arbac_verifier 1.0.2 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +113 -0
- data/lib/arbac_verifier/classes/instance.rb +151 -0
- data/lib/arbac_verifier/classes/reachability_verifier.rb +154 -0
- data/lib/arbac_verifier/classes/rules/can_assign.rb +57 -0
- data/lib/arbac_verifier/classes/rules/can_revoke.rb +43 -0
- data/lib/arbac_verifier/classes/user_role.rb +22 -20
- data/lib/arbac_verifier/modules/utils.rb +76 -0
- data/lib/arbac_verifier.rb +1 -1
- data/logo.png +0 -0
- metadata +29 -80
- data/lib/arbac_verifier/classes/arbac_instance.rb +0 -149
- data/lib/arbac_verifier/classes/arbac_reachability_verifier.rb +0 -70
- data/lib/arbac_verifier/classes/rules/can_assign_rule.rb +0 -53
- data/lib/arbac_verifier/classes/rules/can_revoke_rule.rb +0 -39
- data/lib/arbac_verifier/exceptions/computation_timed_out_exception.rb +0 -4
- data/lib/arbac_verifier/modules/arbac_utils_module.rb +0 -65
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 16f5236fed8bc1a233deb5cf6b2c866704c2ef658dff494fbb2f636c96174cbe
|
|
4
|
+
data.tar.gz: e14caa0d96905d68a57cec19ca55c44dd6467268ed5da9e6d1950ed91b3a5ac8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8faf2cb1888330e0d0559f340423f3d07e972c1539b561556d661edbf3a1c3475cb7665e0b603934b0d289f8e90c691d39a711941f8f8885db9d5ccc42f09027
|
|
7
|
+
data.tar.gz: f85fa7100e6376127296e106ec2d09b53c785eadfa873589907197489563c815a08904e05ae6cc376ebc79a821e430d6f166b3b3795193a190fc43cce68b7645
|
data/README.md
ADDED
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
|
|
2
|
+
|
|
3
|
+
[](https://codecov.io/github/stefanosello/arbac_verifier)
|
|
4
|
+
[](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml)
|
|
5
|
+
[](https://badge.fury.io/rb/arbac_verifier)
|
|
6
|
+
[](https://github.com/Naereen/badges/)
|
|
7
|
+
|
|
8
|
+
|
|
9
|
+
**ARBAC Verifier** is a Ruby gem designed to facilitate the modeling and verification of Administrative Role-Based Access Control (ARBAC) policies. With this tool, you can efficiently model ARBAC policies and perform verification tasks to determine if a specific role (`Goal`) can be achieved starting from a given set of states (user-to-role assignments).
|
|
10
|
+
|
|
11
|
+
This gem is grounded in comprehensive theoretical foundations, which you can explore in detail through the [official security course slides](https://secgroup.dais.unive.it/wp-content/uploads/2020/04/arbac.pdf) provided by [Ca' Foscari University](https://www.unive.it/pag/13526) of Venice.
|
|
12
|
+
|
|
13
|
+
## Installation
|
|
14
|
+
The `arbac_verifier` gem can be installed from [rubygems.org](https://rubygems.org/gems/arbac_verifier) from command line:
|
|
15
|
+
```{bash}
|
|
16
|
+
gem install arbac_verifier
|
|
17
|
+
```
|
|
18
|
+
or by adding the following line to your `Gemfile` project:
|
|
19
|
+
```{ruby}
|
|
20
|
+
gem 'arbac_verifier', '~> 1.0', '>= 1.0.1'
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
## ARBAC definition file
|
|
24
|
+
An ARBAC (Attribute-Based Role-Based Access Control) policy definition comprises four key components:
|
|
25
|
+
- **Users**: A set of individuals who are part of the system under analysis.
|
|
26
|
+
- **Roles**: A set of roles that can be assigned to or removed from users.
|
|
27
|
+
- **Can-Assign Rules**: These rules specify which roles can be assigned to users. Each rule includes:
|
|
28
|
+
- The role that has the authority to make the assignment.
|
|
29
|
+
- The role to be assigned.
|
|
30
|
+
- Positive preconditions: Specific roles that the user must already possess to be eligible for the new role.
|
|
31
|
+
- Negative preconditions: Specific roles that the user must not possess to be eligible for the new role.
|
|
32
|
+
- **Can-Revoke Rules**: These rules specify which roles can be revoked from users. Each rule includes:
|
|
33
|
+
- The role that has the authority to revoke.
|
|
34
|
+
- The role to be revoked.
|
|
35
|
+
|
|
36
|
+
This structure ensures that role assignments and revocations are controlled and based on the current state of the user's roles.
|
|
37
|
+
In order to represent a policy based on this definition, we can use `arbac` files, which should follow this format:
|
|
38
|
+
```
|
|
39
|
+
Roles Teacher Student TA ;
|
|
40
|
+
Users stefano alice bob ;
|
|
41
|
+
UA <stefano,Teacher> <alice,TA> ;
|
|
42
|
+
CR <Teacher,Student> <Teacher,TA> ;
|
|
43
|
+
CA <Teacher,-Teacher&-TA,Student> <Teacher,-Student,TA> <Teacher,TA&-Student,Teacher> ;
|
|
44
|
+
Goal Student ;
|
|
45
|
+
```
|
|
46
|
+
- Each line starts with an *header* that explains which information will be represented
|
|
47
|
+
- `Roles` and `Users` are straight forward
|
|
48
|
+
- `UA` are initial User Assignments, i.e. user-role assignments, where each item is a pair of `<user,role>`
|
|
49
|
+
- `CR` are Can-Revoke rules, where each item is a pair of `<revoker role, revokable role>`
|
|
50
|
+
- `CA` are Can-Assign rules, where each item is a tern of `<assigner role, <positive1&positive2&-negative1&-negative2>, assignable role>`
|
|
51
|
+
- `Goal` is not an ARBAC property: it is the target role for which the reachability should be verified
|
|
52
|
+
- Each line ends with a `;`
|
|
53
|
+
- Items of each line are space-separated
|
|
54
|
+
|
|
55
|
+
## Usage
|
|
56
|
+
Once installed, the gem can be used to manage different tasks related to arbac policies.
|
|
57
|
+
### Create ARBAC instance
|
|
58
|
+
ARBAC instances can be created by providing the path of an `.arbac` definition file or passing explicit instance attributes.
|
|
59
|
+
```{Ruby}
|
|
60
|
+
require 'arbac_verifier'
|
|
61
|
+
require 'set
|
|
62
|
+
|
|
63
|
+
# Create new Arbac instance from .arbac file
|
|
64
|
+
policy0 = ARBACVerifier::Instance.new(path: 'policy0.arbac')
|
|
65
|
+
|
|
66
|
+
# Create new Arbac instance passing single attributes
|
|
67
|
+
policy1 = ARBACVerifier::Instance.new(
|
|
68
|
+
goal: :Student,
|
|
69
|
+
roles: [:Teacher, :Student, :TA].to_set,
|
|
70
|
+
users: ["stefano", "alice", "bob"].to_set,
|
|
71
|
+
user_to_role: [ARBACVerifier::UserRole.new("stefano", :Teacher), ARBACVerifier::UserRole.new("alice", :TA)].to_set,
|
|
72
|
+
can_assign_rules: [
|
|
73
|
+
ARBACVerifier::Rules::CanAssign.new(:Teacher, [].to_set, [:Teacher, :TA].to_set, :Student),
|
|
74
|
+
ARBACVerifier::Rules::CanAssign.new(:Teacher, [].to_set, [:Student].to_set, :TA),
|
|
75
|
+
ARBACVerifier::Rules::CanAssign.new(:Teacher, [:TA].to_set, [:Student].to_set, :Teacher)
|
|
76
|
+
].to_set,
|
|
77
|
+
can_revoke_rules: [
|
|
78
|
+
ARBACVerifier::Rules::CanRevoke.new(:Teacher, :Student),
|
|
79
|
+
ARBACVerifier::Rules::CanRevoke.new(:Teacher, :TA)
|
|
80
|
+
].to_set
|
|
81
|
+
)
|
|
82
|
+
```
|
|
83
|
+
### Instance pruning
|
|
84
|
+
Once the problem instance has been defined, the gem provides two simplification algorithms that can be used to reduce the size of the reachability problem.
|
|
85
|
+
These algorithms do not modify the original policy and return a new simplified policy.
