# Copyright 2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
import logging
from PyQt5.QtCore import pyqtSignal, Qt, QObject, QSortFilterProxyModel, QStringListModel, QThread
from PyQt5.QtGui import QPalette, QTextCursor
from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, QScrollArea
from setools import TERuleQuery
from ..widget import SEToolsWidget
from .rulemodels import TERuleListModel
from .models import PermListModel, SEToolsListModel, invert_list_selection
class TERuleQueryTab(SEToolsWidget, QScrollArea):
"""A Type Enforcement rule query."""
def __init__(self, parent, policy, perm_map):
super(TERuleQueryTab, self).__init__(parent)
self.log = logging.getLogger(self.__class__.__name__)
self.policy = policy
self.query = TERuleQuery(policy)
self.setupUi()
def __del__(self):
self.thread.quit()
self.thread.wait(5000)
def setupUi(self):
self.load_ui("terulequery.ui")
# set up source/target autocompletion
typeattr_completion_list = [str(t) for t in self.policy.types()]
typeattr_completion_list.extend(str(a) for a in self.policy.typeattributes())
typeattr_completer_model = QStringListModel(self)
typeattr_completer_model.setStringList(sorted(typeattr_completion_list))
self.typeattr_completion = QCompleter()
self.typeattr_completion.setModel(typeattr_completer_model)
self.source.setCompleter(self.typeattr_completion)
self.target.setCompleter(self.typeattr_completion)
# set up default autocompletion
type_completion_list = [str(t) for t in self.policy.types()]
type_completer_model = QStringListModel(self)
type_completer_model.setStringList(sorted(type_completion_list))
self.type_completion = QCompleter()
self.type_completion.setModel(type_completer_model)
self.default_type.setCompleter(self.type_completion)
# setup indications of errors on source/target/default
self.orig_palette = self.source.palette()
self.error_palette = self.source.palette()
self.error_palette.setColor(QPalette.Base, Qt.red)
self.clear_source_error()
self.clear_target_error()
self.clear_default_error()
# populate class list
self.class_model = SEToolsListModel(self)
self.class_model.item_list = sorted(self.policy.classes())
self.tclass.setModel(self.class_model)
# populate perm list
self.perms_model = PermListModel(self, self.policy)
self.perms.setModel(self.perms_model)
# populate bool list
self.bool_model = SEToolsListModel(self)
self.bool_model.item_list = sorted(self.policy.bools())
self.bool_criteria.setModel(self.bool_model)
# set up results
self.table_results_model = TERuleListModel(self)
self.sort_proxy = QSortFilterProxyModel(self)
self.sort_proxy.setSourceModel(self.table_results_model)
self.table_results.setModel(self.sort_proxy)
# set up processing thread
self.thread = QThread()
self.worker = ResultsUpdater(self.query, self.table_results_model)
self.worker.moveToThread(self.thread)
self.worker.raw_line.connect(self.raw_results.appendPlainText)
self.worker.finished.connect(self.update_complete)
self.worker.finished.connect(self.thread.quit)
self.thread.started.connect(self.worker.update)
# create a "busy, please wait" dialog
self.busy = QProgressDialog(self)
self.busy.setModal(True)
self.busy.setRange(0, 0)
self.busy.setMinimumDuration(0)
self.busy.canceled.connect(self.thread.requestInterruption)
# Ensure settings are consistent with the initial .ui state
self.set_source_regex(self.source_regex.isChecked())
self.set_target_regex(self.target_regex.isChecked())
self.set_default_regex(self.default_regex.isChecked())
self.criteria_frame.setHidden(not self.criteria_expander.isChecked())
self.results_frame.setHidden(not self.results_expander.isChecked())
self.notes.setHidden(not self.notes_expander.isChecked())
# connect signals
self.buttonBox.clicked.connect(self.run)
self.clear_ruletypes.clicked.connect(self.clear_all_ruletypes)
self.all_ruletypes.clicked.connect(self.set_all_ruletypes)
self.source.textEdited.connect(self.clear_source_error)
self.source.editingFinished.connect(self.set_source)
self.source_regex.toggled.connect(self.set_source_regex)
self.target.textEdited.connect(self.clear_target_error)
self.target.editingFinished.connect(self.set_target)
self.target_regex.toggled.connect(self.set_target_regex)
self.tclass.selectionModel().selectionChanged.connect(self.set_tclass)
self.invert_class.clicked.connect(self.invert_tclass_selection)
self.perms.selectionModel().selectionChanged.connect(self.set_perms)
self.invert_perms.clicked.connect(self.invert_perms_selection)
self.default_type.textEdited.connect(self.clear_default_error)
self.default_type.editingFinished.connect(self.set_default_type)
self.default_regex.toggled.connect(self.set_default_regex)
self.bool_criteria.selectionModel().selectionChanged.connect(self.set_bools)
#
# Ruletype criteria
#
def _set_ruletypes(self, value):
self.allow.setChecked(value)
self.auditallow.setChecked(value)
self.neverallow.setChecked(value)
self.dontaudit.setChecked(value)
self.type_transition.setChecked(value)
self.type_member.setChecked(value)
self.type_change.setChecked(value)
def set_all_ruletypes(self):
self._set_ruletypes(True)
def clear_all_ruletypes(self):
self._set_ruletypes(False)
#
# Source criteria
#
def clear_source_error(self):
self.source.setToolTip("Match the source type/attribute of the rule.")
