arbac_verifier 1.0.5 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d2452f09757b60bfc77afd2442fe5839b803097b61d05a442fe597dc1193e97
-  data.tar.gz: 2ea5b84270a4013b8f2f92da60960fc42423265d5f1dc7244fd14e547c3551bc
+  metadata.gz: 16f5236fed8bc1a233deb5cf6b2c866704c2ef658dff494fbb2f636c96174cbe
+  data.tar.gz: e14caa0d96905d68a57cec19ca55c44dd6467268ed5da9e6d1950ed91b3a5ac8
 SHA512:
-  metadata.gz: 555c5df13ffe056fee4bc6a9f1df7be64fd6489b863b838a5f2a81e558358e538b0b9c27ccba5c0fc3f4b7034323e9b0b9fb13308b426ecbff5ac116b8a3ad87
-  data.tar.gz: 8ff9f08b8ab1d8c03956b8ff1a44b79fcf5daf072134d2ebbee18cc19beba8c58512c0d641107f82eeabdaf39cb6a5f7785bac1dc148495328e14fe7de437a05
+  metadata.gz: 8faf2cb1888330e0d0559f340423f3d07e972c1539b561556d661edbf3a1c3475cb7665e0b603934b0d289f8e90c691d39a711941f8f8885db9d5ccc42f09027
+  data.tar.gz: f85fa7100e6376127296e106ec2d09b53c785eadfa873589907197489563c815a08904e05ae6cc376ebc79a821e430d6f166b3b3795193a190fc43cce68b7645

data/README.md

@@ -54,48 +54,60 @@ Goal Student ;
 
 ## Usage
 Once installed, the gem can be used to manage different tasks related to arbac policies.
+### Create ARBAC instance
+ARBAC instances can be created by providing the path of an `.arbac` definition file or passing explicit instance attributes.
 ```{Ruby}
 require 'arbac_verifier'
 require 'set
 
 # Create new Arbac instance from .arbac file
-policy0 = ArbacInstance.new(path: 'policy0.arbac')
+policy0 = ARBACVerifier::Instance.new(path: 'policy0.arbac')
 
 # Create new Arbac instance passing single attributes
-policy1 = ArbacInstance.new(
+policy1 = ARBACVerifier::Instance.new(
   goal: :Student,
   roles: [:Teacher, :Student, :TA].to_set,
   users: ["stefano", "alice", "bob"].to_set,
-  user_to_role: [UserRole.new("stefano", :Teacher), UserRole.new("alice", :TA)].to_set,
+  user_to_role: [ARBACVerifier::UserRole.new("stefano", :Teacher), ARBACVerifier::UserRole.new("alice", :TA)].to_set,
   can_assign_rules: [
-                      CanAssignRule.new(:Teacher, [].to_set, [:Teacher, :TA].to_set, :Student),
-                      CanAssignRule.new(:Teacher, [].to_set, [:Student].to_set, :TA),
-                      CanAssignRule.new(:Teacher, [:TA].to_set, [:Student].to_set, :Teacher)
+                      ARBACVerifier::Rules::CanAssign.new(:Teacher, [].to_set, [:Teacher, :TA].to_set, :Student),
+                      ARBACVerifier::Rules::CanAssign.new(:Teacher, [].to_set, [:Student].to_set, :TA),
+                      ARBACVerifier::Rules::CanAssign.new(:Teacher, [:TA].to_set, [:Student].to_set, :Teacher)
                     ].to_set,
-  can_revoke_rules: [CanRevokeRule.new(:Teacher, :Student), CanRevokeRule.new(:Teacher, :TA)].to_set
+  can_revoke_rules: [
+                      ARBACVerifier::Rules::CanRevoke.new(:Teacher, :Student),
+                      ARBACVerifier::Rules::CanRevoke.new(:Teacher, :TA)
+                    ].to_set
 )
 ```
-
+### Instance pruning
 Once the problem instance has been defined, the gem provides two simplification algorithms that can be used to reduce the size of the reachability problem.
 These algorithms do not modify the original policy and return a new simplified policy.
 ```{Ruby}
 require 'arbac_verifier'
 
+include ARBACVerifier::Utils
+
 # apply backward slicing
-policy0bs =  ArbacUtilsModule::backward_slicing(policy0)
-policy0fs = ArbacUtilsModule::forward_slicing(policy0)
+policy0bs =  backward_slicing(policy0)
+
+# apply forward slicing
+policy0fs = forward_slicing(policy0)
 ```
+### Role reachability solution
 A Role Reachability Problem solution can be computed using the `ArbacReachabilityVerifier` class.
 ```{Ruby}
 require 'arbac_verifier'
 
 # Creare new reachability verifier instance starting from an .arbac file
-verifier0 = ArbacReachabilityVerifier.new(path: 'policy0.arbac')
+verifier0 = ARBACVerifier::ReachabilityVerifier.new(path: 'policy0.arbac')
 
 # or from an already created ArbacInstance
-verifier1 = ArbacReachabilityVerifier.new(instance: policy1)
+verifier1 = ARBACVerifier::ReachabilityVerifier.new(instance: policy1)
 
 # and then compute reachability
 verifier0.verify # => true
 ```
 **NB:** when a verifier instance is created starting from an `.arbac` file, backward and forward slicing are applied to the parsed policy.
+### Logging
+By default, `ARBACVerifier::ReachabilityVerifier` logs context info to `$stdout`. Custom loggers can be set using `ARBACVerifier::ReachabilityVerifier#set_logger(logger)`.