|
|
86
|
+
```{Ruby}
|
|
87
|
+
require 'arbac_verifier'
|
|
88
|
+
|
|
89
|
+
include ARBACVerifier::Utils
|
|
90
|
+
|
|
91
|
+
# apply backward slicing
|
|
92
|
+
policy0bs = backward_slicing(policy0)
|
|
93
|
+
|
|
94
|
+
# apply forward slicing
|
|
95
|
+
policy0fs = forward_slicing(policy0)
|
|
96
|
+
```
|
|
97
|
+
### Role reachability solution
|
|
98
|
+
A Role Reachability Problem solution can be computed using the `ArbacReachabilityVerifier` class.
|
|
99
|
+
```{Ruby}
|
|
100
|
+
require 'arbac_verifier'
|
|
101
|
+
|
|
102
|
+
# Creare new reachability verifier instance starting from an .arbac file
|
|
103
|
+
verifier0 = ARBACVerifier::ReachabilityVerifier.new(path: 'policy0.arbac')
|
|
104
|
+
|
|
105
|
+
# or from an already created ArbacInstance
|
|
106
|
+
verifier1 = ARBACVerifier::ReachabilityVerifier.new(instance: policy1)
|
|
107
|
+
|
|
108
|
+
# and then compute reachability
|
|
109
|
+
verifier0.verify # => true
|
|
110
|
+
```
|
|
111
|
+
**NB:** when a verifier instance is created starting from an `.arbac` file, backward and forward slicing are applied to the parsed policy.
|
|
112
|
+
### Logging
|
|
113
|
+
By default, `ARBACVerifier::ReachabilityVerifier` logs context info to `$stdout`. Custom loggers can be set using `ARBACVerifier::ReachabilityVerifier#set_logger(logger)`.
|
|
@@ -0,0 +1,151 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
# typed: true
|
|
3
|
+
require 'sorbet-runtime'
|
|
4
|
+
require 'set'
|
|
5
|
+
require 'arbac_verifier/classes/user_role'
|
|
6
|
+
require 'arbac_verifier/classes/rules/can_assign'
|
|
7
|
+
require 'arbac_verifier/classes/rules/can_revoke'
|
|
8
|
+
|
|
9
|
+
module ARBACVerifier
|
|
10
|
+
class Instance
|
|
11
|
+
extend T::Sig
|
|
12
|
+
|
|
13
|
+
sig { returns T::Set[Symbol] }
|
|
14
|
+
attr_reader :roles
|
|
15
|
+
|
|
16
|
+
sig { returns T::Set[String] }
|
|
17
|
+
attr_reader :users
|
|
18
|
+
|
|
19
|
+
sig { returns T::Set[UserRole] }
|
|
20
|
+
attr_reader :user_to_role
|
|
21
|
+
|
|
22
|
+
sig { returns T::Set[Rules::CanRevoke]}
|
|
23
|
+
attr_reader :can_revoke_rules
|
|
24
|
+
|
|
25
|
+
sig { returns T::Set[Rules::CanAssign]}
|
|
26
|
+
attr_reader :can_assign_rules
|
|
27
|
+
|
|
28
|
+
sig { returns Symbol }
|
|
29
|
+
attr_reader :goal
|
|
30
|
+
|
|
31
|
+
sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[Rules::CanAssign], T::Set[Rules::CanRevoke], String)).void }
|
|
32
|
+
def initialize(**params)
|
|
33
|
+
if params[:path].nil?
|
|
34
|
+
initialize_by_attributes(
|
|
35
|
+
T.cast(params[:goal], Symbol),
|
|
36
|
+
T.cast(params[:roles], T::Set[Symbol]),
|
|
37
|
+
T.cast(params[:users], T::Set[String]),
|
|
38
|
+
T.cast(params[:user_to_role], T::Set[UserRole]),
|
|
39
|
+
T.cast(params[:can_assign_rules], T::Set[Rules::CanAssign]),
|
|
40
|
+
T.cast(params[:can_revoke_rules], T::Set[Rules::CanRevoke])
|
|
41
|
+
)
|
|
42
|
+
else
|
|
43
|
+
initialize_by_file_path(T.cast(params[:path], String))
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
sig { params(goal: Symbol, roles: T::Set[Symbol], users: T::Set[String], user_to_role: T::Set[UserRole], can_assign_rules: T::Set[Rules::CanAssign], can_revoke_rules: T::Set[Rules::CanRevoke]).void }
|
|
48
|
+
private def initialize_by_attributes(goal, roles, users, user_to_role, can_assign_rules, can_revoke_rules)
|
|
49
|
+
@goal = goal
|
|
50
|
+
@roles = roles
|
|
51
|
+
@users = users
|
|
52
|
+
@user_to_role = user_to_role
|
|
53
|
+
@can_assign_rules = can_assign_rules
|
|
54
|
+
@can_revoke_rules = can_revoke_rules
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
sig { params(path: String).void }
|
|
58
|
+
private def initialize_by_file_path(path)
|
|
59
|
+
file = File.open(path)
|
|
60
|
+
spec_key_to_line_content = get_lines(file)
|
|
61
|
+
@goal = get_goal(T.must(spec_key_to_line_content[:Goal]))
|
|
62
|
+
@roles = get_roles(T.must(spec_key_to_line_content[:Roles]))
|
|
63
|
+
@users = T.must(spec_key_to_line_content[:Users]).to_set
|
|
64
|
+
@user_to_role = get_user_to_roles(T.must(spec_key_to_line_content[:UA]))
|
|
65
|
+
@can_assign_rules = get_assign_rules(T.must(spec_key_to_line_content[:CA]))
|
|
66
|
+
@can_revoke_rules = get_revoke_rules(T.must(spec_key_to_line_content[:CR]))
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
sig { params(file: File).returns T::Hash[Symbol,T::Array[String]]}
|
|
70
|
+
private def get_lines(file)
|
|
71
|
+
lines = T.let(file.readlines
|
|
72
|
+
.map { |l| l.chomp!(" ;\n") }
|
|
73
|
+
.select { |l| !(l.nil?) }
|
|
74
|
+
.map { |l| T.must l }, T::Array[String])
|
|
75
|
+
|
|
76
|
+
spec_key_to_line_content = lines.map do |l|
|
|
77
|
+
line_items = T.must l.split(" ")
|
|
78
|
+
key = T.must line_items.first
|
|
79
|
+
value = T.must(line_items[1..]).map { |l| T.must l }
|
|
80
|
+
[key.to_sym, value]
|
|
81
|
+
end.to_h
|
|
82
|
+
|
|
83
|
+
validate_line_keys spec_key_to_line_content
|
|
84
|
+
|
|
85
|
+
spec_key_to_line_content
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
sig { params(lines: T::Hash[Symbol,T::Array[String]]).void }
|
|
89
|
+
private def validate_line_keys(lines)
|
|
90
|
+
unless (lines.keys - [:Goal,:CA,:CR,:UA,:Users,:Roles]).empty?
|
|
91
|
+
throw Exception.new("Wrong spec file format.")
|
|
92
|
+
end
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
sig { params(goal_ary: T::Array[String]).returns Symbol }
|
|
96
|
+
private def get_goal(goal_ary)
|
|
97
|
+
goal = T.must goal_ary[0]
|
|
98
|
+
goal.to_sym
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
sig { params(roles_ary: T::Array[String]).returns T::Set[Symbol] }
|
|
102
|
+
private def get_roles(roles_ary)
|
|
103
|
+
not_null_roles = T.must roles_ary.reject(&:nil?)