self.source.setPalette(self.orig_palette)
def set_source(self):
try:
self.query.source = self.source.text()
except Exception as ex:
self.source.setToolTip("Error: " + str(ex))
self.source.setPalette(self.error_palette)
def set_source_regex(self, state):
self.log.debug("Setting source_regex {0}".format(state))
self.query.source_regex = state
self.clear_source_error()
self.set_source()
#
# Target criteria
#
def clear_target_error(self):
self.target.setToolTip("Match the target type/attribute of the rule.")
self.target.setPalette(self.orig_palette)
def set_target(self):
try:
self.query.target = self.target.text()
except Exception as ex:
self.target.setToolTip("Error: " + str(ex))
self.target.setPalette(self.error_palette)
def set_target_regex(self, state):
self.log.debug("Setting target_regex {0}".format(state))
self.query.target_regex = state
self.clear_target_error()
self.set_target()
#
# Class criteria
#
def set_tclass(self):
selected_classes = []
for index in self.tclass.selectionModel().selectedIndexes():
selected_classes.append(self.class_model.data(index, Qt.UserRole))
self.query.tclass = selected_classes
self.perms_model.set_classes(selected_classes)
def invert_tclass_selection(self):
invert_list_selection(self.tclass.selectionModel())
#
# Permissions criteria
#
def set_perms(self):
selected_perms = []
for index in self.perms.selectionModel().selectedIndexes():
selected_perms.append(self.perms_model.data(index, Qt.UserRole))
self.query.perms = selected_perms
def invert_perms_selection(self):
invert_list_selection(self.perms.selectionModel())
#
# Default criteria
#
def clear_default_error(self):
self.default_type.setToolTip("Match the default type the rule.")
self.default_type.setPalette(self.orig_palette)
def set_default_type(self):
self.query.default_regex = self.default_regex.isChecked()
try:
self.query.default = self.default_type.text()
except Exception as ex:
self.default_type.setToolTip("Error: " + str(ex))
self.default_type.setPalette(self.error_palette)
def set_default_regex(self, state):
self.log.debug("Setting default_regex {0}".format(state))
self.query.default_regex = state
self.clear_default_error()
self.set_default_type()
#
# Boolean criteria
#
def set_bools(self):
selected_bools = []
for index in self.bool_criteria.selectionModel().selectedIndexes():
selected_bools.append(self.bool_model.data(index, Qt.UserRole))
self.query.boolean = selected_bools
#
# Results runner
#
def run(self, button):
# right now there is only one button.
rule_types = []
max_results = 0
if self.allow.isChecked():
rule_types.append("allow")
max_results += self.policy.allow_count
if self.auditallow.isChecked():
rule_types.append("auditallow")
max_results += self.policy.auditallow_count
if self.neverallow.isChecked():
rule_types.append("neverallow")
max_results += self.policy.neverallow_count
if self.dontaudit.isChecked():
rule_types.append("dontaudit")
max_results += self.policy.dontaudit_count
if self.type_transition.isChecked():
rule_types.append("type_transition")
max_results += self.policy.type_transition_count
if self.type_member.isChecked():
rule_types.append("type_member")
max_results += self.policy.type_member_count
if self.type_change.isChecked():
rule_types.append("type_change")
max_results += self.policy.type_change_count
self.query.ruletype = rule_types
self.query.source_indirect = self.source_indirect.isChecked()
self.query.target_indirect = self.target_indirect.isChecked()
self.query.perms_equal = self.perms_equal.isChecked()
self.query.boolean_equal = self.bools_equal.isChecked()
# if query is broad, show warning.
if not self.query.source and not self.query.target and not self.query.tclass and \
not self.query.perms and not self.query.default and not self.query.boolean:
reply = QMessageBox.question(
self, "Continue?",
"This is a broad query, estimated to return {0} results. Continue?".
format(max_results), QMessageBox.Yes | QMessageBox.No)
if reply == QMessageBox.No:
return
# start processing
self.busy.setLabelText("Processing query...")
self.busy.show()
self.raw_results.clear()
self.thread.start()
def update_complete(self):
# update sizes/location of result displays
if not self.busy.wasCanceled():
self.busy.setLabelText("Resizing the result table's columns; GUI may be unresponsive")
self.busy.repaint()
self.table_results.resizeColumnsToContents()
# If the permissions column width is too long, pull back
# to a reasonable size
header = self.table_results.horizontalHeader()
if header.sectionSize(4) > 400:
header.resizeSection(4, 400)
if not self.busy.wasCanceled():
self.busy.setLabelText("Resizing the result table's rows; GUI may be unresponsive")
self.busy.repaint()
self.table_results.resizeRowsToContents()
if not self.busy.wasCanceled():
self.busy.setLabelText("Moving the raw result to top; GUI may be unresponsive")
self.busy.repaint()
self.raw_results.moveCursor(QTextCursor.Start)
self.busy.reset()
class ResultsUpdater(QObject):
"""
Thread for processing queries and updating result widgets.
Parameters:
query The query object
model The model for the results
Qt signals:
finished The update has completed.
raw_line (str) A string to be appended to the raw results.
"""
finished = pyqtSignal()
raw_line = pyqtSignal(str)
def __init__(self, query, model):
super(ResultsUpdater, self).__init__()
self.query = query
self.table_results_model = model
def update(self):
"""Run the query and update results."""
self.table_results_model.beginResetModel()
results = []
counter = 0
for counter, item in enumerate(self.query.results(), start=1):
results.append(item)
self.raw_line.emit(str(item))
if QThread.currentThread().isInterruptionRequested():
break
elif not counter % 10:
# yield execution every 10 rules
QThread.yieldCurrentThread()
self.table_results_model.resultlist = results
self.table_results_model.endResetModel()
self.finished.emit()