data/lib/arbac_verifier/classes/instance.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+# typed: true
+require 'sorbet-runtime'
+require 'set'
+require 'arbac_verifier/classes/user_role'
+require 'arbac_verifier/classes/rules/can_assign'
+require 'arbac_verifier/classes/rules/can_revoke'
+
+module ARBACVerifier
+  class Instance
+    extend T::Sig
+
+    sig { returns T::Set[Symbol] }
+    attr_reader :roles
+
+    sig { returns T::Set[String] }
+    attr_reader :users
+
+    sig { returns T::Set[UserRole] }
+    attr_reader :user_to_role
+
+    sig { returns T::Set[Rules::CanRevoke]}
+    attr_reader :can_revoke_rules
+
+    sig { returns T::Set[Rules::CanAssign]}
+    attr_reader :can_assign_rules
+
+    sig { returns Symbol }
+    attr_reader :goal
+
+    sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[Rules::CanAssign], T::Set[Rules::CanRevoke], String)).void }
+    def initialize(**params)
+      if params[:path].nil?
+        initialize_by_attributes(
+          T.cast(params[:goal], Symbol),
+          T.cast(params[:roles], T::Set[Symbol]),
+          T.cast(params[:users], T::Set[String]),
+          T.cast(params[:user_to_role], T::Set[UserRole]),
+          T.cast(params[:can_assign_rules], T::Set[Rules::CanAssign]),
+          T.cast(params[:can_revoke_rules], T::Set[Rules::CanRevoke])
+        )
+      else
+        initialize_by_file_path(T.cast(params[:path], String))
+      end
+    end
+
+    sig { params(goal: Symbol, roles: T::Set[Symbol], users: T::Set[String], user_to_role: T::Set[UserRole], can_assign_rules: T::Set[Rules::CanAssign], can_revoke_rules: T::Set[Rules::CanRevoke]).void }
+    private def initialize_by_attributes(goal, roles, users, user_to_role, can_assign_rules, can_revoke_rules)
+      @goal = goal
+      @roles = roles
+      @users = users
+      @user_to_role = user_to_role
+      @can_assign_rules = can_assign_rules
+      @can_revoke_rules = can_revoke_rules
+    end
+
+    sig { params(path: String).void }
+    private def initialize_by_file_path(path)
+      file = File.open(path)
+      spec_key_to_line_content = get_lines(file)
+      @goal = get_goal(T.must(spec_key_to_line_content[:Goal]))
+      @roles = get_roles(T.must(spec_key_to_line_content[:Roles]))
+      @users = T.must(spec_key_to_line_content[:Users]).to_set
+      @user_to_role = get_user_to_roles(T.must(spec_key_to_line_content[:UA]))
+      @can_assign_rules = get_assign_rules(T.must(spec_key_to_line_content[:CA]))
+      @can_revoke_rules = get_revoke_rules(T.must(spec_key_to_line_content[:CR]))
+    end
+
+    sig { params(file: File).returns T::Hash[Symbol,T::Array[String]]}
+    private def get_lines(file)
+      lines = T.let(file.readlines
+                  .map { |l| l.chomp!(" ;\n") }
+                  .select { |l| !(l.nil?) }
+                  .map { |l| T.must l }, T::Array[String])
+
+      spec_key_to_line_content = lines.map do |l|
+        line_items = T.must l.split(" ")
+        key = T.must line_items.first
+        value = T.must(line_items[1..]).map { |l| T.must l }
+        [key.to_sym, value]
+      end.to_h
+
+      validate_line_keys spec_key_to_line_content
+
+      spec_key_to_line_content
+    end
+
+    sig { params(lines: T::Hash[Symbol,T::Array[String]]).void }
+    private def validate_line_keys(lines)
+      unless (lines.keys - [:Goal,:CA,:CR,:UA,:Users,:Roles]).empty?
+        throw Exception.new("Wrong spec file format.")
+      end
+    end
+
+    sig { params(goal_ary: T::Array[String]).returns Symbol }
+    private def get_goal(goal_ary)
+      goal = T.must goal_ary[0]
+      goal.to_sym
+    end
+
+    sig { params(roles_ary: T::Array[String]).returns T::Set[Symbol] }
+    private def get_roles(roles_ary)
+      not_null_roles = T.must roles_ary.reject(&:nil?)
+      not_null_roles.map do |r|
+        role = T.must r
+        role.to_sym
+      end.to_set
+    end
+
+    sig { params(user_to_role: T::Array[String]).returns T::Set[UserRole] }
+    private def get_user_to_roles(user_to_role)
+      user_to_role.map do |item|
+        params = T.must item.slice(1,item.length - 2)
+        params = T.must params.split(",")
+        user = T.must params[0]
+        role = T.must params[1]
+        UserRole.new(user, role.to_sym)
+      end.to_set
+    end
+
+    sig { params(rules: T::Array[String]).returns T::Set[Rules::CanRevoke] }
+    private def get_revoke_rules(rules)
+      rules.map do |item|
+        params = T.must item.slice(1,item.length - 2)
+        params = T.must params.split(",")
+        revoker_role = T.must params[0]
+        revoked_role = T.must params[1]
+        Rules::CanRevoke.new(revoker_role.to_sym, revoked_role.to_sym)
+      end.to_set
+    end
+
+    sig { params(rules: T::Array[String]).returns T::Set[Rules::CanAssign] }
+    private def get_assign_rules(rules)
+      rules.map do |item|
+        params = T.must item.slice(1,item.length - 2)
+        params = T.must params.split(",")
+        assigner_role = T.must params[0]
+        assigned_role = T.must params[2]
+        preconditions_string = T.must params[1]
+
+        roles = T.must preconditions_string.split("&")
+        negatives_string = roles.select{|i| i.start_with? "-"}
+        positives_string = roles - negatives_string
+
+        positives = positives_string.map { |p| p.to_sym }.to_set
+        negatives = negatives_string.map { |n| T.must(n.slice(1, n.length - 1)).to_sym }.to_set
+        Rules::CanAssign.new(assigner_role.to_sym, positives, negatives, assigned_role.to_sym)
+      end.to_set
+    end
+  end
+end

