static void EvaluateBundle(EvalContext *ctx, const Bundle *bp, const char * const *seq)
{
EvalContextStackPushBundleFrame(ctx, bp, NULL, false);
for (int type = 0; seq[type] != NULL; type++)
{
const PromiseType *sp = BundleGetPromiseType((Bundle *)bp, seq[type]);
/* Some promise types might not be there. */
if (!sp || SeqLength(sp->promises) == 0)
{
Log(LOG_LEVEL_DEBUG, "No promise type %s in bundle %s",
seq[type], bp->name);
continue;
}
EvalContextStackPushPromiseTypeFrame(ctx, sp);
for (size_t ppi = 0; ppi < SeqLength(sp->promises); ppi++)
{
Promise *pp = SeqAt(sp->promises, ppi);
ExpandPromise(ctx, pp, KeepServerPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
/* Check if we are having some other promise types which we
* should evaluate. THIS IS ONLY FOR BACKWARD COMPATIBILITY! */
for (size_t j = 0; j < SeqLength(bp->promise_types); j++)
{
PromiseType *sp = SeqAt(bp->promise_types, j);
/* Skipping evaluation of promise as this was evaluated in
* loop above. */
if (!IsPromiseTypeNotInTypeSequence(sp->name, seq))
{
Log(LOG_LEVEL_DEBUG, "Skipping subsequent evaluation of "
"promise type %s in bundle %s", sp->name, bp->name);
continue;
}
Log(LOG_LEVEL_WARNING, "Trying to evaluate unsupported/obsolete "
"promise type %s in %s bundle %s", sp->name, bp->type, bp->name);
EvalContextStackPushPromiseTypeFrame(ctx, sp);
for (size_t ppi = 0; ppi < SeqLength(sp->promises); ppi++)
{
Promise *pp = SeqAt(sp->promises, ppi);
ExpandPromise(ctx, pp, KeepServerPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
EvalContextStackPopFrame(ctx);
}
static void test_expand_promise_slist(void **state)
{
actuator_state = 0;
EvalContext *ctx = *state;
{
VarRef *lval = VarRefParse("default:bundle.foo");
Rlist *list = NULL;
RlistAppendScalar(&list, "a");
RlistAppendScalar(&list, "b");
EvalContextVariablePut(ctx, lval, list, CF_DATA_TYPE_STRING_LIST, NULL);
RlistDestroy(list);
VarRefDestroy(lval);
}
Policy *policy = PolicyNew();
Bundle *bundle = PolicyAppendBundle(policy, NamespaceDefault(), "bundle", "agent", NULL, NULL);
PromiseType *promise_type = BundleAppendPromiseType(bundle, "dummy");
Promise *promise = PromiseTypeAppendPromise(promise_type, "$(foo)", (Rval) { NULL, RVAL_TYPE_NOPROMISEE }, "any", NULL);
EvalContextStackPushBundleFrame(ctx, bundle, NULL, false);
EvalContextStackPushPromiseTypeFrame(ctx, promise_type);
ExpandPromise(ctx, promise, actuator_expand_promise_slist, NULL);
EvalContextStackPopFrame(ctx);
EvalContextStackPopFrame(ctx);
assert_int_equal(2, actuator_state);
PolicyDestroy(policy);
}
static void test_expand_promise_array_with_scalar_arg(void **state)
{
EvalContext *ctx = *state;
{
VarRef *lval = VarRefParse("default:bundle.foo[one]");
EvalContextVariablePut(ctx, lval, "first", CF_DATA_TYPE_STRING, NULL);
VarRefDestroy(lval);
}
{
VarRef *lval = VarRefParse("default:bundle.bar");
EvalContextVariablePut(ctx, lval, "one", CF_DATA_TYPE_STRING, NULL);
VarRefDestroy(lval);
}
Policy *policy = PolicyNew();
