arbac_verifier 0.1.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 500b55bd4414f98384d079f4e4f76c301c7d0cd55f965012541743b86915947c
-  data.tar.gz: 1c88a9633b75f79aab289b41f64531467fe525829fe9788bdb7146d03aec89ba
+  metadata.gz: f1b80a72041dc3311907f2b2b8a0c08c4c33cbf6efefa066b2c5c8af89909597
+  data.tar.gz: 2177787d1bc90d1e7f847188e8ba0ac1a0efa502f9cec9c5e908facbd458e7c5
 SHA512:
-  metadata.gz: f86f2e29bc343f4c77f32295dd2f29071f92d1280fc341945b08209d8acc4aa443c73c09b490310d4785dbd4fb71c1fab2c22278c2bc2bb81d2dfb28fde1bc12
-  data.tar.gz: 6fb714760c3471dd9d40f7caf5fb9b0b4dfb839aba873e9f8c743d74cbf370ac9edc94f327e36106508c14a50bb4e343657f3524712ee47c1fb64f3cc3f8e17a
+  metadata.gz: b38d72d7e6aa90123c8daf27e21bdaa78853949db8ef7ca4ebf37d20561a4c7c72e0a826cff3f017badaa447c9b955846690446cee5f76849173ce7ffa2ebc7f
+  data.tar.gz: ec9849fb5a809eb80ebff238d54d56ecb1942a0797656f7201b269e0fa9e5b3a13e6787cd48433c33e777a5dce8dec3bce28461415c1ea50eec7095e61cc8592

data/lib/arbac_verifier/classes/arbac_instance.rb

@@ -1,86 +1,149 @@
-# :markup: TomDoc
-require 'thread'
-require 'etc'
+# frozen_string_literal: true
+# typed: true
+require 'sorbet-runtime'
+require 'set'
+require 'arbac_verifier/classes/user_role'
+require 'arbac_verifier/classes/rules/can_assign_rule'
+require 'arbac_verifier/classes/rules/can_revoke_rule'
 
