sonic-net · renukamanavalan · Sep 30, 2020 · Jun 23, 2020 · Jun 23, 2020 · Jun 23, 2020
diff --git a/translib/app_interface.go b/translib/app_interface.go
@@ -63,6 +63,10 @@ type appOptions struct {
     // 0 indicates unlimited depth.
     // Valid for GET API only.
     depth uint
+
+    // deleteEmptyEntry indicates if the db entry should be deleted upon
+    // deletion of last field. This is a non standard option.
+    deleteEmptyEntry bool
 }
 
 //map containing the base path to app module info

diff --git a/translib/authorize.go b/translib/authorize.go
@@ -0,0 +1,88 @@
+////////////////////////////////////////////////////////////////////////////////
+//                                                                            //
+//  Copyright 2019 Broadcom. The term Broadcom refers to Broadcom Inc. and/or //
+//  its subsidiaries.                                                         //
+//                                                                            //
+//  Licensed under the Apache License, Version 2.0 (the "License");           //
+//  you may not use this file except in compliance with the License.          //
+//  You may obtain a copy of the License at                                   //
+//                                                                            //
+//     http://www.apache.org/licenses/LICENSE-2.0                             //
+//                                                                            //
+//  Unless required by applicable law or agreed to in writing, software       //
+//  distributed under the License is distributed on an "AS IS" BASIS,         //
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  //  
+//  See the License for the specific language governing permissions and       //
+//  limitations under the License.                                            //
+//                                                                            //
+////////////////////////////////////////////////////////////////////////////////
+
+/*
+Package translib defines the functions to be used to authorize 
+
+an incoming user. It also includes caching of the UserDB data
+
+needed to authorize the user.
+
+*/
+
+package translib
+
+import (
+	//"strconv"
+	//log "github.com/golang/glog"
+)
+
+func init() {
+}
+
+func isAuthorizedForSet(req SetRequest) bool {
+	if !req.AuthEnabled {
+		return true
+	}
+	for _, r := range req.User.Roles {
+        if r == "admin" {
+            return true
+        }
+    }
+	return false
+}
+func isAuthorizedForBulk(req BulkRequest) bool {
+	if !req.AuthEnabled {
+		return true
+	}
+	for _, r := range req.User.Roles {
+        if r == "admin" {
+            return true
+        }
+    }
+	return false
+}
+
+//For full fledged RBAC support to be implemented later
+
+func isAuthorizedForGet(req GetRequest) bool {
+	if !req.AuthEnabled {
+		return true
+	}
+	return  true
+}
+func isAuthorizedForSubscribe(req SubscribeRequest) bool {
+	if !req.AuthEnabled {
+		return true
+	}
+	return  true
+}
+func isAuthorizedForIsSubscribe(req IsSubscribeRequest) bool {
+	if !req.AuthEnabled {
+		return true
+	}
+	return  true
+}
+
+func isAuthorizedForAction(req ActionRequest) bool {
+	if !req.AuthEnabled {
+		return true
+	}
+	return  true
+}
diff --git a/translib/tlerr/app_errors.go b/translib/tlerr/app_errors.go
@@ -45,6 +45,9 @@ type NotSupportedError errordata
 // InternalError indicates a generic error during app execution.
 type InternalError errordata
 
+// AuthorizationError indicates the user is not authorized for an operation.
+type AuthorizationError errordata
+
 /////////////
 
 func (e InvalidArgsError) Error() string {
@@ -90,3 +93,8 @@ func (e InternalError) Error() string {
 func New(msg string, args ...interface{}) InternalError {
 	return InternalError{Format: msg, Args: args}
 }
+
+func (e AuthorizationError) Error() string {
+    return p.Sprintf(e.Format, e.Args...)
+}
+
diff --git a/translib/tlerr/tlerr.go b/translib/tlerr/tlerr.go
@@ -101,3 +101,14 @@ type TranslibSyntaxValidationError struct {
 func (e TranslibSyntaxValidationError) Error() string {
 	return p.Sprintf("%s", e.ErrorStr)
 }
+
+type TranslibUnsupportedClientVersion struct {
+    ClientVersion string
+    ServerVersion string
+    ServerBaseVersion string
+}
+
+func (e TranslibUnsupportedClientVersion) Error() string {
+    return p.Sprintf("Unsupported client version %s", e.ClientVersion)
+}
+
diff --git a/translib/translib.go b/translib/translib.go
@@ -47,7 +47,7 @@ var writeMutex = &sync.Mutex{}
 //Interval value for interval based subscription needs to be within the min and max
 //minimum global interval for interval based subscribe in secs
 var minSubsInterval = 20
-//minimum global interval for interval based subscribe in secs
+//maximum global interval for interval based subscribe in secs
 var maxSubsInterval = 600
 
 type ErrSource int
@@ -68,6 +68,7 @@ type SetRequest struct {
 	User    UserRoles
 	AuthEnabled bool
 	ClientVersion Version
+	DeleteEmptyEntry bool
 }
 
 type SetResponse struct {
@@ -183,6 +184,12 @@ func Create(req SetRequest) (SetResponse, error) {
 	var resp SetResponse
 	path := req.Path
 	payload := req.Payload
+	if !isAuthorizedForSet(req) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Create Operation",
+			Path: path,
+		}
+	}
 
