graphvent/policy.go

package graphvent

import (
  "encoding/json"
  "fmt"
)

type PolicyType string
func (policy PolicyType) Prefix() string { return "POLICY: " }
func (policy PolicyType) String() string { return string(policy) }

const (
  RequirementOfPolicyType = PolicyType("REQUIREMENT_OF")
  PerNodePolicyType = PolicyType("PER_NODE")
  AllNodesPolicyType = PolicyType("ALL_NODES")
)

type Policy interface {
  Serializable[PolicyType]
  Allows(principal_id NodeID, action Action, node *Node) error
  // Merge with another policy of the same underlying type
  Merge(Policy) Policy
}

func (policy AllNodesPolicy) Allows(principal_id NodeID, action Action, node *Node) error {
  return policy.Actions.Allows(action)
}

func (policy PerNodePolicy) Allows(principal_id NodeID, action Action, node *Node) error {
  for id, actions := range(policy.NodeActions) {
    if id != principal_id {
      continue
    }
    return actions.Allows(action)
  }
  return fmt.Errorf("%s is not in per node policy of %s", principal_id, node.ID)
}

func (policy RequirementOfPolicy) Allows(principal_id NodeID, action Action, node *Node) error {
  lockable_ext, err := GetExt[*LockableExt](node)
  if err != nil {
    return err
  }

  for id, _ := range(lockable_ext.Requirements) {
    if id == principal_id {
      return policy.Actions.Allows(action)
    }
  }

  return fmt.Errorf("%s is not a requirement of %s", principal_id, node.ID)
}

type RequirementOfPolicy struct {
  AllNodesPolicy
}
func (policy RequirementOfPolicy) Type() PolicyType {
  return RequirementOfPolicyType
}

func NewRequirementOfPolicy(actions Actions) RequirementOfPolicy {
  return RequirementOfPolicy{
    AllNodesPolicy: NewAllNodesPolicy(actions),
  }
}

func MergeActions(first Actions, second Actions) Actions {
  ret := second
  for _, action := range(first) {
    ret = append(ret, action)
  }
  return ret
}

func MergeNodeActions(modified NodeActions, read NodeActions) {
  for id, actions := range(read) {
    existing, exists := modified[id]
    if exists {
      modified[id] = MergeActions(existing, actions)
    } else {
      modified[id] = actions
    }
  }
}

func (policy PerNodePolicy) Merge(p Policy) Policy {
  other := p.(PerNodePolicy)
  MergeNodeActions(policy.NodeActions, other.NodeActions)
  return policy
}

func (policy AllNodesPolicy) Merge(p Policy) Policy {
  other := p.(AllNodesPolicy)
  policy.Actions = MergeActions(policy.Actions, other.Actions)
  return policy
}

func (policy RequirementOfPolicy) Merge(p Policy) Policy {
  other := p.(RequirementOfPolicy)
  policy.Actions = MergeActions(policy.Actions, other.Actions)
  return policy
}

type Action []string

func MakeAction(parts ...interface{}) Action {
  action := make(Action, len(parts))
  for i, part := range(parts) {
    stringer, ok := part.(fmt.Stringer)
    if ok == false {
      switch p := part.(type) {
      case string:
        action[i] = p
      default:
        panic("%s can not be part of an action")
      }
    } else {
      action[i] = stringer.String()
    }
  }
  return action
}

func (action Action) Allows(test Action) bool {
  action_len := len(action)
  for i, part := range(test) {
    if i >= action_len {
      return false
    } else if action[i] == part || action[i] == "*" {
      continue
    } else if action[i] == "+" {
      break
    } else {
      return false
    }
  }

  return true
}

type Actions []Action

func (actions Actions) Allows(action Action) error {
  for _, a := range(actions) {
    if a.Allows(action) == true {
      return nil
    }
  }
  return fmt.Errorf("%s not in allows list", action)
}

type NodeActions map[NodeID]Actions

func (actions NodeActions) MarshalJSON() ([]byte, error) {
  tmp := map[string]Actions{}
  for id, a := range(actions) {
    tmp[id.String()] = a
  }
  return json.Marshal(tmp)
}

func (actions *NodeActions) UnmarshalJSON(data []byte) error {
  tmp := map[string]Actions{}
  err := json.Unmarshal(data, &tmp)
  if err != nil {
    return err
  }

  for id_str, a := range(tmp) {
    id, err := ParseID(id_str)
    if err != nil {
      return err
    }
    ac := *actions
    ac[id] = a
  }

  return nil
}

type AllNodesPolicyJSON struct {
  Actions Actions `json:"actions"`
}

func AllNodesPolicyLoad(init_fn func(Actions)(Policy, error)) func(*Context, []byte)(Policy, error) {
  return func(ctx *Context, data []byte)(Policy, error){
    var j AllNodesPolicyJSON
    err := json.Unmarshal(data, &j)

    if err != nil {
      return nil, err
    }

    return init_fn(j.Actions)
  }
}

func PerNodePolicyLoad(init_fn func(NodeActions)(Policy, error)) func(*Context, []byte)(Policy, error) {
  return func(ctx *Context, data []byte)(Policy, error){
    policy := PerNodePolicy{
      NodeActions: NodeActions{},
    }
    err := json.Unmarshal(data, &policy)
    if err != nil {
      return nil, err
    }
    return init_fn(policy.NodeActions)
  }
}

