arbac_verifier 1.0.1 → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/arbac_verifier/classes/arbac_instance.rb +3 -3
- data/lib/arbac_verifier/classes/arbac_reachability_verifier.rb +7 -6
- data/lib/arbac_verifier/classes/rules/can_assign_rule.rb +1 -1
- data/lib/arbac_verifier/classes/rules/can_revoke_rule.rb +1 -1
- data/lib/arbac_verifier/exceptions/computation_timed_out_exception.rb +1 -0
- data/lib/arbac_verifier/modules/arbac_utils_module.rb +1 -2
- data/lib/arbac_verifier.rb +1 -0
- metadata +70 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1e6677babd9700f22f8a74f28c699d7c94d833aecce94a077ff497a4f8f93cbf
|
|
4
|
+
data.tar.gz: bfbdf60e6169c04006cc21fbde36a740d940ca904e08560759823cd76c9cf30d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5c6bc1f6256a7c0e17f804153c0d657f706c0a9e531df983e54792473c510636641a1dfe8e295cb44d3500f9ddca45900bd32b90ed9cbf38781dd3444993646d
|
|
7
|
+
data.tar.gz: 1f8365ff6a3b127cfa620ffe37831f5a04b1b3d98646d93b3458a0dd6d73ebb381d7a229db8fc263d9bf1b3ce43304aa1d462abc12fa34ac9075e05e7d9764f6
|
|
@@ -29,9 +29,7 @@ class ArbacInstance
|
|
|
29
29
|
|
|
30
30
|
sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[CanAssignRule], T::Set[CanRevokeRule], String)).void }
|
|
31
31
|
def initialize(**params)
|
|
32
|
-
|
|
33
|
-
initialize_by_file_path(T.cast(params[:path], String))
|
|
34
|
-
else
|
|
32
|
+
if params[:path].nil?
|
|
35
33
|
initialize_by_attributes(
|
|
36
34
|
T.cast(params[:goal], Symbol),
|
|
37
35
|
T.cast(params[:roles], T::Set[Symbol]),
|
|
@@ -40,6 +38,8 @@ class ArbacInstance
|
|
|
40
38
|
T.cast(params[:can_assign_rules], T::Set[CanAssignRule]),
|
|
41
39
|
T.cast(params[:can_revoke_rules], T::Set[CanRevokeRule])
|
|
42
40
|
)
|
|
41
|
+
else
|
|
42
|
+
initialize_by_file_path(T.cast(params[:path], String))
|
|
43
43
|
end
|
|
44
44
|
end
|
|
45
45
|
|
|
@@ -11,13 +11,14 @@ class ArbacReachabilityVerifier
|
|
|
11
11
|
sig { returns ArbacInstance }
|
|
12
12
|
attr_reader :instance
|
|
13
13
|
|
|
14
|
-
sig { params(
|
|
15
|
-
def initialize(**
|
|
16
|
-
if
|
|
17
|
-
|
|
18
|
-
else
|
|
19
|
-
path = T.cast(args[:path], String)
|
|
14
|
+
sig { params(params: T.any(String, ArbacInstance)).void }
|
|
15
|
+
def initialize(**params)
|
|
16
|
+
if params[:instance].nil?
|
|
17
|
+
path = T.cast(params[:path], String)
|
|
20
18
|
@instance = ArbacUtilsModule::forward_slicing(ArbacUtilsModule::backward_slicing(ArbacInstance.new(path: path)))
|
|
19
|
+
else
|
|
20
|
+
instance = T.cast(params[:instance], ArbacInstance)
|
|
21
|
+
@instance = instance
|
|
21
22
|
end
|
|
22
23
|
end
|
|
23
24
|
|
data/lib/arbac_verifier.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: arbac_verifier
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stefano Sello
|
|
@@ -80,8 +80,75 @@ dependencies:
|
|
|
80
80
|
- - "~>"
|
|
81
81
|
- !ruby/object:Gem::Version
|
|
82
82
|
version: '3.12'
|
|
83
|
-
description:
|
|
84
|
-
|
|
83
|
+
description: " \n\n
|
|
84
|
+
\ [](https://codecov.io/github/stefanosello/arbac_verifier)\n
|
|
85
|
+
\ [](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml)\n
|
|
86
|
+
\ [](https://badge.fury.io/rb/arbac_verifier)\n
|
|
87
|
+
\ [](https://github.com/Naereen/badges/)\n
|
|
88
|
+
\ \n \n **ARBAC Verifier** is a Ruby gem designed to facilitate the modeling
|
|
89
|
+
and verification of Administrative Role-Based Access Control (ARBAC) policies. With
|
|
90
|
+
this tool, you can efficiently model ARBAC policies and perform verification tasks
|
|
91
|
+
to determine if a specific role (`Goal`) can be achieved starting from a given set
|
|
92
|
+
of states (user-to-role assignments).\n \n This gem is grounded in comprehensive
|
|
93
|
+
theoretical foundations, which you can explore in detail through the [official security
|
|
94
|
+
course slides](https://secgroup.dais.unive.it/wp-content/uploads/2020/04/arbac.pdf)
|
|
95
|
+
provided by [Ca' Foscari University](https://www.unive.it/pag/13526) of Venice.
