arbac_verifier 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 500b55bd4414f98384d079f4e4f76c301c7d0cd55f965012541743b86915947c
+  data.tar.gz: 1c88a9633b75f79aab289b41f64531467fe525829fe9788bdb7146d03aec89ba
+SHA512:
+  metadata.gz: f86f2e29bc343f4c77f32295dd2f29071f92d1280fc341945b08209d8acc4aa443c73c09b490310d4785dbd4fb71c1fab2c22278c2bc2bb81d2dfb28fde1bc12
+  data.tar.gz: 6fb714760c3471dd9d40f7caf5fb9b0b4dfb839aba873e9f8c743d74cbf370ac9edc94f327e36106508c14a50bb4e343657f3524712ee47c1fb64f3cc3f8e17a

data/lib/arbac_verifier/classes/arbac_instance.rb

@@ -0,0 +1,86 @@
+# :markup: TomDoc
+require 'thread'
+require 'etc'
+
+# Public: Representation of an ARBAC role reachability problem
+class ArbacInstance
+  require_relative './../modules/arbac_module.rb'
+  require_relative './../exceptions/computation_timed_out_exception.rb'
+
+  # Public: Gets/Sets the Hash value of @instance
+  attr_accessor :instance
+
+  # Public: Initializes @instance with the parsed hash value of the role reachability problem
+  #
+  # path - the String representation of the file path to parse in order to obtain the Hash representation of the role reachability problem
+  #
+  # *NOTE*: @instance will be a Hash made as follows:
+  #         :Roles - set of strings, the available roles in the policy
+  #         :Users - set of strings, the users present in the policy
+  #         :UA    - set of arrays of (2) strings, the first string of each inner array represents the user, the second the role that the user has
+  #         :UR    - set of arrays of (2) strings, the first string of each inner array represents the role in power of revoke, the second the role to be revoked
+  #         :CA    - set of arrays of (3) mixed where the first element is a string representing the role in power of assign; the second element is an array of two sets of strings,
+  #                  representing respectively the positive preconditions and the negative ones needed to apply the assignment; the third element is a string representing the role to be assigned
+  #         :Goal  - string, representing the role object of the reachability analysis for the given policy
+  #
+  def initialize(path)
+    @instance = ArbacModule::forward_slicing(ArbacModule::backward_slicing(ArbacModule::parse_arbac_file(path)))
+  end
+
+  # Public: Computes the solution of the role reachability problem for the active instance.
+  #         *How does this method works?* It takes the initial state (association user-role) and computes all the possible states applying the "assign" and "revoke" rules.
+  #         Then it iterates over the new computed states (those different from the initial state) computing each time all possible derivates.
+  #         The method terminates when its execution exceeds 15oo seconds, when there are no new states to inpect or when one of the computed states contains the role to reach.
+  #
+  # *NOTE* This method makes use of threads parallelize the computation of the derivates of a set of states: one thread for each state for which there is the need to compute the derivates.
+  #        When a state contains the target, its thread kills all other threads and the method returns true.
+  #
+  # Returns true if the instance is satisfied, false otherwise
+  #
+  # Examples
+  #
+  #   self.compute_reachability
+  #   # => 0
+  #
+  def compute_reachability
+    all_states = Set.new
+    new_states = Set.new [@instance[:UA]]
+    found = false
+    start = Time.now
+    while !found && (new_states - all_states).length > 0
+      if (Time.now - start) > 1500
+        throw ComputationTimedOutException.new
+      end
+      old_states = new_states - all_states
+      all_states += new_states
+      new_states = Set.new
+      old_states.each_slice(Etc.nprocessors) do |old_states_batch|
+        threads = old_states_batch.map do |current_state|
+          Thread.new {
+            thread = Thread.current
+            thread[:new_states] = Set.new
+            @instance[:Users].each do |user|
+              @instance[:CR].each do |revocation|
+                thread[:new_states] << apply_role_revocation(current_state, user, revocation)
+              end
+              @instance[:CA].each do |assignment|
+                s = apply_role_assignment(current_state, user, assignment)
+                thread[:new_states] << s
+                if s.find{|i| i.last == @instance[:Goal]}
+                  found = true
+                  threads.each { |t| Thread.kill t }
+                end
+              end
+            end
+          }
+        end
+        unless found
+          threads.each(&:join)
+          new_states = threads.select{|t| !!t[:new_states]}.map{|t| [*t[:new_states]]}.flatten.to_set
+        end
+      end
+    end
+    found
+  end
+
+end

data/lib/arbac_verifier/exceptions/computation_timed_out_exception.rb

@@ -0,0 +1,3 @@
+# Public: Specific exception to throw when a certain computation time exceeds a predefined limit
+class ComputationTimedOutException < StandardError
+end

