arbac_verifier 1.0.1 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +101 -0
  3. data/lib/arbac_verifier/classes/arbac_instance.rb +3 -3
  4. data/lib/arbac_verifier/classes/arbac_reachability_verifier.rb +7 -6
  5. data/lib/arbac_verifier/classes/rules/can_assign_rule.rb +1 -1
  6. data/lib/arbac_verifier/classes/rules/can_revoke_rule.rb +1 -1
  7. data/lib/arbac_verifier/exceptions/computation_timed_out_exception.rb +1 -0
  8. data/lib/arbac_verifier/modules/arbac_utils_module.rb +1 -2
  9. data/lib/arbac_verifier.rb +1 -0
  10. metadata +8 -6
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9e8293d45df6e6ac48d7923723d3b04899292bf34bf0696046bae3ddd2eb6dba
4
- data.tar.gz: 84e90713d08d36b339de962531f7494f15580e59f10a6d6ebed5a2ed18f8a5b0
3
+ metadata.gz: 8d2452f09757b60bfc77afd2442fe5839b803097b61d05a442fe597dc1193e97
4
+ data.tar.gz: 2ea5b84270a4013b8f2f92da60960fc42423265d5f1dc7244fd14e547c3551bc
5
5
  SHA512:
6
- metadata.gz: d781d6c1a8a0de56210e9c47abf4eae12e0559704309f99a6fe6a217dfe94774028004e83803261344280344b0d129a0caeac6290c0866684c18bd72f7b3f279
7
- data.tar.gz: 4f585bf557ccbe4ba22d3d14b622a136731c14383c7c1edd9566e0141001512468b81c79386c9faae7e519d02b12d1371d06dd045bb569b4959a2c150eef5bbd
6
+ metadata.gz: 555c5df13ffe056fee4bc6a9f1df7be64fd6489b863b838a5f2a81e558358e538b0b9c27ccba5c0fc3f4b7034323e9b0b9fb13308b426ecbff5ac116b8a3ad87
7
+ data.tar.gz: 8ff9f08b8ab1d8c03956b8ff1a44b79fcf5daf072134d2ebbee18cc19beba8c58512c0d641107f82eeabdaf39cb6a5f7785bac1dc148495328e14fe7de437a05
data/README.md ADDED
@@ -0,0 +1,101 @@
1
+ ![logo.png](logo.png)
2
+
3
+ [![codecov](https://codecov.io/github/stefanosello/arbac_verifier/branch/main/graph/badge.svg?token=VXWHKJUJR2)](https://codecov.io/github/stefanosello/arbac_verifier)
4
+ [![Ruby Gem](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml/badge.svg?branch=main)](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml)
5
+ [![Gem Version](https://badge.fury.io/rb/arbac_verifier.svg)](https://badge.fury.io/rb/arbac_verifier)
6
+ [![Open Source? Yes!](https://badgen.net/badge/Open%20Source%20%3F/Yes%21/blue?icon=github)](https://github.com/Naereen/badges/)
7
+
8
+
9
+ **ARBAC Verifier** is a Ruby gem designed to facilitate the modeling and verification of Administrative Role-Based Access Control (ARBAC) policies. With this tool, you can efficiently model ARBAC policies and perform verification tasks to determine if a specific role (`Goal`) can be achieved starting from a given set of states (user-to-role assignments).
10
+
11
+ This gem is grounded in comprehensive theoretical foundations, which you can explore in detail through the [official security course slides](https://secgroup.dais.unive.it/wp-content/uploads/2020/04/arbac.pdf) provided by [Ca' Foscari University](https://www.unive.it/pag/13526) of Venice.
12
+
13
+ ## Installation
14
+ The `arbac_verifier` gem can be installed from [rubygems.org](https://rubygems.org/gems/arbac_verifier) from command line:
15
+ ```{bash}
16
+ gem install arbac_verifier
17
+ ```
18
+ or by adding the following line to your `Gemfile` project:
19
+ ```{ruby}
20
+ gem 'arbac_verifier', '~> 1.0', '>= 1.0.1'
21
+ ```
22
+
23
+ ## ARBAC definition file
24
+ An ARBAC (Attribute-Based Role-Based Access Control) policy definition comprises four key components:
25
+ - **Users**: A set of individuals who are part of the system under analysis.
26
+ - **Roles**: A set of roles that can be assigned to or removed from users.
27
+ - **Can-Assign Rules**: These rules specify which roles can be assigned to users. Each rule includes:
28
+ - The role that has the authority to make the assignment.
29
+ - The role to be assigned.
30
+ - Positive preconditions: Specific roles that the user must already possess to be eligible for the new role.
