|
|
@ -8,17 +8,49 @@ import (
|
|
|
|
type Policy interface {
|
|
|
|
type Policy interface {
|
|
|
|
Node
|
|
|
|
Node
|
|
|
|
// Returns true if the policy allows the action on the given principal
|
|
|
|
// Returns true if the policy allows the action on the given principal
|
|
|
|
Allows(action string, principal NodeID) bool
|
|
|
|
Allows(action string, resource string, principal NodeID) bool
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
type NodeActions map[string][]string
|
|
|
|
|
|
|
|
func (actions NodeActions) Allows(action string, resource string) bool {
|
|
|
|
|
|
|
|
for _, a := range(actions[""]) {
|
|
|
|
|
|
|
|
if a == action {
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
resource_actions, exists := actions[resource]
|
|
|
|
|
|
|
|
if exists == true {
|
|
|
|
|
|
|
|
for _, a := range(resource_actions) {
|
|
|
|
|
|
|
|
if a == action {
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func NewNodeActions(wildcard_actions []string) NodeActions {
|
|
|
|
|
|
|
|
actions := NodeActions{}
|
|
|
|
|
|
|
|
// Wildcard actions, all actions in "" will be allowed on all resources
|
|
|
|
|
|
|
|
if wildcard_actions == nil {
|
|
|
|
|
|
|
|
wildcard_actions = []string{}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
actions[""] = wildcard_actions
|
|
|
|
|
|
|
|
return actions
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
type PerNodePolicy struct {
|
|
|
|
type PerNodePolicy struct {
|
|
|
|
GraphNode
|
|
|
|
GraphNode
|
|
|
|
AllowedActions map[NodeID][]string
|
|
|
|
NodeActions map[NodeID]NodeActions
|
|
|
|
|
|
|
|
WildcardActions NodeActions
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
type PerNodePolicyJSON struct {
|
|
|
|
type PerNodePolicyJSON struct {
|
|
|
|
GraphNodeJSON
|
|
|
|
GraphNodeJSON
|
|
|
|
AllowedActions map[string][]string `json:"allowed_actions"`
|
|
|
|
NodeActions map[string]map[string][]string `json:"allowed_actions"`
|
|
|
|
|
|
|
|
WildcardActions map[string][]string `json:"wildcard_actions"`
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (policy *PerNodePolicy) Type() NodeType {
|
|
|
|
func (policy *PerNodePolicy) Type() NodeType {
|
|
|
@ -26,25 +58,31 @@ func (policy *PerNodePolicy) Type() NodeType {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (policy *PerNodePolicy) Serialize() ([]byte, error) {
|
|
|
|
func (policy *PerNodePolicy) Serialize() ([]byte, error) {
|
|
|
|
allowed_actions := map[string][]string{}
|
|
|
|
allowed_actions := map[string]map[string][]string{}
|
|
|
|
for principal, actions := range(policy.AllowedActions) {
|
|
|
|
for principal, actions := range(policy.NodeActions) {
|
|
|
|
allowed_actions[principal.String()] = actions
|
|
|
|
allowed_actions[principal.String()] = actions
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return json.MarshalIndent(&PerNodePolicyJSON{
|
|
|
|
return json.MarshalIndent(&PerNodePolicyJSON{
|
|
|
|
GraphNodeJSON: NewGraphNodeJSON(&policy.GraphNode),
|
|
|
|
GraphNodeJSON: NewGraphNodeJSON(&policy.GraphNode),
|
|
|
|
AllowedActions: allowed_actions,
|
|
|
|
NodeActions: allowed_actions,
|
|
|
|
|
|
|
|
WildcardActions: policy.WildcardActions,
|
|
|
|
}, "", " ")
|
|
|
|
}, "", " ")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func NewPerNodePolicy(id NodeID, allowed_actions map[NodeID][]string) PerNodePolicy {
|
|
|
|
func NewPerNodePolicy(id NodeID, node_actions map[NodeID]NodeActions, wildcard_actions NodeActions) PerNodePolicy {
|
|
|
|
if allowed_actions == nil {
|
|
|
|
if node_actions == nil {
|
|
|
|
allowed_actions = map[NodeID][]string{}
|
|
|
|
node_actions = map[NodeID]NodeActions{}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if wildcard_actions == nil {
|
|
|
|
|
|
|
|
wildcard_actions = NewNodeActions(nil)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return PerNodePolicy{
|
|
|
|
return PerNodePolicy{
|
|
|
|
GraphNode: NewGraphNode(id),
|
|
|
|
GraphNode: NewGraphNode(id),
|
|
|
|
AllowedActions: allowed_actions,
|
|
|
|
NodeActions: node_actions,
|
|
|
|
|
|
|
|
WildcardActions: wildcard_actions,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -55,8 +93,8 @@ func LoadPerNodePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Nod
