`ctx.Log.Logf("group", "member_of_read_result: %+v", sig.Extensions)`
Policy fun 2023-08-10 23:43:10 -06:00
			`group_ext_data, ok := sig.Extensions[GroupExtType]`
			`if ok == false {`
			`return Deny`
			`}`

Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`members_ser, ok := group_ext_data["members"]`
			`if ok == false {`
			`return Deny`
			`}`

Moved serialization to serialize.go and removed n parameter from DeserializeValue 2023-09-05 00:08:09 -06:00			`_, members_if, _, err := DeserializeValue(ctx, members_ser)`
Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`if err != nil {`
			`return Deny`
			`}`

Added ACLExt and tests 2023-10-13 00:32:24 -06:00			`members, ok := members_if.Interface().([]NodeID)`
Policy fun 2023-08-10 23:43:10 -06:00			`if ok == false {`
			`return Deny`
			`}`

Added ACLExt and tests 2023-10-13 00:32:24 -06:00			`for _, member := range(members) {`
Policy fun 2023-08-10 23:43:10 -06:00			`if member == current.Principal {`
			`return policy.NodeRules[sig.NodeID].Allows(current.Action)`
			`}`
Moved policies to node instead of an extension, need to fix gql tests 2023-08-07 20:26:02 -06:00			`}`
Policy fun 2023-08-10 23:43:10 -06:00
			`return Deny`
Moved policies to node instead of an extension, need to fix gql tests 2023-08-07 20:26:02 -06:00			`}`

			`// Send a read signal to Group to check if principal_id is a member of it`
Moved type registration to signal/extension/policy registration 2023-09-12 20:30:18 -06:00			`func (policy MemberOfPolicy) Allows(ctx Context, principal_id NodeID, action Tree, node Node) (Messages, RuleResult) {`
Policy fun 2023-08-10 23:43:10 -06:00			`msgs := Messages{}`
			`for id, rule := range(policy.NodeRules) {`
			`if id == node.ID {`
Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`ext, err := GetExt[*GroupExt](node, GroupExtType)`
Policy fun 2023-08-10 23:43:10 -06:00			`if err == nil {`
Added default group policy 2023-10-03 21:18:06 -06:00			`for _, member := range(ext.Members) {`
Policy fun 2023-08-10 23:43:10 -06:00			`if member == principal_id {`
			`if rule.Allows(action) == Allow {`
			`return nil, Allow`
			`}`
			`}`
			`}`
			`}`
			`} else {`
Added Authorization to not pass node private keys 2023-10-14 15:05:23 -06:00			`msgs = msgs.Add(ctx, id, node, nil, NewReadSignal(map[ExtType][]string{`
Policy fun 2023-08-10 23:43:10 -06:00			`GroupExtType: []string{"members"},`
Added Authorization to not pass node private keys 2023-10-14 15:05:23 -06:00			`}))`
Policy fun 2023-08-10 23:43:10 -06:00			`}`
			`}`
			`return msgs, Pending`
Moved policies to node instead of an extension, need to fix gql tests 2023-08-07 20:26:02 -06:00			`}`

Policy fun 2023-08-10 23:43:10 -06:00			`func CopyTree(tree Tree) Tree {`
			`if tree == nil {`
			`return nil`
			`}`
Changed NewNode to return a pointer and add the node to the context 2023-07-26 15:08:14 -06:00
Policy fun 2023-08-10 23:43:10 -06:00			`ret := Tree{}`
			`for name, sub := range(tree) {`
			`ret[name] = CopyTree(sub)`
Changed NewNode to return a pointer and add the node to the context 2023-07-26 15:08:14 -06:00			`}`
Policy fun 2023-08-10 23:43:10 -06:00
			`return ret`
Changed NewNode to return a pointer and add the node to the context 2023-07-26 15:08:14 -06:00			`}`

Policy fun 2023-08-10 23:43:10 -06:00			`func MergeTrees(first Tree, second Tree) Tree {`
			`if first == nil \|\| second == nil {`
			`return nil`
			`}`

			`ret := CopyTree(first)`
			`for name, sub := range(second) {`
			`current, exists := ret[name]`
			`if exists == true {`
			`ret[name] = MergeTrees(current, sub)`
			`} else {`
			`ret[name] = CopyTree(sub)`
			`}`
Added merging to policies, need to make another interface for the shared all/per node policies to make a shared loading function 2023-07-28 00:32:43 -06:00			`}`
			`return ret`
			`}`