Bundle *bundle = PolicyAppendBundle(policy, NamespaceDefault(), "bundle", "agent", NULL, NULL);
PromiseType *promise_type = BundleAppendPromiseType(bundle, "dummy");
Promise *promise = PromiseTypeAppendPromise(promise_type, "$(foo[$(bar)])", (Rval) { NULL, RVAL_TYPE_NOPROMISEE }, "any", NULL);
EvalContextStackPushBundleFrame(ctx, bundle, NULL, false);
EvalContextStackPushPromiseTypeFrame(ctx, promise_type);
ExpandPromise(ctx, promise, actuator_expand_promise_array_with_scalar_arg, NULL);
EvalContextStackPopFrame(ctx);
EvalContextStackPopFrame(ctx);
PolicyDestroy(policy);
}
static void ResolveCommonClassPromises(EvalContext *ctx, PromiseType *pt)
{
assert(strcmp("classes", pt->name) == 0);
assert(strcmp(pt->parent_bundle->type, "common") == 0);
EvalContextStackPushPromiseTypeFrame(ctx, pt);
for (size_t i = 0; i < SeqLength(pt->promises); i++)
{
Promise *pp = SeqAt(pt->promises, i);
char *sp = NULL;
if (VarClassExcluded(ctx, pp, &sp))
{
if (LEGACY_OUTPUT)
{
Log(LOG_LEVEL_VERBOSE, "\n");
Log(LOG_LEVEL_VERBOSE, ". . . . . . . . . . . . . . . . . . . . . . . . . . . . ");
Log(LOG_LEVEL_VERBOSE, "Skipping whole next promise (%s), as var-context %s is not relevant", pp->promiser, sp);
Log(LOG_LEVEL_VERBOSE, ". . . . . . . . . . . . . . . . . . . . . . . . . . . . ");
}
else
{
Log(LOG_LEVEL_VERBOSE, "Skipping next promise '%s', as var-context '%s' is not relevant", pp->promiser, sp);
}
continue;
}
ExpandPromise(ctx, pp, VerifyClassPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
void BundleResolve(EvalContext *ctx, const Bundle *bundle)
{
Log(LOG_LEVEL_DEBUG, "Resolving variables in bundle '%s' '%s'",
bundle->type, bundle->name);
if (strcmp(bundle->type, "common") == 0)
{
for (size_t j = 0; j < SeqLength(bundle->promise_types); j++)
{
PromiseType *pt = SeqAt(bundle->promise_types, j);
if (strcmp(pt->name, "classes") == 0)
{
EvalContextStackPushPromiseTypeFrame(ctx, pt);
for (size_t i = 0; i < SeqLength(pt->promises); i++)
{
Promise *pp = SeqAt(pt->promises, i);
ExpandPromise(ctx, pp, VerifyClassPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
}
}
for (size_t j = 0; j < SeqLength(bundle->promise_types); j++)
{
PromiseType *pt = SeqAt(bundle->promise_types, j);
if (strcmp(pt->name, "vars") == 0)
{
EvalContextStackPushPromiseTypeFrame(ctx, pt);
for (size_t i = 0; i < SeqLength(pt->promises); i++)
{
Promise *pp = SeqAt(pt->promises, i);
ExpandPromise(ctx, pp, (PromiseActuator*)VerifyVarPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
}
}
static void ResolveVariablesPromises(EvalContext *ctx, PromiseType *pt)
{
assert(strcmp("vars", pt->name) == 0);
EvalContextStackPushPromiseTypeFrame(ctx, pt);
for (size_t i = 0; i < SeqLength(pt->promises); i++)
{
Promise *pp = SeqAt(pt->promises, i);
EvalContextStackPushPromiseFrame(ctx, pp, false);
EvalContextStackPushPromiseIterationFrame(ctx, 0, NULL);
VerifyVarPromise(ctx, pp, false);
EvalContextStackPopFrame(ctx);
EvalContextStackPopFrame(ctx);
}
EvalContextStackPopFrame(ctx);
}
void BundleResolvePromiseType(EvalContext *ctx, const Bundle *bundle, const char *type, PromiseActuator *actuator)