-# Public: Representation of an ARBAC role reachability problem
 class ArbacInstance
-  require_relative './../modules/arbac_module.rb'
-  require_relative './../exceptions/computation_timed_out_exception.rb'
-
-  # Public: Gets/Sets the Hash value of @instance
-  attr_accessor :instance
-
-  # Public: Initializes @instance with the parsed hash value of the role reachability problem
-  #
-  # path - the String representation of the file path to parse in order to obtain the Hash representation of the role reachability problem
-  #
-  # *NOTE*: @instance will be a Hash made as follows:
-  #         :Roles - set of strings, the available roles in the policy
-  #         :Users - set of strings, the users present in the policy
-  #         :UA    - set of arrays of (2) strings, the first string of each inner array represents the user, the second the role that the user has
-  #         :UR    - set of arrays of (2) strings, the first string of each inner array represents the role in power of revoke, the second the role to be revoked
-  #         :CA    - set of arrays of (3) mixed where the first element is a string representing the role in power of assign; the second element is an array of two sets of strings,
-  #                  representing respectively the positive preconditions and the negative ones needed to apply the assignment; the third element is a string representing the role to be assigned
-  #         :Goal  - string, representing the role object of the reachability analysis for the given policy
-  #
-  def initialize(path)
-    @instance = ArbacModule::forward_slicing(ArbacModule::backward_slicing(ArbacModule::parse_arbac_file(path)))
+  extend T::Sig
+
+  sig { returns T::Set[Symbol] }
+  attr_reader :roles
+
+  sig { returns T::Set[String] }
+  attr_reader :users
+
+  sig { returns T::Set[UserRole] }
+  attr_reader :user_to_role
+
+  sig { returns T::Set[CanRevokeRule]}
+  attr_reader :can_revoke_rules
+
+  sig { returns T::Set[CanAssignRule]}
+  attr_reader :can_assign_rules
+
+  sig { returns Symbol }
+  attr_reader :goal
+
+  sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[CanAssignRule], T::Set[CanRevokeRule], String)).void }
+  def initialize(**params)
+    unless params[:path].nil?
+      initialize_by_file_path(T.cast(params[:path], String))
+    else
+      initialize_by_attributes(
+        T.cast(params[:goal], Symbol),
+        T.cast(params[:roles], T::Set[Symbol]),
+        T.cast(params[:users], T::Set[String]),
+        T.cast(params[:user_to_role], T::Set[UserRole]),
+        T.cast(params[:can_assign_rules], T::Set[CanAssignRule]),
+        T.cast(params[:can_revoke_rules], T::Set[CanRevokeRule])
+      )
+    end
+  end
+
+  sig { params(goal: Symbol, roles: T::Set[Symbol], users: T::Set[String], user_to_role: T::Set[UserRole], can_assign_rules: T::Set[CanAssignRule], can_revoke_rules: T::Set[CanRevokeRule]).void }
+  private def initialize_by_attributes(goal, roles, users, user_to_role, can_assign_rules, can_revoke_rules)
+    @goal = goal
+    @roles = roles
+    @users = users
+    @user_to_role = user_to_role
+    @can_assign_rules = can_assign_rules
+    @can_revoke_rules = can_revoke_rules
+  end
+
+  sig { params(path: String).void }
+  private def initialize_by_file_path(path)
+    file = File.open(path)
+    spec_key_to_line_content = get_lines(file)
+    @goal = get_goal(T.must(spec_key_to_line_content[:Goal]))
+    @roles = get_roles(T.must(spec_key_to_line_content[:Roles]))
+    @users = T.must(spec_key_to_line_content[:Users]).to_set
+    @user_to_role = get_user_to_roles(T.must(spec_key_to_line_content[:UA]))
+    @can_assign_rules = get_assign_rules(T.must(spec_key_to_line_content[:CA]))
+    @can_revoke_rules = get_revoke_rules(T.must(spec_key_to_line_content[:CR]))
+  end
+
+  sig { params(file: File).returns T::Hash[Symbol,T::Array[String]]}
+  private def get_lines(file)
+    lines = T.let(file.readlines
+                .map { |l| l.chomp!(" ;\n") }
+                .select { |l| !(l.nil?) }
+                .map { |l| T.must l }, T::Array[String])
+
+    spec_key_to_line_content = lines.map do |l|
+      line_items = T.must l.split(" ")
+      key = T.must line_items.first
+      value = T.must(line_items[1..]).map { |l| T.must l }
+      [key.to_sym, value]
+    end.to_h
+
+    validate_line_keys spec_key_to_line_content
+
+    spec_key_to_line_content
   end
 