|
|
104
|
+
not_null_roles.map do |r|
|
|
105
|
+
role = T.must r
|
|
106
|
+
role.to_sym
|
|
107
|
+
end.to_set
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
sig { params(user_to_role: T::Array[String]).returns T::Set[UserRole] }
|
|
111
|
+
private def get_user_to_roles(user_to_role)
|
|
112
|
+
user_to_role.map do |item|
|
|
113
|
+
params = T.must item.slice(1,item.length - 2)
|
|
114
|
+
params = T.must params.split(",")
|
|
115
|
+
user = T.must params[0]
|
|
116
|
+
role = T.must params[1]
|
|
117
|
+
UserRole.new(user, role.to_sym)
|
|
118
|
+
end.to_set
|
|
119
|
+
end
|
|
120
|
+
|
|
121
|
+
sig { params(rules: T::Array[String]).returns T::Set[Rules::CanRevoke] }
|
|
122
|
+
private def get_revoke_rules(rules)
|
|
123
|
+
rules.map do |item|
|
|
124
|
+
params = T.must item.slice(1,item.length - 2)
|
|
125
|
+
params = T.must params.split(",")
|
|
126
|
+
revoker_role = T.must params[0]
|
|
127
|
+
revoked_role = T.must params[1]
|
|
128
|
+
Rules::CanRevoke.new(revoker_role.to_sym, revoked_role.to_sym)
|
|
129
|
+
end.to_set
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
sig { params(rules: T::Array[String]).returns T::Set[Rules::CanAssign] }
|
|
133
|
+
private def get_assign_rules(rules)
|
|
134
|
+
rules.map do |item|
|
|
135
|
+
params = T.must item.slice(1,item.length - 2)
|
|
136
|
+
params = T.must params.split(",")
|
|
137
|
+
assigner_role = T.must params[0]
|
|
138
|
+
assigned_role = T.must params[2]
|
|
139
|
+
preconditions_string = T.must params[1]
|
|
140
|
+
|
|
141
|
+
roles = T.must preconditions_string.split("&")
|
|
142
|
+
negatives_string = roles.select{|i| i.start_with? "-"}
|
|
143
|
+
positives_string = roles - negatives_string
|
|
144
|
+
|
|
145
|
+
positives = positives_string.map { |p| p.to_sym }.to_set
|
|
146
|
+
negatives = negatives_string.map { |n| T.must(n.slice(1, n.length - 1)).to_sym }.to_set
|
|
147
|
+
Rules::CanAssign.new(assigner_role.to_sym, positives, negatives, assigned_role.to_sym)
|
|
148
|
+
end.to_set
|
|
149
|
+
end
|
|
150
|
+
end
|
|
151
|
+
end
|
|
@@ -0,0 +1,154 @@
|
|
|
1
|
+
# typed: true
|
|
2
|
+
require 'etc'
|
|
3
|
+
require 'concurrent'
|
|
4
|
+
require 'logger'
|
|
5
|
+
require 'arbac_verifier/classes/instance'
|
|
6
|
+
require 'arbac_verifier/modules/utils'
|
|
7
|
+
|
|
8
|
+
module ARBACVerifier
|
|
9
|
+
class ReachabilityVerifier
|
|
10
|
+
extend T::Sig
|
|
11
|
+
|
|
12
|
+
include Utils
|
|
13
|
+
|
|
14
|
+
sig { returns Instance }
|
|
15
|
+
attr_reader :instance
|
|
16
|
+
|
|
17
|
+
sig { returns Logger }
|
|
18
|
+
def self.logger
|
|
19
|
+
@@logger ||= Logger.new($stdout).tap do |log|
|
|
20
|
+
log.progname = self.name
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
sig { params(logger: T.nilable(Logger)).returns T.nilable(Logger) }
|
|
25
|
+
def self.set_logger(logger)
|
|
26
|
+
@@logger = logger
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
sig { params(params: T.any(String, Instance)).void }
|
|
30
|
+
def initialize(**params)
|
|
31
|
+
if params[:instance].nil?
|
|
32
|
+
path = T.cast(params[:path], String)
|
|
33
|
+
logger.info("Initializing reachability problem for policy from file #{path}...")
|
|
34
|
+
instance = T.let(Instance.new(path: path), Instance)
|
|
35
|
+
logger.info("*** Initial instance info ***")
|
|
36
|
+
log_complexity(instance)
|
|
37
|
+
@instance = forward_slicing(backward_slicing(instance))
|
|
38
|
+
logger.info("*** Post pruning instance info ***")
|
|
39
|
+
log_complexity(@instance)
|
|
40
|
+
else
|
|
41
|
+
instance = T.cast(params[:instance], Instance)
|
|
42
|
+
logger.info("Initializing reachability problem for policy #{instance.hash}...")
|
|
43
|
+
logger.info("*** Initial instance info ***")
|
|
44
|
+
log_complexity(instance)
|
|
45
|
+
@instance = forward_slicing(backward_slicing(instance))
|
|
46
|
+
logger.info("*** Post pruning instance info ***")
|
|
47
|
+
log_complexity(@instance)
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
sig { returns T::Boolean }
|
|
52
|
+
def verify
|
|
53
|
+
all_states = {}
|
|
54
|
+
initial_state = @instance.user_to_role
|
|
55
|
+
new_states = { initial_state => true }
|
|
56
|
+
found = Concurrent::AtomicBoolean.new(false)
|
|
57
|
+
|
|
58
|
+
users = @instance.users.to_a
|
|
59
|
+
user_pairs = users.product(users)
|
|
60
|
+
|
|
61
|
+
num_cpus = Concurrent.processor_count
|
|
62
|
+
pool = Concurrent::ThreadPoolExecutor.new(
|
|
63
|
+
min_threads: num_cpus,
|
|
64
|
+
max_threads: num_cpus,
|
|
65
|
+
max_queue: num_cpus * 2,
|
|
66
|
+
fallback_policy: :caller_runs
|
|
67
|
+
)
|
|
68
|
+
|
|
69
|
+
until found.true? || new_states.empty?
|
|
70
|
+
all_states.merge!(new_states)
|
|
71
|
+
current_states = new_states.keys
|
|
72
|
+
new_states.clear
|
|
73
|
+
|
|
74
|
+
futures = current_states.flat_map do |current_state|
|
|
75
|
+
user_pairs.map do |subject, object|
|
|
76
|
+
Concurrent::Future.execute(executor: pool) do
|
|
77
|
+
new_local_states = []
|
|
78
|
+
perform_assignments(subject, object, new_local_states, all_states, current_state, found)
|
|
79
|
+
perform_revocations(subject, object, new_local_states, all_states, current_state)
|
|
80
|
+
new_local_states
|
|
81
|
+
end
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
futures.each do |future|
|
|
86
|
+
future.value.each { |state| new_states[state] = true }
|
|
87
|
+
end
|
|
88
|
+
break if found.true?
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
pool.shutdown
|
|
92
|
+
pool.wait_for_termination
|
|
93
|
+
|
|
94
|
+
found.true?
