return out;
}
-void
-maybeout::lendl_() const
-{
- *this << lendl;
-}
-
-void
-maybeout::bracket::close()
-{
- if (m && !closer.empty()) {
- *m.m << closer;
- m.lendl_();
- closer = std::string_view{};
- }
-}
-
-
struct PolicyParser;
const Keyword top[1]{{"<Top>", TokenKind::pseudo, TokenID::Top, 0, false,
}
bool Condition::eval(const Environment& env, const maybeout& eval_log) const {
- eval_log << "Evaluating condition " << *this << lendl;
+ eval_log << "Evaluating condition " << *this << "\n";
std::vector<std::string> runtime_vals;
auto i = env.find(key);
if (op == TokenID::Null) {
eval_log << "Null check. key `" << key
<< (ret ?
"`. Is not present, returning true." :
- "`. Is present, returning false.") << lendl;
+ "`. Is present, returning false.");
return ret;
}
op == TokenID::ForAllValuesStringLike) {
eval_log
<< "Evaluating " << condop_string(op) << " When key "
- << " is not present. Vacuously true." << lendl;
+ << " is not present. Vacuously true.\n";
return true;
} else {
eval_log << "Evaluating " << condop_string(op) << " When key `" << key
<< "` is not present. Returning "
- << (ifexists ? "true" : "false") << lendl;
+ << (ifexists ? "true" : "false") << "\n";
return ifexists;
}
}
const auto& itr = env.equal_range(key);
eval_log << "Evaluating " << condop_string(op) << "for " << itr << " against "
- << (isruntime ? runtime_vals : vals) << lendl;
+ << (isruntime ? runtime_vals : vals) << "\n";
switch (op) {
// String!
case TokenID::ForAnyValueStringEquals:
eval_log);
default:
- eval_log << "Unknown operation: Returning false" << lendl;
+ eval_log << "Unknown operation: Returning false\n";
return false;
}
}
boost::optional<PolicyPrincipal&> princ_type) const {
if (eval_principal(e, ida, eval_log, princ_type) == Effect::Deny) {
- eval_log << "Passing." << lendl;
+ eval_log << "Passing.\n";
return Effect::Pass;
}
if (res && resource.empty() && notresource.empty()) {
eval_log << "A resource was specified but both Resource and NotResource "
- "were empty. Passing." << lendl;
+ "were empty. Passing.\n";
return Effect::Pass;
}
if (!res && (!resource.empty() || !notresource.empty())) {
eval_log << "No resource was specified yet neither "
- "Resource nor NotResource were empty. Passing." << lendl;
+ "Resource nor NotResource were empty. Passing.\n";
return Effect::Pass;
}
if (!resource.empty() && res) {
- eval_log << "Checking Resource for " << res << lendl;
+ eval_log << "Checking Resource for " << res << "\n";
if (!std::any_of(
resource.begin(), resource.end(),
[&res, &eval_log](const ARN& pattern) {
if (pattern.match(*res)) {
- eval_log << "Matched " << pattern << lendl;
+ eval_log << "Matched " << pattern << "\n";
return true;
}
return false;
})) {
- eval_log << "No match in Resource. Passing." << lendl;
+ eval_log << "No match in Resource. Passing.\n";
return Effect::Pass;
}
} else if (!notresource.empty() && res) {
- eval_log << "Checking NotResource for " << res << lendl;
+ eval_log << "Checking NotResource for " << res << "\n";
if (std::any_of(
notresource.begin(), notresource.end(),
[&res, &eval_log](const ARN& pattern) {
if (pattern.match(*res)) {
- eval_log << "Matched " << pattern << lendl;
+ eval_log << "Matched " << pattern << "\n";
return true;
}
return false;
})) {
- eval_log << "Match found in NotResource. Passing." << lendl;
+ eval_log << "Match found in NotResource. Passing.\n";
return Effect::Pass;
}
}
if (!(action[act] == 1)) {
eval_log << action_bit_string(action_t(act))
- << "not found in Action. Passing." << lendl;
+ << "not found in Action. Passing.\n";
return Effect::Pass;
}
if (notaction[act] == 1) {
eval_log << action_bit_string(action_t(act))
- << "found in NotAction. Passing." << lendl;
+ << "found in NotAction. Passing.\n";
return Effect::Pass;
}
{
- eval_log << "Evaluating conditions:" << lendl;
- auto b = eval_log.open("{", "}");
- auto indent = eval_log.indent();
+ eval_log << "Evaluating conditions:\n";
if (std::all_of(
conditions.begin(), conditions.end(),
- [&e, &indent](const Condition& c) {
- indent << "Evaluating condition: " << c << lendl;
