graphvent/policy.go

311 lines
7.0 KiB
Go

2023-07-20 23:19:10 -06:00
package graphvent
import (
"encoding/json"
)
const (
2023-08-10 23:43:10 -06:00
MemberOfPolicyType = PolicyType("USER_OF")
PerNodePolicyType = PolicyType("PER_NODE")
AllNodesPolicyType = PolicyType("ALL_NODES")
)
2023-07-20 23:19:10 -06:00
type Policy interface {
Serializable[PolicyType]
2023-08-10 23:43:10 -06:00
Allows(principal_id NodeID, action Tree, node *Node)(Messages, RuleResult)
ContinueAllows(current PendingACL, signal Signal)RuleResult
// Merge with another policy of the same underlying type
Merge(Policy) Policy
2023-08-01 20:55:15 -06:00
// Make a copy of this policy
Copy() Policy
}
2023-08-10 23:43:10 -06:00
func (policy *AllNodesPolicy) Allows(principal_id NodeID, action Tree, node *Node)(Messages, RuleResult) {
return nil, policy.Rules.Allows(action)
}
2023-08-10 23:43:10 -06:00
func (policy *AllNodesPolicy) ContinueAllows(current PendingACL, signal Signal) RuleResult {
return Deny
}
func (policy *PerNodePolicy) Allows(principal_id NodeID, action Tree, node *Node)(Messages, RuleResult) {
for id, actions := range(policy.NodeRules) {
if id != principal_id {
continue
}
return nil, actions.Allows(action)
}
2023-08-10 23:43:10 -06:00
return nil, Deny
}
2023-08-10 23:43:10 -06:00
func (policy *PerNodePolicy) ContinueAllows(current PendingACL, signal Signal) RuleResult {
return Deny
}
2023-08-10 23:43:10 -06:00
type MemberOfPolicy struct {
PerNodePolicy
}
2023-08-10 23:43:10 -06:00
func (policy *MemberOfPolicy) Type() PolicyType {
return MemberOfPolicyType
}
func NewMemberOfPolicy(group_rules NodeRules) MemberOfPolicy {
return MemberOfPolicy{
PerNodePolicy: NewPerNodePolicy(group_rules),
}
}
2023-08-10 23:43:10 -06:00
func (policy *MemberOfPolicy) ContinueAllows(current PendingACL, signal Signal) RuleResult {
sig, ok := signal.(*ReadResultSignal)
if ok == false {
return Deny
}
group_ext_data, ok := sig.Extensions[GroupExtType]
if ok == false {
return Deny
}
members, ok := group_ext_data["members"].(map[NodeID]string)
if ok == false {
return Deny
}
for member, _ := range(members) {
if member == current.Principal {
return policy.NodeRules[sig.NodeID].Allows(current.Action)
}
}
2023-08-10 23:43:10 -06:00
return Deny
}
// Send a read signal to Group to check if principal_id is a member of it
2023-08-10 23:43:10 -06:00
func (policy *MemberOfPolicy) Allows(principal_id NodeID, action Tree, node *Node) (Messages, RuleResult) {
msgs := Messages{}
for id, rule := range(policy.NodeRules) {
if id == node.ID {
ext, err := GetExt[*GroupExt](node)
if err == nil {
for member, _ := range(ext.Members) {
if member == principal_id {
if rule.Allows(action) == Allow {
return nil, Allow
}
}
}
}
} else {
msgs = msgs.Add(node.ID, node.Key, NewReadSignal(map[ExtType][]string{
GroupExtType: []string{"members"},
}), id)
}
}
return msgs, Pending
}
2023-08-10 23:43:10 -06:00
func (policy *MemberOfPolicy) Merge(p Policy) Policy {
other := p.(*MemberOfPolicy)
policy.NodeRules = MergeNodeRules(policy.NodeRules, other.NodeRules)
return policy
}
2023-08-10 23:43:10 -06:00
func (policy *MemberOfPolicy) Copy() Policy {
new_rules := CopyNodeRules(policy.NodeRules)
return &MemberOfPolicy{
PerNodePolicy: NewPerNodePolicy(new_rules),
}
}
2023-08-10 23:43:10 -06:00
func CopyTree(tree Tree) Tree {
if tree == nil {
return nil
}
2023-08-10 23:43:10 -06:00
ret := Tree{}
for name, sub := range(tree) {
ret[name] = CopyTree(sub)
}
2023-08-10 23:43:10 -06:00
return ret
}
2023-08-10 23:43:10 -06:00
func MergeTrees(first Tree, second Tree) Tree {
if first == nil || second == nil {
return nil
}
ret := CopyTree(first)
for name, sub := range(second) {
current, exists := ret[name]
if exists == true {
ret[name] = MergeTrees(current, sub)
} else {
ret[name] = CopyTree(sub)
}
}
return ret
}
2023-08-10 23:43:10 -06:00
func CopyNodeRules(rules NodeRules) NodeRules {
ret := NodeRules{}
for id, r := range(rules) {
ret[id] = r
2023-08-01 20:55:15 -06:00
}
return ret
}
2023-08-10 23:43:10 -06:00
func MergeNodeRules(first NodeRules, second NodeRules) NodeRules {
merged := NodeRules{}
for id, actions := range(first) {
merged[id] = actions
}
for id, actions := range(second) {
existing, exists := merged[id]
if exists {
2023-08-10 23:43:10 -06:00
