a qqe@sddlZddlmZmZddlmZddlmZddlm Z ddl m Z dd l m Z mZd Zd Zd Zd ZdZdZGddde ZdS)N)ListUnion)InvalidCheckValue) AnyRBACRule) RBACRuleQuery) CheckerModule)ConfigDescriptorConfigSetDescriptorsourcetarget exempt_source exempt_target expect_source expect_targetcseZdZdZdZeeeee e e fZ e dZe dZeddddZeddddZeddddZeddddZddfd d Zedd d ZZS) AssertRBACz?Checker module for asserting a RBAC allow rule exists (or not).Z assert_rbacZ lookup_roleFT)strictexpandN)returncst|||tt|_|t|_|t |_ |t |_ |t |_|t|_|t|_t|j|j fs|td|j |j@}|r|jdddd|D|j|j@}|r|jdddd|DdS)Nz5At least one of source or target options must be set.z.Overlap in expect_source and exempt_source: {}z, css|] }|jVqdSNname.0ir@/usr/lib64/python3.9/site-packages/setools/checker/assertrbac.py ;z&AssertRBAC.__init__..z.Overlap in expect_target and exempt_target: {}css|] }|jVqdSrrrrrrr@r)super__init__loggingZ getLogger__name__logget SOURCE_OPTr TARGET_OPTr EXEMPT_SRC_OPTrEXEMPT_TGT_OPTrEXPECT_SRC_OPTrEXPECT_TGT_OPTranyrinfoformatjoin)selfpolicyZ checknameZconfigZsource_exempt_expect_overlapZtarget_exempt_expect_overlap __class__rrr!(s,           zAssertRBAC.__init__c Cs@t|j|jfsJd|jdt|j|j|jdd}t|j}t|j }g}t | D]x}t|j }t|j }||8}||8}||j|j r||j |jr|t|||q^|t|q^|D]"}d|} || || q|D]$}d|} || || q|jd||S)Nz)AssertRBAC no options set, this is a bug.z#Checking RBAC allow rule assertion.)Zallow)r r Zruletypez)Expected rule with source "{}" not found.z)Expected rule with target "{}" not found.z {} failure(s))r,r r r$r-rr1setrrsortedresultsrrrZlog_failstrappendZlog_okr.debug) r0queryZunseen_sourcesZunseen_targetsZfailuresZruleZsrcsZtgtsitemZfailurerrrrunBs>         zAssertRBAC.run)r# __module__ __qualname____doc__Z check_type frozensetr&r'r(r)r*r+Z check_configr r r r rrrrr!rr< __classcell__rrr2rrs r)r"typingrr exceptionrZ policyreprZ rbacrulequeryrZ checkermoduler Z descriptorsr r r&r'r(r)r*r+rrrrrs