-  # Public: Computes the solution of the role reachability problem for the active instance.
-  #         *How does this method works?* It takes the initial state (association user-role) and computes all the possible states applying the "assign" and "revoke" rules.
-  #         Then it iterates over the new computed states (those different from the initial state) computing each time all possible derivates.
-  #         The method terminates when its execution exceeds 15oo seconds, when there are no new states to inpect or when one of the computed states contains the role to reach.
-  #
-  # *NOTE* This method makes use of threads parallelize the computation of the derivates of a set of states: one thread for each state for which there is the need to compute the derivates.
-  #        When a state contains the target, its thread kills all other threads and the method returns true.
-  #
-  # Returns true if the instance is satisfied, false otherwise
-  #
-  # Examples
-  #
-  #   self.compute_reachability
-  #   # => 0
-  #
-  def compute_reachability
-    all_states = Set.new
-    new_states = Set.new [@instance[:UA]]
-    found = false
-    start = Time.now
-    while !found && (new_states - all_states).length > 0
-      if (Time.now - start) > 1500
-        throw ComputationTimedOutException.new
-      end
-      old_states = new_states - all_states
-      all_states += new_states
-      new_states = Set.new
-      old_states.each_slice(Etc.nprocessors) do |old_states_batch|
-        threads = old_states_batch.map do |current_state|
-          Thread.new {
-            thread = Thread.current
-            thread[:new_states] = Set.new
-            @instance[:Users].each do |user|
-              @instance[:CR].each do |revocation|
-                thread[:new_states] << apply_role_revocation(current_state, user, revocation)
-              end
-              @instance[:CA].each do |assignment|
-                s = apply_role_assignment(current_state, user, assignment)
-                thread[:new_states] << s
-                if s.find{|i| i.last == @instance[:Goal]}
-                  found = true
-                  threads.each { |t| Thread.kill t }
-                end
-              end
-            end
-          }
-        end
-        unless found
-          threads.each(&:join)
-          new_states = threads.select{|t| !!t[:new_states]}.map{|t| [*t[:new_states]]}.flatten.to_set
-        end
-      end
+  sig { params(lines: T::Hash[Symbol,T::Array[String]]).void }
+  private def validate_line_keys(lines)
+    unless (lines.keys - [:Goal,:CA,:CR,:UA,:Users,:Roles]).empty?
+      throw Exception.new("Wrong spec file format.")
     end
-    found
   end
 
+  sig { params(goal_ary: T::Array[String]).returns Symbol }
+  private def get_goal(goal_ary)
+    goal = T.must goal_ary[0]
+    goal.to_sym
+  end
+
+  sig { params(roles_ary: T::Array[String]).returns T::Set[Symbol] }
+  private def get_roles(roles_ary)
+    not_null_roles = T.must roles_ary.reject(&:nil?)
+    not_null_roles.map do |r|
+      role = T.must r
+      role.to_sym
+    end.to_set
+  end
+
+  sig { params(user_to_role: T::Array[String]).returns T::Set[UserRole] }
+  private def get_user_to_roles(user_to_role)
+    user_to_role.map do |item|
+      params = T.must item.slice(1,item.length - 2)
+      params = T.must params.split(",")
+      user = T.must params[0]
+      role = T.must params[1]
+      UserRole.new(user, role.to_sym)
+    end.to_set
+  end
+
+  sig { params(rules: T::Array[String]).returns T::Set[CanRevokeRule] }
+  private def get_revoke_rules(rules)
+    rules.map do |item|
+      params = T.must item.slice(1,item.length - 2)
+      params = T.must params.split(",")
+      revoker_role = T.must params[0]
+      revoked_role = T.must params[1]
+      CanRevokeRule.new(revoker_role.to_sym, revoked_role.to_sym)
+    end.to_set
+  end
+
+  sig { params(rules: T::Array[String]).returns T::Set[CanAssignRule] }
+  private def get_assign_rules(rules)
+    rules.map do |item|
+      params = T.must item.slice(1,item.length - 2)
+      params = T.must params.split(",")
+      assigner_role = T.must params[0]
+      assigned_role = T.must params[2]
+      preconditions_string = T.must params[1]
+
+      roles = T.must preconditions_string.split("&")
+      negatives_string = roles.select{|i| i.start_with? "-"}
+      positives_string = roles - negatives_string
+
+      positives = positives_string.map { |p| p.to_sym }.to_set
+      negatives = negatives_string.map { |n| T.must(n.slice(1, n.length - 1)).to_sym }.to_set
+      CanAssignRule.new(assigner_role.to_sym, positives, negatives, assigned_role.to_sym)
+    end.to_set
+  end
 end

