From a45a2c9291f8436ba5a36e93d9906a135958262d Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Mon, 10 Jun 2013 22:56:49 +0200 Subject: [PATCH] Implemented hierarchical policy groups --- src/libimcv/imv/data.sql | 128 ++++++--------------------- src/libimcv/imv/imv_policy_manager.c | 94 +++++++++++--------- src/libimcv/imv/tables.sql | 3 +- 3 files changed, 81 insertions(+), 144 deletions(-) diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index ff00a3a54..f881c91ce 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -459,33 +459,45 @@ INSERT INTO versions ( /* Groups */ INSERT INTO groups ( /* 1 */ - name + name, parent ) VALUES ( - 'Default Debian i686' + 'Default Debian i686', 6 ); INSERT INTO groups ( /* 2 */ - name + name, parent ) VALUES ( - 'Default Debian x86_64' + 'Default Debian x86_64', 6 ); INSERT INTO groups ( /* 3 */ - name + name, parent ) VALUES ( - 'Default Ubuntu i686' + 'Default Ubuntu i686', 6 ); INSERT INTO groups ( /* 4 */ - name + name, parent ) VALUES ( - 'Default Ubuntu x86_64' + 'Default Ubuntu x86_64', 6 ); INSERT INTO groups ( /* 5 */ + name, parent +) VALUES ( + 'Default Android', 7 +); + +INSERT INTO groups ( /* 6 */ + name, parent +) VALUES ( + 'Default Linux', 7 +); + +INSERT INTO groups ( /* 7 */ name ) VALUES ( - 'Default Android' + 'Default' ); /* Default Product Groups */ @@ -684,31 +696,7 @@ INSERT INTO policies ( /* 13 */ INSERT INTO enforcements ( policy, group_id, max_age ) VALUES ( - 1, 1, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 1, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 1, 3, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 1, 4, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 1, 5, 86400 + 1, 7, 86400 ); INSERT INTO enforcements ( 
@@ -720,25 +708,7 @@ INSERT INTO enforcements ( INSERT INTO enforcements ( policy, group_id, max_age ) VALUES ( - 3, 1, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 3, 2, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 3, 3, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 3, 4, 0 + 3, 6, 0 ); INSERT INTO enforcements ( @@ -762,61 +732,13 @@ INSERT INTO enforcements ( INSERT INTO enforcements ( policy, group_id, max_age ) VALUES ( - 8, 1, 60 + 8, 7, 60 ); INSERT INTO enforcements ( policy, group_id, max_age ) VALUES ( - 8, 2, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 8, 3, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 8, 4, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 8, 5, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 2, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 3, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 4, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 5, 60 + 9, 7, 60 ); INSERT INTO enforcements ( diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index 9c08cd53a..641f8a247 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c @@ -50,7 +50,7 @@ static void stderr_dbg(debug_t group, level_t level, char *fmt, ...) bool policy_start(database_t *db, int session_id) { enumerator_t *e; - int id, gid, device_id, product_id, group_id = 0; + int id, gid, device_id, product_id, group_id = 0, parent; int type, file, dir, arg_int, rec_fail, rec_noresult; char *argument; 
@@ -98,57 +98,71 @@ bool policy_start(database_t *db, int session_id) } } - /* if still no group membership found, leave */ - if (!group_id) + /* get iteratively enforcements for given group */ + while (group_id) { - fprintf(stderr, "no group membership found\n"); - return TRUE; - } - - /* get enforcements for given group */ - e = db->query(db, - "SELECT e.id, " - "p.type, p.argument, p.file, p.dir, p.rec_fail, p.rec_noresult " - "FROM enforcements AS e JOIN policies as p ON e.policy = p.id " - "WHERE e.group_id = ?", DB_INT, group_id, - DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT); - if (!e) - { - return FALSE; - } - while (e->enumerate(e, &id, &type, &argument, &file, &dir, &rec_fail, - &rec_noresult)) - { - /* determine arg_int */ - switch ((imv_workitem_type_t)type) + e = db->query(db, + "SELECT e.id, " + "p.type, p.argument, p.file, p.dir, p.rec_fail, p.rec_noresult " + "FROM enforcements AS e JOIN policies as p ON e.policy = p.id " + "WHERE e.group_id = ?", DB_INT, group_id, + DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT); + if (!e) { - case IMV_WORKITEM_FILE_REF_MEAS: - case IMV_WORKITEM_FILE_MEAS: - case IMV_WORKITEM_FILE_META: - arg_int = file; - break; - case IMV_WORKITEM_DIR_REF_MEAS: - case IMV_WORKITEM_DIR_MEAS: - case IMV_WORKITEM_DIR_META: - arg_int = dir; - break; - default: - arg_int = 0; + return FALSE; } + while (e->enumerate(e, &id, &type, &argument, &file, &dir, + &rec_fail, &rec_noresult)) + { + /* determine arg_int */ + switch ((imv_workitem_type_t)type) + { + case IMV_WORKITEM_FILE_REF_MEAS: + case IMV_WORKITEM_FILE_MEAS: + case IMV_WORKITEM_FILE_META: + arg_int = file; + break; + case IMV_WORKITEM_DIR_REF_MEAS: + case IMV_WORKITEM_DIR_MEAS: + case IMV_WORKITEM_DIR_META: + arg_int = dir; + break; + default: + arg_int = 0; + } - /* insert a workitem */ - if (db->execute(db, NULL, + /* insert a workitem */ + if (db->execute(db, NULL, "INSERT INTO workitems (session, enforcement, type, arg_str, " "arg_int, rec_fail, 
rec_noresult) VALUES (?, ?, ?, ?, ?, ?, ?)", DB_INT, session_id, DB_INT, id, DB_INT, type, DB_TEXT, argument, DB_INT, arg_int, DB_INT, rec_fail, DB_INT, rec_noresult) != 1) + { + e->destroy(e); + fprintf(stderr, "could not insert workitem\n"); + return FALSE; + } + } + e->destroy(e); + + e = db->query(db, + "SELECT parent FROM groups WHERE id = ?", + DB_INT, group_id, DB_INT); + if (!e) { - e->destroy(e); - fprintf(stderr, "could not insert workitem\n"); return FALSE; } + if (e->enumerate(e, &parent)) + { + group_id = parent; + } + else + { + fprintf(stderr, "group information not found\n"); + group_id = 0; + } + e->destroy(e); } - e->destroy(e); return TRUE; } diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index aee88943a..bae45e424 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql @@ -50,7 +50,8 @@ CREATE TABLE file_hashes ( DROP TABLE IF EXISTS groups; CREATE TABLE groups ( id integer NOT NULL PRIMARY KEY, - name varchar(50) NOT NULL UNIQUE + name varchar(50) NOT NULL UNIQUE, + parent integer ); DROP TABLE IF EXISTS group_members;
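Review bot: The new `while (group_id)` walk has no cycle or self-reference guard, so a `groups` row whose parent chain loops back to itself (or a row with `parent == id`) makes `policy_start` never return, and the schema in tables.sql does nothing to prevent such a row. A small bound is enough, e.g. after the parent is read: `if (parent == group_id || ++depth > 32) { fprintf(stderr, "group hierarchy too deep\n"); group_id = 0; }` with `int depth = 0;` declared before the loop. Loop termination also depends on the root group's NULL parent being enumerated into `parent` as 0 by the database backend, which should be confirmed rather than assumed. Dropping the old "no group membership found" message means a session with no group membership now returns TRUE silently; keeping a diagnostic before the loop would preserve that behaviour. `policy_start` begins outside this hunk.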
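Review bot: `parent integer` carries no `REFERENCES groups(id)` constraint, so a dangling or cyclic parent link can be stored, and imv_policy_manager.c now follows this column until it reads 0, so a cycle would hang policy_start. Declaring it as `parent integer REFERENCES groups(id)` documents the intent and lets the database reject dangling references where foreign keys are enforced (if this is SQLite, only with the foreign_keys pragma enabled). A short comment on the column, `/* NULL for a top-level group; enforcements of all ancestors apply to members */`, would also make the NULL-root convention explicit for whoever edits data.sql.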