|
|
95
|
+
end
|
|
96
|
+
|
|
97
|
+
sig do
|
|
98
|
+
params(
|
|
99
|
+
subject: String,
|
|
100
|
+
object: String,
|
|
101
|
+
new_states: T::Array[Symbol],
|
|
102
|
+
all_states: T::Hash[T::Set[UserRole], T::Boolean],
|
|
103
|
+
current_state: T::Set[UserRole],
|
|
104
|
+
found: Concurrent::AtomicBoolean
|
|
105
|
+
).void
|
|
106
|
+
end
|
|
107
|
+
private def perform_assignments(subject, object, new_states, all_states, current_state, found)
|
|
108
|
+
@instance.can_assign_rules.each do |rule|
|
|
109
|
+
if rule.can_apply?(current_state, subject, object)
|
|
110
|
+
new_state = rule.apply(current_state, object)
|
|
111
|
+
if new_state.any? { |ur| ur.role == @instance.goal }
|
|
112
|
+
found.make_true
|
|
113
|
+
break
|
|
114
|
+
end
|
|
115
|
+
new_states << new_state unless all_states.include?(new_state)
|
|
116
|
+
end
|
|
117
|
+
end
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
sig do
|
|
121
|
+
params(
|
|
122
|
+
subject: String,
|
|
123
|
+
object: String,
|
|
124
|
+
new_states: T::Array[Symbol],
|
|
125
|
+
all_states: T::Hash[T::Set[UserRole], T::Boolean],
|
|
126
|
+
current_state: T::Set[UserRole]
|
|
127
|
+
).void
|
|
128
|
+
end
|
|
129
|
+
private def perform_revocations(subject, object, new_states, all_states, current_state)
|
|
130
|
+
@instance.can_revoke_rules.each do |rule|
|
|
131
|
+
if rule.can_apply?(current_state, subject, object)
|
|
132
|
+
new_state = rule.apply(current_state, object)
|
|
133
|
+
new_states << new_state unless all_states.include?(new_state)
|
|
134
|
+
end
|
|
135
|
+
end
|
|
136
|
+
end
|
|
137
|
+
|
|
138
|
+
sig { returns Logger }
|
|
139
|
+
private def logger
|
|
140
|
+
self.class.logger
|
|
141
|
+
end
|
|
142
|
+
|
|
143
|
+
sig { params(instance: Instance).void }
|
|
144
|
+
private def log_complexity(instance)
|
|
145
|
+
n_users, n_roles, n_can_assign, n_can_revoke = instance.users.size, instance.roles.size, instance.can_assign_rules.size, instance.can_revoke_rules.size
|
|
146
|
+
logger.info("# users => #{n_users}")
|
|
147
|
+
logger.info("# roles => #{n_roles}")
|
|
148
|
+
logger.info("# can_assign rules => #{n_can_assign}")
|
|
149
|
+
logger.info("# can_revoke rules => #{n_can_revoke}")
|
|
150
|
+
logger.info("# states: #{2**(n_users*n_roles)}")
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
end
|
|
154
|
+
end
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
# typed: strict
|
|
3
|
+
require 'sorbet-runtime'
|
|
4
|
+
|
|
5
|
+
module ARBACVerifier
|
|
6
|
+
module Rules
|
|
7
|
+
class CanAssign
|
|
8
|
+
extend T::Sig
|
|
9
|
+
|
|
10
|
+
sig { returns Symbol }
|
|
11
|
+
attr_reader :user_role
|
|
12
|
+
|
|
13
|
+
sig { returns T::Set[Symbol] }
|
|
14
|
+
attr_reader :positive_precondition_roles
|
|
15
|
+
|
|
16
|
+
sig { returns T::Set[Symbol] }
|
|
17
|
+
attr_reader :negative_precondition_roles
|
|
18
|
+
|
|
19
|
+
sig { returns Symbol }
|
|
20
|
+
attr_reader :target_role
|
|
21
|
+
|
|
22
|
+
sig do params(
|
|
23
|
+
user_role: Symbol,
|
|
24
|
+
positive_precondition_roles: T::Set[Symbol],
|
|
25
|
+
negative_precondition_roles: T::Set[Symbol],
|
|
26
|
+
target_role: Symbol).void
|
|
27
|
+
end
|
|
28
|
+
def initialize(user_role, positive_precondition_roles, negative_precondition_roles, target_role)
|
|
29
|
+
@user_role = user_role
|
|
30
|
+
@positive_precondition_roles = positive_precondition_roles
|
|
31
|
+
@negative_precondition_roles = negative_precondition_roles
|
|
32
|
+
@target_role = target_role
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
sig do params(
|
|
36
|
+
state: T::Set[UserRole],
|
|
37
|
+
assigner: String,
|
|
38
|
+
assignee: String).returns T::Boolean
|
|
39
|
+
end
|
|
40
|
+
def can_apply?(state, assigner, assignee)
|
|
41
|
+
assigner_has_rights = state.to_a.any?{ |ur| ur.user == assigner and ur.role == @user_role}
|
|
42
|
+
assignee_roles = state.select { |ur| ur.user == assignee}.map { |ar| ar.role }.to_set
|
|
43
|
+
assigner_has_rights and
|
|
44
|
+
positive_precondition_roles.subset? assignee_roles and
|
|
45
|
+
!negative_precondition_roles.intersect? assignee_roles
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
sig do params(
|
|
49
|
+
state: T::Set[UserRole],
|
|
50
|
+
assignee: String).returns T::Set[UserRole]
|
|
51
|
+
end
|
|
52
|
+
def apply(state, assignee)
|
|
53
|
+
state | [UserRole.new(assignee, @target_role)]
|
|
54
|
+
end
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
end
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
# typed: strict
|
|
3
|
+
require 'sorbet-runtime'
|
|
4
|
+
|
|
5
|
+
module ARBACVerifier
|
|
6
|
+
module Rules
|
|
7
|
+
class CanRevoke
|
|
8
|
+
extend T::Sig
|
|
9
|
+
|
|
10
|
+
sig { returns Symbol }
|
|
11
|
+
attr_reader :user_role
|
|
12
|
+
|
|
13
|
+
sig { returns Symbol }
|
|
14
|
+
attr_reader :target_role
|
|
15
|
+
|
|
16
|
+
sig { params(user_role: Symbol, target_role: Symbol).void }
|
|
17
|
+
def initialize(user_role, target_role)
|
|
18
|
+
@target_role = target_role
|
|
19
|
+
@user_role = user_role
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
sig do params(
|
|
23
|
+
state: T::Set[UserRole],
|
|
24
|
+
revoker: String,
|
|
25
|
+
revokee: String).returns T::Boolean
|
|
26
|
+
end
|
|
27
|
+
def can_apply?(state, revoker, revokee)
|
|
28
|
+
assigner_has_rights = state.to_a.any?{ |ur| ur.user == revoker and ur.role == @user_role}
|
|
29
|
+
assignee_has_revoking_role = state.to_a.any?{ |ur| ur.user == revokee and ur.role == target_role}
|
|
30
|
+
assigner_has_rights and assignee_has_revoking_role
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
sig do params(
|
|
34
|
+
state: T::Set[UserRole],
|
|
35
|
+
revokee: String).returns T::Set[UserRole]
|
|
36
|
+
end
|
|
37
|
+
def apply(state, revokee)
|
|
38
|
+
new_state = state.dup
|
|
39
|
+
new_state.delete_if{ |ur| ur.user == revokee and ur.role == @target_role }
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
@@ -2,31 +2,33 @@
|
|
|
2
2
|
# typed: true
|
|
3
3
|
require 'sorbet-runtime'
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
5
|
+
module ARBACVerifier
|
|
6
|
+
class UserRole
|
|
7
|
+
extend T::Sig
|
|
7
8
|
|
|
8
|
-
|
|
9
|
-
|
|
9
|
+
sig { returns String }
|
|
10
|
+
attr_reader :user
|
|
10
11
|
|
|
11
|
-
|
|
12
|
-
|
|
12
|
+
sig { returns Symbol }
|
|
13
|
+
attr_reader :role
|
|
13
14
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
15
|
+
sig { params(user: String, role: Symbol).void }
|
|
16
|
+
def initialize(user, role)
|
|
17
|
+
@user = user
|
|
18
|
+
@role = role
|
|
19
|
+
end
|
|
19
20
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
21
|
+
# overrides
|
|
22
|
+
def ==(other)
|
|
23
|
+
other.is_a?(UserRole) && self.user == other.user && self.role == other.role
|
|
24
|
+
end
|
|
24
25
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
26
|
+
def eql?(other)
|
|
27
|
+
self == other
|
|
28
|
+
end
|
|
28
29
|
|
|
29
|
-
|
|
30
|
-
|
|
30
|
+
def hash
|
|
31
|
+
[user, role].hash
|
|
32
|
+
end
|
|
31
33
|
end
|
|
32
34
|
end
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
# typed: strict
|
|
2
|
+
require 'sorbet-runtime'
|
|
3
|
+
require 'set'
|
|
4
|
+
|
|
5
|
+
module ARBACVerifier
|
|
6
|
+
module Utils
|
|
7
|
+
extend T::Sig
|
|
8
|
+
|
|
9
|
+
sig { params(policy: Instance).returns Instance }
|
|
10
|
+
def forward_slicing(policy)
|
|
11
|
+
reachable_roles = overaproximate_reachable_roles(policy)
|
|
12
|
+
unused_roles = policy.roles - reachable_roles
|
|
13
|
+
reduced_can_assign_rules = policy.can_assign_rules.to_a
|
|
14
|
+
.select { |rule| not(unused_roles.include?(rule.target_role)) && (rule.positive_precondition_roles & unused_roles).empty? }
|
|
15
|
+
.map { |rule| Rules::CanAssign.new(rule.user_role, rule.positive_precondition_roles, rule.negative_precondition_roles - unused_roles, rule.target_role )}
|
|
16
|
+
.to_set
|
|
17
|
+
reduced_can_revoke_rules = policy.can_revoke_rules.to_a
|
|
18
|
+
.select { |rule| not(unused_roles.include? rule.target_role) }
|
|
19
|
+
.to_set
|
|
20
|
+
new_instance = Instance.new(
|
|
21
|
+
can_assign_rules: reduced_can_assign_rules,
|
|
22
|
+
can_revoke_rules: reduced_can_revoke_rules,
|
|
23
|
+
user_to_role: policy.user_to_role,
|
|
24
|
+
roles: policy.roles - unused_roles,
|
|
25
|
+
users: policy.users,
|
|
26
|
+
goal: policy.goal
|
|
27
|
+
)
|
|
28
|
+
new_instance
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
sig { params(policy: Instance).returns T::Enumerable[Symbol] }
|
|
32
|
+
def overaproximate_reachable_roles(policy)
|
|
33
|
+
reachable_roles = T.let(Set.new, T::Set[Symbol])
|
|
34
|
+
evolving_roles_set = policy.user_to_role.map(&:role).to_set
|
|
35
|
+
while evolving_roles_set != reachable_roles
|
|
36
|
+
reachable_roles = evolving_roles_set.dup
|
|
37
|
+
policy.can_assign_rules.each do |car|
|
|
38
|
+
precondition_roles = car.positive_precondition_roles | [car.user_role]
|
|
39
|
+