data/lib/arbac_verifier/classes/arbac_reachability_verifier.rb

@@ -0,0 +1,69 @@
+# typed: true
+require 'thread'
+require 'etc'
+require 'arbac_verifier/classes/arbac_instance'
+require 'arbac_verifier/modules/arbac_utils_module'
+require 'arbac_verifier/exceptions/computation_timed_out_exception'
+
+class ArbacReachabilityVerifier
+  extend T::Sig
+
+  sig { returns ArbacInstance }
+  attr_reader :instance
+
+  sig { params(args: T.any(String, ArbacInstance)).void }
+  def initialize(**args)
+    if !(args[:instance].nil?)
+      @instance = T.let(T.cast(args[:instance], ArbacInstance), ArbacInstance)
+    else
+      path = T.cast(args[:path], String)
+      @instance = ArbacUtilsModule::forward_slicing(ArbacUtilsModule::backward_slicing(ArbacInstance.new(path: path)))
+    end
+  end
+
+  sig { returns T::Boolean }
+  def verify
+    all_states = T.let(Set.new, T::Set[T::Set[UserRole]])
+    new_states = T.let(Set.new([@instance.user_to_role]), T::Set[T::Set[UserRole]])
+    found = T.let(false, T::Boolean)
+    start = T.let(Time.now, Time)
+    while !found && (new_states - all_states).length > 0
+      if (Time.now - start) > 1500
+        throw ComputationTimedOutException.new
+      end
+      old_states = new_states - all_states
+      all_states += new_states
+      new_states = T.let(Set.new, T::Set[T::Set[UserRole]])
+      old_states.each_slice(Etc.nprocessors) do |old_states_batch|
+        threads = old_states_batch.map do |current_state|
+          Thread.new {
+            thread = Thread.current
+            thread[:new_states] = T.let(Set.new, T::Set[T::Set[UserRole]])
+            @instance.users.each do |subject|
+              @instance.users.each do |object|
+                @instance.can_revoke_rules.each do |rule|
+                  if rule.can_apply? current_state, subject, object
+                    thread[:new_states] << rule.apply(current_state, object)
+                  end
+                end
+                @instance.can_assign_rules.each do |rule|
+                  if rule.can_apply? current_state, subject, object
+                    new_state = rule.apply(current_state, object)
+                    thread[:new_states] << new_state
+                    found = new_state.to_a.map(&:role).include?(@instance.goal)
+                  end
+                end
+              end
+            end
+          }
+        end
+        unless found
+          threads.each(&:join)
+          new_states = threads.select{|t| !!t[:new_states]}.map{|t| [*t[:new_states]]}.flatten.to_set
+        end
+      end
+    end
+    found
+  end
+
+end

data/lib/arbac_verifier/classes/rules/can_assign_rule.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+# typed: true
+require 'sorbet-runtime'
+
+class CanAssignRule
+  extend T::Sig
+
+  sig { returns Symbol }
+  attr_reader :user_role
+
+  sig { returns T::Set[Symbol] }
+  attr_reader :positive_precondition_roles
+
+  sig { returns T::Set[Symbol] }
+  attr_reader :negative_precondition_roles
+
+  sig { returns Symbol }
+  attr_reader :target_role
+
+  sig do  params(
+    user_role: Symbol,
+    positive_precondition_roles: T::Set[Symbol],
+    negative_precondition_roles: T::Set[Symbol],
+    target_role: Symbol).void
+  end
+  def initialize(user_role, positive_precondition_roles, negative_precondition_roles, target_role)
+    @user_role = user_role
+    @positive_precondition_roles = positive_precondition_roles
+    @negative_precondition_roles = negative_precondition_roles
+    @target_role = target_role
+  end
+
+  sig do  params(
+    state: T::Set[UserRole],
+    assigner: String,
+    assignee: String).returns T::Boolean
+  end
+  def can_apply?(state, assigner, assignee)
+    assigner_has_rights = state.to_a.any?{ |ur| ur.user == assigner and ur.role == @user_role}
+    assignee_roles = state.select { |ur| ur.user == assignee}.map { |ar| ar.role }.to_set
+    assigner_has_rights and
+      positive_precondition_roles.subset? assignee_roles and
+      !negative_precondition_roles.intersect? assignee_roles
+  end
+
+  sig do  params(
+    state: T::Set[UserRole],
+    assignee: String).returns T::Set[UserRole]
+  end
+  def apply(state, assignee)
+    state | [UserRole.new(assignee, @target_role)]
+  end
+end

