Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Translib support for authorization, yang versioning and Delete flag #21

Merged
merged 13 commits into from
Sep 30, 2020
Merged
Show file tree
Hide file tree
Changes from 9 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions translib/app_interface.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,10 @@ type appOptions struct {
// 0 indicates unlimited depth.
// Valid for GET API only.
depth uint

// deleteEmptyEntry indicates if the db entry should be deleted upon
// deletion of last field. This is a non standard option.
deleteEmptyEntry bool
}

//map containing the base path to app module info
Expand Down
88 changes: 88 additions & 0 deletions translib/authorize.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
////////////////////////////////////////////////////////////////////////////////
// //
// Copyright 2019 Broadcom. The term Broadcom refers to Broadcom Inc. and/or //
// its subsidiaries. //
// //
// Licensed under the Apache License, Version 2.0 (the "License"); //
// you may not use this file except in compliance with the License. //
// You may obtain a copy of the License at //
// //
// http://www.apache.org/licenses/LICENSE-2.0 //
// //
// Unless required by applicable law or agreed to in writing, software //
// distributed under the License is distributed on an "AS IS" BASIS, //
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. //
// See the License for the specific language governing permissions and //
// limitations under the License. //
// //
////////////////////////////////////////////////////////////////////////////////

/*
Package translib defines the functions to be used to authorize

an incoming user. It also includes caching of the UserDB data

needed to authorize the user.

*/

package translib

import (
//"strconv"
anand-kumar-subramanian marked this conversation as resolved.
Show resolved Hide resolved
//log "github.com/golang/glog"
)

func init() {
}

func isAuthorizedForSet(req SetRequest) bool {
if !req.AuthEnabled {
return true
}
for _, r := range req.User.Roles {
if r == "admin" {
return true
}
}
return false
}
func isAuthorizedForBulk(req BulkRequest) bool {
if !req.AuthEnabled {
return true
}
for _, r := range req.User.Roles {
if r == "admin" {
return true
}
}
return false
}

//For full fledged RBAC support to be implemented later

func isAuthorizedForGet(req GetRequest) bool {
if !req.AuthEnabled {
return true
}
return true
}
func isAuthorizedForSubscribe(req SubscribeRequest) bool {
if !req.AuthEnabled {
return true
}
return true
}
func isAuthorizedForIsSubscribe(req IsSubscribeRequest) bool {
if !req.AuthEnabled {
return true
}
return true
}

func isAuthorizedForAction(req ActionRequest) bool {
if !req.AuthEnabled {
return true
}
return true
}
8 changes: 8 additions & 0 deletions translib/tlerr/app_errors.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,9 @@ type NotSupportedError errordata
// InternalError indicates a generic error during app execution.
type InternalError errordata

// AuthorizationError indicates the user is not authorized for an operation.
type AuthorizationError errordata

/////////////

func (e InvalidArgsError) Error() string {
Expand Down Expand Up @@ -90,3 +93,8 @@ func (e InternalError) Error() string {
func New(msg string, args ...interface{}) InternalError {
return InternalError{Format: msg, Args: args}
}

func (e AuthorizationError) Error() string {
return p.Sprintf(e.Format, e.Args...)
}

11 changes: 11 additions & 0 deletions translib/tlerr/tlerr.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,3 +101,14 @@ type TranslibSyntaxValidationError struct {
func (e TranslibSyntaxValidationError) Error() string {
return p.Sprintf("%s", e.ErrorStr)
}

type TranslibUnsupportedClientVersion struct {
ClientVersion string
ServerVersion string
ServerBaseVersion string
}

func (e TranslibUnsupportedClientVersion) Error() string {
return p.Sprintf("Unsupported client version %s", e.ClientVersion)
}

71 changes: 67 additions & 4 deletions translib/translib.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ var writeMutex = &sync.Mutex{}
//Interval value for interval based subscription needs to be within the min and max
//minimum global interval for interval based subscribe in secs
var minSubsInterval = 20
//minimum global interval for interval based subscribe in secs
//maximum global interval for interval based subscribe in secs
var maxSubsInterval = 600

type ErrSource int
Expand All @@ -68,6 +68,7 @@ type SetRequest struct {
User UserRoles
AuthEnabled bool
ClientVersion Version
DeleteEmptyEntry bool
}

type SetResponse struct {
Expand Down Expand Up @@ -183,6 +184,12 @@ func Create(req SetRequest) (SetResponse, error) {
var resp SetResponse
path := req.Path
payload := req.Payload
if !isAuthorizedForSet(req) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Create Operation",
Path: path,
}
}