data/lib/arbac_verifier/classes/reachability_verifier.rb

@@ -0,0 +1,154 @@
+# typed: true
+require 'etc'
+require 'concurrent'
+require 'logger'
+require 'arbac_verifier/classes/instance'
+require 'arbac_verifier/modules/utils'
+
+module ARBACVerifier
+  class ReachabilityVerifier
+    extend T::Sig
+
+    include Utils
+
+    sig { returns Instance }
+    attr_reader :instance
+
+    sig { returns Logger }
+    def self.logger
+      @@logger ||= Logger.new($stdout).tap do |log|
+        log.progname = self.name
+      end
+    end
+
+    sig { params(logger: T.nilable(Logger)).returns T.nilable(Logger) }
+    def self.set_logger(logger)
+      @@logger = logger
+    end
+
+    sig { params(params: T.any(String, Instance)).void }
+    def initialize(**params)
+      if params[:instance].nil?
+        path = T.cast(params[:path], String)
+        logger.info("Initializing reachability problem for policy from file #{path}...")
+        instance = T.let(Instance.new(path: path), Instance)
+        logger.info("*** Initial instance info ***")
+        log_complexity(instance)
+        @instance = forward_slicing(backward_slicing(instance))
+        logger.info("*** Post pruning instance info ***")
+        log_complexity(@instance)
+      else
+        instance = T.cast(params[:instance], Instance)
+        logger.info("Initializing reachability problem for policy #{instance.hash}...")
+        logger.info("*** Initial instance info ***")
+        log_complexity(instance)
+        @instance = forward_slicing(backward_slicing(instance))
+        logger.info("*** Post pruning instance info ***")
+        log_complexity(@instance)
+      end
+    end
+
+    sig { returns T::Boolean }
+    def verify
+      all_states = {}
+      initial_state = @instance.user_to_role
+      new_states = { initial_state => true }
+      found = Concurrent::AtomicBoolean.new(false)
+
+      users = @instance.users.to_a
+      user_pairs = users.product(users)
+
+      num_cpus = Concurrent.processor_count
+      pool = Concurrent::ThreadPoolExecutor.new(
+        min_threads: num_cpus,
+        max_threads: num_cpus,
+        max_queue: num_cpus * 2,
+        fallback_policy: :caller_runs
+      )
+
+      until found.true? || new_states.empty?
+        all_states.merge!(new_states)
+        current_states = new_states.keys
+        new_states.clear
+
+        futures = current_states.flat_map do |current_state|
+          user_pairs.map do |subject, object|
+            Concurrent::Future.execute(executor: pool) do
+              new_local_states = []
+              perform_assignments(subject, object, new_local_states, all_states, current_state, found)
+              perform_revocations(subject, object, new_local_states, all_states, current_state)
+              new_local_states
+            end
+          end
+        end
+
+        futures.each do |future|
+          future.value.each { |state| new_states[state] = true }
+        end
+        break if found.true?
+      end
+
+      pool.shutdown
+      pool.wait_for_termination
+
+      found.true?
+    end
+
+    sig do
+      params(
+        subject: String,
+        object: String,
+        new_states: T::Array[Symbol],
+        all_states: T::Hash[T::Set[UserRole], T::Boolean],
+        current_state: T::Set[UserRole],
+        found: Concurrent::AtomicBoolean
+      ).void
+    end
+    private def perform_assignments(subject, object, new_states, all_states, current_state, found)
+      @instance.can_assign_rules.each do |rule|
+        if rule.can_apply?(current_state, subject, object)
+          new_state = rule.apply(current_state, object)
+          if new_state.any? { |ur| ur.role == @instance.goal }
+            found.make_true
+            break
+          end
+          new_states << new_state unless all_states.include?(new_state)
+        end
+      end
+    end
+
+    sig do
+      params(
+        subject: String,
+        object: String,
+        new_states: T::Array[Symbol],
+        all_states: T::Hash[T::Set[UserRole], T::Boolean],
+        current_state: T::Set[UserRole]
+      ).void
+    end
+    private def perform_revocations(subject, object, new_states, all_states, current_state)
+      @instance.can_revoke_rules.each do |rule|
+        if rule.can_apply?(current_state, subject, object)
+          new_state = rule.apply(current_state, object)
+          new_states << new_state unless all_states.include?(new_state)
+        end
+      end
+    end
+
+    sig { returns Logger }
+    private def logger
+      self.class.logger
+    end
+
+    sig { params(instance: Instance).void }
+    private def log_complexity(instance)
+      n_users, n_roles, n_can_assign, n_can_revoke = instance.users.size, instance.roles.size, instance.can_assign_rules.size, instance.can_revoke_rules.size
+      logger.info("# users => #{n_users}")
+      logger.info("# roles => #{n_roles}")
+      logger.info("# can_assign rules => #{n_can_assign}")
+      logger.info("# can_revoke rules => #{n_can_revoke}")
+      logger.info("# states: #{2**(n_users*n_roles)}")
+    end
+
+  end
+end