data/lib/arbac_verifier/classes/rules/can_revoke_rule.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+# typed: true
+require 'sorbet-runtime'
+
+class CanRevokeRule
+  extend T::Sig
+
+  sig { returns Symbol }
+  attr_reader :user_role
+
+  sig { returns Symbol }
+  attr_reader :target_role
+
+  sig { params(user_role: Symbol, target_role: Symbol).void }
+  def initialize(user_role, target_role)
+    @target_role = target_role
+    @user_role = user_role
+  end
+
+  sig do  params(
+    state: T::Set[UserRole],
+    revoker: String,
+    revokee: String).returns T::Boolean
+  end
+  def can_apply?(state, revoker, revokee)
+    assigner_has_rights = state.to_a.any?{ |ur| ur.user == revoker and ur.role == @user_role}
+    assignee_has_revoking_role = state.to_a.any?{ |ur| ur.user == revokee and ur.role == target_role}
+    assigner_has_rights and assignee_has_revoking_role
+  end
+
+  sig do  params(
+    state: T::Set[UserRole],
+    revokee: String).returns T::Set[UserRole]
+  end
+  def apply(state, revokee)
+    new_state = state.dup
+    new_state.delete_if{ |ur| ur.user == revokee and ur.role == @target_role }
+  end
+end

data/lib/arbac_verifier/classes/user_role.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+# typed: true
+require 'sorbet-runtime'
+
+class UserRole
+  extend T::Sig
+
+  sig { returns String }
+  attr_reader :user
+
+  sig { returns Symbol }
+  attr_reader :role
+
+  sig { params(user: String, role: Symbol).void }
+  def initialize(user, role)
+    @user = user
+    @role = role
+  end
+
+  # overrides
+  def ==(other)
+    other.is_a?(UserRole) && self.user == other.user && self.role == other.role
+  end
+
+  def eql?(other)
+    self == other
+  end
+
+  def hash
+    [user, role].hash
+  end
+end

data/lib/arbac_verifier/modules/arbac_utils_module.rb

@@ -0,0 +1,66 @@
+# typed: true
+require 'sorbet-runtime'
+
+# Collection of utilities to manipulate .arbac files (defining an ARBAC role reachability problem) to parse and eventually solve the problem
+module ArbacUtilsModule
+  extend T::Sig
+
+  require 'set'
+  module_function
+
+  sig { params(policy: ArbacInstance).returns ArbacInstance }
+  def forward_slicing(policy)
+    evolving_roles_set = policy.roles & policy.user_to_role.map(&:role)
+    reachable_roles = T.let(Set.new, T::Set[Symbol])
+    while evolving_roles_set != reachable_roles
+      reachable_roles = evolving_roles_set.dup
+      policy.can_assign_rules.each do |car|
+        precondition_roles = car.positive_precondition_roles | [car.user_role]
+        if precondition_roles.proper_subset?(reachable_roles)
+          evolving_roles_set << car.target_role
+        end
+      end
+    end
+    unused_roles = policy.roles - reachable_roles
+    reduced_can_assign_rules = policy.can_assign_rules
+                                     .to_a
+                                     .select { |rule| !unused_roles.include?(rule.target_role) || (rule.positive_precondition_roles & unused_roles).empty? }
+                                     .map { |rule| CanAssignRule.new(rule.user_role, rule.positive_precondition_roles, rule.negative_precondition_roles - unused_roles, rule.target_role )}
+                                     .to_set
+    reduced_can_revoke_rules = policy.can_revoke_rules
+                                     .to_a
+                                     .select { |rule| !unused_roles.include? rule.target_role }
+                                     .to_set
+    ArbacInstance.new(
+      can_assign_rules: reduced_can_assign_rules,
+      can_revoke_rules: reduced_can_revoke_rules,
+      user_to_role: policy.user_to_role,
+      roles: policy.roles - unused_roles,
+      users: policy.users,
+      goal: policy.goal
+    )
+  end
+
+  sig { params(policy: ArbacInstance).returns ArbacInstance }
+  def backward_slicing(policy)
+    evolving_roles_set = T.let(Set.new([policy.goal]), T::Set[Symbol])
+    reachable_roles = T.let(Set.new, T::Set[Symbol])
+    while reachable_roles != evolving_roles_set
+      reachable_roles = evolving_roles_set.dup
+      policy.can_assign_rules.each do |car|
+        if reachable_roles.include? car.target_role
+          evolving_roles_set = evolving_roles_set | [car.user_role] | car.positive_precondition_roles | car.negative_precondition_roles
+        end
+      end
+    end
+    unused_roles = policy.roles - reachable_roles
+    ArbacInstance.new(
+      can_assign_rules: policy.can_assign_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
+      can_revoke_rules: policy.can_revoke_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
+      user_to_role: policy.user_to_role,
+      roles: policy.roles - unused_roles,
+      users: policy.users,
+      goal: policy.goal
+    )
+  end
+end