{
for (size_t j = 0; j < SeqLength(bundle->promise_types); j++)
{
PromiseType *pt = SeqAt(bundle->promise_types, j);
if (strcmp(pt->name, type) == 0)
{
EvalContextStackPushPromiseTypeFrame(ctx, pt);
for (size_t i = 0; i < SeqLength(pt->promises); i++)
{
Promise *pp = SeqAt(pt->promises, i);
ExpandPromise(ctx, pp, actuator, NULL);
}
EvalContextStackPopFrame(ctx);
}
}
}
static void KeepPromiseBundles(EvalContext *ctx, const Policy *policy)
{
/* Dial up the generic promise expansion with a callback */
CleanReportBookFilterSet();
for (size_t i = 0; i < SeqLength(policy->bundles); i++)
{
Bundle *bp = SeqAt(policy->bundles, i);
if ((strcmp(bp->type, CF_AGENTTYPES[AGENT_TYPE_SERVER]) == 0) || (strcmp(bp->type, CF_AGENTTYPES[AGENT_TYPE_COMMON]) == 0))
{
if (RlistLen(bp->args) > 0)
{
Log(LOG_LEVEL_WARNING, "Cannot implicitly evaluate bundle '%s %s', as this bundle takes arguments.", bp->type, bp->name);
continue;
}
BannerBundle(bp, NULL);
EvalContextStackPushBundleFrame(ctx, bp, NULL, false);
for (size_t j = 0; j < SeqLength(bp->promise_types); j++)
{
PromiseType *sp = SeqAt(bp->promise_types, j);
if ((strcmp(sp->name, "access") != 0) && (strcmp(sp->name, "roles") != 0))
{
continue;
}
BannerPromiseType(bp->name, sp->name, 0);
EvalContextStackPushPromiseTypeFrame(ctx, sp);
for (size_t ppi = 0; ppi < SeqLength(sp->promises); ppi++)
{
Promise *pp = SeqAt(sp->promises, ppi);
ExpandPromise(ctx, pp, KeepServerPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
EvalContextStackPopFrame(ctx);
}
}
}
static void KeepPromiseBundles(EvalContext *ctx, const Policy *policy)
{
/* Dial up the generic promise expansion with a callback */
CleanReportBookFilterSet();
for (size_t i = 0; i < SeqLength(policy->bundles); i++)
{
Bundle *bp = SeqAt(policy->bundles, i);
if ((strcmp(bp->type, CF_AGENTTYPES[AGENT_TYPE_SERVER]) == 0) || (strcmp(bp->type, CF_AGENTTYPES[AGENT_TYPE_COMMON]) == 0))
{
if (RlistLen(bp->args) > 0)
{
Log(LOG_LEVEL_WARNING,
"Cannot implicitly evaluate bundle '%s %s', as this bundle takes arguments.",
bp->type, bp->name);
continue;
}
EvalContextStackPushBundleFrame(ctx, bp, NULL, false);
for (int type = 0; SERVER_TYPESEQUENCE[type] != NULL; type++)
{
const PromiseType *sp = BundleGetPromiseType((Bundle *)bp, SERVER_TYPESEQUENCE[type]);
/* Some promise types might not be there. */
if (!sp || SeqLength(sp->promises) == 0)
{
Log(LOG_LEVEL_DEBUG, "No promise type %s in bundle %s",
SERVER_TYPESEQUENCE[type], bp->name);
continue;
}
EvalContextStackPushPromiseTypeFrame(ctx, sp);
for (size_t ppi = 0; ppi < SeqLength(sp->promises); ppi++)
{
Promise *pp = SeqAt(sp->promises, ppi);
ExpandPromise(ctx, pp, KeepServerPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
/* Check if we are having some other promise types which we
* should evaluate. THIS IS ONLY FOR BACKWARD COMPATIBILITY! */
for (size_t j = 0; j < SeqLength(bp->promise_types); j++)
{
PromiseType *sp = SeqAt(bp->promise_types, j);
