1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128
use crate::{ error::{ModelError, PolicyError}, rbac::{DefaultRoleManager, RoleManager}, Result, }; #[cfg(feature = "incremental")] use crate::emitter::EventData; use indexmap::{IndexMap, IndexSet}; use std::sync::{Arc, RwLock}; pub type AssertionMap = IndexMap<String, Assertion>; #[derive(Clone)] pub struct Assertion { pub(crate) key: String, pub(crate) value: String, pub(crate) tokens: Vec<String>, pub(crate) policy: IndexSet<Vec<String>>, pub(crate) rm: Arc<RwLock<dyn RoleManager>>, } impl Default for Assertion { fn default() -> Self { Assertion { key: String::new(), value: String::new(), tokens: vec![], policy: IndexSet::new(), rm: Arc::new(RwLock::new(DefaultRoleManager::new(0))), } } } impl Assertion { #[inline] pub fn get_policy(&self) -> &IndexSet<Vec<String>> { &self.policy } #[inline] pub fn get_mut_policy(&mut self) -> &mut IndexSet<Vec<String>> { &mut self.policy } pub fn build_role_links(&mut self, rm: Arc<RwLock<dyn RoleManager>>) -> Result<()> { let count = self.value.chars().filter(|&c| c == '_').count(); for rule in &self.policy { if count < 2 { return Err(ModelError::P( r#"the number of "_" in role definition should be at least 2"#.to_owned(), ) .into()); } if rule.len() < count { return Err(PolicyError::UnmatchPolicyDefinition(count, rule.len()).into()); } if count == 2 { rm.write().unwrap().add_link(&rule[0], &rule[1], None); } else if count == 3 { rm.write() .unwrap() .add_link(&rule[0], &rule[1], Some(&rule[2])); } else if count >= 4 { return Err(ModelError::P("Multiple domains are not supported".to_owned()).into()); } } self.rm = Arc::clone(&rm); Ok(()) } #[cfg(feature = "incremental")] pub fn build_incremental_role_links( &mut self, rm: Arc<RwLock<dyn RoleManager>>, d: EventData, ) -> Result<()> { let count = self.value.chars().filter(|&c| c == '_').count(); if let Some((insert, rules)) = match d { EventData::AddPolicy(_, _, rule) => Some((true, vec![rule])), EventData::AddPolicies(_, _, rules) => Some((true, rules)), EventData::RemovePolicy(_, _, rule) => Some((false, vec![rule])), EventData::RemovePolicies(_, _, rules) => Some((false, rules)), EventData::RemoveFilteredPolicy(_, _, rules) => Some((false, rules)), _ => None, } { for rule in rules { if count < 2 { return Err(ModelError::P( r#"the number of "_" in role definition should be at least 2"#.to_owned(), ) .into()); } if rule.len() < count { return Err(PolicyError::UnmatchPolicyDefinition(count, rule.len()).into()); } if count == 2 { if insert { rm.write().unwrap().add_link(&rule[0], &rule[1], None); } else { rm.write().unwrap().delete_link(&rule[0], &rule[1], None)?; } } else if count == 3 { if insert { rm.write() .unwrap() .add_link(&rule[0], &rule[1], Some(&rule[2])); } else { rm.write() .unwrap() .delete_link(&rule[0], &rule[1], Some(&rule[2]))?; } } else if count >= 4 { return Err( ModelError::P("Multiple domains are not supported".to_owned()).into(), ); } } self.rm = Arc::clone(&rm); } Ok(()) } }