def _load_policy_file(self, model):
log.log_print("********* _load_policy_file **********")
with open(self._file_path, "rb") as file:
line = file.readline()
while line:
persist.load_policy_line(line.decode().strip(), model)
line = file.readline()
def _save_policy_file(self, model):
log.log_print(
"********* _save_policy_file {} **********".format(model))
with open(self._file_path, "w") as file:
lines = []
if "p" in model.model.keys():
for key, ast in model.model["p"].items():
for pvals in ast.policy:
lines.append(key + ", " + ", ".join(pvals))
if "g" in model.model.keys():
for key, ast in model.model["g"].items():
for pvals in ast.policy:
lines.append(key + ", " + ", ".join(pvals))
if "d" in model.model.keys():
for key, ast in model.model["d"].items():
for pvals in ast.policy:
lines.append(key + ", " + ", ".join(pvals))
for i, line in enumerate(lines):
if i != len(lines) - 1:
lines[i] += "\n"
file.writelines(lines)
def print_policy(self):
log.log_print("Policy:")
for sec in ["p", "g"]:
if sec not in self.model.keys():
continue
for key, ast in self.model[sec].items():
log.log_print(key, ": ", ast.value, ": ", ast.policy)
def print_roles(self):
line = []
for role in self.all_roles.values():
text = role.to_string()
if text:
line.append(text)
log.log_print(", ".join(line))
def build_role_links(self, rm):
self.rm = rm
count = self.value.count("_")
for rule in self.policy:
if count < 2:
raise RuntimeError(
'the number of "_" in role definition should be at least 2'
)
if len(rule) < count:
raise RuntimeError(
"grouping policy elements do not meet role definition")
self.rm.add_link(*rule[:count])
log.log_print("Role links for: " + self.key)
self.rm.print_roles()
def build_role_links(self, rm):
self.rm = rm
count = self.value.count("_")
for rule in self.policy:
if count < 2:
raise RuntimeError(
'the number of "_" in role definition should be at least 2'
)
if len(rule) < count:
raise RuntimeError(
"grouping policy elements do not meet role definition")
self.rm.add_link(*rule[:count])
for domain in self.rm.domain_groups:
log.log_print("[dwang] domain: {} rule: {}".format(
domain[1], rule[2]))
if (domain[1] == rule[2]):
log.log_print("[dwang] add_link {} {} {}".format(
rule[0], rule[1], domain[0]))
self.rm.add_link(rule[0], rule[1], domain[0])
log.log_print("Role links for: " + self.key)
self.rm.print_roles()
def enforce(self, *rvals):
"""decides whether a "subject" can access a "object" with the operation "action",
input parameters are usually: (sub, obj, act).
"""
if not self.enabled:
return False
functions = self.fm.get_functions()
if "g" in self.model.model.keys():
for key, ast in self.model.model["g"].items():
rm = ast.rm
functions[key] = generate_g_function(rm)
if "m" not in self.model.model.keys():
raise RuntimeError("model is undefined")
if "m" not in self.model.model["m"].keys():
raise RuntimeError("model is undefined")
r_tokens = self.model.model["r"]["r"].tokens
p_tokens = self.model.model["p"]["p"].tokens
if len(r_tokens) != len(rvals):
raise RuntimeError("invalid request size")
exp_string = self.model.model["m"]["m"].value
has_eval = util.has_eval(exp_string)
if not has_eval:
expression = self._get_expression(exp_string, functions)
policy_effects = set()
matcher_results = set()
r_parameters = dict(zip(r_tokens, rvals))
policy_len = len(self.model.model["p"]["p"].policy)
if not 0 == policy_len:
for i, pvals in enumerate(self.model.model["p"]["p"].policy):
if len(p_tokens) != len(pvals):
raise RuntimeError("invalid policy size")
p_parameters = dict(zip(p_tokens, pvals))
parameters = dict(r_parameters, **p_parameters)
if util.has_eval(exp_string):
rule_names = util.get_eval_value(exp_string)
rules = [util.escape_assertion(p_parameters[rule_name]) for rule_name in rule_names]
exp_with_rule = util.replace_eval(exp_string, rules)
expression = self._get_expression(exp_with_rule, functions)
result = expression.eval(parameters)
if isinstance(result, bool):
if not result:
policy_effects.add(Effector.INDETERMINATE)
continue
elif isinstance(result, float):
if 0 == result:
policy_effects.add(Effector.INDETERMINATE)
continue
else:
matcher_results.add(result)
else:
raise RuntimeError("matcher result should be bool, int or float")
if "p_eft" in parameters.keys():
eft = parameters["p_eft"]
if "allow" == eft:
policy_effects.add(Effector.ALLOW)
elif "deny" == eft:
policy_effects.add(Effector.DENY)
else:
policy_effects.add(Effector.INDETERMINATE)
else:
policy_effects.add(Effector.ALLOW)
if "priority(p_eft) || deny" == self.model.model["e"]["e"].value:
break
else:
if has_eval:
raise RuntimeError("please make sure rule exists in policy when using eval() in matcher")
parameters = r_parameters.copy()
for token in self.model.model["p"]["p"].tokens:
parameters[token] = ""
result = expression.eval(parameters)
if result:
policy_effects.add(Effector.ALLOW)
else:
policy_effects.add(Effector.INDETERMINATE)
result = self.eft.merge_effects(self.model.model["e"]["e"].value, policy_effects, matcher_results)