- return c.eval(e, indent);
+ [&e, &eval_log](const Condition& c) {
+ eval_log << "Evaluating condition: " << c << "\n";
+ return c.eval(e, eval_log);
})) {
- b.close();
- eval_log << "Returning " << effect;
+ eval_log << "Returning " << effect << "\n";
return effect;
}
}
- eval_log << "Passing." << lendl;
+ eval_log << "Passing.\n";
return Effect::Pass;
}
if (princ_type) {
*princ_type = PolicyPrincipal::Other;
}
- eval_log << "Evaluating identity: " << ida << lendl;
+ eval_log << "Evaluating identity: " << ida << "\n";
if (ida) {
if (princ.empty() && noprinc.empty()) {
- eval_log << "Principal empty and NotPrincipal empty: Denying." << lendl;
+ eval_log << "Principal empty and NotPrincipal empty: Denying.\n";
return Effect::Deny;
}
if (ida->get_identity_type() != TYPE_ROLE &&
!princ.empty() && !is_identity(*ida, princ)) {
eval_log << "Identity is not role, Principal is not empty, and "
- "the identity is not in Principal." << lendl;
+ "the identity is not in Principal.\n";
return Effect::Deny;
}
- eval_log << "Checking type of Principal match." << lendl;
+ eval_log << "Checking type of Principal match.\n";
if (ida->get_identity_type() == TYPE_ROLE && !princ.empty()) {
bool princ_matched = false;
// Check each principal to determine the type of the one that has matched
if (ida->is_identity(p)) {
if (p.is_assumed_role() || p.is_user()) {
if (princ_type) {
- eval_log << "Setting principal type to Session" << lendl;
+ eval_log << "Setting principal type to Session\n";
*princ_type = PolicyPrincipal::Session;
}
} else {
if (princ_type) {
- eval_log << "Setting principal type to Session" << lendl;
+ eval_log << "Setting principal type to Session\n";
*princ_type = PolicyPrincipal::Role;
}
}
if (std::all_of(
conditions.begin(), conditions.end(),
[&e, &eval_log](const Condition& c) {
- eval_log << "Evaluating condition: " << c << lendl;
+ eval_log << "Evaluating condition: " << c << "\n";
return c.eval(e, eval_log);
})) {
- eval_log << "Returning Allow." << lendl;
- return Effect::Allow;
- }
+ eval_log << "Returning Allow.\n";
+ return Effect::Allow;
+ }
- eval_log << "Returning Deny." << lendl;
+ eval_log << "Returning Deny.\n";
return Effect::Deny;
}
{
auto allowed = false;
eval_log
- << "Evaluating policy: ```" << lendl << text << lendl << "'''" << lendl
- << "Environment: " << e << lendl
- << "Principal: " << ida << lendl
- << "Action: " << action_bit_string(action_t(action)) << lendl
- << "Resource: " << resource << lendl;
+ << "Evaluating policy: ```\n" << text << "\n'''\n"
+ << "Environment: " << e << "\n"
+ << "Principal: " << ida << "\n"
+ << "Action: " << action_bit_string(action_t(action)) << "\n"
+ << "Resource: " << resource << "\n";
{
for (auto& s : statements) {
- eval_log << "Evaluating statement: " << s << lendl;
- auto b = eval_log.open("{", "}");
- auto indent = eval_log.indent();
- auto g = s.eval(e, ida, action, resource, indent, princ_type);
- b.close();
+ eval_log << "Evaluating statement: " << s << "\n";
+ auto g = s.eval(e, ida, action, resource, eval_log, princ_type);
if (g == Effect::Deny) {
eval_log << "Denying.\n";
return g;
boost::optional<PolicyPrincipal&> princ_type) const {
auto allowed = false;
for (auto& s : statements) {
- eval_log << "Evaluating identity " << ida << " in statement " << s << lendl;
- auto g = s.eval_principal(e, ida, eval_log.indent(), princ_type);
+ eval_log << "Evaluating identity " << ida << " in statement " << s << "\n";
+ auto g = s.eval_principal(e, ida, eval_log, princ_type);
if (g == Effect::Deny) {
- eval_log << "Denying." << lendl;
+ eval_log << "Denying.\n";
return g;
} else if (g == Effect::Allow) {
allowed = true;
}
}
- eval_log << (allowed ? "Allowing." : "Denying.") << lendl;
+ eval_log << (allowed ? "Allowing." : "Denying.") << "\n";
return allowed ? Effect::Allow : Effect::Deny;
}
maybeout eval_log) const {
auto allowed = false;
for (auto& s : statements) {
- eval_log << "Evaluating conditions in statement:" << lendl;
- auto b = eval_log.open("{", "}");
- auto indent = eval_log.indent();
- auto g = s.eval_conditions(e, indent);