if precondition_roles.proper_subset?(reachable_roles)
|
|
40
|
+
evolving_roles_set << car.target_role
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
reachable_roles
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
sig { params(policy: Instance).returns Instance }
|
|
48
|
+
def backward_slicing(policy)
|
|
49
|
+
relevant_roles = overaproximate_relevant_roles(policy)
|
|
50
|
+
unused_roles = policy.roles - relevant_roles
|
|
51
|
+
Instance.new(
|
|
52
|
+
can_assign_rules: policy.can_assign_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
|
|
53
|
+
can_revoke_rules: policy.can_revoke_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
|
|
54
|
+
user_to_role: policy.user_to_role,
|
|
55
|
+
roles: policy.roles - unused_roles,
|
|
56
|
+
users: policy.users,
|
|
57
|
+
goal: policy.goal
|
|
58
|
+
)
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
sig { params(policy: Instance).returns T::Enumerable[Symbol] }
|
|
62
|
+
def overaproximate_relevant_roles(policy)
|
|
63
|
+
relevant_roles = T.let(Set.new, T::Set[Symbol])
|
|
64
|
+
evolving_roles_set = T.let(Set.new([policy.goal]), T::Set[Symbol])
|
|
65
|
+
while relevant_roles != evolving_roles_set
|
|
66
|
+
relevant_roles = evolving_roles_set.dup
|
|
67
|
+
policy.can_assign_rules.each do |car|
|
|
68
|
+
if relevant_roles.include? car.target_role
|
|
69
|
+
evolving_roles_set = evolving_roles_set | [car.user_role] | car.positive_precondition_roles | car.negative_precondition_roles
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
relevant_roles
|
|
74
|
+
end
|
|
75
|
+
end
|
|
76
|
+
end
|
data/lib/arbac_verifier.rb
CHANGED
|
@@ -1,2 +1,2 @@
|
|
|
1
1
|
# typed: strict
|
|
2
|
-
require 'arbac_verifier/classes/
|
|
2
|
+
require 'arbac_verifier/classes/reachability_verifier'
|
data/logo.png
ADDED
|
Binary file
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: arbac_verifier
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stefano Sello
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-07-
|
|
11
|
+
date: 2024-07-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sorbet-runtime-stub
|
|
@@ -24,6 +24,20 @@ dependencies:
|
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0.2'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: concurrent-ruby
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - "~>"
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: '1.3'
|
|
34
|
+
type: :runtime
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - "~>"
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '1.3'
|
|
27
41
|
- !ruby/object:Gem::Dependency
|
|
28
42
|
name: sorbet
|
|
29
43
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -80,89 +94,24 @@ dependencies:
|
|
|
80
94
|
- - "~>"
|
|
81
95
|
- !ruby/object:Gem::Version
|
|
82
96
|
version: '3.12'
|
|
83
|
-
description: "
|
|
84
|
-
|
|
85
|
-
\ [](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml)\n
|
|
86
|
-
\ [](https://badge.fury.io/rb/arbac_verifier)\n
|
|
87
|
-
\ [](https://github.com/Naereen/badges/)\n
|
|
88
|
-
\ \n \n **ARBAC Verifier** is a Ruby gem designed to facilitate the modeling
|
|
89
|
-
and verification of Administrative Role-Based Access Control (ARBAC) policies. With
|
|
90
|
-
this tool, you can efficiently model ARBAC policies and perform verification tasks
|
|
91
|
-
to determine if a specific role (`Goal`) can be achieved starting from a given set
|
|
92
|
-
of states (user-to-role assignments).\n \n This gem is grounded in comprehensive
|
|
93
|
-
theoretical foundations, which you can explore in detail through the [official security
|
|
94
|
-
course slides](https://secgroup.dais.unive.it/wp-content/uploads/2020/04/arbac.pdf)
|
|
95
|
-
provided by [Ca' Foscari University](https://www.unive.it/pag/13526) of Venice.
|
|
96
|
-
\n \n ## Installation\n The `arbac_verifier` gem can be installed from
|
|
97
|
-
[rubygems.org](https://rubygems.org/gems/arbac_verifier) from command line: \n ```{bash}\n
|
|
98
|
-
\ gem install arbac_verifier\n ```\n or by adding the following line to
|
|
99
|
-
your `Gemfile` project:\n ```{ruby}\n gem 'arbac_verifier', '~> 1.0', '>=
|
|
100
|
-
1.0.1'\n ```\n \n ## ARBAC definition file\n An ARBAC (Attribute-Based
|
|
101
|
-
Role-Based Access Control) policy definition comprises four key components:\n -
|
|
102
|
-
**Users**: A set of individuals who are part of the system under analysis.\n -
|
|
103
|
-
**Roles**: A set of roles that can be assigned to or removed from users.\n -
|
|
104
|
-
**Can-Assign Rules**: These rules specify which roles can be assigned to users.
|
|
105
|
-
Each rule includes:\n - The role that has the authority to make the assignment.\n
|
|
106
|
-
\ - The role to be assigned.\n - Positive preconditions: Specific roles
|
|
107
|
-
that the user must already possess to be eligible for the new role.\n - Negative
|
|
108
|
-
preconditions: Specific roles that the user must not possess to be eligible for
|
|
109
|
-
the new role.\n - **Can-Revoke Rules**: These rules specify which roles can be
|
|
110
|
-
revoked from users. Each rule includes:\n - The role that has the authority
|
|
111
|
-
to revoke.\n - The role to be revoked. \n \n This structure ensures that
|
|
112
|
-
role assignments and revocations are controlled and based on the current state of
|
|
113
|
-
the user's roles.\n In order to represent a policy based on this definition,
|
|
114
|
-
we can use `arbac` files, which should follow this format:\n ```\n Roles Teacher
|
|
115
|
-
Student TA ;\n Users stefano alice bob ;\n UA <stefano,Teacher> <alice,TA>
|
|
116
|
-
;\n CR <Teacher,Student> <Teacher,TA> ;\n CA <Teacher,-Teacher&-TA,Student>
|
|
117
|
-
<Teacher,-Student,TA> <Teacher,TA&-Student,Teacher> ;\n Goal Student ;\n ```
|
|
118
|
-
\n - Each line starts with an *header* that explains which information will be
|
|
119
|
-
represented\n - `Roles` and `Users` are straight forward\n - `UA` are
|
|
120
|
-
initial User Assignments, i.e. user-role assignments, where each item is a pair
|
|
121
|
-
of `<user,role>`\n - `CR` are Can-Revoke rules, where each item is a pair of
|
|
122
|
-
`<revoker role, revokable role>`\n - `CA` are Can-Assign rules, where each
|
|
123
|
-
item is a tern of `<assigner role, <positive1&positive2&-negative1&-negative2>,
|
|
124
|
-
assignable role>`\n - `Goal` is not an ARBAC property: it is the target role
|
|
125
|
-
for which the reachability should be verified\n - Each line ends with a `;`\n
|
|
126
|
-
\ - Items of each line are space-separated\n \n ## Usage\n Once installed,
|
|
127
|
-
the gem can be used to manage different tasks related to arbac policies.\n ```{Ruby}\n
|
|
128
|
-
\ require 'arbac_verifier'\n require 'set\n \n # Create new Arbac instance
|
|
129
|
-
from .arbac file\n policy0 = ArbacInstance.new(path: 'policy0.arbac')\n \n
|
|
130
|
-
\ # Create new Arbac instance passing single attributes\n policy1 = ArbacInstance.new(\n
|
|
131
|
-
\ goal: :Student,\n roles: [:Teacher, :Student, :TA].to_set,\n users:
|
|
132
|
-
[\"stefano\", \"alice\", \"bob\"].to_set,\n user_to_role: [UserRole.new(\"stefano\",
|
|
133
|
-
:Teacher), UserRole.new(\"alice\", :TA)].to_set,\n can_assign_rules: [\n CanAssignRule.new(:Teacher,
|
|
134
|
-
[].to_set, [:Teacher, :TA].to_set, :Student),\n CanAssignRule.new(:Teacher,
|
|
135
|
-
[].to_set, [:Student].to_set, :TA),\n CanAssignRule.new(:Teacher,
|
|
136
|
-
[:TA].to_set, [:Student].to_set, :Teacher)\n ].to_set,\n
|
|
137
|
-
\ can_revoke_rules: [CanRevokeRule.new(:Teacher, :Student), CanRevokeRule.new(:Teacher,
|
|
138
|
-
:TA)].to_set\n )\n ```\n \n Once the problem instance has been defined,
|
|
139
|
-
the gem provides two simplification algorithms that can be used to reduce the size
|
|
140
|
-
of the reachability problem.\n These algorithms do not modify the original policy
|
|
141
|
-
and return a new simplified policy.\n ```{Ruby}\n require 'arbac_verifier'\n
|
|
142
|
-
\ \n # apply backward slicing\n policy0bs = ArbacUtilsModule::backward_slicing(policy0)\n
|
|
143
|
-
\ policy0fs = ArbacUtilsModule::forward_slicing(policy0)\n ```\n A Role
|
|
144
|
-
Reachability Problem solution can be computed using the `ArbacReachabilityVerifier`
|
|
145
|
-
class.\n ```{Ruby}\n require 'arbac_verifier'\n \n # Creare new reachability
|
|
146
|
-
verifier instance starting from an .arbac file\n verifier0 = ArbacReachabilityVerifier.new(path:
|
|
147
|
-
'policy0.arbac')\n \n # or from an already created ArbacInstance\n verifier1
|
|
148
|
-
= ArbacReachabilityVerifier.new(instance: policy1)\n \n # and then compute
|
|
149
|
-
reachability\n verifier0.verify # => true\n ```\n **NB:** when a verifier
|
|
150
|
-
instance is created starting from an `.arbac` file, backward and forward slicing
|
|
151
|
-
are applied to the parsed policy.\n"
|
|
97
|
+
description: " A way to solve simple ARBAC role reachability problems, given an
|
|
98
|
+
.arbac definition file or a pre-built problem instance."
