1 # Copyright 2014-2015, Tresys Technology, LLC 2 # 3 # This file is part of SETools. 4 # 5 # SETools is free software: you can redistribute it and/or modify 6 # it under the terms of the GNU Lesser General Public License as 7 # published by the Free Software Foundation, either version 2.1 of 8 # the License, or (at your option) any later version. 9 # 10 # SETools is distributed in the hope that it will be useful, 11 # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 # GNU Lesser General Public License for more details. 14 # 15 # You should have received a copy of the GNU Lesser General Public 16 # License along with SETools. If not, see 17 # <http://www.gnu.org/licenses/>. 18 # 19 import logging 20 import re 21 22 from . import mixins, query 23 from .descriptors import CriteriaDescriptor, CriteriaSetDescriptor 24 from .policyrep.exception import InvalidType, RuleUseError 25 from .util import match_indirect_regex 26 27 28 class RBACRuleQuery(mixins.MatchObjClass, query.PolicyQuery): 29 30 """ 31 Query the RBAC rules. 32 33 Parameter: 34 policy The policy to query. 35 36 Keyword Parameters/Class attributes: 37 ruletype The list of rule type(s) to match. 38 source The name of the source role/attribute to match. 39 source_indirect If true, members of an attribute will be 40 matched rather than the attribute itself. 41 source_regex If true, regular expression matching will 42 be used on the source role/attribute. 43 Obeys the source_indirect option. 44 target The name of the target role/attribute to match. 45 target_indirect If true, members of an attribute will be 46 matched rather than the attribute itself. 47 target_regex If true, regular expression matching will 48 be used on the target role/attribute. 49 Obeys target_indirect option. 50 tclass The object class(es) to match. 51 tclass_regex If true, use a regular expression for 52 matching the rule's object class. 53 default The name of the default role to match. 54 default_regex If true, regular expression matching will 55 be used on the default role. 56 """ 57 58 ruletype = CriteriaSetDescriptor(lookup_function="validate_rbac_ruletype") 59 source = CriteriaDescriptor("source_regex", "lookup_role") 60 source_regex = False 61 source_indirect = True 62 _target = None 63 target_regex = False 64 target_indirect = True 65 tclass = CriteriaSetDescriptor("tclass_regex", "lookup_class") 66 tclass_regex = False 67 default = CriteriaDescriptor("default_regex", "lookup_role") 68 default_regex = False 69 70 @property 71 def target(self): 72 return self._target 73 74 @target.setter 75 def target(self, value): 76 if not value: 77 self._target = None 78 elif self.target_regex: 79 self._target = re.compile(value) 80 else: 81 try: 82 self._target = self.policy.lookup_type_or_attr(value) 83 except InvalidType: 84 self._target = self.policy.lookup_role(value) 85 86 def __init__(self, policy, **kwargs): 87 super(RBACRuleQuery, self).__init__(policy, **kwargs) 88 self.log = logging.getLogger(__name__) 89 90 def results(self): 91 """Generator which yields all matching RBAC rules.""" 92 self.log.info("Generating RBAC rule results from {0.policy}".format(self)) 93 self.log.debug("Ruletypes: {0.ruletype}".format(self)) 94 self.log.debug("Source: {0.source!r}, indirect: {0.source_indirect}, " 95 "regex: {0.source_regex}".format(self)) 96 self.log.debug("Target: {0.target!r}, indirect: {0.target_indirect}, " 97 "regex: {0.target_regex}".format(self)) 98 self._match_object_class_debug(self.log) 99 self.log.debug("Default: {0.default!r}, regex: {0.default_regex}".format(self)) 100 101 for rule in self.policy.rbacrules(): 102 # 103 # Matching on rule type 104 # 105 if self.ruletype: 106 if rule.ruletype not in self.ruletype: 107 continue 108 109 # 110 # Matching on source role 111 # 112 if self.source and not match_indirect_regex( 113 rule.source, 114 self.source, 115 self.source_indirect, 116 self.source_regex): 117 continue 118 119 # 120 # Matching on target type (role_transition)/role(allow) 121 # 122 if self.target and not match_indirect_regex( 123 rule.target, 124 self.target, 125 self.target_indirect, 126 self.target_regex): 127 continue 128 129 # 130 # Matching on object class 131 # 132 try: 133 if not self._match_object_class(rule): 134 continue 135 except RuleUseError: 136 continue 137 138 # 139 # Matching on default role 140 # 141 if self.default: 142 try: 143 # because default role is always a single 144 # role, hard-code indirect to True 145 # so the criteria can be an attribute 146 if not match_indirect_regex( 147 rule.default, 148 self.default, 149 True, 150 self.default_regex): 151 continue 152 except RuleUseError: 153 continue 154 155 # if we get here, we have matched all available criteria 156 yield rule 157