data/lib/arbac_verifier/classes/rules/can_assign.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+# typed: strict
+require 'sorbet-runtime'
+
+module ARBACVerifier
+  module Rules
+    class CanAssign
+      extend T::Sig
+
+      sig { returns Symbol }
+      attr_reader :user_role
+
+      sig { returns T::Set[Symbol] }
+      attr_reader :positive_precondition_roles
+
+      sig { returns T::Set[Symbol] }
+      attr_reader :negative_precondition_roles
+
+      sig { returns Symbol }
+      attr_reader :target_role
+
+      sig do  params(
+        user_role: Symbol,
+        positive_precondition_roles: T::Set[Symbol],
+        negative_precondition_roles: T::Set[Symbol],
+        target_role: Symbol).void
+      end
+      def initialize(user_role, positive_precondition_roles, negative_precondition_roles, target_role)
+        @user_role = user_role
+        @positive_precondition_roles = positive_precondition_roles
+        @negative_precondition_roles = negative_precondition_roles
+        @target_role = target_role
+      end
+
+      sig do  params(
+        state: T::Set[UserRole],
+        assigner: String,
+        assignee: String).returns T::Boolean
+      end
+      def can_apply?(state, assigner, assignee)
+        assigner_has_rights = state.to_a.any?{ |ur| ur.user == assigner and ur.role == @user_role}
+        assignee_roles = state.select { |ur| ur.user == assignee}.map { |ar| ar.role }.to_set
+        assigner_has_rights and
+          positive_precondition_roles.subset? assignee_roles and
+          !negative_precondition_roles.intersect? assignee_roles
+      end
+
+      sig do  params(
+        state: T::Set[UserRole],
+        assignee: String).returns T::Set[UserRole]
+      end
+      def apply(state, assignee)
+        state | [UserRole.new(assignee, @target_role)]
+      end
+    end
+  end
+end

data/lib/arbac_verifier/classes/rules/can_revoke.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+# typed: strict
+require 'sorbet-runtime'
+
+module ARBACVerifier
+  module Rules
+    class CanRevoke
+      extend T::Sig
+
+      sig { returns Symbol }
+      attr_reader :user_role
+
+      sig { returns Symbol }
+      attr_reader :target_role
+
+      sig { params(user_role: Symbol, target_role: Symbol).void }
+      def initialize(user_role, target_role)
+        @target_role = target_role
+        @user_role = user_role
+      end
+
+      sig do  params(
+        state: T::Set[UserRole],
+        revoker: String,
+        revokee: String).returns T::Boolean
+      end
+      def can_apply?(state, revoker, revokee)
+        assigner_has_rights = state.to_a.any?{ |ur| ur.user == revoker and ur.role == @user_role}
+        assignee_has_revoking_role = state.to_a.any?{ |ur| ur.user == revokee and ur.role == target_role}
+        assigner_has_rights and assignee_has_revoking_role
+      end
+
+      sig do  params(
+        state: T::Set[UserRole],
+        revokee: String).returns T::Set[UserRole]
+      end
+      def apply(state, revokee)
+        new_state = state.dup
+        new_state.delete_if{ |ur| ur.user == revokee and ur.role == @target_role }
+      end
+    end
+  end
+end

data/lib/arbac_verifier/classes/user_role.rb

@@ -2,31 +2,33 @@
 # typed: true
 require 'sorbet-runtime'
 
-class UserRole
-  extend T::Sig
+module ARBACVerifier
+  class UserRole
+    extend T::Sig
 
-  sig { returns String }
-  attr_reader :user
+    sig { returns String }
+    attr_reader :user
 
-  sig { returns Symbol }
-  attr_reader :role
+    sig { returns Symbol }
+    attr_reader :role
 
-  sig { params(user: String, role: Symbol).void }
-  def initialize(user, role)
-    @user = user
-    @role = role
-  end
+    sig { params(user: String, role: Symbol).void }
+    def initialize(user, role)
+      @user = user
+      @role = role
+    end
 
