lib/python2.7/site-packages/setools/policyrep/rbacrule.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

# Copyright 2014, 2016, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools.  If not, see
# <http://www.gnu.org/licenses/>.
#
import itertools

from . import exception
from . import qpol
from . import rule
from . import role
from . import typeattr


def rbac_rule_factory(policy, name):
    """Factory function for creating RBAC rule objects."""

    if isinstance(name, qpol.qpol_role_allow_t):
        return RoleAllow(policy, name)
    elif isinstance(name, qpol.qpol_role_trans_t):
        return RoleTransition(policy, name)
    else:
        raise TypeError("RBAC rules cannot be looked up.")


def expanded_rbac_rule_factory(original, source, target):
    """
    Factory function for creating expanded RBAC rules.

    original    The RBAC rule the expanded rule originates from.
    source      The source type of the expanded rule.
    target      The target type of the expanded rule.
    """

    if isinstance(original, (ExpandedRoleAllow, ExpandedRoleTransition)):
        return original
    elif isinstance(original, RoleAllow):
        rule = ExpandedRoleAllow(original.policy, original.qpol_symbol)
    elif isinstance(original, RoleTransition):
        rule = ExpandedRoleTransition(original.policy, original.qpol_symbol)
    else:
        raise TypeError("The original rule must be an RBAC rule class.")

    rule.source = source
    rule.target = target
    rule.origin = original
    return rule


def validate_ruletype(t):
    """Validate RBAC rule types."""
    if t not in ["allow", "role_transition"]:
        raise exception.InvalidRBACRuleType("{0} is not a valid RBAC rule type.".format(t))

    return t


class RoleAllow(rule.PolicyRule):

    """A role allow rule."""

    def __str__(self):
        return "{0.ruletype} {0.source} {0.target};".format(self)

    def __hash__(self):
        return hash("{0.ruletype}|{0.source}|{0.target}".format(self))

    ruletype = "allow"

    @property
    def source(self):
        """The rule's source role."""
        return role.role_factory(self.policy, self.qpol_symbol.source_role(self.policy))

    @property
    def target(self):
        """The rule's target role."""
        return role.role_factory(self.policy, self.qpol_symbol.target_role(self.policy))

    @property
    def tclass(self):
        """The rule's object class."""
        raise exception.RuleUseError("Role allow rules do not have an object class.")

    @property
    def default(self):
        """The rule's default role."""
        raise exception.RuleUseError("Role allow rules do not have a default role.")

    def expand(self):
        """Expand the rule into an equivalent set of rules without attributes."""
        for s, t in itertools.product(self.source.expand(), self.target.expand()):
            yield expanded_rbac_rule_factory(self, s, t)


class RoleTransition(rule.PolicyRule):

    """A role_transition rule."""

    def __str__(self):
        return "{0.ruletype} {0.source} {0.target}:{0.tclass} {0.default};".format(self)

    ruletype = "role_transition"

    @property
    def source(self):
        """The rule's source role."""
        return role.role_factory(self.policy, self.qpol_symbol.source_role(self.policy))

    @property
    def target(self):
        """The rule's target type/attribute."""
        return typeattr.type_or_attr_factory(self.policy, self.qpol_symbol.target_type(self.policy))

    @property
    def default(self):
        """The rule's default role."""
        return role.role_factory(self.policy, self.qpol_symbol.default_role(self.policy))

    def expand(self):
        """Expand the rule into an equivalent set of rules without attributes."""
        for s, t in itertools.product(self.source.expand(), self.target.expand()):
            yield expanded_rbac_rule_factory(self, s, t)


class ExpandedRoleAllow(RoleAllow):

    """An expanded role allow rule."""

    source = None
    target = None
    origin = None


class ExpandedRoleTransition(RoleTransition):

    """An expanded role_transition rule."""

    source = None
    target = None
    origin = None