func NewPerNodePolicy(node_actions NodeActions) PerNodePolicy {
  if node_actions == nil {
    node_actions = NodeActions{}
  }

  return PerNodePolicy{
    NodeActions: node_actions,
  }
}

type PerNodePolicy struct {
  NodeActions NodeActions `json:"node_actions"`
}

func (policy PerNodePolicy) Type() PolicyType {
  return PerNodePolicyType
}

func (policy PerNodePolicy) Serialize() ([]byte, error) {
  return json.MarshalIndent(policy, "", "  ")
}

func NewAllNodesPolicy(actions Actions) AllNodesPolicy {
  if actions == nil {
    actions = Actions{}
  }

  return AllNodesPolicy{
    Actions: actions,
  }
}

type AllNodesPolicy struct {
  Actions Actions
}

func (policy AllNodesPolicy) Type() PolicyType {
  return AllNodesPolicyType
}

func (policy AllNodesPolicy) Serialize() ([]byte, error) {
  return json.MarshalIndent(policy, "", "  ")
}

// Extension to allow a node to hold ACL policies
type ACLExt struct {
  Policies map[PolicyType]Policy
}


func NodeList(nodes ...*Node) NodeMap {
  m := NodeMap{}
  for _, node := range(nodes) {
    m[node.ID] = node
  }
  return m
}

type PolicyLoadFunc func(*Context, []byte) (Policy, error)
type PolicyInfo struct {
  Load PolicyLoadFunc
}

type ACLExtContext struct {
  Types map[PolicyType]PolicyInfo
}

func NewACLExtContext() *ACLExtContext {
  return &ACLExtContext{
    Types: map[PolicyType]PolicyInfo{
      AllNodesPolicyType: PolicyInfo{
        Load: AllNodesPolicyLoad(func(actions Actions)(Policy, error){
          policy := NewAllNodesPolicy(actions)
          return &policy, nil
        }),
      },
      PerNodePolicyType: PolicyInfo{
        Load: PerNodePolicyLoad(func(nodes NodeActions)(Policy,error){
          policy := NewPerNodePolicy(nodes)
          return &policy, nil
        }),
      },
      RequirementOfPolicyType: PolicyInfo{
        Load: AllNodesPolicyLoad(func(actions Actions)(Policy, error){
          policy := NewRequirementOfPolicy(actions)
          return &policy, nil
        }),
      },
    },
  }
}

func (ext *ACLExt) Serialize() ([]byte, error) {
  policies := map[string][]byte{}
  for name, policy := range(ext.Policies) {
    ser, err := policy.Serialize()
    if err != nil {
      return nil, err
    }
    policies[string(name)] = ser
  }

  return json.MarshalIndent(&struct{
    Policies map[string][]byte `json:"policies"`
  }{
    Policies: policies,
  }, "", "  ")
}

func (ext *ACLExt) Process(ctx *Context, princ_id NodeID, node *Node, signal Signal) {
}

func (ext *ACLExt) Field(name string) interface{} {
  return ResolveFields(ext, name, map[string]func(*ACLExt)interface{}{
    "policies": func(ext *ACLExt) interface{} {
      return ext.Policies
    },
  })
}

var ErrorSignalAction = Action{"ERROR_RESP"}
var ReadResultSignalAction = Action{"READ_RESULT"}
var DefaultACLPolicies = []Policy{
  NewAllNodesPolicy(Actions{ErrorSignalAction, ReadResultSignalAction}),
}

func NewACLExt(policies ...Policy) *ACLExt {
  policy_map := map[PolicyType]Policy{}
  for _, policy := range(append(policies, DefaultACLPolicies...)) {
    existing, exists := policy_map[policy.Type()]
    if exists == true {
      policy = existing.Merge(policy)
    }

    policy_map[policy.Type()] = policy
  }

  return &ACLExt{
    Policies: policy_map,
  }
}

func LoadACLExt(ctx *Context, data []byte) (Extension, error) {
  var j struct {
    Policies map[string][]byte `json:"policies"`
  }
  err := json.Unmarshal(data, &j)
  if err != nil {
    return nil, err
  }

  policies := make([]Policy, len(j.Policies))
  i := 0
  acl_ctx, err := GetCtx[*ACLExt, *ACLExtContext](ctx)
  if err != nil {
    return nil, err
  }
  for name, ser := range(j.Policies) {
    policy_def, exists := acl_ctx.Types[PolicyType(name)]
    if exists == false {
      return nil, fmt.Errorf("%s is not a known policy type", name)
    }
    policy, err := policy_def.Load(ctx, ser)
    if err != nil {
      return nil, err
    }

    policies[i] = policy
    i++
  }

  return NewACLExt(policies...), nil
}

func (ext *ACLExt) Type() ExtType {
  return ACLExtType
}

// Check if the extension allows the principal to perform action on node
func (ext *ACLExt) Allows(ctx *Context, principal_id NodeID, action Action, node *Node) error {
  errs := []error{}
  for _, policy := range(ext.Policies) {
    err := policy.Allows(principal_id, action, node)
    if err == nil {
      return nil
    }
    errs = append(errs, err)
  }
  return fmt.Errorf("POLICY_CHECK_ERRORS: %s %s.%s - %+v", principal_id, node.ID, action, errs)
}