graphvent/policy.go

package graphvent

import (
  "encoding/json"
)

// A policy represents a set of rules attached to a Node that allow principals to perform actions on it
type Policy interface {
  Node
  // Returns true if the principal is allowed to perform the action on the resource
  Allows(node Node, resource string, action string, principal Node) bool
}

type NodeActions map[string][]string
func (actions NodeActions) Allows(resource string, action string) bool {
  for _, a := range(actions[""]) {
    if a == action || a == "*" {
      return true
    }
  }

  resource_actions, exists := actions[resource]
  if exists == true {
    for _, a := range(resource_actions) {
      if a == action || a == "*" {
        return true
      }
    }
  }

  return false
}

func NewNodeActions(resource_actions NodeActions, wildcard_actions []string) NodeActions {
  if resource_actions == nil {
    resource_actions = NodeActions{}
  }
  // Wildcard actions, all actions in "" will be allowed on all resources
  if wildcard_actions == nil {
    wildcard_actions = []string{}
  }
  resource_actions[""] = wildcard_actions
  return resource_actions
}

type PerNodePolicy struct {
  SimpleNode
  Actions map[NodeID]NodeActions
}

type PerNodePolicyJSON struct {
  SimpleNodeJSON
  Actions map[string]map[string][]string `json:"actions"`
}

func (policy *PerNodePolicy) Type() NodeType {
  return NodeType("per_node_policy")
}

func (policy *PerNodePolicy) Serialize() ([]byte, error) {
  actions := map[string]map[string][]string{}
  for principal, resource_actions := range(policy.Actions) {
    actions[principal.String()] = resource_actions
  }

  return json.MarshalIndent(&PerNodePolicyJSON{
    SimpleNodeJSON: NewSimpleNodeJSON(&policy.SimpleNode),
    Actions: actions,
  }, "", "  ")
}

func NewPerNodePolicy(id NodeID, actions map[NodeID]NodeActions) PerNodePolicy {
  if actions == nil {
    actions = map[NodeID]NodeActions{}
  }

  return PerNodePolicy{
    SimpleNode: NewSimpleNode(id),
    Actions: actions,
  }
}

func LoadPerNodePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, error) {
  var j PerNodePolicyJSON
  err := json.Unmarshal(data, &j)
  if err != nil {
    return nil, err
  }

  actions := map[NodeID]NodeActions{}
  for principal_str, node_actions := range(j.Actions) {
    principal_id, err := ParseID(principal_str)
    if err != nil {
      return nil, err
    }

    actions[principal_id] = node_actions
  }

  policy := NewPerNodePolicy(id, actions)
  nodes[id] = &policy

  err = RestoreSimpleNode(ctx, &policy.SimpleNode, j.SimpleNodeJSON, nodes)
  if err != nil {
    return nil, err
  }

  return &policy, nil
}

func (policy *PerNodePolicy) Allows(node Node, resource string, action string, principal Node) bool {
  node_actions, exists := policy.Actions[principal.ID()]
  if exists == false {
    return false
  }

  if node_actions.Allows(resource, action) == true {
    return true
  }

  return false
}

type SimplePolicy struct {
  SimpleNode
  Actions NodeActions
}

type SimplePolicyJSON struct {
  SimpleNodeJSON
  Actions map[string][]string `json:"actions"`
}

func (policy *SimplePolicy) Type() NodeType {
  return NodeType("simple_policy")
}

func (policy *SimplePolicy) Serialize() ([]byte, error) {
  return json.MarshalIndent(&SimplePolicyJSON{
    SimpleNodeJSON: NewSimpleNodeJSON(&policy.SimpleNode),
    Actions: policy.Actions,
  }, "", "  ")
}

func NewSimplePolicy(id NodeID, actions NodeActions) SimplePolicy {
  if actions == nil {
    actions = NodeActions{}
  }

  return SimplePolicy{
    SimpleNode: NewSimpleNode(id),
    Actions: actions,
  }
}

func LoadSimplePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, error) {
  var j SimplePolicyJSON
  err := json.Unmarshal(data, &j)
  if err != nil {
    return nil, err
  }

