Exemple #1
0
func (d *Daemon) policyAdd(path string, node *policy.Node) error {
	var (
		currNode, parentNode *policy.Node
		err                  error
	)

	if node.Name == "" {
		path, node.Name = policy.SplitNodePath(path)
	} else if strings.Contains(node.Name, ".") && node.Name != common.GlobalLabelPrefix {
		path, node.Name = policy.SplitNodePath(path + "." + node.Name)
	}

	currNode, parentNode, err = d.findNode(path)
	if err != nil {
		return err
	}
	log.Debugf("Policy currNode %+v, parentNode %+v", currNode, parentNode)

	// eg. path = io.cilium.lizards.foo.db and io.cilium.lizards doesn't exist
	if (currNode == nil && parentNode == nil) ||
		// eg. path = io.cilium.lizards.foo and io.cilium.lizards.foo doesn't exist
		(currNode == nil && parentNode != nil) {

		pn := policy.NewNode("", nil)
		if err := d.policyAdd(path, pn); err != nil {
			return err
		}
		currNode, parentNode, err = d.findNode(path)
		if err != nil {
			return err
		}
		log.Debugf("Policy currNode %+v, parentNode %+v", currNode, parentNode)
	}
	// eg. path = io.cilium
	if currNode != nil && parentNode == nil {
		if currNode.Name == node.Name {
			node.Path()
			if err := currNode.Merge(node); err != nil {
				return err
			}
		} else {
			if err := currNode.AddChild(node.Name, node); err != nil {
				return err
			}
		}
	} else if currNode != nil && parentNode != nil {
		// eg. path = io.cilium.lizards.db exists
		if err := currNode.AddChild(node.Name, node); err != nil {
			return err
		}
	}
	return nil
}
Exemple #2
0
func (d *Daemon) PolicyAdd(path string, node *policy.Node) error {
	log.Debugf("Policy Add Request: %s %+v", path, node)

	if !strings.HasPrefix(path, common.GlobalLabelPrefix) {
		return fmt.Errorf("the given path %q doesn't have the prefix %q", path, common.GlobalLabelPrefix)
	}

	d.policyMU.Lock()
	if err := d.policyAdd(path, node); err != nil {
		d.policyMU.Unlock()
		return err
	}
	if err := node.ResolveTree(); err != nil {
		d.policyMU.Unlock()
		return err
	}
	d.policyMU.Unlock()

	d.triggerPolicyUpdates([]uint32{})

	return nil
}
Exemple #3
0
func (router *Router) policyAddForm(w http.ResponseWriter, r *http.Request) {
	const _4MBMemory = 4 << 20
	err := r.ParseMultipartForm(_4MBMemory)
	if err != nil {
		processServerError(w, r, err)
		return
	}
	file, _, err := r.FormFile("policy-input-file")
	if err != nil {
		processServerError(w, r, err)
		return
	}
	var pn policy.Node
	if err := json.NewDecoder(file).Decode(&pn); err != nil {
		processServerError(w, r, err)
		return
	}
	if err := router.daemon.PolicyAdd(pn.Path(), &pn); err != nil {
		processServerError(w, r, err)
		return
	}
	w.WriteHeader(http.StatusCreated)
}
Exemple #4
0
func loadPolicy(name string) (*policy.Node, error) {
	log.Debugf("Entering directory %s...", name)

	if name == "-" {
		return loadPolicyFile(name)
	}

	if fi, err := os.Stat(name); err != nil {
		return nil, err
	} else if fi.Mode().IsRegular() {
		return loadPolicyFile(name)
	} else if !fi.Mode().IsDir() {
		return nil, fmt.Errorf("Error: %s is not a file or a directory", name)
	}

	files, err := ioutil.ReadDir(name)
	if err != nil {
		return nil, err
	}

	var node *policy.Node

	// process all files first
	for _, f := range files {
		if f.IsDir() || ignoredFile(path.Base(f.Name())) {
			continue
		}

		if p, err := loadPolicyFile(filepath.Join(name, f.Name())); err != nil {
			return nil, err
		} else {
			if node != nil {
				if err := node.Merge(p); err != nil {
					return nil, fmt.Errorf("Error: %s: %s", f.Name(), err)
				}
			} else {
				node = p
			}
		}
	}