 	log.Info("Create request received with path =", path)
 	log.Info("Create request received with payload =", string(payload))
@@ -251,6 +258,13 @@ func Update(req SetRequest) (SetResponse, error) {
 	var resp SetResponse
 	path := req.Path
 	payload := req.Payload
+	if !isAuthorizedForSet(req) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Update Operation",
+			Path: path,
+		}
+	}
+
 
 	log.Info("Update request received with path =", path)
 	log.Info("Update request received with payload =", string(payload))
@@ -320,6 +334,12 @@ func Replace(req SetRequest) (SetResponse, error) {
 	var resp SetResponse
 	path := req.Path
 	payload := req.Payload
+	if !isAuthorizedForSet(req) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Replace Operation",
+			Path: path,
+		}
+	}
 
 	log.Info("Replace request received with path =", path)
 	log.Info("Replace request received with payload =", string(payload))
@@ -388,6 +408,12 @@ func Delete(req SetRequest) (SetResponse, error) {
 	var keys []db.WatchKeys
 	var resp SetResponse
 	path := req.Path
+	if !isAuthorizedForSet(req) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Delete Operation",
+			Path: path,
+		}
+	}
 
 	log.Info("Delete request received with path =", path)
 
@@ -398,7 +424,8 @@ func Delete(req SetRequest) (SetResponse, error) {
 		return resp, err
 	}
 
-	err = appInitialize(app, appInfo, path, nil, nil, DELETE)
+	opts := appOptions{deleteEmptyEntry: req.DeleteEmptyEntry}
+	err = appInitialize(app, appInfo, path, nil, &opts, DELETE)
 
 	if err != nil {
 		resp.ErrSrc = AppErr
@@ -454,6 +481,12 @@ func Get(req GetRequest) (GetResponse, error) {
 	var payload []byte
 	var resp GetResponse
 	path := req.Path
+	if !isAuthorizedForGet(req) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Get Operation",
+			Path: path,
+		}
+	}
 
 	log.Info("Received Get request for path = ", path)
 
@@ -499,6 +532,12 @@ func Action(req ActionRequest) (ActionResponse, error) {
 	var resp ActionResponse
 	path := req.Path
 
+	if !isAuthorizedForAction(req) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Action Operation",
+			Path: path,
+		}
+	}
 
 	log.Info("Received Action request for path = ", path)
 
@@ -560,6 +599,13 @@ func Bulk(req BulkRequest) (BulkResponse, error) {
 		UpdateResponse: updateResp,
 		CreateResponse: createResp}
 
+
+    if (!isAuthorizedForBulk(req)) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Action Operation",
+		}
+    }
+
 	writeMutex.Lock()
 	defer writeMutex.Unlock()
 
@@ -581,6 +627,7 @@ func Bulk(req BulkRequest) (BulkResponse, error) {
 
 	for i := range req.DeleteRequest {
 		path := req.DeleteRequest[i].Path
+		opts := appOptions{deleteEmptyEntry: req.DeleteRequest[i].DeleteEmptyEntry}
 
 		log.Info("Delete request received with path =", path)
 
@@ -591,7 +638,7 @@ func Bulk(req BulkRequest) (BulkResponse, error) {
 			goto BulkDeleteError
 		}
 
-		err = appInitialize(app, appInfo, path, nil, nil, DELETE)
+		err = appInitialize(app, appInfo, path, nil, &opts, DELETE)
 
 		if err != nil {
 			errSrc = AppErr
@@ -807,6 +854,12 @@ func Subscribe(req SubscribeRequest) ([]*IsSubscribeResponse, error) {
 			Err:                 nil}
 	}
 
+    if (!isAuthorizedForSubscribe(req)) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Action Operation",
+		}
+    }
+
 	isGetCase := true
 	dbs, err := getAllDbs(isGetCase)
 
@@ -903,6 +956,12 @@ func IsSubscribeSupported(req IsSubscribeRequest) ([]*IsSubscribeResponse, error
 			Err:                 nil}
 	}
 
+    if (!isAuthorizedForIsSubscribe(req)) {
+		return resp, tlerr.AuthorizationError{
+			Format: "User is unauthorized for Action Operation",
+		}
+    }
+
 	isGetCase := true
 	dbs, err := getAllDbs(isGetCase)
 
@@ -1075,7 +1134,7 @@ func getDBOptionsWithSeparator(dbNo db.DBNum, initIndicator string, tableSeparat
 		InitIndicator:      initIndicator,
 		TableNameSeparator: tableSeparator,
 		KeySeparator:       keySeparator,
-		//IsWriteDisabled:    isWriteDisabled, //Will be enabled once the DB access layer changes are checked in
+		IsWriteDisabled:    isWriteDisabled,
 	})
 }
 
@@ -1088,6 +1147,10 @@ func getAppModule(path string, clientVer Version) (*appInterface, *appInfo, erro
 		return nil, aInfo, err
 	}
 
+	if err := validateClientVersion(clientVer, path, aInfo); err != nil {
+		return nil, aInfo, err
+	}
+
 	app, err = getAppInterface(aInfo.appType)
 
 	if err != nil {