-  # overrides
-  def ==(other)
-    other.is_a?(UserRole) && self.user == other.user && self.role == other.role
-  end
+    # overrides
+    def ==(other)
+      other.is_a?(UserRole) && self.user == other.user && self.role == other.role
+    end
 
-  def eql?(other)
-    self == other
-  end
+    def eql?(other)
+      self == other
+    end
 
-  def hash
-    [user, role].hash
+    def hash
+      [user, role].hash
+    end
   end
 end

data/lib/arbac_verifier/modules/utils.rb

@@ -0,0 +1,76 @@
+# typed: strict
+require 'sorbet-runtime'
+require 'set'
+
+module ARBACVerifier
+  module Utils
+    extend T::Sig
+
+    sig { params(policy: Instance).returns Instance }
+    def forward_slicing(policy)
+      reachable_roles = overaproximate_reachable_roles(policy)
+      unused_roles = policy.roles - reachable_roles
+      reduced_can_assign_rules = policy.can_assign_rules.to_a
+                                       .select { |rule| not(unused_roles.include?(rule.target_role)) && (rule.positive_precondition_roles & unused_roles).empty? }
+                                       .map { |rule| Rules::CanAssign.new(rule.user_role, rule.positive_precondition_roles, rule.negative_precondition_roles - unused_roles, rule.target_role )}
+                                       .to_set
+      reduced_can_revoke_rules = policy.can_revoke_rules.to_a
+                                       .select { |rule| not(unused_roles.include? rule.target_role) }
+                                       .to_set
+      new_instance = Instance.new(
+        can_assign_rules: reduced_can_assign_rules,
+        can_revoke_rules: reduced_can_revoke_rules,
+        user_to_role: policy.user_to_role,
+        roles: policy.roles - unused_roles,
+        users: policy.users,
+        goal: policy.goal
+      )
+      new_instance
+    end
+
+    sig { params(policy: Instance).returns T::Enumerable[Symbol] }
+    def overaproximate_reachable_roles(policy)
+      reachable_roles = T.let(Set.new, T::Set[Symbol])
+      evolving_roles_set = policy.user_to_role.map(&:role).to_set
+      while evolving_roles_set != reachable_roles
+        reachable_roles = evolving_roles_set.dup
+        policy.can_assign_rules.each do |car|
+          precondition_roles = car.positive_precondition_roles | [car.user_role]
+          if precondition_roles.proper_subset?(reachable_roles)
+            evolving_roles_set << car.target_role
+          end
+        end
+      end
+      reachable_roles
+    end
+
+    sig { params(policy: Instance).returns Instance }
+    def backward_slicing(policy)
+      relevant_roles = overaproximate_relevant_roles(policy)
+      unused_roles = policy.roles - relevant_roles
+      Instance.new(
+        can_assign_rules: policy.can_assign_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
+        can_revoke_rules: policy.can_revoke_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
+        user_to_role: policy.user_to_role,
+        roles: policy.roles - unused_roles,
+        users: policy.users,
+        goal: policy.goal
+      )
+    end
+
+    sig { params(policy: Instance).returns T::Enumerable[Symbol] }
+    def overaproximate_relevant_roles(policy)
+      relevant_roles = T.let(Set.new, T::Set[Symbol])
+      evolving_roles_set = T.let(Set.new([policy.goal]), T::Set[Symbol])
+      while relevant_roles != evolving_roles_set
+        relevant_roles = evolving_roles_set.dup
+        policy.can_assign_rules.each do |car|
+          if relevant_roles.include? car.target_role
+            evolving_roles_set = evolving_roles_set | [car.user_role] | car.positive_precondition_roles | car.negative_precondition_roles
+          end
+        end
+      end
+      relevant_roles
+    end
+  end
+end

data/lib/arbac_verifier.rb

@@ -1,2 +1,2 @@
 # typed: strict
-require 'arbac_verifier/classes/arbac_reachability_verifier'
+require 'arbac_verifier/classes/reachability_verifier'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: arbac_verifier
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.1.0
 platform: ruby
 authors:
 - Stefano Sello
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-07-21 00:00:00.000000000 Z
+date: 2024-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sorbet-runtime-stub
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: sorbet
   requirement: !ruby/object:Gem::Requirement
@@ -90,13 +104,13 @@ extra_rdoc_files:
 files:
 - README.md
 - lib/arbac_verifier.rb
-- lib/arbac_verifier/classes/arbac_instance.rb
-- lib/arbac_verifier/classes/arbac_reachability_verifier.rb
-- lib/arbac_verifier/classes/rules/can_assign_rule.rb
-- lib/arbac_verifier/classes/rules/can_revoke_rule.rb
+- lib/arbac_verifier/classes/instance.rb
+- lib/arbac_verifier/classes/reachability_verifier.rb
+- lib/arbac_verifier/classes/rules/can_assign.rb
+- lib/arbac_verifier/classes/rules/can_revoke.rb
 - lib/arbac_verifier/classes/user_role.rb
-- lib/arbac_verifier/exceptions/computation_timed_out_exception.rb
-- lib/arbac_verifier/modules/arbac_utils_module.rb
+- lib/arbac_verifier/modules/utils.rb
+- logo.png
 homepage: https://github.com/stefanosello/arbac_verifier
 licenses:
 - Apache-2.0