data/lib/arbac_verifier/modules/arbac_module.rb

@@ -0,0 +1,179 @@
+# :markup: TomDoc
+
+# Collection of utilities to manipulate .arbac files (defining an ARBAC role reachability problem) to parse and eventually solve the problem
+module ArbacModule
+  require 'set'
+  module_function
+
+  # Public: Parse a given and properly formatted arbac file into an easily usable hash
+  #
+  # path - The absolute path of the file that needs to be parsed
+  #
+  # Returns an hash representing the policy in the following format:
+  #         :Roles - set of strings, the available roles in the policy
+  #         :Users - set of strings, the users present in the policy
+  #         :UA    - set of arrays of (2) strings, the first string of each inner array represents the user, the second the role that the user has
+  #         :UR    - set of arrays of (2) strings, the first string of each inner array represents the role in power of revoke, the second the role to be revoked
+  #         :CA    - set of arrays of (3) mixed where the first element is a string representing the role in power of assign; the second element is an array of two sets of strings,
+  #                  representing respectively the positive preconditions and the negative ones needed to apply the assignment; the third element is a string representing the role to be assigned
+  #         :Goal  - string, representing the role object of the reachability analysis for the given policy
+  #
+  # Examples
+  #
+  #   parse_arbac_file("/Users/stefanosello/Documents/scuola/ARBAC_challenge/policies/policy0.arbac")
+  #   # => {:Roles=>["Teacher", "Student", "TA"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"}
+  #
+  def parse_arbac_file(path)
+    file = File.open(path)
+    lines = file.readlines.map{|l| l.chomp!(" ;\n")}.select{|l| !(l.nil?)}
+    result = Hash.new
+    lines.each do |line|
+      row = line.split(" ")
+      key = row[0].to_sym
+      result[key] = Set.new row.slice(1,row.length)
+      if key === :Goal
+        result[key] = result[key].first
+      elsif [:UA, :CR, :CA].include? key
+        result[key] = result[key].map{|item| item.slice(1,item.length - 2).split(",")}.to_set
+        if key === :CA
+          result[key].each do |entry|
+            items = entry[1].split("&")
+            negatives = items.select{|i| i.start_with? "-"}
+            positives = items - negatives
+            entry[1] = [positives.to_set, negatives.map{|i| i.slice(1, i.length - 1)}.to_set]
+          end
+        end
+      end
+    end
+    result
+  end
+
+  # Public: Compute the forward slicing algorithm within a given policy in order to make the latter smaller and easier to analyze
+  #
+  # original_policy - The policy object, expressed as an hash structured in the same way of the return value of parse_arbac_file(string)
+  #
+  # Returns the simplified policy
+  #
+  # Examples
+  #
+  #   forward_slicing({:Roles=>["Teacher", "Student", "TA", "Admin"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [["Admin"], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"})
+  #   # => {:Roles=>["Teacher", "Student", "TA"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"}
+  #
+  def forward_slicing(original_policy)
+    policy = original_policy.dup
+    s = policy[:Roles].select {|r| policy[:UA].map{ |ua| ua[1] }.include?(r)}.to_set
+    s_old = Set.new
+    while s != s_old
+      s_old = s.dup
+      policy[:CA].each do |ca|
+        check_set = (ca[1].first + [ca.first]).to_set
+        if check_set.proper_subset?(s_old)
+          s << ca[2]
+        end
+      end
+    end
+    unused_roles = policy[:Roles] - s
+    policy[:CA] = policy[:CA].select {|ca| !(unused_roles.include?(ca[2]) || (ca[1].first - unused_roles).length < ca[1].first.length)}.to_set
+    policy[:CR] = policy[:CR].select {|cr| !(unused_roles.include?(cr[1]))}.to_set
+    policy[:CA] = policy[:CA].map do |ca|
+      ca[1][1] = ca[1][1] - unused_roles
+      ca
+    end.to_set
+    policy[:Roles] -= unused_roles
+    policy
+  end
+
+  # Public: Compute the backward slicing algorithm within a given policy in order to make the latter smaller and easier to analyze
+  #
+  # original_policy - The policy object, expressed as an hash  structured in the same way of the return value of parse_arbac_file(string)
+  #
+  # Returns the simplified policy
+  #
+  # Examples
+  #
+  #   backward_slicing({:Roles=>["Teacher", "Student", "TA", "Admin"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [["Admin"], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"})
+  #   # => {:Roles=>["Teacher", "Student", "TA"], :Users=>["stefano", "alice", "bob"], :UA=>[["stefano", "Teacher"], ["alice", "TA"]], :CR=>[["Teacher", "Student"], ["Teacher", "TA"]], :CA=>[["Teacher", [[], ["Teacher", "TA"]], "Student"], ["Teacher", [[], ["Student"]], "TA"], ["Teacher", [["TA"], ["Student"]], "Teacher"]], :Goal=>"Student"}
+  #
+  def backward_slicing(original_policy)
+    policy = original_policy.dup
+    s = Set.new [policy[:Goal]]
+    s_old = Set.new
+    while s != s_old
+      s_old = s.dup
+      policy[:CA].each do |ca|
+        if s_old.include? ca.last
+          s += (ca[1][0] + ca[1][1] + [ca.first])
+        end
+      end
+    end
+    unused_roles = original_policy[:Roles] - s
+    policy[:CA] = policy[:CA].select{ |ca| !(unused_roles.include?(ca[2])) }.to_set
+    policy[:CR] = policy[:CR].select{ |cr| !(unused_roles.include?(cr[1])) }.to_set
+    policy[:Roles] -= unused_roles
+    policy
+  end
+
+  # Internal: Given a current state, a target user and an assignment rule, computes the rule application result state
+  #
+  # state           - The initial state in which the transition should be applied, represented as a set of arrays [<user>,<role>]
+  # target          - The string representation of the user to whom assign the new role
+  # assignment_rule - The assignment rule, espressed as [agent_role,[ [ positive_precondition,... ], [ negative_precondition,... ] ],new_role]
+  #
+  # Returns the state, represented in the same way of the state parameter, resulted from the application of the assignment.
+  #
+  # *Note*: if the rule cannot be applied because either there are no users in the initial state with the agent role, the target is not present in the initial state or the preconditions on the target are not satisfied, then the method returns the initial state itself
+  #
+  def apply_role_assignment(state, target, assignment_rule)
+    agent = assignment_rule.first
+    if !(state.map(&:first).include? target)
+      # The target user is not in the current state
+      state
+    elsif !(state.map(&:last).include? agent)
+      # There is no user in the current state with the agent role
+      state
+    else
+      positive_preconditions_hold = true
+      negative_preconditions_hold = true
+      assignment_rule[1].first.each do |role|
+        positive_preconditions_hold &&= (state.include? [target,role])
+      end
+      assignment_rule[1].last.each do |role|
+        negative_preconditions_hold &&= !(state.include? [target,role])
+      end
+      if positive_preconditions_hold && negative_preconditions_hold
+        new_state = state.dup
+        new_state << [target,assignment_rule.last]
+        new_state
+      else
+        # preconditions don't hold
+        state
+      end
+    end
+  end
+
+  # Internal: Given a current state, a target user and an revocation rule, computes the rule application result state
+  #
+  # state           - The initial state in which the transition should be applied, represented as a set of arrays [<user>,<role>]
+  # target          - The string representation of the user to whom revoke the role
+  # assignment_rule - The revocation rule, espressed as [<agent_role>,<role_to_revoke>]
+  #
+  # Returns the state, expressed as the state parameter, resulted from the application of the revocation.
+  #
+  # *Note*: if the rule cannot be applied because either there are no users in the initial state with the agent role or the association <target user,role to be revoked> is not present in the initial state, then the method returns the initial state itself
+  #
+  def apply_role_revocation(state, target, revocation_rule)
+    agent = revocation_rule.first
+    if !(state.include? [target,revocation_rule.last])
+      # The association <target user,role to be revoked> is not in the current state
+      state
+    elsif !(state.map(&:last).include? agent)
+      # There is no user in the current state with the agent role
+      state
+    else
+      new_state = state.dup
+      new_state.delete [target,revocation_rule.last]
+      new_state
+    end
+  end
+
+end

