package policyengine
// inmemory is a CachedChainStorage that keeps every chain in process
// memory; nothing is persisted. IsAllowed consults the three maps in the
// order the fields are declared below.
//
// NOTE(review): the maps are read by IsAllowed and written by the Add*/
// Remove* methods with no synchronization visible in this file, so using
// one instance from several goroutines is a data race (concurrent map
// writes abort the process) unless the caller serializes access —
// confirm with the callers.
type inmemory struct {
	// local holds per-name override chains, evaluated before anything else.
	local map[Name][]*Chain

	// namespace holds chains keyed by name, each tagged with a glob that is
	// matched against the request namespace.
	namespace map[Name][]chain

	// resource holds chains keyed by name, each tagged with a glob that is
	// matched against the resource name of the request.
	resource map[Name][]chain
}
// chain pairs a Chain with the glob pattern it is scoped to. The pattern
// is compared against either the request namespace or the resource name,
// depending on which inmemory map the entry lives in (see matchArray).
type chain struct {
	// object is the glob pattern that must match before chain is consulted.
	object string

	// chain is the rule chain evaluated when object matches. It is stored
	// as given; nothing in this file checks it for nil.
	chain *Chain
}
// NewInMemory returns a new, empty in-memory chain storage. Every map is
// initialised up front so the Add* methods never write to a nil map.
func NewInMemory() CachedChainStorage {
	store := &inmemory{}
	store.local = make(map[Name][]*Chain)
	store.namespace = make(map[Name][]chain)
	store.resource = make(map[Name][]chain)
	return store
}
// IsAllowed implements the Engine interface.
//
// Evaluation runs in three stages: the override chains registered for
// name, then the chains scoped to the request namespace, then the chains
// scoped to the resource name. In the first two stages a matching rule
// whose status is not Allow ends evaluation immediately with that status,
// so a deny is never shadowed by a later allow; an Allow from the
// namespace stage is only reported after the resource stage has been
// consulted. In the resource stage the first match is final whatever its
// status. The second result reports whether any rule matched at all;
// (NoRuleFound, false) means no stage produced a verdict.
//
// NOTE(review): an override chain that matches with Allow is neither
// returned nor counted as a found rule, unlike the namespace stage, so a
// name whose only matching rule is an override Allow yields
// (NoRuleFound, false). This reproduces the original logic; confirm it
// against the intended override semantics before relying on it.
func (s *inmemory) IsAllowed(name Name, namespace string, r Request) (Status, bool) {
	// Stage 1: overrides. Only non-Allow verdicts terminate here.
	for _, override := range s.local[name] {
		verdict, matched := override.Match(r)
		if matched && verdict != Allow {
			return verdict, true
		}
	}

	// Stage 2: chains scoped to the request namespace. A non-Allow verdict
	// is final; an Allow is remembered until the resource stage has run.
	namespaceAllowed := false
	if cs, present := s.namespace[name]; present {
		verdict, matched := matchArray(cs, namespace, r)
		if matched && verdict != Allow {
			return verdict, true
		}
		namespaceAllowed = matched
	}

	// Stage 3: chains scoped to the resource name. The first match is final
	// regardless of its status.
	if cs, present := s.resource[name]; present {
		if verdict, matched := matchArray(cs, r.Resource().Name(), r); matched {
			return verdict, true
		}
	}

	if namespaceAllowed {
		return Allow, true
	}
	return NoRuleFound, false
}
// matchArray walks cs in order and returns the verdict of the first entry
// whose object glob matches object and whose chain matches r. Entries
// whose glob does not match are skipped without consulting their chain.
// Because the first match wins, registration order (Add* append) decides
// precedence. When nothing matches the result is (NoRuleFound, false).
//
// NOTE(review): an entry whose chain is nil is dereferenced here; the
// Add* methods do not reject nil, so verify that at the call sites if
// chains can originate from untrusted input.
func matchArray(cs []chain, object string, r Request) (Status, bool) {
	for i := range cs {
		entry := &cs[i]
		if !globMatch(object, entry.object) {
			continue
		}
		verdict, matched := entry.chain.Match(r)
		if matched {
			return verdict, true
		}
	}
	return NoRuleFound, false
}
// AddResourceChain registers c for name, scoped to resources whose name
// matches the glob resource. Entries are appended, so chains are
// evaluated in registration order and the earliest match wins. c is
// stored as given and is not checked for nil.
func (s *inmemory) AddResourceChain(name Name, resource string, c *Chain) {
	entry := chain{object: resource, chain: c}
	s.resource[name] = append(s.resource[name], entry)
}
// AddNameSpaceChain registers c for name, scoped to request namespaces
// that match the glob namespace. Entries are appended, so chains are
// evaluated in registration order and the earliest match wins. c is
// stored as given and is not checked for nil.
func (s *inmemory) AddNameSpaceChain(name Name, namespace string, c *Chain) {
	entry := chain{object: namespace, chain: c}
	s.namespace[name] = append(s.namespace[name], entry)
}
// AddOverride appends c to the override chains registered for name.
// Overrides are consulted by IsAllowed before any namespace or resource
// chain. Nothing checks c for nil or for a duplicate ID; a second chain
// with the same ID is simply appended, and GetOverride/RemoveOverride
// only ever see the first one.
func (s *inmemory) AddOverride(name Name, c *Chain) {
	overrides := s.local[name]
	overrides = append(overrides, c)
	s.local[name] = overrides
}
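// GetOverride looks up the override chain with id chainID among the
// overrides registered for name and returns it together with true. When
// name has no overrides, or none of them carries chainID, it returns
// (nil, false). The returned pointer is the stored chain itself, not a
// copy, so mutating it changes the policy the store enforces.
//
// Fix: the previous implementation ranged directly into its named result
// variable, so on a miss it returned the *last* override examined with
// found == false. A caller that did not check the flag would act on an
// unrelated chain; a miss now yields a nil chain.
func (s *inmemory) GetOverride(name Name, chainID ChainID) (*Chain, bool) {
	for _, c := range s.local[name] {
		if c.ID == chainID {
			return c, true
		}
	}
	return nil, false
}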
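// RemoveOverride deletes the first override chain with id chainID from
// the overrides registered for name and reports whether one was found.
// When no chain matches, the store is left untouched. The remaining
// chains keep their relative order.
//
// Removal compacts the existing backing array in place, so any slice that
// aliases s.local[name] observes the shift.
//
// Fix: the previous implementation compacted with append, which left the
// removed *Chain sitting in the now-unused tail slot of the backing array
// and therefore still reachable; the vacated slot is now cleared.
func (s *inmemory) RemoveOverride(name Name, chainID ChainID) (found bool) {
	chains := s.local[name]
	for i, c := range chains {
		if c.ID != chainID {
			continue
		}
		last := len(chains) - 1
		copy(chains[i:], chains[i+1:])
		// Drop the dangling reference left behind by the shift so the
		// removed chain can be collected.
		chains[last] = nil
		s.local[name] = chains[:last]
		return true
	}
	return false
}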
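// ListOverrides returns the override chains registered for name, in
// registration order, or nil when there are none.
//
// Fix: the previous implementation handed out the store's internal slice,
// which let callers rewrite the enforced policy by assigning into it and
// exposed them to the in-place shifts performed by RemoveOverride. The
// result is now a fresh slice: the caller may keep or modify it without
// affecting the store, and later AddOverride/RemoveOverride calls do not
// alter it. The *Chain elements themselves are still shared with the
// store.
func (s *inmemory) ListOverrides(name Name) []*Chain {
	stored := s.local[name]
	if len(stored) == 0 {
		return nil
	}
	out := make([]*Chain, len(stored))
	copy(out, stored)
	return out
}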