31
+ - Negative preconditions: Specific roles that the user must not possess to be eligible for the new role.
32
+ - **Can-Revoke Rules**: These rules specify which roles can be revoked from users. Each rule includes:
33
+ - The role that has the authority to revoke.
34
+ - The role to be revoked.
35
+
36
+ This structure ensures that role assignments and revocations are controlled and based on the current state of the user's roles.
37
+ In order to represent a policy based on this definition, we can use `arbac` files, which should follow this format:
38
+ ```
39
+ Roles Teacher Student TA ;
40
+ Users stefano alice bob ;
41
+ UA <stefano,Teacher> <alice,TA> ;
42
+ CR <Teacher,Student> <Teacher,TA> ;
43
+ CA <Teacher,-Teacher&-TA,Student> <Teacher,-Student,TA> <Teacher,TA&-Student,Teacher> ;
44
+ Goal Student ;
45
+ ```
46
+ - Each line starts with an *header* that explains which information will be represented
47
+ - `Roles` and `Users` are straight forward
48
+ - `UA` are initial User Assignments, i.e. user-role assignments, where each item is a pair of `<user,role>`
49
+ - `CR` are Can-Revoke rules, where each item is a pair of `<revoker role, revokable role>`
50
+ - `CA` are Can-Assign rules, where each item is a tern of `<assigner role, <positive1&positive2&-negative1&-negative2>, assignable role>`
51
+ - `Goal` is not an ARBAC property: it is the target role for which the reachability should be verified
52
+ - Each line ends with a `;`
53
+ - Items of each line are space-separated
54
+
55
+ ## Usage
56
+ Once installed, the gem can be used to manage different tasks related to arbac policies.
57
+ ```{Ruby}
58
+ require 'arbac_verifier'
59
+ require 'set
60
+
61
+ # Create new Arbac instance from .arbac file
62
+ policy0 = ArbacInstance.new(path: 'policy0.arbac')
63
+
64
+ # Create new Arbac instance passing single attributes
65
+ policy1 = ArbacInstance.new(
66
+ goal: :Student,
67
+ roles: [:Teacher, :Student, :TA].to_set,
68
+ users: ["stefano", "alice", "bob"].to_set,
69
+ user_to_role: [UserRole.new("stefano", :Teacher), UserRole.new("alice", :TA)].to_set,
70
+ can_assign_rules: [
71
+ CanAssignRule.new(:Teacher, [].to_set, [:Teacher, :TA].to_set, :Student),
72
+ CanAssignRule.new(:Teacher, [].to_set, [:Student].to_set, :TA),
73
+ CanAssignRule.new(:Teacher, [:TA].to_set, [:Student].to_set, :Teacher)
74
+ ].to_set,
75
+ can_revoke_rules: [CanRevokeRule.new(:Teacher, :Student), CanRevokeRule.new(:Teacher, :TA)].to_set
76
+ )
77
+ ```
78
+
79
+ Once the problem instance has been defined, the gem provides two simplification algorithms that can be used to reduce the size of the reachability problem.
80
+ These algorithms do not modify the original policy and return a new simplified policy.
81
+ ```{Ruby}
82
+ require 'arbac_verifier'
83
+
84
+ # apply backward slicing
85
+ policy0bs = ArbacUtilsModule::backward_slicing(policy0)
86
+ policy0fs = ArbacUtilsModule::forward_slicing(policy0)
87
+ ```
88
+ A Role Reachability Problem solution can be computed using the `ArbacReachabilityVerifier` class.
89
+ ```{Ruby}
90
+ require 'arbac_verifier'
91
+
92
+ # Creare new reachability verifier instance starting from an .arbac file
93
+ verifier0 = ArbacReachabilityVerifier.new(path: 'policy0.arbac')
94
+
95
+ # or from an already created ArbacInstance
96
+ verifier1 = ArbacReachabilityVerifier.new(instance: policy1)
97
+
98
+ # and then compute reachability
99
+ verifier0.verify # => true
100
+ ```
101
+ **NB:** when a verifier instance is created starting from an `.arbac` file, backward and forward slicing are applied to the parsed policy.
data/lib/arbac_verifier/classes/arbac_instance.rb CHANGED
@@ -29,9 +29,7 @@ class ArbacInstance
29
29
 
