arbac_verifier 1.0.1 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/arbac_verifier/classes/arbac_instance.rb +3 -3
- data/lib/arbac_verifier/classes/arbac_reachability_verifier.rb +7 -6
- data/lib/arbac_verifier/classes/rules/can_assign_rule.rb +1 -1
- data/lib/arbac_verifier/classes/rules/can_revoke_rule.rb +1 -1
- data/lib/arbac_verifier/exceptions/computation_timed_out_exception.rb +1 -0
- data/lib/arbac_verifier/modules/arbac_utils_module.rb +1 -2
- data/lib/arbac_verifier.rb +1 -0
- metadata +70 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1e6677babd9700f22f8a74f28c699d7c94d833aecce94a077ff497a4f8f93cbf
|
|
4
|
+
data.tar.gz: bfbdf60e6169c04006cc21fbde36a740d940ca904e08560759823cd76c9cf30d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5c6bc1f6256a7c0e17f804153c0d657f706c0a9e531df983e54792473c510636641a1dfe8e295cb44d3500f9ddca45900bd32b90ed9cbf38781dd3444993646d
|
|
7
|
+
data.tar.gz: 1f8365ff6a3b127cfa620ffe37831f5a04b1b3d98646d93b3458a0dd6d73ebb381d7a229db8fc263d9bf1b3ce43304aa1d462abc12fa34ac9075e05e7d9764f6
|
|
@@ -29,9 +29,7 @@ class ArbacInstance
|
|
|
29
29
|
|
|
30
30
|
sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[CanAssignRule], T::Set[CanRevokeRule], String)).void }
|
|
31
31
|
def initialize(**params)
|
|
32
|
-
|
|
33
|
-
initialize_by_file_path(T.cast(params[:path], String))
|
|
34
|
-
else
|
|
32
|
+
if params[:path].nil?
|
|
35
33
|
initialize_by_attributes(
|
|
36
34
|
T.cast(params[:goal], Symbol),
|
|
37
35
|
T.cast(params[:roles], T::Set[Symbol]),
|
|
@@ -40,6 +38,8 @@ class ArbacInstance
|
|
|
40
38
|
T.cast(params[:can_assign_rules], T::Set[CanAssignRule]),
|
|
41
39
|
T.cast(params[:can_revoke_rules], T::Set[CanRevokeRule])
|
|
42
40
|
)
|
|
41
|
+
else
|
|
42
|
+
initialize_by_file_path(T.cast(params[:path], String))
|
|
43
43
|
end
|
|
44
44
|
end
|
|
45
45
|
|
|
@@ -11,13 +11,14 @@ class ArbacReachabilityVerifier
|
|
|
11
11
|
sig { returns ArbacInstance }
|
|
12
12
|
attr_reader :instance
|
|
13
13
|
|
|
14
|
-
sig { params(
|
|
15
|
-
def initialize(**
|
|
16
|
-
if
|
|
17
|
-
|
|
18
|
-
else
|
|
19
|
-
path = T.cast(args[:path], String)
|
|
14
|
+
sig { params(params: T.any(String, ArbacInstance)).void }
|
|
15
|
+
def initialize(**params)
|
|
16
|
+
if params[:instance].nil?
|
|
17
|
+
path = T.cast(params[:path], String)
|
|
20
18
|
@instance = ArbacUtilsModule::forward_slicing(ArbacUtilsModule::backward_slicing(ArbacInstance.new(path: path)))
|
|
19
|
+
else
|
|
20
|
+
instance = T.cast(params[:instance], ArbacInstance)
|
|
21
|
+
@instance = instance
|
|
21
22
|
end
|
|
22
23
|
end
|
|
23
24
|
|
data/lib/arbac_verifier.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: arbac_verifier
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stefano Sello
|
|
@@ -80,8 +80,75 @@ dependencies:
|
|
|
80
80
|
- - "~>"
|
|
81
81
|
- !ruby/object:Gem::Version
|
|
82
82
|
version: '3.12'
|
|
83
|
-
description:
|
|
84
|
-
|
|
83
|
+
description: " \n\n
|
|
84
|
+
\ [](https://codecov.io/github/stefanosello/arbac_verifier)\n
|
|
85
|
+
\ [](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml)\n
|
|
86
|
+
\ [](https://badge.fury.io/rb/arbac_verifier)\n
|
|
87
|
+
\ [](https://github.com/Naereen/badges/)\n
|
|
88
|
+
\ \n \n **ARBAC Verifier** is a Ruby gem designed to facilitate the modeling
|
|
89
|
+
and verification of Administrative Role-Based Access Control (ARBAC) policies. With
|
|
90
|
+
this tool, you can efficiently model ARBAC policies and perform verification tasks
|
|
91
|
+
to determine if a specific role (`Goal`) can be achieved starting from a given set
|
|
92
|
+
of states (user-to-role assignments).\n \n This gem is grounded in comprehensive
|
|
93
|
+
theoretical foundations, which you can explore in detail through the [official security
|
|
94
|
+
course slides](https://secgroup.dais.unive.it/wp-content/uploads/2020/04/arbac.pdf)
|
|
95
|
+
provided by [Ca' Foscari University](https://www.unive.it/pag/13526) of Venice.