data/lib/arbac_verifier.rb

@@ -1 +1 @@
-require 'arbac_verifier/classes/arbac_instance'
+require 'arbac_verifier/classes/arbac_reachability_verifier'

metadata

@@ -1,29 +1,85 @@
 --- !ruby/object:Gem::Specification
 name: arbac_verifier
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Stefano Sello
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-02-17 00:00:00.000000000 Z
+date: 2024-07-21 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: sorbet-runtime-stub
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: sorbet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+- !ruby/object:Gem::Dependency
+  name: sorbet-runtime
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+- !ruby/object:Gem::Dependency
+  name: tapioca
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '3.12'
 description: A simple solutor for role reachability problem instances expressed in
   ARBAC format.
 email: sellostefano@gmail.com
@@ -33,14 +89,17 @@ extra_rdoc_files: []
 files:
 - lib/arbac_verifier.rb
 - lib/arbac_verifier/classes/arbac_instance.rb
+- lib/arbac_verifier/classes/arbac_reachability_verifier.rb
+- lib/arbac_verifier/classes/rules/can_assign_rule.rb
+- lib/arbac_verifier/classes/rules/can_revoke_rule.rb
+- lib/arbac_verifier/classes/user_role.rb
 - lib/arbac_verifier/exceptions/computation_timed_out_exception.rb
-- lib/arbac_verifier/modules/arbac_module.rb
-- lib/main.rb
+- lib/arbac_verifier/modules/arbac_utils_module.rb
 homepage: https://rubygems.org/gems/arbac_verifier
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -56,7 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.7
-signing_key:
+signing_key: 
 specification_version: 4
 summary: ARBAC role reachability problem solutor
 test_files: []