30
30
  sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[CanAssignRule], T::Set[CanRevokeRule], String)).void }
31
31
  def initialize(**params)
32
- unless params[:path].nil?
33
- initialize_by_file_path(T.cast(params[:path], String))
34
- else
32
+ if params[:path].nil?
35
33
  initialize_by_attributes(
36
34
  T.cast(params[:goal], Symbol),
37
35
  T.cast(params[:roles], T::Set[Symbol]),
@@ -40,6 +38,8 @@ class ArbacInstance
40
38
  T.cast(params[:can_assign_rules], T::Set[CanAssignRule]),
41
39
  T.cast(params[:can_revoke_rules], T::Set[CanRevokeRule])
42
40
  )
41
+ else
42
+ initialize_by_file_path(T.cast(params[:path], String))
43
43
  end
44
44
  end
45
45
 
data/lib/arbac_verifier/classes/arbac_reachability_verifier.rb CHANGED
@@ -11,13 +11,14 @@ class ArbacReachabilityVerifier
11
11
  sig { returns ArbacInstance }
12
12
  attr_reader :instance
13
13
 
14
- sig { params(args: T.any(String, ArbacInstance)).void }
15
- def initialize(**args)
16
- if !(args[:instance].nil?)
17
- @instance = T.let(T.cast(args[:instance], ArbacInstance), ArbacInstance)
18
- else
19
- path = T.cast(args[:path], String)
14
+ sig { params(params: T.any(String, ArbacInstance)).void }
15
+ def initialize(**params)
16
+ if params[:instance].nil?
17
+ path = T.cast(params[:path], String)
20
18
  @instance = ArbacUtilsModule::forward_slicing(ArbacUtilsModule::backward_slicing(ArbacInstance.new(path: path)))
19
+ else
20
+ instance = T.cast(params[:instance], ArbacInstance)
21
+ @instance = instance
21
22
  end
22
23
  end
23
24
 
data/lib/arbac_verifier/classes/rules/can_assign_rule.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
- # typed: true
2
+ # typed: strict
3
3
  require 'sorbet-runtime'
4
4
 
5
5
  class CanAssignRule
data/lib/arbac_verifier/classes/rules/can_revoke_rule.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
- # typed: true
2
+ # typed: strict
3
3
  require 'sorbet-runtime'
4
4
 
5
5
  class CanRevokeRule
data/lib/arbac_verifier/exceptions/computation_timed_out_exception.rb CHANGED
@@ -1,3 +1,4 @@
1
+ # typed: strict
1
2
  # Public: Specific exception to throw when a certain computation time exceeds a predefined limit
2
3
  class ComputationTimedOutException < StandardError
3
4
  end
data/lib/arbac_verifier/modules/arbac_utils_module.rb CHANGED
@@ -1,7 +1,6 @@
1
- # typed: true
1
+ # typed: strict
2
2
  require 'sorbet-runtime'
3
3
 
4
- # Collection of utilities to manipulate .arbac files (defining an ARBAC role reachability problem) to parse and eventually solve the problem
5
4
  module ArbacUtilsModule
6
5
  extend T::Sig
7
6
 
data/lib/arbac_verifier.rb CHANGED
@@ -1 +1,2 @@
1
+ # typed: strict
1
2
  require 'arbac_verifier/classes/arbac_reachability_verifier'
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: arbac_verifier
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.1
4
+ version: 1.0.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stefano Sello
@@ -80,13 +80,15 @@ dependencies:
80
80
  - - "~>"
81
81
  - !ruby/object:Gem::Version
82
82
  version: '3.12'
83
- description: A simple solutor for role reachability problem instances expressed in
84
- ARBAC format.
83
+ description: " A way to solve simple ARBAC role reachability problems, given an
84
+ .arbac definition file or a pre-built problem instance."
85
85
  email: sellostefano@gmail.com
86
86
  executables: []
87
87
  extensions: []
88
- extra_rdoc_files: []
88
+ extra_rdoc_files:
89
+ - README.md
89
90
  files:
91
+ - README.md
90
92
  - lib/arbac_verifier.rb
91
93
  - lib/arbac_verifier/classes/arbac_instance.rb
92
94
  - lib/arbac_verifier/classes/arbac_reachability_verifier.rb
@@ -95,7 +97,7 @@ files:
95
97
  - lib/arbac_verifier/classes/user_role.rb
96
98
  - lib/arbac_verifier/exceptions/computation_timed_out_exception.rb
97
99
  - lib/arbac_verifier/modules/arbac_utils_module.rb
98
- homepage: https://rubygems.org/gems/arbac_verifier
100
+ homepage: https://github.com/stefanosello/arbac_verifier
99
101
  licenses:
100
102
  - Apache-2.0
101
103
  metadata: {}
@@ -107,7 +109,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
107
109
  requirements:
108
110
  - - ">="
109
111
  - !ruby/object:Gem::Version
110
- version: '0'
112
+ version: 3.0.0
111
113
  required_rubygems_version: !ruby/object:Gem::Requirement
112
114
  requirements:
113
115
  - - ">="