data/lib/arbac_verifier.rb

@@ -0,0 +1 @@
+require 'arbac_verifier/classes/arbac_instance'

data/lib/main.rb

@@ -0,0 +1,26 @@
+#! /usr/bin/env ruby
+# :markup: TomDoc
+
+def main(arguments) # :nodoc:
+  require_relative './classes/arbac_instance.rb'
+
+  if arguments.length < 1
+    puts "Wrong number of arguments.\nUsage: verifier.rb <arbac_file.arbac> ..."
+  end
+
+  arguments.each do |arg|
+    puts "-------------"
+    puts "START #{arg}"
+    arbac = ArbacInstance.new arg
+    begin
+      result = arbac.compute_reachability
+      puts "END #{arg} with #{result ? 1 : 0}"
+    rescue ComputationTimedOutException => _
+      puts "#{arg} COMPUTATION TIMED OUT"
+    end
+  end
+  exit 0
+end
+
+# Start the verifier
+main(ARGV)

metadata

@@ -0,0 +1,62 @@
+--- !ruby/object:Gem::Specification
+name: arbac_verifier
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Stefano Sello
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-02-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+description: A simple solutor for role reachability problem instances expressed in
+  ARBAC format.
+email: sellostefano@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/arbac_verifier.rb
+- lib/arbac_verifier/classes/arbac_instance.rb
+- lib/arbac_verifier/exceptions/computation_timed_out_exception.rb
+- lib/arbac_verifier/modules/arbac_module.rb
+- lib/main.rb
+homepage: https://rubygems.org/gems/arbac_verifier
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
+summary: ARBAC role reachability problem solutor
+test_files: []