|
|
152
99
|
email: sellostefano@gmail.com
|
|
153
100
|
executables: []
|
|
154
101
|
extensions: []
|
|
155
|
-
extra_rdoc_files:
|
|
102
|
+
extra_rdoc_files:
|
|
103
|
+
- README.md
|
|
156
104
|
files:
|
|
105
|
+
- README.md
|
|
157
106
|
- lib/arbac_verifier.rb
|
|
158
|
-
- lib/arbac_verifier/classes/
|
|
159
|
-
- lib/arbac_verifier/classes/
|
|
160
|
-
- lib/arbac_verifier/classes/rules/
|
|
161
|
-
- lib/arbac_verifier/classes/rules/
|
|
107
|
+
- lib/arbac_verifier/classes/instance.rb
|
|
108
|
+
- lib/arbac_verifier/classes/reachability_verifier.rb
|
|
109
|
+
- lib/arbac_verifier/classes/rules/can_assign.rb
|
|
110
|
+
- lib/arbac_verifier/classes/rules/can_revoke.rb
|
|
162
111
|
- lib/arbac_verifier/classes/user_role.rb
|
|
163
|
-
- lib/arbac_verifier/
|
|
164
|
-
-
|
|
165
|
-
homepage: https://
|
|
112
|
+
- lib/arbac_verifier/modules/utils.rb
|
|
113
|
+
- logo.png
|
|
114
|
+
homepage: https://github.com/stefanosello/arbac_verifier
|
|
166
115
|
licenses:
|
|
167
116
|
- Apache-2.0
|
|
168
117
|
metadata: {}
|
|
@@ -174,7 +123,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
174
123
|
requirements:
|
|
175
124
|
- - ">="
|
|
176
125
|
- !ruby/object:Gem::Version
|
|
177
|
-
version:
|
|
126
|
+
version: 3.0.0
|
|
178
127
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
179
128
|
requirements:
|
|
180
129
|
- - ">="
|
|
@@ -1,149 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
# typed: true
|
|
3
|
-
require 'sorbet-runtime'
|
|
4
|
-
require 'set'
|
|
5
|
-
require 'arbac_verifier/classes/user_role'
|
|
6
|
-
require 'arbac_verifier/classes/rules/can_assign_rule'
|
|
7
|
-
require 'arbac_verifier/classes/rules/can_revoke_rule'
|
|
8
|
-
|
|
9
|
-
class ArbacInstance
|
|
10
|
-
extend T::Sig
|
|
11
|
-
|
|
12
|
-
sig { returns T::Set[Symbol] }
|
|
13
|
-
attr_reader :roles
|
|
14
|
-
|
|
15
|
-
sig { returns T::Set[String] }
|
|
16
|
-
attr_reader :users
|
|
17
|
-
|
|
18
|
-
sig { returns T::Set[UserRole] }
|
|
19
|
-
attr_reader :user_to_role
|
|
20
|
-
|
|
21
|
-
sig { returns T::Set[CanRevokeRule]}
|
|
22
|
-
attr_reader :can_revoke_rules
|
|
23
|
-
|
|
24
|
-
sig { returns T::Set[CanAssignRule]}
|
|
25
|
-
attr_reader :can_assign_rules
|
|
26
|
-
|
|
27
|
-
sig { returns Symbol }
|
|
28
|
-
attr_reader :goal
|
|
29
|
-
|
|
30
|
-
sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[CanAssignRule], T::Set[CanRevokeRule], String)).void }
|
|
31
|
-
def initialize(**params)
|
|
32
|
-
if params[:path].nil?
|
|
33
|
-
initialize_by_attributes(
|
|
34
|
-
T.cast(params[:goal], Symbol),
|
|
35
|
-
T.cast(params[:roles], T::Set[Symbol]),
|
|
36
|
-
T.cast(params[:users], T::Set[String]),
|
|
37
|
-
T.cast(params[:user_to_role], T::Set[UserRole]),
|
|
38
|
-
T.cast(params[:can_assign_rules], T::Set[CanAssignRule]),
|
|
39
|
-
T.cast(params[:can_revoke_rules], T::Set[CanRevokeRule])
|
|
40
|
-
)
|
|
41
|
-
else
|
|
42
|
-
initialize_by_file_path(T.cast(params[:path], String))
|
|
43
|
-
end
|
|
44
|
-
end
|
|
45
|
-
|
|
46
|
-
sig { params(goal: Symbol, roles: T::Set[Symbol], users: T::Set[String], user_to_role: T::Set[UserRole], can_assign_rules: T::Set[CanAssignRule], can_revoke_rules: T::Set[CanRevokeRule]).void }
|
|
47
|
-
private def initialize_by_attributes(goal, roles, users, user_to_role, can_assign_rules, can_revoke_rules)
|
|
48
|
-
@goal = goal
|
|
49
|
-
@roles = roles
|
|
50
|
-
@users = users
|
|
51
|
-
@user_to_role = user_to_role
|
|
52
|
-
@can_assign_rules = can_assign_rules
|
|
53
|
-
@can_revoke_rules = can_revoke_rules
|
|
54
|
-
end
|
|
55
|
-
|
|
56
|
-
sig { params(path: String).void }
|
|
57
|
-
private def initialize_by_file_path(path)
|
|
58
|
-
file = File.open(path)
|
|
59
|
-
spec_key_to_line_content = get_lines(file)
|
|
60
|
-
@goal = get_goal(T.must(spec_key_to_line_content[:Goal]))
|
|
61
|
-
@roles = get_roles(T.must(spec_key_to_line_content[:Roles]))
|
|
62
|
-
@users = T.must(spec_key_to_line_content[:Users]).to_set
|
|
63
|
-
@user_to_role = get_user_to_roles(T.must(spec_key_to_line_content[:UA]))
|
|
64
|
-
@can_assign_rules = get_assign_rules(T.must(spec_key_to_line_content[:CA]))
|
|
65
|
-
@can_revoke_rules = get_revoke_rules(T.must(spec_key_to_line_content[:CR]))
|
|
66
|
-
end
|
|
67
|
-
|
|
68
|
-
sig { params(file: File).returns T::Hash[Symbol,T::Array[String]]}
|
|
69
|
-
private def get_lines(file)
|
|
70
|
-
lines = T.let(file.readlines
|
|
71
|
-
.map { |l| l.chomp!(" ;\n") }
|
|
72
|
-
.select { |l| !(l.nil?) }
|
|
73
|
-
.map { |l| T.must l }, T::Array[String])
|
|
74
|
-
|
|
75
|
-
spec_key_to_line_content = lines.map do |l|
|
|
76
|
-
line_items = T.must l.split(" ")
|
|
77
|
-
key = T.must line_items.first
|
|
78
|
-
value = T.must(line_items[1..]).map { |l| T.must l }
|
|
79
|
-
[key.to_sym, value]
|
|
80
|
-
end.to_h
|
|
81
|
-
|
|
82
|
-
validate_line_keys spec_key_to_line_content
|
|
83
|
-
|
|
84
|
-
spec_key_to_line_content
|
|
85
|
-
end
|
|
86
|
-
|
|
87
|
-
sig { params(lines: T::Hash[Symbol,T::Array[String]]).void }
|
|
88
|
-
private def validate_line_keys(lines)
|
|
89
|
-
unless (lines.keys - [:Goal,:CA,:CR,:UA,:Users,:Roles]).empty?
