Update logging output for PoliciesYaml. Update admin.aclpolicy to use…

… Yaml format
rundeck · Mar 15, 2011 · 346d2d2 · 346d2d2
1 parent af388ec
commit 346d2d2
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 14 deletions.
diff --git a/core/src/java/com/dtolabs/rundeck/core/authorization/Explanation.java b/core/src/java/com/dtolabs/rundeck/core/authorization/Explanation.java
@@ -36,6 +36,7 @@ public enum Code {
         REJECTED_NO_RESOURCE_PROPERTY_PROVIDED, 
         REJECTED_RESOURCE_PROPERTY_NOT_MATCHED, 
         REJECTED_NO_RULES_DECLARED, 
+        REJECTED_NO_DESCRIPTION_PROVIDED, 
     };
 
     Code getCode();

diff --git a/core/src/java/com/dtolabs/rundeck/core/authorization/providers/ContextDecision.java b/core/src/java/com/dtolabs/rundeck/core/authorization/providers/ContextDecision.java
@@ -7,12 +7,24 @@
 import com.dtolabs.rundeck.core.authorization.Explanation;
 import com.dtolabs.rundeck.core.authorization.Explanation.Code;
 
+/**
+ * ContextDecision provides the decision id and the evaluation up to the decision point.
+ * @author noahcampbell
+ *
+ */
 public class ContextDecision implements Explanation {
 
     private final Code id;
     private final boolean granted;
     private final List<ContextEvaluation> evaluations;
 
+    /**
+     * Construct a decision.
+     * 
+     * @param id The decision code id.
+     * @param granted Is the decision granted or not.
+     * @param evaluations A list of evaluations that includes the final decision.
+     */
     public ContextDecision(Code id, boolean granted, List<ContextEvaluation> evaluations) {
         this.id = id;
         this.granted = granted;

diff --git a/core/src/java/com/dtolabs/rundeck/core/authorization/providers/PoliciesYaml.java b/core/src/java/com/dtolabs/rundeck/core/authorization/providers/PoliciesYaml.java
@@ -71,13 +71,7 @@ public static final class YamlPolicyRule {
     }
 
     public static final class YamlPolicy implements Policy {
-
-        private final static Set<String> excludes = new HashSet<String>();
-        static {
-            excludes.add("id");
-            excludes.add("description");
-            excludes.add("by");
-        }
+
         public Map rawInput;
 
         private Set<String> usernames = new HashSet<String>();
@@ -108,9 +102,18 @@ public AclContext getContext() {
                 public ContextDecision includes(Map<String, String> resourceMap, String action) {
                     String resource = defineResource(resourceMap);
                     List<ContextEvaluation> evaluations = new ArrayList<ContextEvaluation>();
+                    Object descriptionValue = rawInput.get("description");
+                    if( descriptionValue == null || !(descriptionValue instanceof String)) ) {
+                        evaluations.add(new ContextEvaluation(Code.REJECTED_NO_DESCRIPTION_PROVIDED, "Policy is missing a description."));
+                        return new ContextDecision(Code.REJECTED_NO_DESCRIPTION_PROVIDED, false, evaluations);
+                    }
+
+                    String description = (String)descriptionValue;
+
                     Object rulesValue = rawInput.get("rules");
                     if( !(rulesValue instanceof Map) ) {
-                        return new ContextDecision(Code.REJECTED_NO_RULES_DECLARED, false);
+                        evaluations.add(new ContextEvaluation(Code.REJECTED_NO_RULES_DECLARED, "No rules declared on policy"));
+                        return new ContextDecision(Code.REJECTED_NO_RULES_DECLARED, false, evaluations);
                     }
                     Map rules = (Map)rulesValue;
 
@@ -143,15 +146,14 @@ public ContextDecision includes(Map<String, String> resourceMap, String action)
 
                             if(actionsKey instanceof String) {
                                 String actions = (String) actionsKey;
-                                if("*".equals(actions)) {
-                                    return new ContextDecision(Code.GRANTED_ACTIONS_AND_COMMANDS_MATCHED, true, evaluations);
-                                }
-                                if(actions.contains(action)) {
+                                if("*".equals(actions) || actions.contains(action)) {
+                                    evaluations.add(new ContextEvaluation(Code.GRANTED_ACTIONS_AND_COMMANDS_MATCHED, description + ": rule: " + rule + " action: " + actions));
                                     return new ContextDecision(Code.GRANTED_ACTIONS_AND_COMMANDS_MATCHED, true, evaluations);
                                 }
                             } else if(actionsKey instanceof List) {
                                 List actions = (List) actionsKey;
                                 if(actions.contains(action)) {
+                                    evaluations.add(new ContextEvaluation(Code.GRANTED_ACTIONS_AND_COMMANDS_MATCHED, description + ": rule: " + rule + " action: " + actions));
                                     return new ContextDecision(Code.GRANTED_ACTIONS_AND_COMMANDS_MATCHED, true, evaluations);
                                 }
                             } else {
@@ -160,7 +162,6 @@ public ContextDecision includes(Map<String, String> resourceMap, String action)
                             }
 
                             evaluations.add(new ContextEvaluation(Code.REJECTED_NO_ACTIONS_MATCHED, "No actions matched"));
-
                         }
                     }
                     return new ContextDecision(Code.REJECTED, false, evaluations);

diff --git a/packaging/root/etc/rundeck/admin.aclpolicy b/packaging/root/etc/rundeck/admin.aclpolicy
@@ -1,7 +1,7 @@
 description: Admin Access ACL
 
 rules: 
-  ^$:
+  .*:
       actions: '*'
 
 by: