def _load_policy_file(self, model): log.log_print("********* _load_policy_file **********") with open(self._file_path, "rb") as file: line = file.readline() while line: persist.load_policy_line(line.decode().strip(), model) line = file.readline()
def _save_policy_file(self, model): log.log_print( "********* _save_policy_file {} **********".format(model)) with open(self._file_path, "w") as file: lines = [] if "p" in model.model.keys(): for key, ast in model.model["p"].items(): for pvals in ast.policy: lines.append(key + ", " + ", ".join(pvals)) if "g" in model.model.keys(): for key, ast in model.model["g"].items(): for pvals in ast.policy: lines.append(key + ", " + ", ".join(pvals)) if "d" in model.model.keys(): for key, ast in model.model["d"].items(): for pvals in ast.policy: lines.append(key + ", " + ", ".join(pvals)) for i, line in enumerate(lines): if i != len(lines) - 1: lines[i] += "\n" file.writelines(lines)
def print_policy(self): log.log_print("Policy:") for sec in ["p", "g"]: if sec not in self.model.keys(): continue for key, ast in self.model[sec].items(): log.log_print(key, ": ", ast.value, ": ", ast.policy)
def print_roles(self): line = [] for role in self.all_roles.values(): text = role.to_string() if text: line.append(text) log.log_print(", ".join(line))
def build_role_links(self, rm): self.rm = rm count = self.value.count("_") for rule in self.policy: if count < 2: raise RuntimeError( 'the number of "_" in role definition should be at least 2' ) if len(rule) < count: raise RuntimeError( "grouping policy elements do not meet role definition") self.rm.add_link(*rule[:count]) log.log_print("Role links for: " + self.key) self.rm.print_roles()
def build_role_links(self, rm): self.rm = rm count = self.value.count("_") for rule in self.policy: if count < 2: raise RuntimeError( 'the number of "_" in role definition should be at least 2' ) if len(rule) < count: raise RuntimeError( "grouping policy elements do not meet role definition") self.rm.add_link(*rule[:count]) for domain in self.rm.domain_groups: log.log_print("[dwang] domain: {} rule: {}".format( domain[1], rule[2])) if (domain[1] == rule[2]): log.log_print("[dwang] add_link {} {} {}".format( rule[0], rule[1], domain[0])) self.rm.add_link(rule[0], rule[1], domain[0]) log.log_print("Role links for: " + self.key) self.rm.print_roles()
def enforce(self, *rvals): """decides whether a "subject" can access a "object" with the operation "action", input parameters are usually: (sub, obj, act). """ if not self.enabled: return False functions = self.fm.get_functions() if "g" in self.model.model.keys(): for key, ast in self.model.model["g"].items(): rm = ast.rm functions[key] = generate_g_function(rm) if "m" not in self.model.model.keys(): raise RuntimeError("model is undefined") if "m" not in self.model.model["m"].keys(): raise RuntimeError("model is undefined") r_tokens = self.model.model["r"]["r"].tokens p_tokens = self.model.model["p"]["p"].tokens if len(r_tokens) != len(rvals): raise RuntimeError("invalid request size") exp_string = self.model.model["m"]["m"].value has_eval = util.has_eval(exp_string) if not has_eval: expression = self._get_expression(exp_string, functions) policy_effects = set() matcher_results = set() r_parameters = dict(zip(r_tokens, rvals)) policy_len = len(self.model.model["p"]["p"].policy) if not 0 == policy_len: for i, pvals in enumerate(self.model.model["p"]["p"].policy): if len(p_tokens) != len(pvals): raise RuntimeError("invalid policy size") p_parameters = dict(zip(p_tokens, pvals)) parameters = dict(r_parameters, **p_parameters) if util.has_eval(exp_string): rule_names = util.get_eval_value(exp_string) rules = [util.escape_assertion(p_parameters[rule_name]) for rule_name in rule_names] exp_with_rule = util.replace_eval(exp_string, rules) expression = self._get_expression(exp_with_rule, functions) result = expression.eval(parameters) if isinstance(result, bool): if not result: policy_effects.add(Effector.INDETERMINATE) continue elif isinstance(result, float): if 