|
|
|
|
return nil, err
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
allowed_actions := map[NodeID][]string{}
|
|
|
|
allowed_actions := map[NodeID]NodeActions{}
|
|
|
|
for principal_str, actions := range(j.AllowedActions) {
|
|
|
|
for principal_str, actions := range(j.NodeActions) {
|
|
|
|
principal_id, err := ParseID(principal_str)
|
|
|
|
principal_id, err := ParseID(principal_str)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
return nil, err
|
|
|
@ -65,7 +103,7 @@ func LoadPerNodePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Nod
|
|
|
|
allowed_actions[principal_id] = actions
|
|
|
|
allowed_actions[principal_id] = actions
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
policy := NewPerNodePolicy(id, allowed_actions)
|
|
|
|
policy := NewPerNodePolicy(id, allowed_actions, j.WildcardActions)
|
|
|
|
nodes[id] = &policy
|
|
|
|
nodes[id] = &policy
|
|
|
|
|
|
|
|
|
|
|
|
err = RestoreGraphNode(ctx, &policy.GraphNode, j.GraphNodeJSON, nodes)
|
|
|
|
err = RestoreGraphNode(ctx, &policy.GraphNode, j.GraphNodeJSON, nodes)
|
|
|
@ -76,77 +114,20 @@ func LoadPerNodePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Nod
|
|
|
|
return &policy, nil
|
|
|
|
return &policy, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (policy *PerNodePolicy) Allows(action string, principal NodeID) bool {
|
|
|
|
func (policy *PerNodePolicy) Allows(action string, resource string, principal NodeID) bool {
|
|
|
|
actions, exists := policy.AllowedActions[principal]
|
|
|
|
// Check wildcard actions
|
|
|
|
if exists == false {
|
|
|
|
if policy.WildcardActions.Allows(action, resource) == true {
|
|
|
|
return false
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for _, a := range(actions) {
|
|
|
|
|
|
|
|
if a == action {
|
|
|
|
|
|
|
|
return true
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
node_actions, exists := policy.NodeActions[principal]
|
|
|
|
|
|
|
|
if exists == false {
|
|
|
|
return false
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
type AllNodePolicy struct {
|
|
|
|
if node_actions.Allows(action, resource) == true {
|
|
|
|
GraphNode
|
|
|
|
|
|
|
|
AllowedActions []string
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
type AllNodePolicyJSON struct {
|
|
|
|
|
|
|
|
GraphNodeJSON
|
|
|
|
|
|
|
|
AllowedActions []string `json:"allowed_actions"`
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func (policy *AllNodePolicy) Type() NodeType {
|
|
|
|
|
|
|
|
return NodeType("all_node_policy")
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func (policy *AllNodePolicy) Serialize() ([]byte, error) {
|
|
|
|
|
|
|
|
return json.MarshalIndent(&AllNodePolicyJSON{
|
|
|
|
|
|
|
|
GraphNodeJSON: NewGraphNodeJSON(&policy.GraphNode),
|
|
|
|
|
|
|
|
AllowedActions: policy.AllowedActions,
|
|
|
|
|
|
|
|
}, "", " ")
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func NewAllNodePolicy(id NodeID, allowed_actions []string) AllNodePolicy {
|
|
|
|
|
|
|
|
if allowed_actions == nil {
|
|
|
|
|
|
|
|
allowed_actions = []string{}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return AllNodePolicy{
|
|
|
|
|
|
|
|
GraphNode: NewGraphNode(id),
|
|
|
|
|
|
|
|
AllowedActions: allowed_actions,
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func LoadAllNodePolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, error) {
|
|
|
|
|
|
|
|
var j AllNodePolicyJSON
|
|
|
|
|
|
|
|
err := json.Unmarshal(data, &j)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
policy := NewAllNodePolicy(id, j.AllowedActions)
|
|
|
|
|
|
|
|
nodes[id] = &policy
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
err = RestoreGraphNode(ctx, &policy.GraphNode, j.GraphNodeJSON, nodes)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return &policy, nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func (policy *AllNodePolicy) Allows(action string, principal NodeID) bool {
|
|
|
|
|
|
|
|
for _, a := range(policy.AllowedActions) {
|
|
|
|
|
|
|
|
if a == action {
|
|
|
|
|
|
|
|
return true
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|