-
Notifications
You must be signed in to change notification settings - Fork 0
/
policy.go
171 lines (149 loc) · 4.62 KB
/
policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
package kv
import (
"strings"
log "github.com/sirupsen/logrus"
"github.com/zhyocean/neuvector/controller/api"
"github.com/zhyocean/neuvector/controller/common"
"github.com/zhyocean/neuvector/share"
"github.com/zhyocean/neuvector/share/cluster"
"github.com/zhyocean/neuvector/share/utils"
)
func writePolicyToKvClusterTxn(txn *cluster.ClusterTransact, dels []uint32, keeps []*share.CLUSRuleHead) int {
// Write updated rules to the cluster
if len(dels) > 0 {
clusHelper.PutPolicyRuleListTxn(txn, keeps)
for _, id := range dels {
clusHelper.DeletePolicyRuleTxn(txn, id)
}
}
return len(dels)
}
func deletePolicyByGroupsTxn(txn *cluster.ClusterTransact, names []string) int { // return # of deleted policies
crhs := clusHelper.GetPolicyRuleList()
dels := make([]uint32, 0, 32)
keeps := make([]*share.CLUSRuleHead, 0, len(crhs))
for _, crh := range crhs {
var found bool
var getFromKvCalled bool
var r *share.CLUSPolicyRule
rhCfgType := common.PolicyRuleIdToCfgType(crh.ID)
for _, name := range names {
isFedGroup := strings.HasPrefix(name, api.FederalGroupPrefix)
if (isFedGroup && rhCfgType == share.FederalCfg) || (!isFedGroup && rhCfgType != share.FederalCfg) {
if r == nil {
r, _ = clusHelper.GetPolicyRule(crh.ID)
getFromKvCalled = true
}
if r != nil && (r.From == name || r.To == name) {
// found the policy to be deleted
found = true
break
}
}
}
if found {
dels = append(dels, crh.ID)
} else if !getFromKvCalled || r != nil {
keeps = append(keeps, crh)
}
}
// Write updated rules to the cluster
return writePolicyToKvClusterTxn(txn, dels, keeps)
}
func DeletePolicyByGroups(names []string) int { // return # of deleted policies
txn := cluster.Transact()
defer txn.Close()
delCount := deletePolicyByGroupsTxn(txn, names)
if delCount > 0 {
if ok, err := txn.Apply(); err != nil || !ok {
log.WithFields(log.Fields{"error": err, "ok": ok}).Error("Atomic write failed")
return 0
}
}
return delCount
}
func DeletePolicyByGroup(name string) int { // return # of deleted policies
return DeletePolicyByGroups([]string{name})
}
func DeletePolicyByGroupTxn(txn *cluster.ClusterTransact, name string) error {
deletePolicyByGroupsTxn(txn, []string{name})
return nil
}
func DeletePolicyByCfgTypeTxn(txn *cluster.ClusterTransact, cfgType share.TCfgType) {
delsNum, keepsNum := 0, 0
crhs := clusHelper.GetPolicyRuleList()
for _, crh := range crhs {
if cfgType == common.PolicyRuleIdToCfgType(crh.ID) {
delsNum++
} else {
keepsNum++
}
}
dels := make([]uint32, 0, delsNum)
keeps := make([]*share.CLUSRuleHead, 0, keepsNum)
for _, crh := range crhs {
if cfgType == common.PolicyRuleIdToCfgType(crh.ID) {
dels = append(dels, crh.ID)
} else {
keeps = append(keeps, crh)
}
}
// Write updated rules to the cluster
writePolicyToKvClusterTxn(txn, dels, keeps)
}
func deleteResponseRuleByGroupTxn(txn *cluster.ClusterTransact, name string) int {
isFedGroup := strings.HasPrefix(name, api.FederalGroupPrefix)
delCount := 0
policyNames := []string{share.DefaultPolicyName, share.FedPolicyName}
for _, policyName := range policyNames {
if (isFedGroup && policyName != share.FedPolicyName) || (!isFedGroup && policyName == share.FedPolicyName) {
continue
}
dels := utils.NewSet()
keeps := make([]*share.CLUSRuleHead, 0)
crhs := clusHelper.GetResponseRuleList(policyName)
for _, crh := range crhs {
rhCfgType := share.UserCreated
if crh.ID > api.StartingFedAdmRespRuleID {
rhCfgType = share.FederalCfg
}
if (isFedGroup && rhCfgType == share.FederalCfg) || (!isFedGroup && rhCfgType != share.FederalCfg) {
if r, _ := clusHelper.GetResponseRule(policyName, crh.ID); r != nil {
if r.Group == name {
// To be deleted
dels.Add(crh.ID)
} else {
keeps = append(keeps, crh)
}
}
} else {
keeps = append(keeps, crh)
}
}
// Write updated rules to the cluster by transaction
if dels.Cardinality() > 0 {
clusHelper.PutResponseRuleListTxn(policyName, txn, keeps)
for id := range dels.Iter() {
clusHelper.DeleteResponseRuleTxn(policyName, txn, id.(uint32))
}
delCount += dels.Cardinality()
}
}
return delCount
}
func DeleteResponseRuleByGroup(name string) int {
txn := cluster.Transact()
defer txn.Close()
delCount := deleteResponseRuleByGroupTxn(txn, name)
if delCount > 0 {
if ok, err := txn.Apply(); err != nil || !ok {
log.WithFields(log.Fields{"error": err, "ok": ok}).Error("Atomic write failed")
return 0
}
}
return delCount
}
func DeleteResponseRuleByGroupTxn(txn *cluster.ClusterTransact, name string) error {
deleteResponseRuleByGroupTxn(txn, name)
return nil
}