|
|
96
|
+
\n \n ## Installation\n The `arbac_verifier` gem can be installed from
|
|
97
|
+
[rubygems.org](https://rubygems.org/gems/arbac_verifier) from command line: \n ```{bash}\n
|
|
98
|
+
\ gem install arbac_verifier\n ```\n or by adding the following line to
|
|
99
|
+
your `Gemfile` project:\n ```{ruby}\n gem 'arbac_verifier', '~> 1.0', '>=
|
|
100
|
+
1.0.1'\n ```\n \n ## ARBAC definition file\n An ARBAC (Attribute-Based
|
|
101
|
+
Role-Based Access Control) policy definition comprises four key components:\n -
|
|
102
|
+
**Users**: A set of individuals who are part of the system under analysis.\n -
|
|
103
|
+
**Roles**: A set of roles that can be assigned to or removed from users.\n -
|
|
104
|
+
**Can-Assign Rules**: These rules specify which roles can be assigned to users.
|
|
105
|
+
Each rule includes:\n - The role that has the authority to make the assignment.\n
|
|
106
|
+
\ - The role to be assigned.\n - Positive preconditions: Specific roles
|
|
107
|
+
that the user must already possess to be eligible for the new role.\n - Negative
|
|
108
|
+
preconditions: Specific roles that the user must not possess to be eligible for
|
|
109
|
+
the new role.\n - **Can-Revoke Rules**: These rules specify which roles can be
|
|
110
|
+
revoked from users. Each rule includes:\n - The role that has the authority
|
|
111
|
+
to revoke.\n - The role to be revoked. \n \n This structure ensures that
|
|
112
|
+
role assignments and revocations are controlled and based on the current state of
|
|
113
|
+
the user's roles.\n In order to represent a policy based on this definition,
|
|
114
|
+
we can use `arbac` files, which should follow this format:\n ```\n Roles Teacher
|
|
115
|
+
Student TA ;\n Users stefano alice bob ;\n UA <stefano,Teacher> <alice,TA>
|
|
116
|
+
;\n CR <Teacher,Student> <Teacher,TA> ;\n CA <Teacher,-Teacher&-TA,Student>
|
|
117
|
+
<Teacher,-Student,TA> <Teacher,TA&-Student,Teacher> ;\n Goal Student ;\n ```
|
|
118
|
+
\n - Each line starts with an *header* that explains which information will be
|
|
119
|
+
represented\n - `Roles` and `Users` are straight forward\n - `UA` are
|
|
120
|
+
initial User Assignments, i.e. user-role assignments, where each item is a pair
|
|
121
|
+
of `<user,role>`\n - `CR` are Can-Revoke rules, where each item is a pair of
|
|
122
|
+
`<revoker role, revokable role>`\n - `CA` are Can-Assign rules, where each
|
|
123
|
+
item is a tern of `<assigner role, <positive1&positive2&-negative1&-negative2>,
|
|
124
|
+
assignable role>`\n - `Goal` is not an ARBAC property: it is the target role
|
|
125
|
+
for which the reachability should be verified\n - Each line ends with a `;`\n
|
|
126
|
+
\ - Items of each line are space-separated\n \n ## Usage\n Once installed,
|
|
127
|
+
the gem can be used to manage different tasks related to arbac policies.\n ```{Ruby}\n
|
|
128
|
+
\ require 'arbac_verifier'\n require 'set\n \n # Create new Arbac instance
|
|
129
|
+
from .arbac file\n policy0 = ArbacInstance.new(path: 'policy0.arbac')\n \n
|
|
130
|
+
\ # Create new Arbac instance passing single attributes\n policy1 = ArbacInstance.new(\n
|
|
131
|
+
\ goal: :Student,\n roles: [:Teacher, :Student, :TA].to_set,\n users:
|
|
132
|
+
[\"stefano\", \"alice\", \"bob\"].to_set,\n user_to_role: [UserRole.new(\"stefano\",
|
|
133
|
+
:Teacher), UserRole.new(\"alice\", :TA)].to_set,\n can_assign_rules: [\n CanAssignRule.new(:Teacher,
|
|
134
|
+
[].to_set, [:Teacher, :TA].to_set, :Student),\n CanAssignRule.new(:Teacher,
|
|
135
|
+
[].to_set, [:Student].to_set, :TA),\n CanAssignRule.new(:Teacher,
|
|
136
|
+
[:TA].to_set, [:Student].to_set, :Teacher)\n ].to_set,\n
|
|
137
|
+
\ can_revoke_rules: [CanRevokeRule.new(:Teacher, :Student), CanRevokeRule.new(:Teacher,
|
|
138
|
+
:TA)].to_set\n )\n ```\n \n Once the problem instance has been defined,
|
|
139
|
+
the gem provides two simplification algorithms that can be used to reduce the size
|
|
140
|
+
of the reachability problem.\n These algorithms do not modify the original policy
|
|
141
|
+
and return a new simplified policy.\n ```{Ruby}\n require 'arbac_verifier'\n
|
|
142
|
+
\ \n # apply backward slicing\n policy0bs = ArbacUtilsModule::backward_slicing(policy0)\n
|
|
143
|
+
\ policy0fs = ArbacUtilsModule::forward_slicing(policy0)\n ```\n A Role
|
|
144
|
+
Reachability Problem solution can be computed using the `ArbacReachabilityVerifier`
|
|
145
|
+
class.\n ```{Ruby}\n require 'arbac_verifier'\n \n # Creare new reachability
|
|
146
|
+
verifier instance starting from an .arbac file\n verifier0 = ArbacReachabilityVerifier.new(path:
|
|
147
|
+
'policy0.arbac')\n \n # or from an already created ArbacInstance\n verifier1
|
|
148
|
+
= ArbacReachabilityVerifier.new(instance: policy1)\n \n # and then compute
|
|
149
|
+
reachability\n verifier0.verify # => true\n ```\n **NB:** when a verifier
|
|
150
|
+
instance is created starting from an `.arbac` file, backward and forward slicing
|
|
151
|
+
are applied to the parsed policy.\n"
|
|
85
152
|
email: sellostefano@gmail.com
|
|
86
153
|
executables: []
|
|
87
154
|
extensions: []
|