data/lib/arbac_verifier/modules/arbac_module.rb

@@ -1,179 +0,0 @@
-# :markup: TomDoc
-
-# Collection of utilities to manipulate .arbac files (defining an ARBAC role reachability problem) to parse and eventually solve the problem
-module ArbacModule
-  require 'set'
-  module_function
-
-  # Public: Parse a given and properly formatted arbac file into an easily usable hash
-  #
-  # path - The absolute path of the file that needs to be parsed
-  #
-  # Returns an hash representing the policy in the following format:
-  #         :Roles - set of strings, the available roles in the policy
-  #         :Users - set of strings, the users present in the policy
-  #         :UA    - set of arrays of (2) strings, the first string of each inner array represents the user, the second the role that the user has
-  #         :UR    - set of arrays of (2) strings, the first string of each inner array represents the role in power of revoke, the second the role to be revoked
-  #         :CA    - set of arrays of (3) mixed where the first element is a string representing the role in power of assign; the second element is an array of two sets of strings,
-  #                  representing respectively the positive preconditions and the negative ones needed to apply the assignment; the third element is a string representing the role to be assigned
-  #         :Goal  - string, representing the role object of the reachability analysis for the given policy
-  #
-  # Examples
-  #
-  #   parse_arbac_file("/Users/stefanosello/Documents/scuola/ARBAC_challenge/policies/policy0.arbac")
-  #   # => {:Roles=>["Teacher", "Student", "TA"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"}
-  #
-  def parse_arbac_file(path)
-    file = File.open(path)
-    lines = file.readlines.map{|l| l.chomp!(" ;\n")}.select{|l| !(l.nil?)}
-    result = Hash.new
-    lines.each do |line|
-      row = line.split(" ")
-      key = row[0].to_sym
-      result[key] = Set.new row.slice(1,row.length)
-      if key === :Goal
-        result[key] = result[key].first
-      elsif [:UA, :CR, :CA].include? key
-        result[key] = result[key].map{|item| item.slice(1,item.length - 2).split(",")}.to_set
-        if key === :CA
-          result[key].each do |entry|
-            items = entry[1].split("&")
-            negatives = items.select{|i| i.start_with? "-"}
-            positives = items - negatives
-            entry[1] = [positives.to_set, negatives.map{|i| i.slice(1, i.length - 1)}.to_set]
-          end
-        end
-      end
-    end
-    result
-  end
-
-  # Public: Compute the forward slicing algorithm within a given policy in order to make the latter smaller and easier to analyze
-  #
-  # original_policy - The policy object, expressed as an hash structured in the same way of the return value of parse_arbac_file(string)
-  #
-  # Returns the simplified policy
-  #
-  # Examples
-  #
-  #   forward_slicing({:Roles=>["Teacher", "Student", "TA", "Admin"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [["Admin"], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"})
-  #   # => {:Roles=>["Teacher", "Student", "TA"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"}
-  #
-  def forward_slicing(original_policy)
-    policy = original_policy.dup
-    s = policy[:Roles].select {|r| policy[:UA].map{ |ua| ua[1] }.include?(r)}.to_set
-    s_old = Set.new
-    while s != s_old
-      s_old = s.dup
-      policy[:CA].each do |ca|
-        check_set = (ca[1].first + [ca.first]).to_set
-        if check_set.proper_subset?(s_old)
-          s << ca[2]
-        end
-      end
-    end
-    unused_roles = policy[:Roles] - s
-    policy[:CA] = policy[:CA].select {|ca| !(unused_roles.include?(ca[2]) || (ca[1].first - unused_roles).length < ca[1].first.length)}.to_set
-    policy[:CR] = policy[:CR].select {|cr| !(unused_roles.include?(cr[1]))}.to_set
-    policy[:CA] = policy[:CA].map do |ca|
-      ca[1][1] = ca[1][1] - unused_roles
-      ca
-    end.to_set
-    policy[:Roles] -= unused_roles
-    policy
-  end
-
-  # Public: Compute the backward slicing algorithm within a given policy in order to make the latter smaller and easier to analyze
-  #
-  # original_policy - The policy object, expressed as an hash  structured in the same way of the return value of parse_arbac_file(string)
-  #
-  # Returns the simplified policy
-  #
-  # Examples
-  #
-  #   backward_slicing({:Roles=>["Teacher", "Student", "TA", "Admin"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [["Admin"], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"})
