Added policy.go

2023-07-20 23:19:10 -06:00 · 2023-07-20 23:19:10 -06:00 · 61fd7d61aa
parent a88c704c57
commit 61fd7d61aa
5 changed files with 259 additions and 6 deletions
--- a/context.go
+++ b/context.go
@ -188,6 +188,14 @@ func NewContext(db * badger.DB, log Logger) * Context {
  if err != nil {
    panic(err)
  }
+  err = ctx.RegisterNodeType(NewNodeDef((*PerNodePolicy)(nil), LoadPerNodePolicy, GQLTypeGraphNode()))
+  if err != nil {
+    panic(err)
+  }
+  err = ctx.RegisterNodeType(NewNodeDef((*AllNodePolicy)(nil), LoadAllNodePolicy, GQLTypeGraphNode()))
+  if err != nil {
+    panic(err)
+  }

  ctx.AddGQLType(GQLTypeSignal())

--- a/gql_test.go
+++ b/gql_test.go
@ -70,15 +70,22 @@ func TestGQLDBLoad(t * testing.T) {
  u1_r := NewUser("Test User", time.Now(), &u1_key.PublicKey, u1_shared)
  u1 := &u1_r

+  p1_r := NewAllNodePolicy(RandID(), []string{"*"})
+  p1 := &p1_r
+
  key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
  fatalErr(t, err)
  gql_r := NewGQLThread(RandID(), "GQL Thread", "init", ":0", ecdh.P256(), key)
  gql := &gql_r

  info := NewParentThreadInfo(true, "start", "restore")
-  err = UpdateStates(ctx, []Node{gql, t1, l1, u1}, func(nodes NodeMap) error {
+  err = UpdateStates(ctx, []Node{gql, t1, l1, u1, p1}, func(nodes NodeMap) error {
+    err := u1.AddPolicy(p1)
+    if err != nil {
+      return err
+    }
    gql.Users[KeyID(&u1_key.PublicKey)] = u1
-    err := LinkLockables(ctx, gql, []Lockable{l1}, nodes)
+    err = LinkLockables(ctx, gql, []Lockable{l1}, nodes)
    if err != nil {
      return err
    }
--- a/lockable.go
+++ b/lockable.go
@ -60,6 +60,7 @@ func (state * SimpleLockable) Type() NodeType {
 }

 type SimpleLockableJSON struct {
+  GraphNodeJSON
  Name string `json:"name"`
  Owner *NodeID `json:"owner"`
  Dependencies []NodeID `json:"dependencies"`
@ -98,7 +99,11 @@ func NewSimpleLockableJSON(lockable *SimpleLockable) SimpleLockableJSON {
      locks_held[lockable_id.String()] = &str
    }
  }
+
+  node_json := NewGraphNodeJSON(&lockable.GraphNode)
+
  return SimpleLockableJSON{
+    GraphNodeJSON: node_json,
    Name: lockable.name,
    Owner: owner_id,
    Dependencies: dependency_ids,
@ -560,7 +565,7 @@ func RestoreSimpleLockable(ctx * Context, lockable Lockable, j SimpleLockableJSO
    }
    o_l, ok := o.(Lockable)
    if ok == false {
-      return fmt.Errorf("%s is not a Lockable", o.ID())
+      return fmt.Errorf("%s is not a Lockable", *j.Owner)
    }
    lockable.SetOwner(o_l)
  }
@ -615,5 +620,5 @@ func RestoreSimpleLockable(ctx * Context, lockable Lockable, j SimpleLockableJSO
    lockable.RecordLock(l_l, h_l)
  }