  policy := NewSimplePolicy(id, j.Actions)
  nodes[id] = &policy

  err = RestoreSimpleNode(ctx, &policy.SimpleNode, j.SimpleNodeJSON, nodes)
  if err != nil {
    return nil, err
  }

  return &policy, nil
}

func (policy *SimplePolicy) Allows(node Node, resource string, action string, principal Node) bool {
  return policy.Actions.Allows(resource, action)
}


type DependencyPolicy struct {
  SimplePolicy
}


func (policy *DependencyPolicy) Type() NodeType {
  return NodeType("dependency_policy")
}

func NewDependencyPolicy(id NodeID, actions NodeActions) DependencyPolicy {
  return DependencyPolicy{
    SimplePolicy: NewSimplePolicy(id, actions),
  }
}

func (policy *DependencyPolicy) Allows(node Node, resource string, action string, principal Node) bool {
  lockable, ok := node.(LockableNode)
  if ok == false {
    return false
  }

  for _, dep := range(lockable.LockableHandle().Dependencies) {
    if dep.ID() == principal.ID() {
      return policy.Actions.Allows(resource, action)
    }
  }

  return false
}

type RequirementPolicy struct {
  SimplePolicy
}


func (policy *RequirementPolicy) Type() NodeType {
  return NodeType("dependency_policy")
}

func NewRequirementPolicy(id NodeID, actions NodeActions) RequirementPolicy {
  return RequirementPolicy{
    SimplePolicy: NewSimplePolicy(id, actions),
  }
}

func (policy *RequirementPolicy) Allows(node Node, resource string, action string, principal Node) bool {
  lockable_node, ok := node.(LockableNode)
  if ok == false {
    return false
  }
  lockable := lockable_node.LockableHandle()

  for _, req := range(lockable.Requirements) {
    if req.ID() == principal.ID() {
      return policy.Actions.Allows(resource, action)
    }
  }

  return false
}

type ParentPolicy struct {
  SimplePolicy
}


func (policy *ParentPolicy) Type() NodeType {
  return NodeType("parent_policy")
}

func NewParentPolicy(id NodeID, actions NodeActions) ParentPolicy {
  return ParentPolicy{
    SimplePolicy: NewSimplePolicy(id, actions),
  }
}

func (policy *ParentPolicy) Allows(node Node, resource string, action string, principal Node) bool {
  thread_node, ok := node.(ThreadNode)
  if ok == false {
    return false
  }
  thread := thread_node.ThreadHandle()

  if thread.Owner != nil {
    if thread.Owner.ID() == principal.ID() {
      return policy.Actions.Allows(resource, action)
    }
  }

  return false
}

type ChildrenPolicy struct {
  SimplePolicy
}


func (policy *ChildrenPolicy) Type() NodeType {
  return NodeType("children_policy")
}

func NewChildrenPolicy(id NodeID, actions NodeActions) ChildrenPolicy {
  return ChildrenPolicy{
    SimplePolicy: NewSimplePolicy(id, actions),
  }
}

func (policy *ChildrenPolicy) Allows(node Node, resource string, action string, principal Node) bool {
  thread_node, ok := node.(ThreadNode)
  if ok == false {
    return false
  }
  thread := thread_node.ThreadHandle()

  for _, info := range(thread.Children) {
    if info.Child.ID() == principal.ID() {
      return policy.Actions.Allows(resource, action)
    }
  }

  return false
}
Added policy.go 2023-07-20 23:19:10 -06:00			`package graphvent`

			`import (`
			`"encoding/json"`
			`)`

First implementation of policies 2023-07-21 12:09:29 -06:00			`// A policy represents a set of rules attached to a Node that allow principals to perform actions on it`
Added policy.go 2023-07-20 23:19:10 -06:00			`type Policy interface {`
			`Node`
First implementation of policies 2023-07-21 12:09:29 -06:00			`// Returns true if the principal is allowed to perform the action on the resource`
Added DependencyPolicy 2023-07-24 01:12:30 -06:00			`Allows(node Node, resource string, action string, principal Node) bool`
Added more to policy, and updated lockable to use better IDs 2023-07-21 00:02:53 -06:00			`}`