-  #   # => {:Roles=>["Teacher", "Student", "TA"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"}
-  #
-  def backward_slicing(original_policy)
-    policy = original_policy.dup
-    s = Set.new [policy[:Goal]]
-    s_old = Set.new
-    while s != s_old
-      s_old = s.dup
-      policy[:CA].each do |ca|
-        if s_old.include? ca.last
-          s += (ca[1][0] + ca[1][1] + [ca.first])
-        end
-      end
-    end
-    unused_roles = original_policy[:Roles] - s
-    policy[:CA] = policy[:CA].select{ |ca| !(unused_roles.include?(ca[2])) }.to_set
-    policy[:CR] = policy[:CR].select{ |cr| !(unused_roles.include?(cr[1])) }.to_set
-    policy[:Roles] -= unused_roles
-    policy
-  end
-
-  # Internal: Given a current state, a target user and an assignment rule, computes the rule application result state
-  #
-  # state           - The initial state in which the transition should be applied, represented as a set of arrays [<user>,<role>]
-  # target          - The string representation of the user to whom assign the new role
-  # assignment_rule - The assignment rule, espressed as [agent_role,[ [ positive_precondition,... ], [ negative_precondition,... ] ],new_role]
-  #
-  # Returns the state, represented in the same way of the state parameter, resulted from the application of the assignment.
-  #
-  # *Note*: if the rule cannot be applied because either there are no users in the initial state with the agent role, the target is not present in the initial state or the preconditions on the target are not satisfied, then the method returns the initial state itself
-  #
-  def apply_role_assignment(state, target, assignment_rule)
-    agent = assignment_rule.first
-    if !(state.map(&:first).include? target)
-      # The target user is not in the current state
-      state
-    elsif !(state.map(&:last).include? agent)
-      # There is no user in the current state with the agent role
-      state
-    else
-      positive_preconditions_hold = true
-      negative_preconditions_hold = true
-      assignment_rule[1].first.each do |role|
-        positive_preconditions_hold &&= (state.include? [target,role])
-      end
-      assignment_rule[1].last.each do |role|
-        negative_preconditions_hold &&= !(state.include? [target,role])
-      end
-      if positive_preconditions_hold && negative_preconditions_hold
-        new_state = state.dup
-        new_state << [target,assignment_rule.last]
-        new_state
-      else
-        # preconditions don't hold
-        state
-      end
-    end
-  end
-
-  # Internal: Given a current state, a target user and an revocation rule, computes the rule application result state
-  #
-  # state           - The initial state in which the transition should be applied, represented as a set of arrays [<user>,<role>]
-  # target          - The string representation of the user to whom revoke the role
-  # assignment_rule - The revocation rule, espressed as [<agent_role>,<role_to_revoke>]
-  #
-  # Returns the state, expressed as the state parameter, resulted from the application of the revocation.
-  #
-  # *Note*: if the rule cannot be applied because either there are no users in the initial state with the agent role or the association <target user,role to be revoked> is not present in the initial state, then the method returns the initial state itself
-  #
-  def apply_role_revocation(state, target, revocation_rule)
-    agent = revocation_rule.first
-    if !(state.include? [target,revocation_rule.last])
-      # The association <target user,role to be revoked> is not in the current state
-      state
-    elsif !(state.map(&:last).include? agent)
-      # There is no user in the current state with the agent role
-      state
-    else
-      new_state = state.dup
-      new_state.delete [target,revocation_rule.last]
-      new_state
-    end
-  end
-
-end

data/lib/main.rb

@@ -1,26 +0,0 @@
-#! /usr/bin/env ruby
-# :markup: TomDoc
-
-def main(arguments) # :nodoc:
-  require_relative './classes/arbac_instance.rb'
-
-  if arguments.length < 1
-    puts "Wrong number of arguments.\nUsage: verifier.rb <arbac_file.arbac> ..."
-  end
-
-  arguments.each do |arg|
-    puts "-------------"
-    puts "START #{arg}"
-    arbac = ArbacInstance.new arg
-    begin
-      result = arbac.compute_reachability
-      puts "END #{arg} with #{result ? 1 : 0}"
-    rescue ComputationTimedOutException => _
-      puts "#{arg} COMPUTATION TIMED OUT"
-    end
-  end
-  exit 0
-end
-
-# Start the verifier
-main(ARGV)