+ eval_log << "Evaluating conditions in statement:\n";
+ auto g = s.eval_conditions(e, eval_log);
if (g == Effect::Deny) {
- eval_log << "Denying." << lendl;
+ eval_log << "Denying.\n";
return g;
} else if (g == Effect::Allow) {
allowed = true;
}
}
- eval_log << (allowed ? "Allowing." : "Denying.") << lendl;
+ eval_log << (allowed ? "Allowing." : "Denying.") << "\n";
return allowed ? Effect::Allow : Effect::Deny;
}
if (s.effect == Effect::Allow) {
for (const auto& p : s.princ) {
if (p.is_wildcard()) {
- eval_log << "Evaluating conditions in statement:" << lendl;
- auto b = eval_log.open("{", "}");
- auto indent = eval_log.indent();
- return s.eval_conditions(iam_all_env, indent) == Effect::Allow;
+ eval_log << "Evaluating conditions in statement:\n";
+ return s.eval_conditions(iam_all_env, eval_log) == Effect::Allow;
}
}
}
struct maybeout {
mutable std::ostream* m;
- std::string prefix;
- maybeout(std::ostream* m,
- std::string&& prefix_ = "") :
- m(m)
- {
- if (m) {
- prefix = std::move(prefix_);
- lendl_();
- }
- }
+ maybeout(std::ostream* m) : m(m) {}
~maybeout()
{
operator=(std::nullptr_t)
{
m = nullptr;
- prefix.clear();
return *this;
}
- maybeout
- indent(std::string&& prefix2 = " ",
- std::string_view closer_ = "") const
- {
- if (m) {
- return maybeout(m, (prefix + std::move(prefix2)));
- } else {
- return nullptr;
- }
- }
-
- void lendl_() const;
-
- struct bracket {
- const maybeout& m;
- std::string_view closer;
-
- bracket(const maybeout& m, std::string_view closer) :
- m(m), closer(closer)
- {}
-
- void close();
-
- ~bracket() { close(); }
- };
-
- bracket
- open(std::string_view opener, std::string_view closer_) const
- {
- if (m) {
- *m << opener;
- lendl_();
- return { *this, closer_ };
- }
- return { *this, "" };
- }
operator bool() const { return !!m; }
-
- const maybeout&
- operator<<(const maybeout& (*func)(const maybeout&)) const
- {
- return func(*this);
- }
};
const maybeout&
return m;
}
-inline const maybeout& lendl(const maybeout& m)
-{
- if (m.m) {
- m.m->put(m.m->widen('\n'));
- *m.m << m.prefix;
- }
- return m;
-}
-
boost::optional<rgw::auth::Principal>
parse_principal(std::string&& s, std::string* errmsg);
}
if (!matched) {
if (failmatch.empty()) {
- eval_log << "Values matched against were empty." << lendl;
+ eval_log << "Values matched against were empty.\n";
} else {
- eval_log << "Predicate false for " << failmatch << lendl;
+ eval_log << "Predicate false for " << failmatch << "\n";
}
return false;
}
for (const auto& d : v) {
if (f(itr->second, d)) {
eval_log << "Predicate true for (" << itr->second
- << ", " << d << ")" << lendl;
+ << ", " << d << ")\n";
return true;
}
}
for (const auto& d : v) {
if (f(itr->second, d)) {
eval_log << "Predicate true for (" << itr->second << ", "
- << d << ")" << lendl;
+ << d << ")\n";
return false;
}
}
const maybeout& eval_log) {
auto xc = std::forward<X>(x)(c);
if (!xc) {
- eval_log << "Failed to convert `" << c << "`. Returning false."
- << lendl;
+ eval_log << "Failed to convert `" << c << "`. Returning false.\n";
return false;
}
for (const auto& d : v) {
auto xd = x(d);
if (!xd) {
- eval_log << "Failed to convert `" << d << "`. Skipping."
- << lendl;
+ eval_log << "Failed to convert `" << d << "`. Skipping.\n";
continue;
}
if (f(*xc, *xd)) {
- eval_log << "Predicate true for (" << *xc << ", " << *xd << ")"
- << lendl;
+ eval_log << "Predicate true for (" << *xc << ", " << *xd << ")\n";
return true;
}
}
const maybeout& eval_log) {
auto xc = std::forward<X>(x)(c);
if (!xc) {
- eval_log << "Failed to convert `" << c << "`. Returning false."
- << lendl;
+ eval_log << "Failed to convert `" << c << "`. Returning false.\n";
return false;
}
for (const auto& d : v) {
auto xd = x(d);
if (!xd) {
- eval_log << "Failed to convert `" << d << "`. Skipping."
- << lendl;
+ eval_log << "Failed to convert `" << d << "`. Skipping.\n";
continue;
}
if (f(*xc, *xd)) {
- eval_log << "Predicate true for (" << *xc << ", " << *xd << ")"
- << lendl;
+ eval_log << "Predicate true for (" << *xc << ", " << *xd << ")\n";
return false;
}
}
projects / ceph-ci.git / commitdiff