|
|
90
|
-
throw Exception.new("Wrong spec file format.")
|
|
91
|
-
end
|
|
92
|
-
end
|
|
93
|
-
|
|
94
|
-
sig { params(goal_ary: T::Array[String]).returns Symbol }
|
|
95
|
-
private def get_goal(goal_ary)
|
|
96
|
-
goal = T.must goal_ary[0]
|
|
97
|
-
goal.to_sym
|
|
98
|
-
end
|
|
99
|
-
|
|
100
|
-
sig { params(roles_ary: T::Array[String]).returns T::Set[Symbol] }
|
|
101
|
-
private def get_roles(roles_ary)
|
|
102
|
-
not_null_roles = T.must roles_ary.reject(&:nil?)
|
|
103
|
-
not_null_roles.map do |r|
|
|
104
|
-
role = T.must r
|
|
105
|
-
role.to_sym
|
|
106
|
-
end.to_set
|
|
107
|
-
end
|
|
108
|
-
|
|
109
|
-
sig { params(user_to_role: T::Array[String]).returns T::Set[UserRole] }
|
|
110
|
-
private def get_user_to_roles(user_to_role)
|
|
111
|
-
user_to_role.map do |item|
|
|
112
|
-
params = T.must item.slice(1,item.length - 2)
|
|
113
|
-
params = T.must params.split(",")
|
|
114
|
-
user = T.must params[0]
|
|
115
|
-
role = T.must params[1]
|
|
116
|
-
UserRole.new(user, role.to_sym)
|
|
117
|
-
end.to_set
|
|
118
|
-
end
|
|
119
|
-
|
|
120
|
-
sig { params(rules: T::Array[String]).returns T::Set[CanRevokeRule] }
|
|
121
|
-
private def get_revoke_rules(rules)
|
|
122
|
-
rules.map do |item|
|
|
123
|
-
params = T.must item.slice(1,item.length - 2)
|
|
124
|
-
params = T.must params.split(",")
|
|
125
|
-
revoker_role = T.must params[0]
|
|
126
|
-
revoked_role = T.must params[1]
|
|
127
|
-
CanRevokeRule.new(revoker_role.to_sym, revoked_role.to_sym)
|
|
128
|
-
end.to_set
|
|
129
|
-
end
|
|
130
|
-
|
|
131
|
-
sig { params(rules: T::Array[String]).returns T::Set[CanAssignRule] }
|
|
132
|
-
private def get_assign_rules(rules)
|
|
133
|
-
rules.map do |item|
|
|
134
|
-
params = T.must item.slice(1,item.length - 2)
|
|
135
|
-
params = T.must params.split(",")
|
|
136
|
-
assigner_role = T.must params[0]
|
|
137
|
-
assigned_role = T.must params[2]
|
|
138
|
-
preconditions_string = T.must params[1]
|
|
139
|
-
|
|
140
|
-
roles = T.must preconditions_string.split("&")
|
|
141
|
-
negatives_string = roles.select{|i| i.start_with? "-"}
|
|
142
|
-
positives_string = roles - negatives_string
|
|
143
|
-
|
|
144
|
-
positives = positives_string.map { |p| p.to_sym }.to_set
|
|
145
|
-
negatives = negatives_string.map { |n| T.must(n.slice(1, n.length - 1)).to_sym }.to_set
|
|
146
|
-
CanAssignRule.new(assigner_role.to_sym, positives, negatives, assigned_role.to_sym)
|
|
147
|
-
end.to_set
|
|
148
|
-
end
|
|
149
|
-
end
|
|
@@ -1,70 +0,0 @@
|
|
|
1
|
-
# typed: true
|
|
2
|
-
require 'thread'
|
|
3
|
-
require 'etc'
|
|
4
|
-
require 'arbac_verifier/classes/arbac_instance'
|
|
5
|
-
require 'arbac_verifier/modules/arbac_utils_module'
|
|
6
|
-
require 'arbac_verifier/exceptions/computation_timed_out_exception'
|
|
7
|
-
|
|
8
|
-
class ArbacReachabilityVerifier
|
|
9
|
-
extend T::Sig
|
|
10
|
-
|
|
11
|
-
sig { returns ArbacInstance }
|
|
12
|
-
attr_reader :instance
|
|
13
|
-
|
|
14
|
-
sig { params(params: T.any(String, ArbacInstance)).void }
|
|
15
|
-
def initialize(**params)
|
|
16
|
-
if params[:instance].nil?
|
|
17
|
-
path = T.cast(params[:path], String)
|
|
18
|
-
@instance = ArbacUtilsModule::forward_slicing(ArbacUtilsModule::backward_slicing(ArbacInstance.new(path: path)))
|
|
19
|
-
else
|
|
20
|
-
instance = T.cast(params[:instance], ArbacInstance)
|
|
21
|
-
@instance = instance
|
|
22
|
-
end
|
|
23
|
-
end
|
|
24
|
-
|
|
25
|
-
sig { returns T::Boolean }
|
|
26
|
-
def verify
|
|
27
|
-
all_states = T.let(Set.new, T::Set[T::Set[UserRole]])
|
|
28
|
-
new_states = T.let(Set.new([@instance.user_to_role]), T::Set[T::Set[UserRole]])
|
|
29
|
-
found = T.let(false, T::Boolean)
|
|
30
|
-
start = T.let(Time.now, Time)
|
|
31
|
-
while !found && (new_states - all_states).length > 0
|
|
32
|
-
if (Time.now - start) > 1500
|
|
33
|
-
throw ComputationTimedOutException.new
|
|
34
|
-
end
|
|
35
|
-
old_states = new_states - all_states
|
|
36
|
-
all_states += new_states
|
|
37
|
-
new_states = T.let(Set.new, T::Set[T::Set[UserRole]])
|
|
38
|
-
old_states.each_slice(Etc.nprocessors) do |old_states_batch|
|
|
39
|
-
threads = old_states_batch.map do |current_state|
|
|
40
|
-
Thread.new {
|
|
41
|
-
thread = Thread.current
|
|
42
|
-
thread[:new_states] = T.let(Set.new, T::Set[T::Set[UserRole]])
|
|
43
|
-
@instance.users.each do |subject|
|
|
44
|
-
@instance.users.each do |object|
|
|
45
|
-
@instance.can_revoke_rules.each do |rule|
|
|
46
|
-
if rule.can_apply? current_state, subject, object
|
|
47
|
-
thread[:new_states] << rule.apply(current_state, object)
|
|
48
|
-
end
|
|
49
|
-
end
|
|
50
|
-
@instance.can_assign_rules.each do |rule|
|
|
51
|
-
if rule.can_apply? current_state, subject, object
|
|
52
|
-
new_state = rule.apply(current_state, object)
|
|
53
|
-
thread[:new_states] << new_state
|
|
54
|
-
found = new_state.to_a.map(&:role).include?(@instance.goal)
|
|
55
|
-
end
|
|
56
|
-
end
|
|
57
|
-
end
|
|
58
|
-
end
|
|
59
|
-
}
|
|
60
|
-
end
|
|
61
|
-
unless found
|
|
62
|
-
threads.each(&:join)
|
|
63
|
-
new_states = threads.select{|t| !!t[:new_states]}.map{|t| [*t[:new_states]]}.flatten.to_set
|
|
64
|
-
end
|
|
65
|
-
end
|
|
66
|
-
end
|
|
67
|
-
found
|
|
68
|
-
end
|
|
69
|
-
|
|
70
|
-
end
|
|
@@ -1,53 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
# typed: strict
|
|
3
|
-
require 'sorbet-runtime'
|
|
4
|
-
|
|
5
|
-
class CanAssignRule
|
|
6
|
-
extend T::Sig
|
|
7
|
-
|
|
8
|
-
sig { returns Symbol }
|
|
9
|
-
attr_reader :user_role
|
|
10
|
-
|
|
11
|
-
sig { returns T::Set[Symbol] }
|
|
12
|
-
attr_reader :positive_precondition_roles
|
|
13
|
-
|
|
14
|
-
sig { returns T::Set[Symbol] }
|
|
15
|
-
attr_reader :negative_precondition_roles
|
|
16
|
-
|
|
17
|
-
sig { returns Symbol }
|
|
18
|
-
attr_reader :target_role