-  return nil
+  return RestoreGraphNode(ctx, lockable, j.GraphNodeJSON, nodes)
 }
--- a/node.go
+++ b/node.go
@ -6,6 +6,7 @@ import (
  badger "github.com/dgraph-io/badger/v3"
  "fmt"
  "encoding/binary"
+  "encoding/json"
  "crypto/sha512"
  "crypto/ecdsa"
  "crypto/elliptic"
@ -56,13 +57,22 @@ func RandID() NodeID {
 // A Node represents data that can be read by multiple goroutines and written to by one, with a unique ID attached, and a method to process updates(including propagating them to connected nodes)
 // RegisterChannel and UnregisterChannel are used to connect arbitrary listeners to the node
 type Node interface {
+  // State Locking interface
  sync.Locker
  RLock()
  RUnlock()
+
  // Serialize the Node for the database
  Serialize() ([]byte, error)
+
+  // Nodes have an ID, type, and ACL policies
  ID() NodeID
  Type() NodeType
+
+  Allowed(action string, principal NodeID) bool
+  AddPolicy(Policy) error
+  RemovePolicy(Policy) error
+
  // Send a GraphSignal to the node, requires that the node is locked for read so that it can propagate
  Signal(ctx *Context, signal GraphSignal, nodes NodeMap) error
  // Register a channel to receive updates sent to the node
@ -78,11 +88,81 @@ type GraphNode struct {

  id NodeID
  listeners map[NodeID]chan GraphSignal
+  policies map[NodeID]Policy
+}
+
+type GraphNodeJSON struct {
+  Policies []NodeID `json:"policies"`
 }

-// GraphNode doesn't serialize any additional information by default
 func (node * GraphNode) Serialize() ([]byte, error) {
-  return nil, nil
+  node_json := NewGraphNodeJSON(node)
+  return json.MarshalIndent(&node_json, "", "  ")
+}
+
+func (node *GraphNode) Allowed(action string, principal NodeID) bool {
+  for _, policy := range(node.policies) {
+    if policy.Allows(action, principal) == true {
+      return true
+    }
+  }
+  return false
+}
+
+func (node *GraphNode) AddPolicy(policy Policy) error {
+  if policy == nil {
+    return fmt.Errorf("Cannot add nil as a policy")
+  }
+
+  _, exists := node.policies[policy.ID()]
+  if exists == true {
+    return fmt.Errorf("%s is already a policy for %s", policy.ID().String(), node.ID().String())
+  }
+
+  node.policies[policy.ID()] = policy
+  return nil
+}
+
+func (node *GraphNode) RemovePolicy(policy Policy) error {
+  if policy == nil {
+    return fmt.Errorf("Cannot add nil as a policy")
+  }
+
+  _, exists := node.policies[policy.ID()]
+  if exists == false {
+    return fmt.Errorf("%s is not a policy for %s", policy.ID().String(), node.ID().String())
+  }
+
+  delete(node.policies, policy.ID())
+  return nil
+}
+
+func NewGraphNodeJSON(node *GraphNode) GraphNodeJSON {
+  policies := make([]NodeID, len(node.policies))
+  i := 0
+  for _, policy := range(node.policies) {
+    policies[i] = policy.ID()
+    i += 1
+  }
+  return GraphNodeJSON{
+    Policies: policies,
+  }
+}
+
+func RestoreGraphNode(ctx *Context, node Node, j GraphNodeJSON, nodes NodeMap) error {
+  for _, policy_id := range(j.Policies) {
+    policy_ptr, err := LoadNodeRecurse(ctx, policy_id, nodes)
+    if err != nil {
+      return err
+    }
+
+    policy, ok := policy_ptr.(Policy)
+    if ok == false {
+      return fmt.Errorf("%s is not a Policy", policy_id)
+    }
+    node.AddPolicy(policy)
+  }
+  return nil
 }

 func LoadGraphNode(ctx * Context, id NodeID, data []byte, nodes NodeMap)(Node, error) {
@ -153,6 +233,7 @@ func NewGraphNode(id NodeID) GraphNode {
  return GraphNode{
    id: id,
    listeners: map[NodeID]chan GraphSignal{},
+    policies: map[NodeID]Policy{},
  }
 }

