MatchPermission: implement subset permission criteria

Useful for matches where a matching rule has all of the permission criteria
but may have more.

Closes #57
Chris PeBenito 2015-10-04 11:03:41 -04:00
parent a899206ab6
commit d66467f3b3
3 changed files with 31 additions and 1 deletions


@ -75,6 +75,7 @@ class MatchPermission(object):
perms = CriteriaSetDescriptor("perms_regex")
perms_equal = False
perms_regex = False
perms_subset = False
def _match_perms(self, obj):
"""
@ -88,4 +89,8 @@ class MatchPermission(object):
# if there is no criteria, everything matches.
return True
return self._match_regex_or_set(obj.perms, self.perms, self.perms_equal, self.perms_regex)
if self.perms_subset:
return obj.perms >= self.perms
else:
return self._match_regex_or_set(obj.perms, self.perms, self.perms_equal,
self.perms_regex)
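Review bot: The new `if self.perms_subset:` branch silently wins over perms_equal and perms_regex, and when perms_regex is set the descriptor declared as `CriteriaSetDescriptor("perms_regex")` in the first hunk presumably holds a compiled pattern rather than a set, so `obj.perms >= self.perms` would raise TypeError instead of returning a match result. Make the branch explicit about that precedence, e.g. `if self.perms_subset and not self.perms_regex:`, or reject the flag combination where the criteria are assigned, and add a comment such as `# subset matching takes precedence over perms_equal; incompatible with perms_regex`. Writing the test as `obj.perms.issuperset(self.perms)` would also state the intended direction more clearly than `>=`, which additionally requires both operands to be sets. The `_match_perms` body begins in the earlier hunk and its docstring and the no-criteria check are cut between the two hunks, so I cannot see whether the regex case is already excluded before this point.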


@ -62,6 +62,10 @@ class TERuleQuery(mixins.MatchObjClass, mixins.MatchPermission, query.PolicyQuer
Default is false.
perms_regex If true, regular expression matching will be used
on the permission names instead of set logic.
Default is false.
perms_subset If true, the rule matches if the permissions criteria
is a subset of the rule's permission set.
Default is false.
default The name of the default type to match.
default_regex If true, regular expression matching will be
used on the default type.
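Review bot: The new perms_subset entry does not say how the flag interacts with perms_equal and perms_regex, although the implementation in this commit checks perms_subset before either of them and ignores them when it is set. Add a sentence after the `Default is false.` line for perms_subset, such as `Takes precedence over perms_equal; not combined with perms_regex.`, so callers know which flag wins. The wording `the permissions criteria is a subset of the rule's permission set` could also read `the rule's permission set contains every permission in the criteria` to make the direction of the subset test unmistakable.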


@ -176,6 +176,27 @@ class TERuleQueryTest(mixins.ValidateRule, unittest.TestCase):
self.validate_rule(r[1], "dontaudit", "test14", "test14", "infoflow7",
set(["super_unmapped"]))
def test_052_perms_subset1(self):
"""TE rule query with permission subset."""
q = TERuleQuery(self.p, perms=["super_none", "super_both"], perms_subset=True)
r = sorted(q.results())
self.assertEqual(len(r), 2)
self.validate_rule(r[0], "allow", "test13c", "test13c", "infoflow7",
set(["super_w", "super_none", "super_both"]))
self.validate_rule(r[1], "allow", "test13d", "test13d", "infoflow7",
set(["super_w", "super_none", "super_both", "super_unmapped"]))
def test_052_perms_subset2(self):
"""TE rule query with permission subset (equality)."""
q = TERuleQuery(self.p, perms=["super_w", "super_none", "super_both", "super_unmapped"],
perms_subset=True)
r = sorted(q.results())
self.assertEqual(len(r), 1)
self.validate_rule(r[0], "allow", "test13d", "test13d", "infoflow7",
set(["super_w", "super_none", "super_both", "super_unmapped"]))
def test_100_default(self):
"""TE rule query with default type exact match."""
q = TERuleQuery(self.p, default="test100d", default_regex=False)
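Review bot: The two new tests only exercise perms_subset on its own; there is no case combining it with perms_regex=True or perms_equal=True, which is exactly where the new `obj.perms >= self.perms` branch in the mixin diverges from the existing set and regex paths, nor a case with perms_subset=True and no perms criteria to confirm the early "everything matches" return still applies. A third test, e.g. `q = TERuleQuery(self.p, perms=["super_none"], perms_subset=True, perms_regex=True)`, asserting whichever outcome the query is documented to give, would pin that precedence. The docstring of test_052_perms_subset2 says `(equality)`, which is accurate only because test13d happens to have exactly the four listed permissions; a comment saying so would keep the test readable if the policy fixture changes.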