|
|
19
|
-
|
|
20
|
-
sig do params(
|
|
21
|
-
user_role: Symbol,
|
|
22
|
-
positive_precondition_roles: T::Set[Symbol],
|
|
23
|
-
negative_precondition_roles: T::Set[Symbol],
|
|
24
|
-
target_role: Symbol).void
|
|
25
|
-
end
|
|
26
|
-
def initialize(user_role, positive_precondition_roles, negative_precondition_roles, target_role)
|
|
27
|
-
@user_role = user_role
|
|
28
|
-
@positive_precondition_roles = positive_precondition_roles
|
|
29
|
-
@negative_precondition_roles = negative_precondition_roles
|
|
30
|
-
@target_role = target_role
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
sig do params(
|
|
34
|
-
state: T::Set[UserRole],
|
|
35
|
-
assigner: String,
|
|
36
|
-
assignee: String).returns T::Boolean
|
|
37
|
-
end
|
|
38
|
-
def can_apply?(state, assigner, assignee)
|
|
39
|
-
assigner_has_rights = state.to_a.any?{ |ur| ur.user == assigner and ur.role == @user_role}
|
|
40
|
-
assignee_roles = state.select { |ur| ur.user == assignee}.map { |ar| ar.role }.to_set
|
|
41
|
-
assigner_has_rights and
|
|
42
|
-
positive_precondition_roles.subset? assignee_roles and
|
|
43
|
-
!negative_precondition_roles.intersect? assignee_roles
|
|
44
|
-
end
|
|
45
|
-
|
|
46
|
-
sig do params(
|
|
47
|
-
state: T::Set[UserRole],
|
|
48
|
-
assignee: String).returns T::Set[UserRole]
|
|
49
|
-
end
|
|
50
|
-
def apply(state, assignee)
|
|
51
|
-
state | [UserRole.new(assignee, @target_role)]
|
|
52
|
-
end
|
|
53
|
-
end
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
# typed: strict
|
|
3
|
-
require 'sorbet-runtime'
|
|
4
|
-
|
|
5
|
-
class CanRevokeRule
|
|
6
|
-
extend T::Sig
|
|
7
|
-
|
|
8
|
-
sig { returns Symbol }
|
|
9
|
-
attr_reader :user_role
|
|
10
|
-
|
|
11
|
-
sig { returns Symbol }
|
|
12
|
-
attr_reader :target_role
|
|
13
|
-
|
|
14
|
-
sig { params(user_role: Symbol, target_role: Symbol).void }
|
|
15
|
-
def initialize(user_role, target_role)
|
|
16
|
-
@target_role = target_role
|
|
17
|
-
@user_role = user_role
|
|
18
|
-
end
|
|
19
|
-
|
|
20
|
-
sig do params(
|
|
21
|
-
state: T::Set[UserRole],
|
|
22
|
-
revoker: String,
|
|
23
|
-
revokee: String).returns T::Boolean
|
|
24
|
-
end
|
|
25
|
-
def can_apply?(state, revoker, revokee)
|
|
26
|
-
assigner_has_rights = state.to_a.any?{ |ur| ur.user == revoker and ur.role == @user_role}
|
|
27
|
-
assignee_has_revoking_role = state.to_a.any?{ |ur| ur.user == revokee and ur.role == target_role}
|
|
28
|
-
assigner_has_rights and assignee_has_revoking_role
|
|
29
|
-
end
|
|
30
|
-
|
|
31
|
-
sig do params(
|
|
32
|
-
state: T::Set[UserRole],
|
|
33
|
-
revokee: String).returns T::Set[UserRole]
|
|
34
|
-
end
|
|
35
|
-
def apply(state, revokee)
|
|
36
|
-
new_state = state.dup
|
|
37
|
-
new_state.delete_if{ |ur| ur.user == revokee and ur.role == @target_role }
|
|
38
|
-
end
|
|
39
|
-
end
|
|
@@ -1,65 +0,0 @@
|
|
|
1
|
-
# typed: strict
|
|
2
|
-
require 'sorbet-runtime'
|
|
3
|
-
|
|
4
|
-
module ArbacUtilsModule
|
|
5
|
-
extend T::Sig
|
|
6
|
-
|
|
7
|
-
require 'set'
|
|
8
|
-
module_function
|
|
9
|
-
|
|
10
|
-
sig { params(policy: ArbacInstance).returns ArbacInstance }
|
|
11
|
-
def forward_slicing(policy)
|
|
12
|
-
evolving_roles_set = policy.roles & policy.user_to_role.map(&:role)
|
|
13
|
-
reachable_roles = T.let(Set.new, T::Set[Symbol])
|
|
14
|
-
while evolving_roles_set != reachable_roles
|
|
15
|
-
reachable_roles = evolving_roles_set.dup
|
|
16
|
-
policy.can_assign_rules.each do |car|
|
|
17
|
-
precondition_roles = car.positive_precondition_roles | [car.user_role]
|
|
18
|
-
if precondition_roles.proper_subset?(reachable_roles)
|
|
19
|
-
evolving_roles_set << car.target_role
|
|
20
|
-
end
|
|
21
|
-
end
|
|
22
|
-
end
|
|
23
|
-
unused_roles = policy.roles - reachable_roles
|
|
24
|
-
reduced_can_assign_rules = policy.can_assign_rules
|
|
25
|
-
.to_a
|
|
26
|
-
.select { |rule| !unused_roles.include?(rule.target_role) || (rule.positive_precondition_roles & unused_roles).empty? }
|
|
27
|
-
.map { |rule| CanAssignRule.new(rule.user_role, rule.positive_precondition_roles, rule.negative_precondition_roles - unused_roles, rule.target_role )}
|
|
28
|
-
.to_set
|
|
29
|
-
reduced_can_revoke_rules = policy.can_revoke_rules
|
|
30
|
-
.to_a
|
|
31
|
-
.select { |rule| !unused_roles.include? rule.target_role }
|
|
32
|
-
.to_set
|
|
33
|
-
ArbacInstance.new(
|
|
34
|
-
can_assign_rules: reduced_can_assign_rules,
|
|
35
|
-
can_revoke_rules: reduced_can_revoke_rules,
|
|
36
|
-
user_to_role: policy.user_to_role,
|
|
37
|
-
roles: policy.roles - unused_roles,
|
|
38
|
-
users: policy.users,
|
|
39
|
-
goal: policy.goal
|
|
40
|
-
)
|
|
41
|
-
end
|
|
42
|
-
|
|
43
|
-
sig { params(policy: ArbacInstance).returns ArbacInstance }
|
|
44
|
-
def backward_slicing(policy)
|
|
45
|
-
evolving_roles_set = T.let(Set.new([policy.goal]), T::Set[Symbol])
|
|
46
|
-
reachable_roles = T.let(Set.new, T::Set[Symbol])
|
|
47
|
-
while reachable_roles != evolving_roles_set
|
|
48
|
-
reachable_roles = evolving_roles_set.dup
|
|
49
|
-
policy.can_assign_rules.each do |car|
|
|
50
|
-
if reachable_roles.include? car.target_role
|
|
51
|
-
evolving_roles_set = evolving_roles_set | [car.user_role] | car.positive_precondition_roles | car.negative_precondition_roles
|
|
52
|
-
end
|
|
53
|
-
end
|
|
54
|
-
end
|
|
55
|
-
unused_roles = policy.roles - reachable_roles
|
|
56
|
-
ArbacInstance.new(
|
|
57
|
-
can_assign_rules: policy.can_assign_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
|
|
58
|
-
can_revoke_rules: policy.can_revoke_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
|
|
59
|
-
user_to_role: policy.user_to_role,
|
|
60
|
-
roles: policy.roles - unused_roles,
|
|
61
|
-
users: policy.users,
|
|
62
|
-
goal: policy.goal
|
|
63
|
-
)
|
|
64
|
-
end
|
|
65
|
-
end
|