			`type NodeActions map[string][]string`
start maniacal rewrite, main goal is to combine node and lockable to remove any sync mutex deadlocks. Another goal is to make read contexts get copies of the state to ensure they don't modify and no lock is required to ensure no value changes, and write contexts use the lockable locks instead of mutex 2023-07-22 20:21:17 -06:00			`func (actions NodeActions) Allows(resource string, action string) bool {`
Added more to policy, and updated lockable to use better IDs 2023-07-21 00:02:53 -06:00			`for _, a := range(actions[""]) {`
First implementation of policies 2023-07-21 12:09:29 -06:00			`if a == action \|\| a == "*" {`
Added more to policy, and updated lockable to use better IDs 2023-07-21 00:02:53 -06:00			`return true`
			`}`
			`}`

			`resource_actions, exists := actions[resource]`
			`if exists == true {`
			`for _, a := range(resource_actions) {`
First implementation of policies 2023-07-21 12:09:29 -06:00			`if a == action \|\| a == "*" {`
Added more to policy, and updated lockable to use better IDs 2023-07-21 00:02:53 -06:00			`return true`
			`}`
			`}`
			`}`

			`return false`
			`}`

First implementation of policies 2023-07-21 12:09:29 -06:00			`func NewNodeActions(resource_actions NodeActions, wildcard_actions []string) NodeActions {`
			`if resource_actions == nil {`
			`resource_actions = NodeActions{}`
			`}`
Added more to policy, and updated lockable to use better IDs 2023-07-21 00:02:53 -06:00			`// Wildcard actions, all actions in "" will be allowed on all resources`
			`if wildcard_actions == nil {`
			`wildcard_actions = []string{}`
			`}`
First implementation of policies 2023-07-21 12:09:29 -06:00			`resource_actions[""] = wildcard_actions`
			`return resource_actions`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`

			`type PerNodePolicy struct {`
Tests compile and run 2023-07-24 16:04:56 -06:00			`SimpleNode`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			`Actions map[NodeID]NodeActions`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`

			`type PerNodePolicyJSON struct {`
Tests compile and run 2023-07-24 16:04:56 -06:00			`SimpleNodeJSON`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			Actions map[string]map[string][]string `json:"actions"`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`

			`func (policy *PerNodePolicy) Type() NodeType {`
			`return NodeType("per_node_policy")`
			`}`

			`func (policy *PerNodePolicy) Serialize() ([]byte, error) {`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`actions := map[string]map[string][]string{}`
			`for principal, resource_actions := range(policy.Actions) {`
			`actions[principal.String()] = resource_actions`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`

			`return json.MarshalIndent(&PerNodePolicyJSON{`
Tests compile and run 2023-07-24 16:04:56 -06:00			`SimpleNodeJSON: NewSimpleNodeJSON(&policy.SimpleNode),`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`Actions: actions,`
Added policy.go 2023-07-20 23:19:10 -06:00			`}, "", " ")`
			`}`

Added SimplePolicy 2023-07-21 13:33:04 -06:00			`func NewPerNodePolicy(id NodeID, actions map[NodeID]NodeActions) PerNodePolicy {`
			`if actions == nil {`
			`actions = map[NodeID]NodeActions{}`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`

			`return PerNodePolicy{`
Tests compile and run 2023-07-24 16:04:56 -06:00			`SimpleNode: NewSimpleNode(id),`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			`Actions: actions,`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`
			`}`

			`func LoadPerNodePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, error) {`
			`var j PerNodePolicyJSON`
			`err := json.Unmarshal(data, &j)`
			`if err != nil {`
			`return nil, err`
			`}`

Added SimplePolicy 2023-07-21 13:33:04 -06:00			`actions := map[NodeID]NodeActions{}`
			`for principal_str, node_actions := range(j.Actions) {`
Added policy.go 2023-07-20 23:19:10 -06:00			`principal_id, err := ParseID(principal_str)`
			`if err != nil {`
			`return nil, err`
			`}`

