Compiled Python module (bytecode). Source path recorded in the file: /usr/lib64/python3.9/site-packages/setools/diff/constraints.py

Imported names:
    collections: defaultdict
    typing: FrozenSet, List, Optional, Union
    policyrep: AnyConstraint, ConstraintRuletype, Role, Type, User
    descriptors: DiffResultDescriptor
    difference: Difference, SymbolWrapper, Wrapper
    objclass: class_wrapper_factory
    RuleList

class ConstraintsDifference

    Docstring:
        Determine the difference in constraints between two policies.

        Since the compiler does not union constraints, there may be multiple
        constraints with the same ruletype, object class, and permission set,
        so constraints can only be added or removed, not modified.

        The constraint expressions are compared only on a basic level.
        Expressions that are logically equivalent but are structurally
        different, for example, by associativity, will be considered
        different. Type and role attributes are also not expanded, so if
        there are changes to attribute members, it will not be reflected
        as a difference.

    Attributes:
        added_constrains, removed_constrains (descriptor name "diff_constrains")
        added_mlsconstrains, removed_mlsconstrains (descriptor name "diff_mlsconstrains")
        added_validatetrans, removed_validatetrans (descriptor name "diff_validatetrans")
        added_mlsvalidatetrans, removed_mlsvalidatetrans (descriptor name "diff_mlsvalidatetrans")
        _left_constraints, _right_constraints (both None until the rule lists are built)

    Methods:
        diff_constrains
            Docstring: Generate the difference in constraint rules between the policies.
            Log message: "Generating constraint differences from {0.left_policy} to {0.right_policy}"
        diff_mlsconstrains
            Docstring: Generate the difference in MLS constraint rules between the policies.
            Log message: "Generating MLS constraint differences from {0.left_policy} to {0.right_policy}"
        diff_validatetrans
            Docstring: Generate the difference in validatetrans rules between the policies.
            Log message: "Generating validatetrans differences from {0.left_policy} to {0.right_policy}"
        diff_mlsvalidatetrans
            Docstring: Generate the difference in MLS validatetrans rules between the policies.
            Log message: "Generating mlsvalidatetrans differences from {0.left_policy} to {0.right_policy}"
        _create_constrain_lists
            Docstring: Create rule lists for both policies.
            Log messages: "Building constraint lists from {0.left_policy}", "Loaded {0} {1} rules.", "Building constraint lists from {0.right_policy}", "Completed building constraint rule lists."
        _reset_diff
            Docstring: Reset diff results on policy changes.
            Log message: "Resetting all constraints differences"

    Assertion messages used by each of the four diff_* methods:
        "Left constraints didn't load, this a bug."
        "Right constraints didn't load, this a bug."

class ConstraintWrapper

    Docstring: Wrap constraints for diff purposes.
    __slots__: ruletype, tclass, perms, expr
    Methods: __init__, __hash__, __lt__, __eq__