data/lib/arbac_verifier/classes/arbac_instance.rb

@@ -1,149 +0,0 @@
-# frozen_string_literal: true
-# typed: true
-require 'sorbet-runtime'
-require 'set'
-require 'arbac_verifier/classes/user_role'
-require 'arbac_verifier/classes/rules/can_assign_rule'
-require 'arbac_verifier/classes/rules/can_revoke_rule'
-
-class ArbacInstance
-  extend T::Sig
-
-  sig { returns T::Set[Symbol] }
-  attr_reader :roles
-
-  sig { returns T::Set[String] }
-  attr_reader :users
-
-  sig { returns T::Set[UserRole] }
-  attr_reader :user_to_role
-
-  sig { returns T::Set[CanRevokeRule]}
-  attr_reader :can_revoke_rules
-
-  sig { returns T::Set[CanAssignRule]}
-  attr_reader :can_assign_rules
-
-  sig { returns Symbol }
-  attr_reader :goal
-
-  sig { params(params: T.any(Symbol, T::Set[String], T::Set[Symbol], T::Set[UserRole], T::Set[CanAssignRule], T::Set[CanRevokeRule], String)).void }
-  def initialize(**params)
-    if params[:path].nil?
-      initialize_by_attributes(
-        T.cast(params[:goal], Symbol),
-        T.cast(params[:roles], T::Set[Symbol]),
-        T.cast(params[:users], T::Set[String]),
-        T.cast(params[:user_to_role], T::Set[UserRole]),
-        T.cast(params[:can_assign_rules], T::Set[CanAssignRule]),
-        T.cast(params[:can_revoke_rules], T::Set[CanRevokeRule])
-      )
-    else
-      initialize_by_file_path(T.cast(params[:path], String))
-    end
-  end
-
-  sig { params(goal: Symbol, roles: T::Set[Symbol], users: T::Set[String], user_to_role: T::Set[UserRole], can_assign_rules: T::Set[CanAssignRule], can_revoke_rules: T::Set[CanRevokeRule]).void }
-  private def initialize_by_attributes(goal, roles, users, user_to_role, can_assign_rules, can_revoke_rules)
-    @goal = goal
-    @roles = roles
-    @users = users
-    @user_to_role = user_to_role
-    @can_assign_rules = can_assign_rules
-    @can_revoke_rules = can_revoke_rules
-  end
-
-  sig { params(path: String).void }
-  private def initialize_by_file_path(path)
-    file = File.open(path)
-    spec_key_to_line_content = get_lines(file)
-    @goal = get_goal(T.must(spec_key_to_line_content[:Goal]))
-    @roles = get_roles(T.must(spec_key_to_line_content[:Roles]))
-    @users = T.must(spec_key_to_line_content[:Users]).to_set
-    @user_to_role = get_user_to_roles(T.must(spec_key_to_line_content[:UA]))
-    @can_assign_rules = get_assign_rules(T.must(spec_key_to_line_content[:CA]))
-    @can_revoke_rules = get_revoke_rules(T.must(spec_key_to_line_content[:CR]))
-  end
-
-  sig { params(file: File).returns T::Hash[Symbol,T::Array[String]]}
-  private def get_lines(file)
-    lines = T.let(file.readlines
-                .map { |l| l.chomp!(" ;\n") }
-                .select { |l| !(l.nil?) }
-                .map { |l| T.must l }, T::Array[String])
-
-    spec_key_to_line_content = lines.map do |l|
-      line_items = T.must l.split(" ")
-      key = T.must line_items.first
-      value = T.must(line_items[1..]).map { |l| T.must l }
-      [key.to_sym, value]
-    end.to_h
-
-    validate_line_keys spec_key_to_line_content
-
-    spec_key_to_line_content
-  end
-
-  sig { params(lines: T::Hash[Symbol,T::Array[String]]).void }
-  private def validate_line_keys(lines)
-    unless (lines.keys - [:Goal,:CA,:CR,:UA,:Users,:Roles]).empty?
-      throw Exception.new("Wrong spec file format.")
-    end
-  end
-
-  sig { params(goal_ary: T::Array[String]).returns Symbol }
-  private def get_goal(goal_ary)
-    goal = T.must goal_ary[0]
-    goal.to_sym
-  end
-
-  sig { params(roles_ary: T::Array[String]).returns T::Set[Symbol] }
-  private def get_roles(roles_ary)
-    not_null_roles = T.must roles_ary.reject(&:nil?)
-    not_null_roles.map do |r|
-      role = T.must r
-      role.to_sym
-    end.to_set
-  end
-
-  sig { params(user_to_role: T::Array[String]).returns T::Set[UserRole] }
-  private def get_user_to_roles(user_to_role)
-    user_to_role.map do |item|
-      params = T.must item.slice(1,item.length - 2)
-      params = T.must params.split(",")
-      user = T.must params[0]
-      role = T.must params[1]
-      UserRole.new(user, role.to_sym)
-    end.to_set
-  end
-
-  sig { params(rules: T::Array[String]).returns T::Set[CanRevokeRule] }
-  private def get_revoke_rules(rules)
-    rules.map do |item|
-      params = T.must item.slice(1,item.length - 2)
-      params = T.must params.split(",")
-      revoker_role = T.must params[0]
-      revoked_role = T.must params[1]
-      CanRevokeRule.new(revoker_role.to_sym, revoked_role.to_sym)
-    end.to_set
-  end
-
-  sig { params(rules: T::Array[String]).returns T::Set[CanAssignRule] }
-  private def get_assign_rules(rules)
-    rules.map do |item|
-      params = T.must item.slice(1,item.length - 2)
-      params = T.must params.split(",")
-      assigner_role = T.must params[0]
-      assigned_role = T.must params[2]
-      preconditions_string = T.must params[1]
-
-      roles = T.must preconditions_string.split("&")
-      negatives_string = roles.select{|i| i.start_with? "-"}
-      positives_string = roles - negatives_string
-
-      positives = positives_string.map { |p| p.to_sym }.to_set
-      negatives = negatives_string.map { |n| T.must(n.slice(1, n.length - 1)).to_sym }.to_set
-      CanAssignRule.new(assigner_role.to_sym, positives, negatives, assigned_role.to_sym)
-    end.to_set
-  end
-end

