def check_security_access_check(ctxt: IDLCompatibilityContext,
                                old_access_checks: syntax.AccessChecks,
                                new_access_checks: syntax.AccessChecks, cmd_name: str,
                                new_idl_file_path: str) -> None:
    """Compare the simple access check of the old and new definitions of a command.

    Findings are recorded on ``ctxt``; nothing is returned. The comparison runs only
    when both definitions carry an access-check section with a ``simple`` entry.

    Reported:
      * the ``check`` values differ;
      * the privilege ``resource_pattern`` values differ;
      * the new privilege lists an action type that the old privilege did not.

    Not reported by this function:
      * an access-check section present on only one side (dropped or newly added);
      * anything under ``complex``, which is never read here;
      * a new privilege that lists fewer action types than the old one, since the
        test is one-directional (new must be a subset of old). A change that lowers
        the required privileges therefore passes and needs separate review.
    """
    if old_access_checks is None or new_access_checks is None:
        # One side has no access-check section at all: nothing is compared or reported.
        return

    old_simple = old_access_checks.simple
    new_simple = new_access_checks.simple
    if old_simple is None or new_simple is None:
        return

    if old_simple.check != new_simple.check:
        ctxt.add_check_not_equal_error(cmd_name, old_simple.check, new_simple.check,
                                       new_idl_file_path)
        return

    # The check values are equal (possibly both None); compare privileges next.
    old_priv = old_simple.privilege
    new_priv = new_simple.privilege
    if old_priv is None or new_priv is None:
        return

    if old_priv.resource_pattern != new_priv.resource_pattern:
        ctxt.add_resource_pattern_not_equal_error(cmd_name, old_priv.resource_pattern,
                                                  new_priv.resource_pattern,
                                                  new_idl_file_path)

    # Independent of the resource-pattern result: the new command may not demand an
    # action type that the old command did not already demand.
    requested_actions = set(new_priv.action_type)
    if not requested_actions.issubset(old_priv.action_type):
        ctxt.add_new_action_types_not_subset_error(cmd_name, new_idl_file_path)
def check_security_access_checks(ctxt: IDLCompatibilityContext,
                                 old_access_checks: syntax.AccessChecks,
                                 new_access_checks: syntax.AccessChecks, cmd: syntax.Command,
                                 new_idl_file_path: str) -> None:
    """Compare the access-check sections of the old and new definitions of a command.

    Findings are recorded on ``ctxt``; nothing is returned.

    Presence:
      * section present in old, absent in new -> removed-access-check error;
      * section absent in old, present in new -> added-access-check error, but only
        when ``cmd.api_version == '1'``;
      * absent on both sides -> nothing to do.

    When both sides are present, the access-check types must be equal; a mismatch is
    reported and no further comparison is made. Otherwise:
      * simple: ``check`` values must be equal; for privileges, ``resource_pattern``
        must be equal and the new action types must be a subset of the old ones;
      * complex: the new list may not be longer than the old one, the new check names
        must be a subset of the old ones, and every new privilege must pair with a
        distinct old privilege (same ``resource_pattern``, action types a subset).

    Every test is one-directional: the new definition may not require more than the
    old one. A new definition that requires less (fewer action types, fewer complex
    checks or privileges) passes silently, so a change that lowers the authorization
    required for a command is not flagged here and needs separate review.
    """
    # pylint:disable=too-many-locals,too-many-branches,too-many-nested-blocks
    cmd_name = cmd.command_name

    if old_access_checks is None or new_access_checks is None:
        if old_access_checks is not None:
            # Only the new side is missing: the access check was removed.
            ctxt.add_removed_access_check_field_error(cmd_name, new_idl_file_path)
        elif new_access_checks is not None and cmd.api_version == '1':
            # Only the old side is missing: an access check was added.
            ctxt.add_added_access_check_field_error(cmd_name, new_idl_file_path)
        return

    old_kind = old_access_checks.get_access_check_type()
    new_kind = new_access_checks.get_access_check_type()
    if old_kind != new_kind:
        ctxt.add_access_check_type_not_equal_error(cmd_name, old_kind, new_kind,
                                                   new_idl_file_path)
        return

    # --- simple access check ---
    old_simple = old_access_checks.simple
    new_simple = new_access_checks.simple
    if old_simple is not None and new_simple is not None:
        if old_simple.check != new_simple.check:
            ctxt.add_check_not_equal_error(cmd_name, old_simple.check, new_simple.check,
                                           new_idl_file_path)
        else:
            old_priv = old_simple.privilege
            new_priv = new_simple.privilege
            if old_priv is not None and new_priv is not None:
                if old_priv.resource_pattern != new_priv.resource_pattern:
                    ctxt.add_resource_pattern_not_equal_error(
                        cmd_name, old_priv.resource_pattern, new_priv.resource_pattern,
                        new_idl_file_path)
                if not set(new_priv.action_type).issubset(old_priv.action_type):
                    ctxt.add_new_action_types_not_subset_error(cmd_name, new_idl_file_path)

    # --- complex access checks ---
    old_complex = old_access_checks.complex
    new_complex = new_access_checks.complex
    if old_complex is None or new_complex is None:
        return

    if len(new_complex) > len(old_complex):
        ctxt.add_new_additional_complex_access_check_error(cmd_name, new_idl_file_path)
        return

    old_checks, old_privileges = split_complex_checks(old_complex)
    new_checks, new_privileges = split_complex_checks(new_complex)

    if not set(new_checks).issubset(old_checks):
        ctxt.add_new_complex_checks_not_subset_error(cmd_name, new_idl_file_path)

    if len(new_privileges) > len(old_privileges):
        ctxt.add_new_complex_privileges_not_subset_error(cmd_name, new_idl_file_path)
        return

    # Pair each new privilege with an old privilege that has the same resource_pattern
    # and a superset of its action types. A matched old privilege is removed from
    # old_privileges so that it cannot be paired twice.
    # NOTE(review): the pairing is first-fit, so an unlucky ordering can report an error
    # even though another pairing would have satisfied every new privilege.
    for wanted in new_privileges:
        match = next((candidate for candidate in old_privileges
                      if wanted.resource_pattern == candidate.resource_pattern
                      and set(wanted.action_type).issubset(candidate.action_type)), None)
        if match is None:
            ctxt.add_new_complex_privileges_not_subset_error(cmd_name, new_idl_file_path)
        else:
            old_privileges.remove(match)