merged[id] = MergeTrees(existing, actions)
} else {
merged[id] = actions
}
}
return merged
}
2023-08-01 20:55:15 -06:00
func (policy *PerNodePolicy) Merge(p Policy) Policy {
other := p.(*PerNodePolicy)
2023-08-10 23:43:10 -06:00
policy.NodeRules = MergeNodeRules(policy.NodeRules, other.NodeRules)
return policy
}
2023-08-01 20:55:15 -06:00
func (policy *PerNodePolicy) Copy() Policy {
2023-08-10 23:43:10 -06:00
new_rules := CopyNodeRules(policy.NodeRules)
2023-08-01 20:55:15 -06:00
return &PerNodePolicy{
2023-08-10 23:43:10 -06:00
NodeRules: new_rules,
2023-08-01 20:55:15 -06:00
}
}
func (policy *AllNodesPolicy) Merge(p Policy) Policy {
other := p.(*AllNodesPolicy)
2023-08-10 23:43:10 -06:00
policy.Rules = MergeTrees(policy.Rules, other.Rules)
return policy
}
2023-08-01 20:55:15 -06:00
func (policy *AllNodesPolicy) Copy() Policy {
2023-08-10 23:43:10 -06:00
new_rules := policy.Rules
2023-08-01 20:55:15 -06:00
return &AllNodesPolicy {
2023-08-10 23:43:10 -06:00
Rules: new_rules,
2023-08-01 20:55:15 -06:00
}
}
2023-08-10 23:43:10 -06:00
type Tree map[string]Tree
func (rule Tree) Allows(action Tree) RuleResult {
// If the current rule is nil, it's a wildcard and any action being processed is allowed
if rule == nil {
return Allow
// If the rule isn't "allow all" but the action is "request all", deny
} else if action == nil {
return Deny
// If the current action has no children, it's allowed
} else if len(action) == 0 {
return Allow
// If the current rule has no children but the action goes further, it's not allowed
} else if len(rule) == 0 {
return Deny
// If the current rule and action have children, all the children of action must be allowed by rule
} else {
for sub, subtree := range(action) {
subrule, exists := rule[sub]
if exists == false {
return Deny
} else if subrule.Allows(subtree) == Deny {
return Deny
}
}
2023-08-10 23:43:10 -06:00
return Allow
}
}
2023-08-10 23:43:10 -06:00
type NodeRules map[NodeID]Tree
2023-08-10 23:43:10 -06:00
func (rules NodeRules) MarshalJSON() ([]byte, error) {
tmp := map[string]Tree{}
for id, r := range(rules) {
tmp[id.String()] = r
}
return json.Marshal(tmp)
}
2023-08-10 23:43:10 -06:00
func (rules *NodeRules) UnmarshalJSON(data []byte) error {
tmp := map[string]Tree{}
err := json.Unmarshal(data, &tmp)
if err != nil {
return err
}
2023-08-10 23:43:10 -06:00
for id_str, r := range(tmp) {
id, err := ParseID(id_str)
if err != nil {
return err
}
2023-08-10 23:43:10 -06:00
ru := *rules
ru[id] = r
}
return nil
}
2023-08-10 23:43:10 -06:00
func NewPerNodePolicy(node_actions NodeRules) PerNodePolicy {
2023-07-26 13:28:03 -06:00
if node_actions == nil {
2023-08-10 23:43:10 -06:00
node_actions = NodeRules{}
2023-07-26 13:28:03 -06:00
}
return PerNodePolicy{
2023-08-10 23:43:10 -06:00
NodeRules: node_actions,
2023-07-26 13:28:03 -06:00
}
}
type PerNodePolicy struct {
2023-08-10 23:43:10 -06:00
NodeRules NodeRules `json:"node_actions"`
2023-07-26 13:28:03 -06:00
}
2023-08-01 20:55:15 -06:00
func (policy *PerNodePolicy) Type() PolicyType {
2023-07-26 13:28:03 -06:00
return PerNodePolicyType
}
2023-08-01 20:55:15 -06:00
func (policy *PerNodePolicy) Serialize() ([]byte, error) {
return json.MarshalIndent(policy, "", " ")
2023-07-26 13:28:03 -06:00
}
2023-08-01 20:55:15 -06:00
func (policy *PerNodePolicy) Deserialize(ctx *Context, data []byte) error {
return json.Unmarshal(data, policy)
}
2023-08-10 23:43:10 -06:00
func NewAllNodesPolicy(rules Tree) AllNodesPolicy {
2023-07-27 00:30:24 -06:00
return AllNodesPolicy{
2023-08-10 23:43:10 -06:00
Rules: rules,
2023-07-27 00:30:24 -06:00
}
}
type AllNodesPolicy struct {
2023-08-10 23:43:10 -06:00
Rules Tree
2023-07-27 00:30:24 -06:00
}
2023-08-01 20:55:15 -06:00
func (policy *AllNodesPolicy) Type() PolicyType {
2023-07-27 00:30:24 -06:00
return AllNodesPolicyType
}
2023-08-01 20:55:15 -06:00
func (policy *AllNodesPolicy) Serialize() ([]byte, error) {
2023-07-27 00:30:24 -06:00
return json.MarshalIndent(policy, "", " ")
}
2023-08-01 20:55:15 -06:00
func (policy *AllNodesPolicy) Deserialize(ctx *Context, data []byte) error {
return json.Unmarshal(data, policy)
}
2023-08-10 23:43:10 -06:00
var DefaultPolicy = NewAllNodesPolicy(Tree{
ErrorSignalType.String(): nil,
ReadResultSignalType.String(): nil,
})