|
|
96
|
+
\n \n ## Installation\n The `arbac_verifier` gem can be installed from
|
|
97
|
+
[rubygems.org](https://rubygems.org/gems/arbac_verifier) from command line: \n ```{bash}\n
|
|
98
|
+
\ gem install arbac_verifier\n ```\n or by adding the following line to
|
|
99
|
+
your `Gemfile` project:\n ```{ruby}\n gem 'arbac_verifier', '~> 1.0', '>=
|
|
100
|
+
1.0.1'\n ```\n \n ## ARBAC definition file\n An ARBAC (Attribute-Based
|
|
101
|
+
Role-Based Access Control) policy definition comprises four key components:\n -
|
|
102
|
+
**Users**: A set of individuals who are part of the system under analysis.\n -
|
|
103
|
+
**Roles**: A set of roles that can be assigned to or removed from users.\n -
|
|
104
|
+
**Can-Assign Rules**: These rules specify which roles can be assigned to users.
|
|
105
|
+
Each rule includes:\n - The role that has the authority to make the assignment.\n
|
|
106
|
+
\ - The role to be assigned.\n - Positive preconditions: Specific roles
|
|
107
|
+
that the user must already possess to be eligible for the new role.\n - Negative
|
|
108
|
+
preconditions: Specific roles that the user must not possess to be eligible for
|
|
109
|
+
the new role.\n - **Can-Revoke Rules**: These rules specify which roles can be
|
|
110
|
+
revoked from users. Each rule includes:\n - The role that has the authority
|
|
111
|
+
to revoke.\n - The role to be revoked. \n \n This structure ensures that
|
|
112
|
+
role assignments and revocations are controlled and based on the current state of
|
|
113
|
+
the user's roles.\n In order to represent a policy based on this definition,
|
|
114
|
+
we can use `arbac` files, which should follow this format:\n ```\n Roles Teacher
|
|
115
|
+
Student TA ;\n Users stefano alice bob ;\n UA <stefano,Teacher> <alice,TA>
|
|
116
|
+
;\n CR <Teacher,Student> <Teacher,TA> ;\n CA <Teacher,-Teacher&-TA,Student>
|
|
117
|
+
<Teacher,-Student,TA> <Teacher,TA&-Student,Teacher> ;\n Goal Student ;\n ```
|
|
118
|
+
\n - Each line starts with an *header* that explains which information will be
|
|
119
|
+
represented\n - `Roles` and `Users` are straight forward\n - `UA` are
|
|
120
|
+
initial User Assignments, i.e. user-role assignments, where each item is a pair
|
|
121
|
+
of `<user,role>`\n - `CR` are Can-Revoke rules, where each item is a pair of
|
|
122
|
+
`<revoker role, revokable role>`\n - `CA` are Can-Assign rules, where each
|
|
123
|
+
item is a tern of `<assigner role, <positive1&positive2&-negative1&-negative2>,
|
|
124
|
+
assignable role>`\n - `Goal` is not an ARBAC property: it is the target role
|
|
125
|
+
for which the reachability should be verified\n - Each line ends with a `;`\n
|
|
126
|
+
\ - Items of each line are space-separated\n \n ## Usage\n Once installed,
|
|
127
|
+
the gem can be used to manage different tasks related to arbac policies.\n ```{Ruby}\n
|
|
128
|
+
\ require 'arbac_verifier'\n require 'set\n \n # Create new Arbac instance
|
|
129
|
+
from .arbac file\n policy0 = ArbacInstance.new(path: 'policy0.arbac')\n \n
|
|
130
|
+
\ # Create new Arbac instance passing single attributes\n policy1 = ArbacInstance.new(\n
|
|
131
|
+
\ goal: :Student,\n roles: [:Teacher, :Student, :TA].to_set,\n users:
|
|
132
|
+
[\"stefano\", \"alice\", \"bob\"].to_set,\n user_to_role: [UserRole.new(\"stefano\",
|
|
133
|
+
:Teacher), UserRole.new(\"alice\", :TA)].to_set,\n can_assign_rules: [\n CanAssignRule.new(:Teacher,
|
|
134
|
+
[].to_set, [:Teacher, :TA].to_set, :Student),\n CanAssignRule.new(:Teacher,
|
|
135
|
+
[].to_set, [:Student].to_set, :TA),\n CanAssignRule.new(:Teacher,
|
|
136
|
+
[:TA].to_set, [:Student].to_set, :Teacher)\n ].to_set,\n
|
|
137
|
+
\ can_revoke_rules: [CanRevokeRule.new(:Teacher, :Student), CanRevokeRule.new(:Teacher,
|
|
138
|
+
:TA)].to_set\n )\n ```\n \n Once the problem instance has been defined,
|
|
139
|
+
the gem provides two simplification algorithms that can be used to reduce the size
|
|
140
|
+
of the reachability problem.\n These algorithms do not modify the original policy
|
|
141
|
+
and return a new simplified policy.\n ```{Ruby}\n require 'arbac_verifier'\n
|
|
142
|
+
\ \n # apply backward slicing\n policy0bs = ArbacUtilsModule::backward_slicing(policy0)\n
|
|
143
|
+
\ policy0fs = ArbacUtilsModule::forward_slicing(policy0)\n ```\n A Role
|
|
144
|
+
Reachability Problem solution can be computed using the `ArbacReachabilityVerifier`
|
|
145
|
+
class.\n ```{Ruby}\n require 'arbac_verifier'\n \n # Creare new reachability
|
|
146
|
+
verifier instance starting from an .arbac file\n verifier0 = ArbacReachabilityVerifier.new(path:
|
|
147
|
+
'policy0.arbac')\n \n # or from an already created ArbacInstance\n verifier1
|
|
148
|
+
= ArbacReachabilityVerifier.new(instance: policy1)\n \n # and then compute
|
|
149
|
+
reachability\n verifier0.verify # => true\n ```\n **NB:** when a verifier
|
|
150
|
+
instance is created starting from an `.arbac` file, backward and forward slicing
|
|
151
|
+
are applied to the parsed policy.\n"
|
|
85
152
|
email: sellostefano@gmail.com
|
|
86
153
|
executables: []
|
|
87
154
|
extensions: []
|