# Log request.
if log.get_logger().is_enabled():
req_str = "Request: "
req_str = req_str + ", ".join([str(v) for v in rvals])
req_str = req_str + " ---> %s" % result
log.log_print(req_str)
return result
def enforce(self, *rvals):
"""decides whether a "subject" can access a "object" with the operation "action",
input parameters are usually: (sub, obj, act).
"""
if not self.enabled:
return False
functions = {}
for key, val in self.fm.get_functions().items():
functions[key] = val
if "g" in self.model.model.keys():
for key, ast in self.model.model["g"].items():
rm = ast.rm
functions[key] = generate_g_function(rm)
if "m" not in self.model.model.keys():
return RuntimeError("model is undefined")
if "m" not in self.model.model["m"].keys():
return RuntimeError("model is undefined")
exp_string = self.model.model["m"]["m"].value
policy_effects = []
matcher_results = []
policy_len = len(self.model.model["p"]["p"].policy)
if not 0 == policy_len:
for i, pvals in enumerate(self.model.model["p"]["p"].policy):
parameters = dict()
for j, token in enumerate(self.model.model["r"]["r"].tokens):
parameters[token] = rvals[j]
for j, token in enumerate(self.model.model["p"]["p"].tokens):
parameters[token] = pvals[j]
result = expression.evaluate(exp_string, parameters, functions)
if isinstance(result, bool):
if not result:
policy_effects.append(Effector.INDETERMINATE)
continue
elif isinstance(result, float):
if 0 == result:
policy_effects.append(Effector.INDETERMINATE)
continue
else:
matcher_results.append(result)
else:
raise RuntimeError(
"matcher result should be bool, int or float")
if "p_eft" in parameters.keys():
eft = parameters["p_eft"]
if "allow" == eft:
policy_effects.append(Effector.ALLOW)
elif "deny" == eft:
policy_effects.append(Effector.DENY)
else:
policy_effects.append(Effector.INDETERMINATE)
else:
policy_effects.append(Effector.ALLOW)
if "priority(p_eft) || deny" == self.model.model["e"][
"e"].value:
break
else:
parameters = dict()
for j, token in enumerate(self.model.model["r"]["r"].tokens):
parameters[token] = rvals[j]
for token in self.model.model["p"]["p"].tokens:
parameters[token] = ""
result = expression.evaluate(exp_string, parameters, functions)
if result:
policy_effects.append(Effector.ALLOW)
else:
policy_effects.append(Effector.INDETERMINATE)
result = self.eft.merge_effects(self.model.model["e"]["e"].value,
policy_effects, matcher_results)
# Log request.
if log.get_logger().is_enabled():
req_str = "Request: "
req_str = req_str + ", ".join([str(v) for v in rvals])
req_str = req_str + " ---> %s" % result
log.log_print(req_str)
return result
def add_domain_groups(self, domain_groups):
self.domain_groups = domain_groups
log.log_print("[dwang] domain groups: {}".format(self.domain_groups))
def print_model(self):
log.log_print("Model:")
for k, v in self.model.items():
for i, j in v.items():
log.log_printf("%s.%s: %s", k, i, j.value)
def test_log(self):
log.get_logger().enable_log(True)
log.log_print("test log", "print")
log.log_printf("test log %s", "print")
self.assertTrue(log.get_logger().is_enabled())