Moved serialization to serialize.go and removed n parameter from DeserializeValue 2023-09-05 00:08:09 -06:00			`type Tree map[SerializedType]Tree`
Policy fun 2023-08-10 23:43:10 -06:00
			`func (rule Tree) Allows(action Tree) RuleResult {`
			`// If the current rule is nil, it's a wildcard and any action being processed is allowed`
			`if rule == nil {`
			`return Allow`
Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`// If the rule isn't "allow all" but the action is "request all", deny`
Policy fun 2023-08-10 23:43:10 -06:00			`} else if action == nil {`
			`return Deny`
Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`// If the current action has no children, it's allowed`
Policy fun 2023-08-10 23:43:10 -06:00			`} else if len(action) == 0 {`
			`return Allow`
Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`// If the current rule has no children but the action goes further, it's not allowed`
Policy fun 2023-08-10 23:43:10 -06:00			`} else if len(rule) == 0 {`
			`return Deny`
Cleanup and move away from capnp to custom TLV serialization 2023-08-31 19:50:32 -06:00			`// If the current rule and action have children, all the children of action must be allowed by rule`
Policy fun 2023-08-10 23:43:10 -06:00			`} else {`
			`for sub, subtree := range(action) {`
			`subrule, exists := rule[sub]`
			`if exists == false {`
			`return Deny`
			`} else if subrule.Allows(subtree) == Deny {`
			`return Deny`
Reworked actions to be lists of parts, and added wildcards for both multi-level and single-level 2023-07-28 10:04:31 -06:00			`}`
			`}`
Policy fun 2023-08-10 23:43:10 -06:00			`return Allow`
Reworked actions to be lists of parts, and added wildcards for both multi-level and single-level 2023-07-28 10:04:31 -06:00			`}`
			`}`

Added serialization for Tree and SerializedType. Changed policies to an array instead of a map 2023-09-20 19:14:28 -06:00			`func NewPolicyHeader() PolicyHeader {`
			`return PolicyHeader{`
			`UUID: uuid.New(),`
			`}`
			`}`

Test updates 2023-08-11 16:00:36 -06:00			`func NewPerNodePolicy(node_actions map[NodeID]Tree) PerNodePolicy {`
Added ParentOfPolicy and ChildOfPolicy 2023-07-26 13:28:03 -06:00			`if node_actions == nil {`
Test updates 2023-08-11 16:00:36 -06:00			`node_actions = map[NodeID]Tree{}`
Added ParentOfPolicy and ChildOfPolicy 2023-07-26 13:28:03 -06:00			`}`

Changed NewNode to return a pointer and add the node to the context 2023-07-26 15:08:14 -06:00			`return PerNodePolicy{`
Added serialization for Tree and SerializedType. Changed policies to an array instead of a map 2023-09-20 19:14:28 -06:00			`PolicyHeader: NewPolicyHeader(),`
Policy fun 2023-08-10 23:43:10 -06:00			`NodeRules: node_actions,`
Added ParentOfPolicy and ChildOfPolicy 2023-07-26 13:28:03 -06:00			`}`
			`}`

			`type PerNodePolicy struct {`
Added serialization for Tree and SerializedType. Changed policies to an array instead of a map 2023-09-20 19:14:28 -06:00			`PolicyHeader`
			NodeRules map[NodeID]Tree `gv:"node_rules"`
Added ParentOfPolicy and ChildOfPolicy 2023-07-26 13:28:03 -06:00			`}`

Policy fun 2023-08-10 23:43:10 -06:00			`func NewAllNodesPolicy(rules Tree) AllNodesPolicy {`
Added SimpleListenerNode to test suite 2023-07-27 00:30:24 -06:00			`return AllNodesPolicy{`
Added serialization for Tree and SerializedType. Changed policies to an array instead of a map 2023-09-20 19:14:28 -06:00			`PolicyHeader: NewPolicyHeader(),`
Policy fun 2023-08-10 23:43:10 -06:00			`Rules: rules,`
Added SimpleListenerNode to test suite 2023-07-27 00:30:24 -06:00			`}`
			`}`

			`type AllNodesPolicy struct {`
Added serialization for Tree and SerializedType. Changed policies to an array instead of a map 2023-09-20 19:14:28 -06:00			`PolicyHeader`
			Rules Tree `gv:"rules"`
Added SimpleListenerNode to test suite 2023-07-27 00:30:24 -06:00			`}`

Policy fun 2023-08-10 23:43:10 -06:00			`var DefaultPolicy = NewAllNodesPolicy(Tree{`
Lots of stuff, but mostly sped up NodeID and UUID serialization, can probably generalize to speed up all fixed size arrays 2023-10-01 20:45:44 -06:00			`ResponseType: nil,`
Fixed bugs found developing tm 2023-09-27 18:28:56 -06:00			`StatusType: nil,`
Policy fun 2023-08-10 23:43:10 -06:00			`})`