--- a/policy.go
+++ b/policy.go
@ -0,0 +1,152 @@
+package graphvent
+
+import (
+  "encoding/json"
+)
+
+// A policy represents a set of rules attached to a Node that allow it to preform actions
+type Policy interface {
+  Node
+  // Returns true if the policy allows the action on the given principal
+  Allows(action string, principal NodeID) bool
+}
+
+type PerNodePolicy struct {
+  GraphNode
+  AllowedActions map[NodeID][]string
+}
+
+type PerNodePolicyJSON struct {
+  GraphNodeJSON
+  AllowedActions map[string][]string `json:"allowed_actions"`
+}
+
+func (policy *PerNodePolicy) Type() NodeType {
+  return NodeType("per_node_policy")
+}
+
+func (policy *PerNodePolicy) Serialize() ([]byte, error) {
+  allowed_actions := map[string][]string{}
+  for principal, actions := range(policy.AllowedActions) {
+    allowed_actions[principal.String()] = actions
+  }
+
+  return json.MarshalIndent(&PerNodePolicyJSON{
+    GraphNodeJSON: NewGraphNodeJSON(&policy.GraphNode),
+    AllowedActions: allowed_actions,
+  }, "", "  ")
+}
+
+func NewPerNodePolicy(id NodeID, allowed_actions map[NodeID][]string) PerNodePolicy {
+  if allowed_actions == nil {
+    allowed_actions = map[NodeID][]string{}
+  }
+
+  return PerNodePolicy{
+    GraphNode: NewGraphNode(id),
+    AllowedActions: allowed_actions,
+  }
+}
+
+func LoadPerNodePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, error) {
+  var j PerNodePolicyJSON
+  err := json.Unmarshal(data, &j)
+  if err != nil {
+    return nil, err
+  }
+
+  allowed_actions := map[NodeID][]string{}
+  for principal_str, actions := range(j.AllowedActions) {
+    principal_id, err := ParseID(principal_str)
+    if err != nil {
+      return nil, err
+    }
+
+    allowed_actions[principal_id] = actions
+  }
+
+  policy := NewPerNodePolicy(id, allowed_actions)
+  nodes[id] = &policy
+
+  err = RestoreGraphNode(ctx, &policy.GraphNode, j.GraphNodeJSON, nodes)
+  if err != nil {
+    return nil, err
+  }
+
+  return &policy, nil
+}
+
+func (policy *PerNodePolicy) Allows(action string, principal NodeID) bool {
+  actions, exists := policy.AllowedActions[principal]
+  if exists == false {
+    return false
+  }
+
+  for _, a := range(actions) {
+    if a == action {
+      return true
+    }
+  }
+
+  return false
+}
+
+type AllNodePolicy struct {
+  GraphNode
+  AllowedActions []string
+}
+
+type AllNodePolicyJSON struct {
+  GraphNodeJSON
+  AllowedActions []string `json:"allowed_actions"`
+}
+
+func (policy *AllNodePolicy) Type() NodeType {
+  return NodeType("all_node_policy")
+}
+
+func (policy *AllNodePolicy) Serialize() ([]byte, error) {
+  return json.MarshalIndent(&AllNodePolicyJSON{
+    GraphNodeJSON: NewGraphNodeJSON(&policy.GraphNode),
+    AllowedActions: policy.AllowedActions,
+  }, "", "  ")
+}
+
+func NewAllNodePolicy(id NodeID, allowed_actions []string) AllNodePolicy {
+  if allowed_actions == nil {
+    allowed_actions = []string{}
+  }
+
+  return AllNodePolicy{
+    GraphNode: NewGraphNode(id),
+    AllowedActions: allowed_actions,
+  }
+}
+
+func LoadAllNodePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, error) {
+  var j AllNodePolicyJSON
+  err := json.Unmarshal(data, &j)
+  if err != nil {
+    return nil, err
+  }
+
+  policy := NewAllNodePolicy(id, j.AllowedActions)
+  nodes[id] = &policy
+
+  err = RestoreGraphNode(ctx, &policy.GraphNode, j.GraphNodeJSON, nodes)
+  if err != nil {
+    return nil, err
+  }
+
+  return &policy, nil
+}
+
+func (policy *AllNodePolicy) Allows(action string, principal NodeID) bool {
+  for _, a := range(policy.AllowedActions) {
+    if a == action {
+      return true
+    }
+  }
+  return false
+}
+