1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155
use crate::{ error::{ModelError, PolicyError}, rbac::{DefaultRoleManager, RoleManager}, Result, }; #[cfg(feature = "incremental")] use crate::emitter::EventData; use indexmap::{IndexMap, IndexSet}; use std::sync::{Arc, RwLock}; pub type AssertionMap = IndexMap<String, Assertion>; #[derive(Clone)] pub struct Assertion { pub(crate) key: String, pub(crate) value: String, pub(crate) tokens: Vec<String>, pub(crate) policy: IndexSet<Vec<String>>, pub(crate) rm: Arc<RwLock<dyn RoleManager>>, } impl Default for Assertion { fn default() -> Self { Assertion { key: String::new(), value: String::new(), tokens: vec![], policy: IndexSet::new(), rm: Arc::new(RwLock::new(DefaultRoleManager::new(0))), } } } impl Assertion { #[inline] pub fn get_policy(&self) -> &IndexSet<Vec<String>> { &self.policy } #[inline] pub fn get_mut_policy(&mut self) -> &mut IndexSet<Vec<String>> { &mut self.policy } pub fn build_role_links( &mut self, rm: Arc<RwLock<dyn RoleManager>>, ) -> Result<()> { let count = self.value.matches('_').count(); if count < 2 { return Err(ModelError::P( r#"the number of "_" in role definition should be at least 2"# .to_owned(), ) .into()); } for rule in &self.policy { if rule.len() < count { return Err(PolicyError::UnmatchPolicyDefinition( count, rule.len(), ) .into()); } if count == 2 { rm.write().unwrap().add_link(&rule[0], &rule[1], None); } else if count == 3 { rm.write().unwrap().add_link( &rule[0], &rule[1], Some(&rule[2]), ); } else if count >= 4 { return Err(ModelError::P( "Multiple domains are not supported".to_owned(), ) .into()); } } self.rm = Arc::clone(&rm); Ok(()) } #[cfg(feature = "incremental")] pub fn build_incremental_role_links( &mut self, rm: Arc<RwLock<dyn RoleManager>>, d: EventData, ) -> Result<()> { let count = self.value.matches('_').count(); if count < 2 { return Err(ModelError::P( r#"the number of "_" in role definition should be at least 2"# .to_owned(), ) .into()); } if let Some((insert, rules)) = match d { EventData::AddPolicy(_, _, rule) => Some((true, vec![rule])), EventData::AddPolicies(_, _, rules) => Some((true, rules)), EventData::RemovePolicy(_, _, rule) => Some((false, vec![rule])), EventData::RemovePolicies(_, _, rules) => Some((false, rules)), EventData::RemoveFilteredPolicy(_, _, rules) => { Some((false, rules)) } _ => None, } { for rule in rules { if rule.len() < count { return Err(PolicyError::UnmatchPolicyDefinition( count, rule.len(), ) .into()); } if count == 2 { if insert { rm.write().unwrap().add_link(&rule[0], &rule[1], None); } else { rm.write() .unwrap() .delete_link(&rule[0], &rule[1], None)?; } } else if count == 3 { if insert { rm.write().unwrap().add_link( &rule[0], &rule[1], Some(&rule[2]), ); } else { rm.write().unwrap().delete_link( &rule[0], &rule[1], Some(&rule[2]), )?; } } else if count >= 4 { return Err(ModelError::P( "Multiple domains are not supported".to_owned(), ) .into()); } } self.rm = Arc::clone(&rm); } Ok(()) } }