Added SimplePolicy 2023-07-21 13:33:04 -06:00			`actions[principal_id] = node_actions`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`

Added SimplePolicy 2023-07-21 13:33:04 -06:00			`policy := NewPerNodePolicy(id, actions)`
Added policy.go 2023-07-20 23:19:10 -06:00			`nodes[id] = &policy`

Tests compile and run 2023-07-24 16:04:56 -06:00			`err = RestoreSimpleNode(ctx, &policy.SimpleNode, j.SimpleNodeJSON, nodes)`
Added policy.go 2023-07-20 23:19:10 -06:00			`if err != nil {`
			`return nil, err`
			`}`

			`return &policy, nil`
			`}`

Added DependencyPolicy 2023-07-24 01:12:30 -06:00			`func (policy *PerNodePolicy) Allows(node Node, resource string, action string, principal Node) bool {`
Changed ACL to get passed entire node attempting action instead of just ID 2023-07-21 13:34:47 -06:00			`node_actions, exists := policy.Actions[principal.ID()]`
Added more to policy, and updated lockable to use better IDs 2023-07-21 00:02:53 -06:00			`if exists == false {`
			`return false`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`

start maniacal rewrite, main goal is to combine node and lockable to remove any sync mutex deadlocks. Another goal is to make read contexts get copies of the state to ensure they don't modify and no lock is required to ensure no value changes, and write contexts use the lockable locks instead of mutex 2023-07-22 20:21:17 -06:00			`if node_actions.Allows(resource, action) == true {`
Added more to policy, and updated lockable to use better IDs 2023-07-21 00:02:53 -06:00			`return true`
Added policy.go 2023-07-20 23:19:10 -06:00			`}`

			`return false`
			`}`
Added SimplePolicy 2023-07-21 13:33:04 -06:00
			`type SimplePolicy struct {`
Tests compile and run 2023-07-24 16:04:56 -06:00			`SimpleNode`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			`Actions NodeActions`
			`}`

			`type SimplePolicyJSON struct {`
Tests compile and run 2023-07-24 16:04:56 -06:00			`SimpleNodeJSON`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			Actions map[string][]string `json:"actions"`
			`}`

			`func (policy *SimplePolicy) Type() NodeType {`
			`return NodeType("simple_policy")`
			`}`

			`func (policy *SimplePolicy) Serialize() ([]byte, error) {`
			`return json.MarshalIndent(&SimplePolicyJSON{`
Tests compile and run 2023-07-24 16:04:56 -06:00			`SimpleNodeJSON: NewSimpleNodeJSON(&policy.SimpleNode),`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			`Actions: policy.Actions,`
			`}, "", " ")`
			`}`

			`func NewSimplePolicy(id NodeID, actions NodeActions) SimplePolicy {`
			`if actions == nil {`
			`actions = NodeActions{}`
			`}`

			`return SimplePolicy{`
Tests compile and run 2023-07-24 16:04:56 -06:00			`SimpleNode: NewSimpleNode(id),`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			`Actions: actions,`
			`}`
			`}`

			`func LoadSimplePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, error) {`
			`var j SimplePolicyJSON`
			`err := json.Unmarshal(data, &j)`
			`if err != nil {`
			`return nil, err`
			`}`

			`policy := NewSimplePolicy(id, j.Actions)`
			`nodes[id] = &policy`

Tests compile and run 2023-07-24 16:04:56 -06:00			`err = RestoreSimpleNode(ctx, &policy.SimpleNode, j.SimpleNodeJSON, nodes)`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			`if err != nil {`
			`return nil, err`
			`}`