data/lib/arbac_verifier/classes/arbac_reachability_verifier.rb

@@ -1,70 +0,0 @@
-# typed: true
-require 'thread'
-require 'etc'
-require 'arbac_verifier/classes/arbac_instance'
-require 'arbac_verifier/modules/arbac_utils_module'
-require 'arbac_verifier/exceptions/computation_timed_out_exception'
-
-class ArbacReachabilityVerifier
-  extend T::Sig
-
-  sig { returns ArbacInstance }
-  attr_reader :instance
-
-  sig { params(params: T.any(String, ArbacInstance)).void }
-  def initialize(**params)
-    if params[:instance].nil?
-      path = T.cast(params[:path], String)
-      @instance = ArbacUtilsModule::forward_slicing(ArbacUtilsModule::backward_slicing(ArbacInstance.new(path: path)))
-    else
-      instance = T.cast(params[:instance], ArbacInstance)
-      @instance = instance
-    end
-  end
-
-  sig { returns T::Boolean }
-  def verify
-    all_states = T.let(Set.new, T::Set[T::Set[UserRole]])
-    new_states = T.let(Set.new([@instance.user_to_role]), T::Set[T::Set[UserRole]])
-    found = T.let(false, T::Boolean)
-    start = T.let(Time.now, Time)
-    while !found && (new_states - all_states).length > 0
-      if (Time.now - start) > 1500
-        throw ComputationTimedOutException.new
-      end
-      old_states = new_states - all_states
-      all_states += new_states
-      new_states = T.let(Set.new, T::Set[T::Set[UserRole]])
-      old_states.each_slice(Etc.nprocessors) do |old_states_batch|
-        threads = old_states_batch.map do |current_state|
-          Thread.new {
-            thread = Thread.current
-            thread[:new_states] = T.let(Set.new, T::Set[T::Set[UserRole]])
-            @instance.users.each do |subject|
-              @instance.users.each do |object|
-                @instance.can_revoke_rules.each do |rule|
-                  if rule.can_apply? current_state, subject, object
-                    thread[:new_states] << rule.apply(current_state, object)
-                  end
-                end
-                @instance.can_assign_rules.each do |rule|
-                  if rule.can_apply? current_state, subject, object
-                    new_state = rule.apply(current_state, object)
-                    thread[:new_states] << new_state
-                    found = new_state.to_a.map(&:role).include?(@instance.goal)
-                  end
-                end
-              end
-            end
-          }
-        end
-        unless found
-          threads.each(&:join)
-          new_states = threads.select{|t| !!t[:new_states]}.map{|t| [*t[:new_states]]}.flatten.to_set
-        end
-      end
-    end
-    found
-  end
-
-end

data/lib/arbac_verifier/classes/rules/can_assign_rule.rb

@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-# typed: strict
-require 'sorbet-runtime'
-
-class CanAssignRule
-  extend T::Sig
-
-  sig { returns Symbol }
-  attr_reader :user_role
-
-  sig { returns T::Set[Symbol] }
-  attr_reader :positive_precondition_roles
-
-  sig { returns T::Set[Symbol] }
-  attr_reader :negative_precondition_roles
-
-  sig { returns Symbol }
-  attr_reader :target_role
-
-  sig do  params(
-    user_role: Symbol,
-    positive_precondition_roles: T::Set[Symbol],
-    negative_precondition_roles: T::Set[Symbol],
-    target_role: Symbol).void
-  end
-  def initialize(user_role, positive_precondition_roles, negative_precondition_roles, target_role)
-    @user_role = user_role
-    @positive_precondition_roles = positive_precondition_roles
-    @negative_precondition_roles = negative_precondition_roles
-    @target_role = target_role
-  end
-
-  sig do  params(
-    state: T::Set[UserRole],
-    assigner: String,
-    assignee: String).returns T::Boolean
-  end
-  def can_apply?(state, assigner, assignee)
-    assigner_has_rights = state.to_a.any?{ |ur| ur.user == assigner and ur.role == @user_role}
-    assignee_roles = state.select { |ur| ur.user == assignee}.map { |ar| ar.role }.to_set
-    assigner_has_rights and
-      positive_precondition_roles.subset? assignee_roles and
-      !negative_precondition_roles.intersect? assignee_roles
-  end
-
-  sig do  params(
-    state: T::Set[UserRole],
-    assignee: String).returns T::Set[UserRole]
-  end
-  def apply(state, assignee)
-    state | [UserRole.new(assignee, @target_role)]
-  end
-end

