CORD-1570: Re-implementation of XOS Security via xproto at the API boundary
Change-Id: I9cb6380b0798a5f4af2f0459c5decd0b9edbb317
diff --git a/lib/xos-genx/xosgenx/jinja2_extensions/fol2.py b/lib/xos-genx/xosgenx/jinja2_extensions/fol2.py
index 0c8513a..4552d59 100644
--- a/lib/xos-genx/xosgenx/jinja2_extensions/fol2.py
+++ b/lib/xos-genx/xosgenx/jinja2_extensions/fol2.py
@@ -422,7 +422,7 @@
if not tag:
tag = gen_random_string()
- policy_function_name_template = 'policy_%s_' + '%(random_string)s' % {'random_string': tag}
+ policy_function_name_template = '%s_' + '%(random_string)s' % {'random_string': tag}
policy_function_name = policy_function_name_template % policy_name
self.verdict_next()
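Review bot: The new name template still relies on `%` binding tighter than `+` (`'%s_' + '%(random_string)s' % {...}` formats only the right-hand literal, then concatenates), which reads as if the dict formats the whole string and is easy to break on the next edit. With the `policy_` prefix gone there is nothing left to justify the two-step template; `policy_function_name = '%s_%s' % (policy_name, tag)` replacing the two lines at L11-L12 produces the same `<policy>_<tag>` name in one obvious step. Dropping the prefix also means generated function names now sit directly in the security module's namespace next to its imports, so a comment such as `# name must stay in sync with the "<policy>_security_check" call emitted by the django/service xtargets` would help the next maintainer. The enclosing method starts and ends outside this hunk.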
@@ -636,7 +636,7 @@
if fol_reduced in ['True','False'] and fol != fol_reduced:
raise TrivialPolicy("Policy %(name)s trivially reduces to %(reduced)s. If this is what you want, replace its contents with %(reduced)s"%{'name':policy, 'reduced':fol_reduced})
- a = f2p.gen_test_function(fol_reduced, policy, tag='enforcer')
+ a = f2p.gen_test_function(fol_reduced, policy, tag='security_check')
return astunparse.unparse(a)
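Review bot: The literal `'security_check'` passed as `tag` is the second half of a naming contract whose other half is hard-coded in three templates (`security.{{m.policy}}_security_check` in django-split.xtarget, django.xtarget and service.xtarget), and nothing here records that coupling. At minimum add `# must match the "_security_check" suffix the xtargets call into` above the `gen_test_function` call; better, hoist it to a module-level constant (e.g. `SECURITY_CHECK_TAG = 'security_check'`) that is also handed to the template context so the suffix exists in exactly one place. The enclosing function starts outside this hunk.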
diff --git a/lib/xos-genx/xosgenx/targets/django-security.xtarget b/lib/xos-genx/xosgenx/targets/django-security.xtarget
new file mode 100644
index 0000000..d970cea
--- /dev/null
+++ b/lib/xos-genx/xosgenx/targets/django-security.xtarget
@@ -0,0 +1,9 @@
+from privilege import Privilege
+from django.db.models import Q
+
+{% for m in proto.messages %}
+{% if m.policy %}
+{{ xproto_fol_to_python_test(m.policy, proto.policies[m.policy], m) }}
+{% endif %}
+
+{% endfor %}
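Review bot: A message whose `policy` names something absent from `proto.policies` is not caught here: `proto.policies[m.policy]` on a missing key yields a Jinja Undefined (or an error from inside `xproto_fol_to_python_test`, depending on the environment's undefined handling), so the failure, if any, will not name the offending message, and in the silent case the model's `can_access` would later raise AttributeError on a `security` function that was never generated. Validating `m.policy in proto.policies` in the generator before rendering, with an error that names the message, would make the mismatch visible at generation time. The two imports at the top are also emitted even when no message declares a policy, leaving an otherwise empty module importing `Privilege` and `Q`; a leading `# Generated by xosgenx from django-security.xtarget -- do not edit` line would be worth adding regardless.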
diff --git a/lib/xos-genx/xosgenx/targets/django-split.xtarget b/lib/xos-genx/xosgenx/targets/django-split.xtarget
index 5260e85..60cf9de 100644
--- a/lib/xos-genx/xosgenx/targets/django-split.xtarget
+++ b/lib/xos-genx/xosgenx/targets/django-split.xtarget
@@ -4,13 +4,17 @@
{%- for l in m.links %}
{% if l.peer.name != m.name %}
-from core.models.{{ l.peer.name | lower }} import {{ l.peer.name }}
+from {{ l.peer.name | lower }} import {{ l.peer.name }}
{% endif %}
{%- endfor %}
+{% if m.name!='XOSBase' and 'Mixin' not in m.name %}
+import security
+from privilege import Privilege
+{% endif %}
{% for b in m.bases %}
{% if b.name!='XOSBase' and 'Mixin' not in b.name %}
-from core.models.{{b.name | lower}} import {{ b.name }}
+from {{b.name | lower}} import {{ b.name }}
{% endif %}
{% endfor %}
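Review bot: `from privilege import Privilege` is emitted for every non-XOSBase, non-Mixin model here, including `Privilege` itself, whereas the matching hunk in django.xtarget guards the same line with `{% if m.name!='Privilege' %}`. Because this template writes one module per model (the `{{m.name|lower}}.py` separator later in the file), the generated `privilege.py` would import its own not-yet-defined class at module top, which should fail at import time; wrap the line the same way, `{% if m.name!='Privilege' %}` / `from privilege import Privilege` / `{% endif %}`. This assumes `Privilege` is a generated model in this target, which the django.xtarget guard suggests but this hunk does not show.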
@@ -40,9 +44,9 @@
unique_together = {{ xproto_tuplify(uniques) }}
{%- endif %}
{% if file_exists(m.name|lower + '_model.py') -%}{{ include_file(m.name|lower + '_model.py') | indent(width=2)}}{%- endif %}
+ pass
{% if m.name!='XOSBase' and 'Mixin' not in m.name %}
-
# Generated methods
def save(self, *args, **kwds):
if not self.leaf_model_name:
@@ -58,7 +62,17 @@
{% endfor %}
super({{ m.name }}, self).save(*args, **kwds)
+ def can_access(self, ctx):
+ {% if m.policy %}
+ verdict = security.{{m.policy}}_security_check(self, ctx)
+ return verdict,"{{ m.policy }}"
+ {% else %}
+ verdict = XOS_GLOBAL_DEFAULT_SECURITY_POLICY
+ return verdict,"xos_default_policy"
+ {% endif %}
+
{% endif %}
+
{% if file_exists(xproto_base_name(m.name)|lower+'_bottom.py') -%}{{ include_file(xproto_base_name(m.name)|lower+'_bottom.py') }}{% endif %}
+++ {{m.name|lower}}.py
{% endif %}{% endfor %}
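Review bot: `XOS_GLOBAL_DEFAULT_SECURITY_POLICY` is read in the `{% else %}` branch of `can_access` but is neither defined nor imported by this commit — the import hunk above adds only `import security` and `from privilege import Privilege` — and the same applies to the `can_access` added to django.xtarget (hunk ending at the `_bottom.py` include line). Unless an included `_model.py`/`_bottom.py` or a star import elsewhere provides it, every model without a declared policy raises NameError from `can_access`, which denies access only by accident; either import the default explicitly or state in a comment where it is expected to come from. The method also lacks documentation of its tuple return; a docstring such as `"""Return (verdict, policy_name): whether ctx may access this object and the name of the policy that decided."""` would make the contract clear to callers, and `return verdict, "{{ m.policy }}"` (space after the comma) matches PEP 8. The enclosing class starts outside this hunk.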
diff --git a/lib/xos-genx/xosgenx/targets/django.xtarget b/lib/xos-genx/xosgenx/targets/django.xtarget
index e9a56ec..1c8ce93 100644
--- a/lib/xos-genx/xosgenx/targets/django.xtarget
+++ b/lib/xos-genx/xosgenx/targets/django.xtarget
@@ -4,13 +4,19 @@
{%- for l in m.links %}
{% if l.peer.name != m.name %}
-from core.models.{{ l.peer.name | lower }} import {{ l.peer.name }}
+from {{ l.peer.name | lower }} import {{ l.peer.name }}
{% endif %}
{%- endfor %}
+{% if m.name!='XOSBase' and 'Mixin' not in m.name %}
+import security
+{% if m.name!='Privilege' %}
+from privilege import Privilege
+{% endif %}
+{% endif %}
{% for b in m.bases %}
{% if b.name!='XOSBase' and 'Mixin' not in b.name %}
-from core.models.{{b.name | lower}} import {{ b.name }}
+from {{b.name | lower}} import {{ b.name }}
{% endif %}
{% endfor %}
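Review bot: `import security` is emitted at module top of every generated model, while the generated security module (django-security.xtarget) itself starts with `from privilege import Privilege`; for the generated `privilege.py` that forms an import cycle whose outcome depends on which module is loaded first — if `security` is imported while `privilege` is only partially initialised, the `from privilege import Privilege` line fails. If this is intentional and known to work given the package's import order, a comment on the `import security` line saying so would save the next reader the analysis; otherwise deferring the import into `can_access` (a function-scope `import security` on first use) removes the cycle at the cost of one lookup per call. The `Privilege` self-import guard added here is correct and should be mirrored in django-split.xtarget.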
@@ -57,6 +63,16 @@
policy_{{policy}}_validator(self, None)
{% endfor %}
super({{ m.name }}, self).save(*args, **kwds)
+
+ def can_access(self, ctx):
+ {% if m.policy %}
+ verdict = security.{{m.policy}}_security_check(self, ctx)
+ return verdict,"{{ m.policy }}"
+ {% else %}
+ verdict = XOS_GLOBAL_DEFAULT_SECURITY_POLICY
+ return verdict,"xos_default_policy"
+ {% endif %}
+
{% endif %}
{% if file_exists(xproto_base_name(m.name)|lower+'_bottom.py') -%}{{ include_file(xproto_base_name(m.name)|lower+'_bottom.py') }}{% endif %}
diff --git a/lib/xos-genx/xosgenx/targets/grpc_api.xtarget b/lib/xos-genx/xosgenx/targets/grpc_api.xtarget
index a0373a3..4d05870 100644
--- a/lib/xos-genx/xosgenx/targets/grpc_api.xtarget
+++ b/lib/xos-genx/xosgenx/targets/grpc_api.xtarget
@@ -21,19 +21,19 @@
def List{{ object.name }}(self, request, context):
user=self.authenticate(context)
model=self.get_model("{{ object.name }}")
- return self.querysetToProto(model, model.objects.all())
+ return self.list(model, user)
@translate_exceptions
def Filter{{ object.name }}(self, request, context):
user=self.authenticate(context)
model=self.get_model("{{ object.name }}")
- return self.filter(model, request)
+ return self.filter(model, user, request)
@translate_exceptions
def Get{{ object.name }}(self, request, context):
user=self.authenticate(context)
model=self.get_model("{{ object.name }}")
- return self.get(model, request.id)
+ return self.get(model, user, request.id)
@translate_exceptions
def Create{{ object.name }}(self, request, context):
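Review bot: Only the read handlers (`List`, `Filter`, `Get`) are changed to pass `user` into the helper, and the new `self.list`/`self.filter`/`self.get` signatures are not in the diff, so the reader cannot tell here whether the helper applies the model's `can_access` verdict or only a queryset filter; a one-line comment on `List{{ object.name }}` such as `# user is passed so the helper can apply the model's security policy` would document the intent. `Create{{ object.name }}` begins on the last line of this hunk and, with Update/Delete presumably below it, is unchanged as far as this hunk shows; if those paths do not consult the same verdict, the policy filters what a caller can read but not what it can write, which is the gap most worth confirming in this change.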
diff --git a/lib/xos-genx/xosgenx/targets/service.xtarget b/lib/xos-genx/xosgenx/targets/service.xtarget
index 5336f82..bf14b83 100644
--- a/lib/xos-genx/xosgenx/targets/service.xtarget
+++ b/lib/xos-genx/xosgenx/targets/service.xtarget
@@ -73,6 +73,15 @@
policy_{{policy}}_validator(self, None)
{% endfor %}
super({{ m.name }}{{ legacy_tag }}, self).save(*args, **kwds)
+
+ def can_access(self, ctx):
+ {% if m.policy %}
+ verdict = security.{{m.policy}}_security_check(self, ctx)
+ return verdict,"{{ m.policy }}"
+ {% else %}
+ verdict = True
+ return verdict,"xos_default_policy"
+ {% endif %}
{% if file_exists(m.name|lower+'_bottom.py') -%}{{ include_file(m.name|lower+'_bottom.py') }}{% endif %}
{% endfor %}
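Review bot: The policy-less branch hard-codes `verdict = True`, whereas the django and django-split templates in the same commit use `XOS_GLOBAL_DEFAULT_SECURITY_POLICY` for the same case, so a service model with no declared policy is always allowed here regardless of whatever the global default is set to. Either point both templates at the same default or, if allow-by-default is deliberate for service models, say so on the line: `verdict = True  # service models default to allow; core models consult XOS_GLOBAL_DEFAULT_SECURITY_POLICY`. This hunk also calls `security.{{m.policy}}_security_check` without a corresponding `import security` being added to service.xtarget within the diff; confirm the import exists above this hunk. The enclosing class starts outside this hunk.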