			`return &policy, nil`
			`}`

Added DependencyPolicy 2023-07-24 01:12:30 -06:00			`func (policy *SimplePolicy) Allows(node Node, resource string, action string, principal Node) bool {`
start maniacal rewrite, main goal is to combine node and lockable to remove any sync mutex deadlocks. Another goal is to make read contexts get copies of the state to ensure they don't modify and no lock is required to ensure no value changes, and write contexts use the lockable locks instead of mutex 2023-07-22 20:21:17 -06:00			`return policy.Actions.Allows(resource, action)`
Added SimplePolicy 2023-07-21 13:33:04 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00
			`type DependencyPolicy struct {`
			`SimplePolicy`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00
			`func (policy *DependencyPolicy) Type() NodeType {`
			`return NodeType("dependency_policy")`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`func NewDependencyPolicy(id NodeID, actions NodeActions) DependencyPolicy {`
			`return DependencyPolicy{`
			`SimplePolicy: NewSimplePolicy(id, actions),`
			`}`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`func (policy *DependencyPolicy) Allows(node Node, resource string, action string, principal Node) bool {`
			`lockable, ok := node.(LockableNode)`
			`if ok == false {`
			`return false`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`for _, dep := range(lockable.LockableHandle().Dependencies) {`
			`if dep.ID() == principal.ID() {`
			`return policy.Actions.Allows(resource, action)`
			`}`
			`}`

			`return false`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`type RequirementPolicy struct {`
			`SimplePolicy`
			`}`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00
			`func (policy *RequirementPolicy) Type() NodeType {`
			`return NodeType("dependency_policy")`
			`}`

			`func NewRequirementPolicy(id NodeID, actions NodeActions) RequirementPolicy {`
			`return RequirementPolicy{`
			`SimplePolicy: NewSimplePolicy(id, actions),`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`
			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`func (policy *RequirementPolicy) Allows(node Node, resource string, action string, principal Node) bool {`
			`lockable_node, ok := node.(LockableNode)`
			`if ok == false {`
			`return false`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`lockable := lockable_node.LockableHandle()`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`for _, req := range(lockable.Requirements) {`
			`if req.ID() == principal.ID() {`
			`return policy.Actions.Allows(resource, action)`
			`}`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`return false`
			`}`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`type ParentPolicy struct {`
			`SimplePolicy`
			`}`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00
			`func (policy *ParentPolicy) Type() NodeType {`
			`return NodeType("parent_policy")`
			`}`

			`func NewParentPolicy(id NodeID, actions NodeActions) ParentPolicy {`
			`return ParentPolicy{`
			`SimplePolicy: NewSimplePolicy(id, actions),`
			`}`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`func (policy *ParentPolicy) Allows(node Node, resource string, action string, principal Node) bool {`
			`thread_node, ok := node.(ThreadNode)`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`if ok == false {`
			`return false`
			`}`
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`thread := thread_node.ThreadHandle()`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`if thread.Owner != nil {`
			`if thread.Owner.ID() == principal.ID() {`
			`return policy.Actions.Allows(resource, action)`
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`}`
			`}`
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00
Added PerTagPolicy 2023-07-21 13:55:27 -06:00			`return false`
			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`type ChildrenPolicy struct {`
Added DependencyPolicy 2023-07-24 01:12:30 -06:00			`SimplePolicy`
			`}`


Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`func (policy *ChildrenPolicy) Type() NodeType {`
			`return NodeType("children_policy")`
Added DependencyPolicy 2023-07-24 01:12:30 -06:00			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`func NewChildrenPolicy(id NodeID, actions NodeActions) ChildrenPolicy {`
			`return ChildrenPolicy{`
Added DependencyPolicy 2023-07-24 01:12:30 -06:00			`SimplePolicy: NewSimplePolicy(id, actions),`
			`}`
			`}`

Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`func (policy *ChildrenPolicy) Allows(node Node, resource string, action string, principal Node) bool {`
			`thread_node, ok := node.(ThreadNode)`
Added DependencyPolicy 2023-07-24 01:12:30 -06:00			`if ok == false {`
			`return false`
			`}`
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`thread := thread_node.ThreadHandle()`
Added DependencyPolicy 2023-07-24 01:12:30 -06:00
Added more policy types, removed tags 2023-07-24 22:52:15 -06:00			`for _, info := range(thread.Children) {`
			`if info.Child.ID() == principal.ID() {`
Added DependencyPolicy 2023-07-24 01:12:30 -06:00			`return policy.Actions.Allows(resource, action)`
			`}`
			`}`

			`return false`
			`}`