/* Skipping evaluation of promise as this was evaluated in
* loop above. */
if (!IsPromiseTypeNotInServerTypeSequence(sp->name))
{
Log(LOG_LEVEL_DEBUG, "Skipping subsequent evaluation of "
"promise type %s in bundle %s", sp->name, bp->name);
continue;
}
Log(LOG_LEVEL_WARNING, "Trying to evaluate unsupported/obsolete "
"promise type %s in bundle %s", sp->name, bp->name);
EvalContextStackPushPromiseTypeFrame(ctx, sp);
for (size_t ppi = 0; ppi < SeqLength(sp->promises); ppi++)
{
Promise *pp = SeqAt(sp->promises, ppi);
ExpandPromise(ctx, pp, KeepServerPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
EvalContextStackPopFrame(ctx);
}
}
}
Policy *LoadPolicy(EvalContext *ctx, GenericAgentConfig *config)
{
StringSet *parsed_files_and_checksums = StringSetNew();
StringSet *failed_files = StringSetNew();
Policy *policy = LoadPolicyFile(ctx, config, config->input_file, parsed_files_and_checksums, failed_files);
if (StringSetSize(failed_files) > 0)
{
Log(LOG_LEVEL_ERR, "There are syntax errors in policy files");
exit(EXIT_FAILURE);
}
StringSetDestroy(parsed_files_and_checksums);
StringSetDestroy(failed_files);
{
Seq *errors = SeqNew(100, PolicyErrorDestroy);
if (PolicyCheckPartial(policy, errors))
{
if (!config->bundlesequence && (PolicyIsRunnable(policy) || config->check_runnable))
{
Log(LOG_LEVEL_VERBOSE, "Running full policy integrity checks");
PolicyCheckRunnable(ctx, policy, errors, config->ignore_missing_bundles);
}
}
if (SeqLength(errors) > 0)
{
Writer *writer = FileWriter(stderr);
for (size_t i = 0; i < errors->length; i++)
{
PolicyErrorWrite(writer, errors->data[i]);
}
WriterClose(writer);
exit(EXIT_FAILURE); // TODO: do not exit
}
SeqDestroy(errors);
}
if (LogGetGlobalLevel() >= LOG_LEVEL_VERBOSE)
{
ShowContext(ctx);
}
if (policy)
{
for (size_t i = 0; i < SeqLength(policy->bundles); i++)
{
Bundle *bp = SeqAt(policy->bundles, i);
EvalContextStackPushBundleFrame(ctx, bp, NULL, false);
for (size_t j = 0; j < SeqLength(bp->promise_types); j++)
{
PromiseType *sp = SeqAt(bp->promise_types, j);
EvalContextStackPushPromiseTypeFrame(ctx, sp);
for (size_t ppi = 0; ppi < SeqLength(sp->promises); ppi++)
{
Promise *pp = SeqAt(sp->promises, ppi);
ExpandPromise(ctx, pp, CommonEvalPromise, NULL);
}
EvalContextStackPopFrame(ctx);
}
EvalContextStackPopFrame(ctx);
}
PolicyResolve(ctx, policy, config);
// TODO: need to move this inside PolicyCheckRunnable eventually.
if (!config->bundlesequence && config->check_runnable)
{
// only verify policy-defined bundlesequence for cf-agent, cf-promises
if ((config->agent_type == AGENT_TYPE_AGENT) ||
(config->agent_type == AGENT_TYPE_COMMON))
{
if (!VerifyBundleSequence(ctx, policy, config))
{
FatalError(ctx, "Errors in promise bundles: could not verify bundlesequence");
}
}
}
}
JsonElement *validated_doc = ReadReleaseIdFileFromInputs();
if (validated_doc)
{
const char *release_id = JsonObjectGetAsString(validated_doc, "releaseId");
if (release_id)
{
policy->release_id = xstrdup(release_id);
}
JsonDestroy(validated_doc);
}
return policy;
}
