3
�^������������������@���sx���d�dl�Z�d�dlZddlmZmZ�ddlmZ�ddlmZm Z �ddl
m
Z
�ddl
m
Z
�ddlmZ�G�d d
��d
ee e
�ZdS�)
�����N����)�CriteriaDescriptor�CriteriaSetDescriptor)�ConstraintUseError)�
MatchObjClass�MatchPermission)�ConstraintRuletype)�
PolicyQuery)�
match_in_setc�������������������sl���e�Zd�ZdZeed�Zedd�ZdZ edd�Z
dZ
dZ
ed d
�Z
dZdZ��fd
d
�Zd
d��Zdd��Z���ZS�)�ConstraintQuerya���
Query constraint rules, (mls)constrain/(mls)validatetrans.
Parameter:
policy The policy to query.
Keyword Parameters/Class attributes:
ruletype The list of rule type(s) to match.
tclass The object class(es) to match.
tclass_regex If true, use a regular expression for
matching the rule's object class.
perms The permission(s) to match.
perms_equal If true, the permission set of the rule
must exactly match the permissions
criteria. If false, any set intersection
will match.
perms_regex If true, regular expression matching will be used
on the permission names instead of set logic.
role The name of the role to match in the
constraint expression.
role_indirect If true, members of an attribute will be
matched rather than the attribute itself.
role_regex If true, regular expression matching will
be used on the role.
type_ The name of the type/attribute to match in the
constraint expression.
type_indirect If true, members of an attribute will be
matched rather than the attribute itself.
type_regex If true, regular expression matching will
be used on the type/attribute.
user The name of the user to match in the
constraint expression.
user_regex If true, regular expression matching will
be used on the user.
)�
enum_class�
user_regexZ
lookup_userF�
role_regexZ
lookup_roleT�
type_regexZlookup_type_or_attrc�������������
���s$���t�t|��j|f|��tjt�|�_d�S�)N)�superr
����__init__�loggingZ getLogger�__name__�log)�self�policy�kwargs)� __class__���'/usr/lib64/python3.6/constraintquery.pyr���N���s����zConstraintQuery.__init__c�������������C���s8���|r(t���}x |D�]}|j|j����qW�n|}t|||�S�)ay��
Match roles/types/users in a constraint expression,
optionally by expanding the contents of attributes.
Parameters:
expr The expression to match.
criteria The criteria to match.
indirect If attributes in the expression should be expanded.
regex If regular expression matching should be used.
)�set�update�expandr
���)r����exprZcriteriaZindirectZregex�obj�itemr���r���r����
_match_exprR���s
����
zConstraintQuery._match_exprc�������������c���sJ��|�j�jdj|����|�j�jdj|����|�j|�j���|�j|�j���|�j�jdj|����|�j�jdj|����|�j�jdj|����x�|�jj��D�]�}|�jr�|j|�jkr�q~|�j |�s�q~y|�j
|�s�w~W�n�t
k
r����w~Y�nX�|�j
r�|�j
|jj|�j
|�j|�j�
�r�q~|�j�r|�j
|jj|�j|�j|�j�
��rq~|�j�r<|�j
|jj|�jd|�j�
��r<q~|V��q~W�dS�)z6Generator which yields all matching constraints rules.z-Generating constraint results from {0.policy}zRuletypes: {0.ruletype}z'User: {0.user!r}, regex: {0.user_regex}z'Role: {0.role!r}, regex: {0.role_regex}z(Type: {0.type_!r}, regex: {0.type_regex}FN)r����info�format�debugZ_match_object_class_debugZ_match_perms_debugr���Z
constraints�ruletypeZ_match_object_classZ
_match_permsr����roler!���Z
expressionZroles�
role_indirectr����type_�types�
type_indirectr����userZusersr
���)r����cr���r���r����resultsg���sJ����
zConstraintQuery.results)r����
__module__�
__qualname__�__doc__r���r���r%���r���r+���r
���r&���r���r'���r(���r���r*���r���r!���r-����
__classcell__r���r���)r���r���r
���
���s���$
r
���)r����reZ
descriptorsr���r���Z exceptionr���Zmixinsr���r���Z policyrepr���Zqueryr ����utilr
���r
���r���r���r���r����<module>���s���