log.Info("Create request received with path =", path)
log.Info("Create request received with payload =", string(payload))
Expand Down Expand Up @@ -251,6 +258,13 @@ func Update(req SetRequest) (SetResponse, error) {
var resp SetResponse
path := req.Path
payload := req.Payload
if !isAuthorizedForSet(req) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Update Operation",
Path: path,
}
}


log.Info("Update request received with path =", path)
log.Info("Update request received with payload =", string(payload))
Expand Down Expand Up @@ -320,6 +334,12 @@ func Replace(req SetRequest) (SetResponse, error) {
var resp SetResponse
path := req.Path
payload := req.Payload
if !isAuthorizedForSet(req) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Replace Operation",
Path: path,
}
}

log.Info("Replace request received with path =", path)
log.Info("Replace request received with payload =", string(payload))
Expand Down Expand Up @@ -388,6 +408,12 @@ func Delete(req SetRequest) (SetResponse, error) {
var keys []db.WatchKeys
var resp SetResponse
path := req.Path
if !isAuthorizedForSet(req) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Delete Operation",
Path: path,
}
}

log.Info("Delete request received with path =", path)

Expand All @@ -398,7 +424,8 @@ func Delete(req SetRequest) (SetResponse, error) {
return resp, err
}

err = appInitialize(app, appInfo, path, nil, nil, DELETE)
opts := appOptions{deleteEmptyEntry: req.DeleteEmptyEntry}
err = appInitialize(app, appInfo, path, nil, &opts, DELETE)

if err != nil {
resp.ErrSrc = AppErr
Expand Down Expand Up @@ -454,6 +481,12 @@ func Get(req GetRequest) (GetResponse, error) {
var payload []byte
var resp GetResponse
path := req.Path
if !isAuthorizedForGet(req) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Get Operation",
Path: path,
}
}

log.Info("Received Get request for path = ", path)

Expand Down Expand Up @@ -499,6 +532,12 @@ func Action(req ActionRequest) (ActionResponse, error) {
var resp ActionResponse
path := req.Path

if !isAuthorizedForAction(req) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Action Operation",
Path: path,
}
}

log.Info("Received Action request for path = ", path)

Expand Down Expand Up @@ -560,6 +599,13 @@ func Bulk(req BulkRequest) (BulkResponse, error) {
UpdateResponse: updateResp,
CreateResponse: createResp}


if (!isAuthorizedForBulk(req)) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Action Operation",
}
}

writeMutex.Lock()
defer writeMutex.Unlock()

Expand All @@ -581,6 +627,7 @@ func Bulk(req BulkRequest) (BulkResponse, error) {

for i := range req.DeleteRequest {
path := req.DeleteRequest[i].Path
opts := appOptions{deleteEmptyEntry: req.DeleteRequest[i].DeleteEmptyEntry}

log.Info("Delete request received with path =", path)

Expand All @@ -591,7 +638,7 @@ func Bulk(req BulkRequest) (BulkResponse, error) {
goto BulkDeleteError
}

err = appInitialize(app, appInfo, path, nil, nil, DELETE)
err = appInitialize(app, appInfo, path, nil, &opts, DELETE)

if err != nil {
errSrc = AppErr
Expand Down Expand Up @@ -807,6 +854,12 @@ func Subscribe(req SubscribeRequest) ([]*IsSubscribeResponse, error) {
Err: nil}
}

if (!isAuthorizedForSubscribe(req)) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Action Operation",
}
}

isGetCase := true
dbs, err := getAllDbs(isGetCase)

Expand Down Expand Up @@ -903,6 +956,12 @@ func IsSubscribeSupported(req IsSubscribeRequest) ([]*IsSubscribeResponse, error
Err: nil}
}

if (!isAuthorizedForIsSubscribe(req)) {
return resp, tlerr.AuthorizationError{
Format: "User is unauthorized for Action Operation",
}
}

isGetCase := true
dbs, err := getAllDbs(isGetCase)

Expand Down Expand Up @@ -1075,7 +1134,7 @@ func getDBOptionsWithSeparator(dbNo db.DBNum, initIndicator string, tableSeparat
InitIndicator: initIndicator,
TableNameSeparator: tableSeparator,
KeySeparator: keySeparator,
//IsWriteDisabled: isWriteDisabled, //Will be enabled once the DB access layer changes are checked in
IsWriteDisabled: isWriteDisabled,
})
}

Expand All @@ -1088,6 +1147,10 @@ func getAppModule(path string, clientVer Version) (*appInterface, *appInfo, erro
return nil, aInfo, err
}

if err := validateClientVersion(clientVer, path, aInfo); err != nil {
return nil, aInfo, err
}

app, err = getAppInterface(aInfo.appType)

if err != nil {
Expand Down
Loading