data/lib/arbac_verifier/classes/rules/can_revoke_rule.rb

@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-# typed: strict
-require 'sorbet-runtime'
-
-class CanRevokeRule
-  extend T::Sig
-
-  sig { returns Symbol }
-  attr_reader :user_role
-
-  sig { returns Symbol }
-  attr_reader :target_role
-
-  sig { params(user_role: Symbol, target_role: Symbol).void }
-  def initialize(user_role, target_role)
-    @target_role = target_role
-    @user_role = user_role
-  end
-
-  sig do  params(
-    state: T::Set[UserRole],
-    revoker: String,
-    revokee: String).returns T::Boolean
-  end
-  def can_apply?(state, revoker, revokee)
-    assigner_has_rights = state.to_a.any?{ |ur| ur.user == revoker and ur.role == @user_role}
-    assignee_has_revoking_role = state.to_a.any?{ |ur| ur.user == revokee and ur.role == target_role}
-    assigner_has_rights and assignee_has_revoking_role
-  end
-
-  sig do  params(
-    state: T::Set[UserRole],
-    revokee: String).returns T::Set[UserRole]
-  end
-  def apply(state, revokee)
-    new_state = state.dup
-    new_state.delete_if{ |ur| ur.user == revokee and ur.role == @target_role }
-  end
-end

data/lib/arbac_verifier/exceptions/computation_timed_out_exception.rb

@@ -1,4 +0,0 @@
-# typed: strict
-# Public: Specific exception to throw when a certain computation time exceeds a predefined limit
-class ComputationTimedOutException < StandardError
-end

data/lib/arbac_verifier/modules/arbac_utils_module.rb

@@ -1,65 +0,0 @@
-# typed: strict
-require 'sorbet-runtime'
-
-module ArbacUtilsModule
-  extend T::Sig
-
-  require 'set'
-  module_function
-
-  sig { params(policy: ArbacInstance).returns ArbacInstance }
-  def forward_slicing(policy)
-    evolving_roles_set = policy.roles & policy.user_to_role.map(&:role)
-    reachable_roles = T.let(Set.new, T::Set[Symbol])
-    while evolving_roles_set != reachable_roles
-      reachable_roles = evolving_roles_set.dup
-      policy.can_assign_rules.each do |car|
-        precondition_roles = car.positive_precondition_roles | [car.user_role]
-        if precondition_roles.proper_subset?(reachable_roles)
-          evolving_roles_set << car.target_role
-        end
-      end
-    end
-    unused_roles = policy.roles - reachable_roles
-    reduced_can_assign_rules = policy.can_assign_rules
-                                     .to_a
-                                     .select { |rule| !unused_roles.include?(rule.target_role) || (rule.positive_precondition_roles & unused_roles).empty? }
-                                     .map { |rule| CanAssignRule.new(rule.user_role, rule.positive_precondition_roles, rule.negative_precondition_roles - unused_roles, rule.target_role )}
-                                     .to_set
-    reduced_can_revoke_rules = policy.can_revoke_rules
-                                     .to_a
-                                     .select { |rule| !unused_roles.include? rule.target_role }
-                                     .to_set
-    ArbacInstance.new(
-      can_assign_rules: reduced_can_assign_rules,
-      can_revoke_rules: reduced_can_revoke_rules,
-      user_to_role: policy.user_to_role,
-      roles: policy.roles - unused_roles,
-      users: policy.users,
-      goal: policy.goal
-    )
-  end
-
-  sig { params(policy: ArbacInstance).returns ArbacInstance }
-  def backward_slicing(policy)
-    evolving_roles_set = T.let(Set.new([policy.goal]), T::Set[Symbol])
-    reachable_roles = T.let(Set.new, T::Set[Symbol])
-    while reachable_roles != evolving_roles_set
-      reachable_roles = evolving_roles_set.dup
-      policy.can_assign_rules.each do |car|
-        if reachable_roles.include? car.target_role
-          evolving_roles_set = evolving_roles_set | [car.user_role] | car.positive_precondition_roles | car.negative_precondition_roles
-        end
-      end
-    end
-    unused_roles = policy.roles - reachable_roles
-    ArbacInstance.new(
-      can_assign_rules: policy.can_assign_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
-      can_revoke_rules: policy.can_revoke_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
-      user_to_role: policy.user_to_role,
-      roles: policy.roles - unused_roles,
-      users: policy.users,
-      goal: policy.goal
-    )
-  end
-end