arbac_verifier 1.0.1 → 1.0.5

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9e8293d45df6e6ac48d7923723d3b04899292bf34bf0696046bae3ddd2eb6dba
4
- data.tar.gz: 84e90713d08d36b339de962531f7494f15580e59f10a6d6ebed5a2ed18f8a5b0
3
+ metadata.gz: 8d2452f09757b60bfc77afd2442fe5839b803097b61d05a442fe597dc1193e97
4
+ data.tar.gz: 2ea5b84270a4013b8f2f92da60960fc42423265d5f1dc7244fd14e547c3551bc
5
5
  SHA512:
6
- metadata.gz: d781d6c1a8a0de56210e9c47abf4eae12e0559704309f99a6fe6a217dfe94774028004e83803261344280344b0d129a0caeac6290c0866684c18bd72f7b3f279
7
- data.tar.gz: 4f585bf557ccbe4ba22d3d14b622a136731c14383c7c1edd9566e0141001512468b81c79386c9faae7e519d02b12d1371d06dd045bb569b4959a2c150eef5bbd
6
+ metadata.gz: 555c5df13ffe056fee4bc6a9f1df7be64fd6489b863b838a5f2a81e558358e538b0b9c27ccba5c0fc3f4b7034323e9b0b9fb13308b426ecbff5ac116b8a3ad87
7
+ data.tar.gz: 8ff9f08b8ab1d8c03956b8ff1a44b79fcf5daf072134d2ebbee18cc19beba8c58512c0d641107f82eeabdaf39cb6a5f7785bac1dc148495328e14fe7de437a05
data/README.md ADDED
@@ -0,0 +1,101 @@
1
+ ![logo.png](logo.png)
2
+
3
+ [![codecov](https://codecov.io/github/stefanosello/arbac_verifier/branch/main/graph/badge.svg?token=VXWHKJUJR2)](https://codecov.io/github/stefanosello/arbac_verifier)
4
+ [![Ruby Gem](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml/badge.svg?branch=main)](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml)
5
+ [![Gem Version](https://badge.fury.io/rb/arbac_verifier.svg)](https://badge.fury.io/rb/arbac_verifier)
6
+ [![Open Source? Yes!](https://badgen.net/badge/Open%20Source%20%3F/Yes%21/blue?icon=github)](https://github.com/Naereen/badges/)
7
+
8
+
9
+ **ARBAC Verifier** is a Ruby gem designed to facilitate the modeling and verification of Administrative Role-Based Access Control (ARBAC) policies. With this tool, you can efficiently model ARBAC policies and perform verification tasks to determine if a specific role (`Goal`) can be achieved starting from a given set of states (user-to-role assignments).
10
+
11
+ This gem is grounded in comprehensive theoretical foundations, which you can explore in detail through the [official security course slides](https://secgroup.dais.unive.it/wp-content/uploads/2020/04/arbac.pdf) provided by [Ca' Foscari University](https://www.unive.it/pag/13526) of Venice.
12
+
13
+ ## Installation
14
+ The `arbac_verifier` gem can be installed from [rubygems.org](https://rubygems.org/gems/arbac_verifier) from command line:
15
+ ```{bash}
16
+ gem install arbac_verifier
17
+ ```
18
+ or by adding the following line to your `Gemfile` project:
19
+ ```{ruby}
20
+ gem 'arbac_verifier', '~> 1.0', '>= 1.0.1'
21
+ ```
22
+
23
+ ## ARBAC definition file
24
+ An ARBAC (Attribute-Based Role-Based Access Control) policy definition comprises four key components:
25
+ - **Users**: A set of individuals who are part of the system under analysis.
26
+ - **Roles**: A set of roles that can be assigned to or removed from users.
27
+ - **Can-Assign Rules**: These rules specify which roles can be assigned to users. Each rule includes:
28
+ - The role that has the authority to make the assignment.
29
+ - The role to be assigned.
30
+ - Positive preconditions: Specific roles that the user must already possess to be eligible for the new role.
31
+ - Negative preconditions: Specific roles that the user must not possess to be eligible for the new role.
32
+ - **Can-Revoke Rules**: These rules specify which roles can be revoked from users. Each rule includes:
33
+ - The role that has the authority to revoke.
34
+ - The role to be revoked.
35
+
36
+ This structure ensures that role assignments and revocations are controlled and based on the current state of the user's roles.
37
+ In order to represent a policy based on this definition, we can use `arbac` files, which should follow this format:
38
+ ```
39
+ Roles Teacher Student TA ;
40
+ Users stefano alice bob ;
41
+ UA <stefano,Teacher> <alice,TA> ;
42
+ CR <Teacher,Student> <Teacher,TA> ;
43
+ CA <Teacher,-Teacher&-TA,Student> <Teacher,-Student,TA> <Teacher,TA&-Student,Teacher> ;
44
+ Goal Student ;
45
+ ```
46
+ - Each line starts with an *header* that explains which information will be represented
47
+ - `Roles` and `Users` are straight forward
48
+ - `UA` are initial User Assignments, i.e. user-role assignments, where each item is a pair of `<user,role>`
49
+ - `CR` are Can-Revoke rules, where each item is a pair of `<revoker role, revokable role>`
50
+ - `CA` are Can-Assign rules, where each item is a tern of `<assigner role, <positive1&positive2&-negative1&-negative2>, assignable role>`
51
+ - `Goal` is not an ARBAC property: it is the target role for which the reachability should be verified
52
+ - Each line ends with a `;`
53
+ - Items of each line are space-separated
54
+
55
+ ## Usage
56
+ Once installed, the gem can be used to manage different tasks related to arbac policies.
57
+ ```{Ruby}
58
+ require 'arbac_verifier'
59
+ require 'set
60
+
61
+ # Create new Arbac instance from .arbac file
62
+ policy0 = ArbacInstance.new(path: 'policy0.arbac')
63
+
64
+ # Create new Arbac instance passing single attributes
65
+ policy1 = ArbacInstance.new(
66
+ goal: :Student,
67
+ roles: [:Teacher, :Student, :TA].to_set,
68
+ users: ["stefano", "alice", "bob"].to_set,
69
+ user_to_role: [UserRole.new("stefano", :Teacher), UserRole.new("alice", :TA)].to_set,
70
+ can_assign_rules: [
71
+ CanAssignRule.new(:Teacher, [].to_set, [:Teacher, :TA].to_set, :Student),
72
+ CanAssignRule.new(:Teacher, [].to_set, [:Student].to_set, :TA),
73
+ CanAssignRule.new(:Teacher, [:TA].to_set, [:Student].to_set, :Teacher)
74
+ ].to_set,
75
+ can_revoke_rules: [CanRevokeRule.new(:Teacher, :Student), CanRevokeRule.new(:Teacher, :TA)].to_set
76
+ )
77
+ ```
78
+
79
+ Once the problem instance has been defined, the gem provides two simplification algorithms that can be used to reduce the size of the reachability problem.
80
+ These algorithms do not modify the original policy and return a new simplified policy.
81
+ ```{Ruby}
82
+ require 'arbac_verifier'
83
+
84
+ # apply backward slicing
85
+ policy0bs = ArbacUtilsModule::backward_slicing(policy0)
86
+ policy0fs = ArbacUtilsModule::forward_slicing(policy0)
87
+ ```
88
+ A Role Reachability Problem solution can be computed using the `ArbacReachabilityVerifier` class.
89
+ ```{Ruby}
90
+ require 'arbac_verifier'
91
+
92
+ # Creare new reachability verifier instance starting from an .arbac file
93
+ verifier0 = ArbacReachabilityVerifier.new(path: 'policy0.arbac')
94
+
95
+ # or from an already created ArbacInstance
96
+ verifier1 = ArbacReachabilityVerifier.new(instance: policy1)
97
+
98
+ # and then compute reachability
99
+ verifier0.verify # => true
100
+ ```
101
+ **NB:** when a verifier instance is created starting from an `.arbac` file, backward and forward slicing are applied to the parsed policy.
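Review bot: in the first Usage snippet, `require 'set` is missing its closing quote, so the example is a syntax error when copied; it should read `require 'set'`. The "ARBAC definition file" section expands ARBAC as "Attribute-Based Role-Based Access Control" while the opening paragraph says "Administrative Role-Based Access Control"; use the same expansion in both places. The `CA` bullet describes the precondition list wrapped in its own angle brackets, which does not match the sample line `<Teacher,TA&-Student,Teacher>`, and the Gemfile line still gives `>= 1.0.1` as the floor for a README that ships with 1.0.5.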
@@ -29,9 +29,7 @@ class ArbacInstance
29
29
 
30
30
  sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[CanAssignRule], T::Set[CanRevokeRule], String)).void }
31
31
  def initialize(**params)
32
- unless params[:path].nil?
33
- initialize_by_file_path(T.cast(params[:path], String))
34
- else
32
+ if params[:path].nil?
35
33
  initialize_by_attributes(
36
34
  T.cast(params[:goal], Symbol),
37
35
  T.cast(params[:roles], T::Set[Symbol]),
@@ -40,6 +38,8 @@ class ArbacInstance
40
38
  T.cast(params[:can_assign_rules], T::Set[CanAssignRule]),
41
39
  T.cast(params[:can_revoke_rules], T::Set[CanRevokeRule])
42
40
  )
41
+ else
42
+ initialize_by_file_path(T.cast(params[:path], String))
43
43
  end
44
44
  end
45
45
 
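Review bot: `initialize` decides between the two construction paths on `params[:path].nil?` alone, so a caller who passes `path:` together with `goal:`, `roles:` and the rule sets reaches the `else` added here and has the attributes silently ignored. A caller who passes neither form gets a `T.cast` failure on `params[:goal]` instead of a message naming the missing argument. Check up front that exactly one form was supplied and raise `ArgumentError` otherwise.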
@@ -11,13 +11,14 @@ class ArbacReachabilityVerifier
11
11
  sig { returns ArbacInstance }
12
12
  attr_reader :instance
13
13
 
14
- sig { params(args: T.any(String, ArbacInstance)).void }
15
- def initialize(**args)
16
- if !(args[:instance].nil?)
17
- @instance = T.let(T.cast(args[:instance], ArbacInstance), ArbacInstance)
18
- else
19
- path = T.cast(args[:path], String)
14
+ sig { params(params: T.any(String, ArbacInstance)).void }
15
+ def initialize(**params)
16
+ if params[:instance].nil?
17
+ path = T.cast(params[:path], String)
20
18
  @instance = ArbacUtilsModule::forward_slicing(ArbacUtilsModule::backward_slicing(ArbacInstance.new(path: path)))
19
+ else
20
+ instance = T.cast(params[:instance], ArbacInstance)
21
+ @instance = instance
21
22
  end
22
23
  end
23
24
 
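Review bot: the two branches of `initialize` leave `@instance` in different states. The `path:` branch stores the policy after `backward_slicing` and `forward_slicing`, while the new `else` branch stores the caller's `ArbacInstance` unsliced. If that difference is intended, document it on the constructor; otherwise apply the same slicing in both branches. When neither `instance:` nor `path:` is given, `T.cast(params[:path], String)` fails on nil, so an explicit `ArgumentError` would be clearer. The earlier `T.let(..., ArbacInstance)` on `@instance` is also dropped here; keep the declaration if this file is meant to pass at `typed: strict`.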
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
- # typed: true
2
+ # typed: strict
3
3
  require 'sorbet-runtime'
4
4
 
5
5
  class CanAssignRule
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
- # typed: true
2
+ # typed: strict
3
3
  require 'sorbet-runtime'
4
4
 
5
5
  class CanRevokeRule
@@ -1,3 +1,4 @@
1
+ # typed: strict
1
2
  # Public: Specific exception to throw when a certain computation time exceeds a predefined limit
2
3
  class ComputationTimedOutException < StandardError
3
4
  end
@@ -1,7 +1,6 @@
1
- # typed: true
1
+ # typed: strict
2
2
  require 'sorbet-runtime'
3
3
 
4
- # Collection of utilities to manipulate .arbac files (defining an ARBAC role reachability problem) to parse and eventually solve the problem
5
4
  module ArbacUtilsModule
6
5
  extend T::Sig
7
6
 
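Review bot: the comment line above `module ArbacUtilsModule` is deleted together with the sigil change, which leaves the module with no description at all. Keep the line, or move it into the module's doc comment, so readers of the slicing helpers still have a one-line statement of what the module is for.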
@@ -1 +1,2 @@
1
+ # typed: strict
1
2
  require 'arbac_verifier/classes/arbac_reachability_verifier'
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: arbac_verifier
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.1
4
+ version: 1.0.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stefano Sello
@@ -80,13 +80,15 @@ dependencies:
80
80
  - - "~>"
81
81
  - !ruby/object:Gem::Version
82
82
  version: '3.12'
83
- description: A simple solutor for role reachability problem instances expressed in
84
- ARBAC format.
83
+ description: " A way to solve simple ARBAC role reachability problems, given an
84
+ .arbac definition file or a pre-built problem instance."
85
85
  email: sellostefano@gmail.com
86
86
  executables: []
87
87
  extensions: []
88
- extra_rdoc_files: []
88
+ extra_rdoc_files:
89
+ - README.md
89
90
  files:
91
+ - README.md
90
92
  - lib/arbac_verifier.rb
91
93
  - lib/arbac_verifier/classes/arbac_instance.rb
92
94
  - lib/arbac_verifier/classes/arbac_reachability_verifier.rb
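Review bot: the new `description` value starts with a space inside the quotes (`" A way to solve simple ARBAC ...`), which will be carried verbatim into the published gem metadata. Strip the leading whitespace in the gemspec source, for example by not starting the string or heredoc with a blank.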
@@ -95,7 +97,7 @@ files:
95
97
  - lib/arbac_verifier/classes/user_role.rb
96
98
  - lib/arbac_verifier/exceptions/computation_timed_out_exception.rb
97
99
  - lib/arbac_verifier/modules/arbac_utils_module.rb
98
- homepage: https://rubygems.org/gems/arbac_verifier
100
+ homepage: https://github.com/stefanosello/arbac_verifier
99
101
  licenses:
100
102
  - Apache-2.0
101
103
  metadata: {}
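Review bot: the `metadata: {}` context line directly after the new `homepage` shows the gemspec still publishes no metadata. Since the homepage now points at the GitHub repository, this is a good place to also set `source_code_uri`, and to set `rubygems_mfa_required` to `"true"` so that pushes of this gem require MFA on the owner's account.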
@@ -107,7 +109,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
107
109
  requirements:
108
110
  - - ">="
109
111
  - !ruby/object:Gem::Version
110
- version: '0'
112
+ version: 3.0.0
111
113
  required_rubygems_version: !ruby/object:Gem::Requirement
112
114
  requirements:
113
115
  - - ">="
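Review bot: `required_ruby_version` moves from `>= 0` to `>= 3.0.0` in what is otherwise a patch-level bump (1.0.1 to 1.0.5). That is a compatibility change for anyone on an older Ruby who follows the README's `~> 1.0` constraint, and the version number does not signal it. Call it out in the release notes, or ship the new floor with a minor version bump.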