	// recursive search
	for _, f := range files {
		if f.IsDir() {
			if ignoredFile(path.Base(f.Name())) {
				continue
			}
			subpath := filepath.Join(name, f.Name())
			if p, err := loadPolicy(subpath); err != nil {
				return nil, err
			} else {
				if p.Name == "" {
					return nil, fmt.Errorf("Policy node import from %s did not derive a name",
						subpath)
				}

				node.AddChild(p.Name, p)
			}
		}
	}

	log.Debugf("Leaving directory %s...", name)

	return node, nil
}
Exemple #5
0
func (ds *DaemonSuite) TestUpdateConsumerMap(c *C) {
	lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource)
	lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource)
	lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
	lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
	lblJoe := labels.NewLabel("io.cilium.user", "joe", common.CiliumLabelSource)
	lblPete := labels.NewLabel("io.cilium.user", "pete", common.CiliumLabelSource)

	rootNode := policy.Node{
		Name: common.GlobalLabelPrefix,
		Rules: []policy.PolicyRule{
			&policy.PolicyRuleConsumers{
				Coverage: []labels.Label{*lblBar},
				Allow: []policy.AllowRule{
					// always-allow: user=joe
					{Action: policy.ALWAYS_ACCEPT, Label: *lblJoe},
					// allow:  user=pete
					{Action: policy.ACCEPT, Label: *lblPete},
				},
			},
			&policy.PolicyRuleRequires{ // coverage qa, requires qa
				Coverage: []labels.Label{*lblQA},
				Requires: []labels.Label{*lblQA},
			},
			&policy.PolicyRuleRequires{ // coverage prod, requires: prod
				Coverage: []labels.Label{*lblProd},
				Requires: []labels.Label{*lblProd},
			},
		},
		Children: map[string]*policy.Node{
			"foo": {},
			"bar": {
				Rules: []policy.PolicyRule{
					&policy.PolicyRuleConsumers{
						Allow: []policy.AllowRule{
							{ // allow: foo
								Action: policy.ACCEPT,
								Label:  *lblFoo,
							},
							{Action: policy.DENY, Label: *lblJoe},
							{Action: policy.DENY, Label: *lblPete},
						},
					},
				},
			},
		},
	}

	c.Assert(rootNode.ResolveTree(), Equals, nil)

	err := ds.d.PolicyAdd("io.cilium", &rootNode)
	c.Assert(err, Equals, nil)

	qaBarLbls := labels.Labels{lblBar.Key: lblBar, lblQA.Key: lblQA}
	qaBarSecLblsCtx, _, err := ds.d.PutLabels(qaBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	prodBarLbls := labels.Labels{lblBar.Key: lblBar, lblProd.Key: lblProd}
	prodBarSecLblsCtx, _, err := ds.d.PutLabels(prodBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	qaFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblQA.Key: lblQA}
	qaFooSecLblsCtx, _, err := ds.d.PutLabels(qaFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	prodFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd}
	prodFooSecLblsCtx, _, err := ds.d.PutLabels(prodFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	prodFooJoeLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd, lblJoe.Key: lblJoe}
	prodFooJoeSecLblsCtx, _, err := ds.d.PutLabels(prodFooJoeLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	e := endpoint.Endpoint{
		ID:      1,
		IfName:  "dummy1",
		IPv6:    IPv6Addr,
		IPv4:    IPv4Addr,
		LXCMAC:  HardAddr,
		NodeMAC: HardAddr,
	}
	e.Opts = option.NewBoolOptions(&DaemonOptionLibrary)
	e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false)
	err = os.Mkdir("1", 755)
	c.Assert(err, IsNil)
	defer func() {
		err = os.RemoveAll("1/geneve_opts.cfg")
		err = os.RemoveAll("1/lxc_config.h")
		time.Sleep(1 * time.Second)
		err = os.RemoveAll("1")
		err = os.RemoveAll("1_backup")
	}()
	e.SetSecLabel(qaBarSecLblsCtx)
	err = ds.d.regenerateEndpoint(&e)
	c.Assert(err, Equals, nil)
	c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, true)
	c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true)

	e = endpoint.Endpoint{
		ID:      1,
		IfName:  "dummy1",
		IPv6:    IPv6Addr,
		IPv4:    IPv4Addr,
		LXCMAC:  HardAddr,
		NodeMAC: HardAddr,
	}
	e.Opts = option.NewBoolOptions(&DaemonOptionLibrary)
	e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false)
	e.SetSecLabel(prodBarSecLblsCtx)
	err = ds.d.regenerateEndpoint(&e)
	c.Assert(err, Equals, nil)
	c.Assert(e.Allows(0), Equals, false)
	c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, true)
	c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true)

	err = ds.d.PolicyDelete("io.cilium")
	c.Assert(err, Equals, nil)
}