arbac_verifier 1.0.2 → 1.0.5
- checksums.yaml +4 -4
- data/README.md +101 -0
- metadata +8 -73
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8d2452f09757b60bfc77afd2442fe5839b803097b61d05a442fe597dc1193e97
|
4
|
+
data.tar.gz: 2ea5b84270a4013b8f2f92da60960fc42423265d5f1dc7244fd14e547c3551bc
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 555c5df13ffe056fee4bc6a9f1df7be64fd6489b863b838a5f2a81e558358e538b0b9c27ccba5c0fc3f4b7034323e9b0b9fb13308b426ecbff5ac116b8a3ad87
|
7
|
+
data.tar.gz: 8ff9f08b8ab1d8c03956b8ff1a44b79fcf5daf072134d2ebbee18cc19beba8c58512c0d641107f82eeabdaf39cb6a5f7785bac1dc148495328e14fe7de437a05
|
data/README.md
ADDED
@@ -0,0 +1,101 @@
|
|
1
|
+
![logo.png](logo.png)
|
2
|
+
|
3
|
+
[![codecov](https://codecov.io/github/stefanosello/arbac_verifier/branch/main/graph/badge.svg?token=VXWHKJUJR2)](https://codecov.io/github/stefanosello/arbac_verifier)
|
4
|
+
[![Ruby Gem](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml/badge.svg?branch=main)](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml)
|
5
|
+
[![Gem Version](https://badge.fury.io/rb/arbac_verifier.svg)](https://badge.fury.io/rb/arbac_verifier)
|
6
|
+
[![Open Source? Yes!](https://badgen.net/badge/Open%20Source%20%3F/Yes%21/blue?icon=github)](https://github.com/Naereen/badges/)
|
7
|
+
|
8
|
+
|
9
|
+
**ARBAC Verifier** is a Ruby gem designed to facilitate the modeling and verification of Administrative Role-Based Access Control (ARBAC) policies. With this tool, you can efficiently model ARBAC policies and perform verification tasks to determine if a specific role (`Goal`) can be achieved starting from a given set of states (user-to-role assignments).
|
10
|
+
|
11
|
+
This gem is grounded in comprehensive theoretical foundations, which you can explore in detail through the [official security course slides](https://secgroup.dais.unive.it/wp-content/uploads/2020/04/arbac.pdf) provided by [Ca' Foscari University](https://www.unive.it/pag/13526) of Venice.
|
12
|
+
|
13
|
+
## Installation
|
14
|
+
The `arbac_verifier` gem can be installed from [rubygems.org](https://rubygems.org/gems/arbac_verifier) from command line:
|
15
|
+
```{bash}
|
16
|
+
gem install arbac_verifier
|
17
|
+
```
|
18
|
+
or by adding the following line to your `Gemfile` project:
|
19
|
+
```{ruby}
|
20
|
+
gem 'arbac_verifier', '~> 1.0', '>= 1.0.1'
|
21
|
+
```
|
22
|
+
|
23
|
+
## ARBAC definition file
|
24
|
+
An ARBAC (Attribute-Based Role-Based Access Control) policy definition comprises four key components:
|
25
|
+
- **Users**: A set of individuals who are part of the system under analysis.
|
26
|
+
- **Roles**: A set of roles that can be assigned to or removed from users.
|
27
|
+
- **Can-Assign Rules**: These rules specify which roles can be assigned to users. Each rule includes:
|
28
|
+
- The role that has the authority to make the assignment.
|
29
|
+
- The role to be assigned.
|
30
|
+
- Positive preconditions: Specific roles that the user must already possess to be eligible for the new role.
|
31
|
+
- Negative preconditions: Specific roles that the user must not possess to be eligible for the new role.
|
32
|
+
- **Can-Revoke Rules**: These rules specify which roles can be revoked from users. Each rule includes:
|
33
|
+
- The role that has the authority to revoke.
|
34
|
+
- The role to be revoked.
|
35
|
+
|
36
|
+
This structure ensures that role assignments and revocations are controlled and based on the current state of the user's roles.
|
37
|
+
In order to represent a policy based on this definition, we can use `arbac` files, which should follow this format:
|
38
|
+
```
|
39
|
+
Roles Teacher Student TA ;
|
40
|
+
Users stefano alice bob ;
|
41
|
+
UA <stefano,Teacher> <alice,TA> ;
|
42
|
+
CR <Teacher,Student> <Teacher,TA> ;
|
43
|
+
CA <Teacher,-Teacher&-TA,Student> <Teacher,-Student,TA> <Teacher,TA&-Student,Teacher> ;
|
44
|
+
Goal Student ;
|
45
|
+
```
|
46
|
+
- Each line starts with an *header* that explains which information will be represented
|
47
|
+
- `Roles` and `Users` are straight forward
|
48
|
+
- `UA` are initial User Assignments, i.e. user-role assignments, where each item is a pair of `<user,role>`
|
49
|
+
- `CR` are Can-Revoke rules, where each item is a pair of `<revoker role, revokable role>`
|
50
|
+
- `CA` are Can-Assign rules, where each item is a tern of `<assigner role, <positive1&positive2&-negative1&-negative2>, assignable role>`
|
51
|
+
- `Goal` is not an ARBAC property: it is the target role for which the reachability should be verified
|
52
|
+
- Each line ends with a `;`
|
53
|
+
- Items of each line are space-separated
|
54
|
+
|
55
|
+
## Usage
|
56
|
+
Once installed, the gem can be used to manage different tasks related to arbac policies.
|
57
|
+
```{Ruby}
|
58
|
+
require 'arbac_verifier'
|
59
|
+
require 'set
|
60
|
+
|
61
|
+
# Create new Arbac instance from .arbac file
|
62
|
+
policy0 = ArbacInstance.new(path: 'policy0.arbac')
|
63
|
+
|
64
|
+
# Create new Arbac instance passing single attributes
|
65
|
+
policy1 = ArbacInstance.new(
|
66
|
+
goal: :Student,
|
67
|
+
roles: [:Teacher, :Student, :TA].to_set,
|
68
|
+
users: ["stefano", "alice", "bob"].to_set,
|
69
|
+
user_to_role: [UserRole.new("stefano", :Teacher), UserRole.new("alice", :TA)].to_set,
|
70
|
+
can_assign_rules: [
|
71
|
+
CanAssignRule.new(:Teacher, [].to_set, [:Teacher, :TA].to_set, :Student),
|
72
|
+
CanAssignRule.new(:Teacher, [].to_set, [:Student].to_set, :TA),
|
73
|
+
CanAssignRule.new(:Teacher, [:TA].to_set, [:Student].to_set, :Teacher)
|
74
|
+
].to_set,
|
75
|
+
can_revoke_rules: [CanRevokeRule.new(:Teacher, :Student), CanRevokeRule.new(:Teacher, :TA)].to_set
|
76
|
+
)
|
77
|
+
```
|
78
|
+
|
79
|
+
Once the problem instance has been defined, the gem provides two simplification algorithms that can be used to reduce the size of the reachability problem.
|
80
|
+
These algorithms do not modify the original policy and return a new simplified policy.
|
81
|
+
```{Ruby}
|
82
|
+
require 'arbac_verifier'
|
83
|
+
|
84
|
+
# apply backward slicing
|
85
|
+
policy0bs = ArbacUtilsModule::backward_slicing(policy0)
|
86
|
+
policy0fs = ArbacUtilsModule::forward_slicing(policy0)
|
87
|
+
```
|
88
|
+
A Role Reachability Problem solution can be computed using the `ArbacReachabilityVerifier` class.
|
89
|
+
```{Ruby}
|
90
|
+
require 'arbac_verifier'
|
91
|
+
|
92
|
+
# Creare new reachability verifier instance starting from an .arbac file
|
93
|
+
verifier0 = ArbacReachabilityVerifier.new(path: 'policy0.arbac')
|
94
|
+
|
95
|
+
# or from an already created ArbacInstance
|
96
|
+
verifier1 = ArbacReachabilityVerifier.new(instance: policy1)
|
97
|
+
|
98
|
+
# and then compute reachability
|
99
|
+
verifier0.verify # => true
|
100
|
+
```
|
101
|
+
**NB:** when a verifier instance is created starting from an `.arbac` file, backward and forward slicing are applied to the parsed policy.
|
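Review bot: README line 59 reads `require 'set` with no closing quote, so the first usage block is a syntax error when copied; close it as `require 'set'`. Line 24 expands ARBAC as "Attribute-Based Role-Based Access Control" while line 9 gives "Administrative Role-Based Access Control"; use the line 9 wording in both places. Line 50 describes a CA item with the preconditions wrapped in an extra `<...>`, but the sample on line 43 (`<Teacher,-Teacher&-TA,Student>`) has no nested brackets, so the format description should match the sample. Minor: "Creare" on line 92 and "tern" on line 50 look like typos for "Create" and "triple".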
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: arbac_verifier
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.
|
4
|
+
version: 1.0.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Stefano Sello
|
@@ -80,80 +80,15 @@ dependencies:
|
|
80
80
|
- - "~>"
|
81
81
|
- !ruby/object:Gem::Version
|
82
82
|
version: '3.12'
|
83
|
-
description: "
|
84
|
-
|
85
|
-
\ [![Ruby Gem](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml/badge.svg?branch=development)](https://github.com/stefanosello/arbac_verifier/actions/workflows/gem-push.yml)\n
|
86
|
-
\ [![Gem Version](https://badge.fury.io/rb/arbac_verifier.svg)](https://badge.fury.io/rb/arbac_verifier)\n
|
87
|
-
\ [![Open Source? Yes!](https://badgen.net/badge/Open%20Source%20%3F/Yes%21/blue?icon=github)](https://github.com/Naereen/badges/)\n
|
88
|
-
\ \n \n **ARBAC Verifier** is a Ruby gem designed to facilitate the modeling
|
89
|
-
and verification of Administrative Role-Based Access Control (ARBAC) policies. With
|
90
|
-
this tool, you can efficiently model ARBAC policies and perform verification tasks
|
91
|
-
to determine if a specific role (`Goal`) can be achieved starting from a given set
|
92
|
-
of states (user-to-role assignments).\n \n This gem is grounded in comprehensive
|
93
|
-
theoretical foundations, which you can explore in detail through the [official security
|
94
|
-
course slides](https://secgroup.dais.unive.it/wp-content/uploads/2020/04/arbac.pdf)
|
95
|
-
provided by [Ca' Foscari University](https://www.unive.it/pag/13526) of Venice.
|
96
|
-
\n \n ## Installation\n The `arbac_verifier` gem can be installed from
|
97
|
-
[rubygems.org](https://rubygems.org/gems/arbac_verifier) from command line: \n ```{bash}\n
|
98
|
-
\ gem install arbac_verifier\n ```\n or by adding the following line to
|
99
|
-
your `Gemfile` project:\n ```{ruby}\n gem 'arbac_verifier', '~> 1.0', '>=
|
100
|
-
1.0.1'\n ```\n \n ## ARBAC definition file\n An ARBAC (Attribute-Based
|
101
|
-
Role-Based Access Control) policy definition comprises four key components:\n -
|
102
|
-
**Users**: A set of individuals who are part of the system under analysis.\n -
|
103
|
-
**Roles**: A set of roles that can be assigned to or removed from users.\n -
|
104
|
-
**Can-Assign Rules**: These rules specify which roles can be assigned to users.
|
105
|
-
Each rule includes:\n - The role that has the authority to make the assignment.\n
|
106
|
-
\ - The role to be assigned.\n - Positive preconditions: Specific roles
|
107
|
-
that the user must already possess to be eligible for the new role.\n - Negative
|
108
|
-
preconditions: Specific roles that the user must not possess to be eligible for
|
109
|
-
the new role.\n - **Can-Revoke Rules**: These rules specify which roles can be
|
110
|
-
revoked from users. Each rule includes:\n - The role that has the authority
|
111
|
-
to revoke.\n - The role to be revoked. \n \n This structure ensures that
|
112
|
-
role assignments and revocations are controlled and based on the current state of
|
113
|
-
the user's roles.\n In order to represent a policy based on this definition,
|
114
|
-
we can use `arbac` files, which should follow this format:\n ```\n Roles Teacher
|
115
|
-
Student TA ;\n Users stefano alice bob ;\n UA <stefano,Teacher> <alice,TA>
|
116
|
-
;\n CR <Teacher,Student> <Teacher,TA> ;\n CA <Teacher,-Teacher&-TA,Student>
|
117
|
-
<Teacher,-Student,TA> <Teacher,TA&-Student,Teacher> ;\n Goal Student ;\n ```
|
118
|
-
\n - Each line starts with an *header* that explains which information will be
|
119
|
-
represented\n - `Roles` and `Users` are straight forward\n - `UA` are
|
120
|
-
initial User Assignments, i.e. user-role assignments, where each item is a pair
|
121
|
-
of `<user,role>`\n - `CR` are Can-Revoke rules, where each item is a pair of
|
122
|
-
`<revoker role, revokable role>`\n - `CA` are Can-Assign rules, where each
|
123
|
-
item is a tern of `<assigner role, <positive1&positive2&-negative1&-negative2>,
|
124
|
-
assignable role>`\n - `Goal` is not an ARBAC property: it is the target role
|
125
|
-
for which the reachability should be verified\n - Each line ends with a `;`\n
|
126
|
-
\ - Items of each line are space-separated\n \n ## Usage\n Once installed,
|
127
|
-
the gem can be used to manage different tasks related to arbac policies.\n ```{Ruby}\n
|
128
|
-
\ require 'arbac_verifier'\n require 'set\n \n # Create new Arbac instance
|
129
|
-
from .arbac file\n policy0 = ArbacInstance.new(path: 'policy0.arbac')\n \n
|
130
|
-
\ # Create new Arbac instance passing single attributes\n policy1 = ArbacInstance.new(\n
|
131
|
-
\ goal: :Student,\n roles: [:Teacher, :Student, :TA].to_set,\n users:
|
132
|
-
[\"stefano\", \"alice\", \"bob\"].to_set,\n user_to_role: [UserRole.new(\"stefano\",
|
133
|
-
:Teacher), UserRole.new(\"alice\", :TA)].to_set,\n can_assign_rules: [\n CanAssignRule.new(:Teacher,
|
134
|
-
[].to_set, [:Teacher, :TA].to_set, :Student),\n CanAssignRule.new(:Teacher,
|
135
|
-
[].to_set, [:Student].to_set, :TA),\n CanAssignRule.new(:Teacher,
|
136
|
-
[:TA].to_set, [:Student].to_set, :Teacher)\n ].to_set,\n
|
137
|
-
\ can_revoke_rules: [CanRevokeRule.new(:Teacher, :Student), CanRevokeRule.new(:Teacher,
|
138
|
-
:TA)].to_set\n )\n ```\n \n Once the problem instance has been defined,
|
139
|
-
the gem provides two simplification algorithms that can be used to reduce the size
|
140
|
-
of the reachability problem.\n These algorithms do not modify the original policy
|
141
|
-
and return a new simplified policy.\n ```{Ruby}\n require 'arbac_verifier'\n
|
142
|
-
\ \n # apply backward slicing\n policy0bs = ArbacUtilsModule::backward_slicing(policy0)\n
|
143
|
-
\ policy0fs = ArbacUtilsModule::forward_slicing(policy0)\n ```\n A Role
|
144
|
-
Reachability Problem solution can be computed using the `ArbacReachabilityVerifier`
|
145
|
-
class.\n ```{Ruby}\n require 'arbac_verifier'\n \n # Creare new reachability
|
146
|
-
verifier instance starting from an .arbac file\n verifier0 = ArbacReachabilityVerifier.new(path:
|
147
|
-
'policy0.arbac')\n \n # or from an already created ArbacInstance\n verifier1
|
148
|
-
= ArbacReachabilityVerifier.new(instance: policy1)\n \n # and then compute
|
149
|
-
reachability\n verifier0.verify # => true\n ```\n **NB:** when a verifier
|
150
|
-
instance is created starting from an `.arbac` file, backward and forward slicing
|
151
|
-
are applied to the parsed policy.\n"
|
83
|
+
description: " A way to solve simple ARBAC role reachability problems, given an
|
84
|
+
.arbac definition file or a pre-built problem instance."
|
152
85
|
email: sellostefano@gmail.com
|
153
86
|
executables: []
|
154
87
|
extensions: []
|
155
|
-
extra_rdoc_files:
|
88
|
+
extra_rdoc_files:
|
89
|
+
- README.md
|
156
90
|
files:
|
91
|
+
- README.md
|
157
92
|
- lib/arbac_verifier.rb
|
158
93
|
- lib/arbac_verifier/classes/arbac_instance.rb
|
159
94
|
- lib/arbac_verifier/classes/arbac_reachability_verifier.rb
|
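Review bot: the new description at line 83 opens with a stray space inside the quotes (`description: " A way to solve simple ARBAC role reachability problems, ...`); strip the leading whitespace in the gemspec so the packaged description starts at "A way". Moving the long README text out of `description` and into `extra_rdoc_files` and `files` looks right, since both lists now carry `README.md`.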
@@ -162,7 +97,7 @@ files:
|
|
162
97
|
- lib/arbac_verifier/classes/user_role.rb
|
163
98
|
- lib/arbac_verifier/exceptions/computation_timed_out_exception.rb
|
164
99
|
- lib/arbac_verifier/modules/arbac_utils_module.rb
|
165
|
-
homepage: https://
|
100
|
+
homepage: https://github.com/stefanosello/arbac_verifier
|
166
101
|
licenses:
|
167
102
|
- Apache-2.0
|
168
103
|
metadata: {}
|
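Review bot: `metadata: {}` at line 103 is still empty although `homepage` at line 100 now points at the GitHub repository. Consider filling it in the gemspec with `source_code_uri` and `changelog_uri`, plus `rubygems_mfa_required` set to 'true', so consumers can trace a release back to its source and pushes of this gem require MFA.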
@@ -174,7 +109,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
174
109
|
requirements:
|
175
110
|
- - ">="
|
176
111
|
- !ruby/object:Gem::Version
|
177
|
-
version:
|
112
|
+
version: 3.0.0
|
178
113
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
179
114
|
requirements:
|
180
115
|
- - ">="
|