0 == result: policy_effects.add(Effector.INDETERMINATE) continue else: matcher_results.add(result) else: raise RuntimeError("matcher result should be bool, int or float") if "p_eft" in parameters.keys(): eft = parameters["p_eft"] if "allow" == eft: policy_effects.add(Effector.ALLOW) elif "deny" == eft: policy_effects.add(Effector.DENY) else: policy_effects.add(Effector.INDETERMINATE) else: policy_effects.add(Effector.ALLOW) if "priority(p_eft) || deny" == self.model.model["e"]["e"].value: break else: if has_eval: raise RuntimeError("please make sure rule exists in policy when using eval() in matcher") parameters = r_parameters.copy() for token in self.model.model["p"]["p"].tokens: parameters[token] = "" result = expression.eval(parameters) if result: policy_effects.add(Effector.ALLOW) else: policy_effects.add(Effector.INDETERMINATE) result = self.eft.merge_effects(self.model.model["e"]["e"].value, policy_effects, matcher_results) # Log request. if log.get_logger().is_enabled(): req_str = "Request: " req_str = req_str + ", ".join([str(v) for v in rvals]) req_str = req_str + " ---> %s" % result log.log_print(req_str) return result
def enforce(self, *rvals): """decides whether a "subject" can access a "object" with the operation "action", input parameters are usually: (sub, obj, act). """ if not self.enabled: return False functions = {} for key, val in self.fm.get_functions().items(): functions[key] = val if "g" in self.model.model.keys(): for key, ast in self.model.model["g"].items(): rm = ast.rm functions[key] = generate_g_function(rm) if "m" not in self.model.model.keys(): return RuntimeError("model is undefined") if "m" not in self.model.model["m"].keys(): return RuntimeError("model is undefined") exp_string = self.model.model["m"]["m"].value policy_effects = [] matcher_results = [] policy_len = len(self.model.model["p"]["p"].policy) if not 0 == policy_len: for i, pvals in enumerate(self.model.model["p"]["p"].policy): parameters = dict() for j, token in enumerate(self.model.model["r"]["r"].tokens): parameters[token] = rvals[j] for j, token in enumerate(self.model.model["p"]["p"].tokens): parameters[token] = pvals[j] result = expression.evaluate(exp_string, parameters, functions) if isinstance(result, bool): if not result: policy_effects.append(Effector.INDETERMINATE) continue elif isinstance(result, float): if 0 == result: policy_effects.append(Effector.INDETERMINATE) continue else: matcher_results.append(result) else: raise RuntimeError( "matcher result should be bool, int or float") if "p_eft" in parameters.keys(): eft = parameters["p_eft"] if "allow" == eft: policy_effects.append(Effector.ALLOW) elif "deny" == eft: policy_effects.append(Effector.DENY) else: policy_effects.append(Effector.INDETERMINATE) else: policy_effects.append(Effector.ALLOW) if "priority(p_eft) || deny" == self.model.model["e"][ "e"].value: break else: parameters = dict() for j, token in enumerate(self.model.model["r"]["r"].tokens): parameters[token] = rvals[j] for token in self.model.model["p"]["p"].tokens: parameters[token] = "" result = expression.evaluate(exp_string, parameters, functions) if result: policy_effects.append(Effector.ALLOW) else: policy_effects.append(Effector.INDETERMINATE) result = self.eft.merge_effects(self.model.model["e"]["e"].value, policy_effects, matcher_results) # Log request. if log.get_logger().is_enabled(): req_str = "Request: " req_str = req_str + ", ".join([str(v) for v in rvals]) req_str = req_str + " ---> %s" % result log.log_print(req_str) return result
def add_domain_groups(self, domain_groups): self.domain_groups = domain_groups log.log_print("[dwang] domain groups: {}".format(self.domain_groups))
def print_model(self): log.log_print("Model:") for k, v in self.model.items(): for i, j in v.items(): log.log_printf("%s.%s: %s", k, i, j.value)
def test_log(self): log.get_logger().enable_log(True) log.log_print("test log", "print") log.log_printf("test log %s", "print") self.assertTrue(log.get_logger().is_enabled())