aserto 0.0.1 → 0.0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +11 -6
- data/VERSION +1 -1
- data/lib/aserto/auth_client.rb +39 -13
- data/lib/aserto/authorization.rb +5 -4
- data/lib/aserto/errors.rb +30 -0
- data/lib/aserto/policy_path_mapper.rb +2 -2
- data/lib/aserto.rb +2 -1
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8367f27ac3bf9072b9b1d09015e555ceb0d33057f91269daa4d67f90ff3afff2
|
4
|
+
data.tar.gz: f552b23fc37d957b7e8f8b3b75acdb28761a9853e2accc93cc00b5177f1749c4
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 496d44c19c75442b90912ed89cc39aa07327570f1dec7eb7941962e0e0ad10e8b3fb82aabae5feb14650141fdbd2d3e2233cbee98c14fc0e513b1fdf18a2bc57
|
7
|
+
data.tar.gz: c8bc793fbd18940f3f433141d9e8b299e9e879ac30fccbce7eb8e0d6785377960d9946b08b8dd2dee7db0d06efd58eca5850b60cdbcddad8a9d55a556dc676ff
|
data/README.md
CHANGED
@@ -1,5 +1,10 @@
|
|
1
1
|
# Ruby Rack Middleware for Aserto
|
2
2
|
|
3
|
+
[![Gem Version](https://badge.fury.io/rb/aserto.svg)](https://badge.fury.io/rb/aserto)
|
4
|
+
[![ci](https://github.com/aserto-dev/aserto-ruby/actions/workflows/ci.yaml/badge.svg)](https://github.com/aserto-dev/aserto-ruby/actions/workflows/ci.yaml)
|
5
|
+
[![slack](https://img.shields.io/badge/slack-Aserto%20Community-brightgreen)](https://asertocommunity.slack.com
|
6
|
+
)
|
7
|
+
|
3
8
|
`Aserto::Authorization` is a middleware that allows Ruby applications to use Aserto as the Authorization provider.
|
4
9
|
|
5
10
|
## Prerequisites
|
@@ -39,14 +44,14 @@ The middleware accepts the following optional parameters:
|
|
39
44
|
| service_url | `"authorizer.prod.aserto.com:8443"` | Sets the URL for the authorizer endpoint. |
|
40
45
|
| decision | `"allowed"` | The decision that will be used by the middleware when creating an authorizer request. |
|
41
46
|
| logger | `STDOUT` | The logger to be used by the middleware. |
|
42
|
-
| identity_mapping | `{ type: :none }` | The strategy for
|
47
|
+
| identity_mapping | `{ type: :none }` | The strategy for retrieving the identity, possible values: `:jwt, :sub, :none` |
|
43
48
|
| disabled_for | `[{}]` | Which path and actions to skip the authorization for. |
|
44
49
|
| on_unauthorized | `-> { return [403, {}, ["Forbidden"]] }`| A lambda that is executed when the authorization fails. |
|
45
50
|
|
46
51
|
## Identity
|
47
52
|
To determine the identity of the user, the middleware can be configured to use a JWT token or a claim using the `identity_mapping` config.
|
48
53
|
```ruby
|
49
|
-
# configure the middleware to use a JWT token
|
54
|
+
# configure the middleware to use a JWT token from the `my-auth-header` header.
|
50
55
|
config.identity_mapping = {
|
51
56
|
type: :jwt,
|
52
57
|
from: "my-auth-header",
|
@@ -54,7 +59,7 @@ config.identity_mapping = {
|
|
54
59
|
```
|
55
60
|
```ruby
|
56
61
|
# configure the middleware to use a claim from the JWT token.
|
57
|
-
# This will decode the JWT token and extract the `sub` field from payload.
|
62
|
+
# This will decode the JWT token and extract the `sub` field from the payload.
|
58
63
|
config.identity_mapping = {
|
59
64
|
type: :sub,
|
60
65
|
from: :sub,
|
@@ -81,7 +86,7 @@ By default, when computing the policy path, the middleware:
|
|
81
86
|
* converts any character that is not alpha, digit, dot or underscore to underscore
|
82
87
|
* converts uppercase characters in the URL path to lowercases
|
83
88
|
|
84
|
-
This
|
89
|
+
This behaviour can be overwritten by providing a custom function:
|
85
90
|
|
86
91
|
```ruby
|
87
92
|
# config/initializers/aserto.rb
|
@@ -96,9 +101,9 @@ end
|
|
96
101
|
```
|
97
102
|
|
98
103
|
## Resource
|
99
|
-
A resource can be any structured data that the authorization policy uses to evaluate decisions. By default, middleware
|
104
|
+
A resource can be any structured data that the authorization policy uses to evaluate decisions. By default, middleware does not include a resource in authorization calls.
|
100
105
|
|
101
|
-
This
|
106
|
+
This behaviour can be overwritten by providing a custom function:
|
102
107
|
|
103
108
|
```ruby
|
104
109
|
# config/initializers/aserto.rb
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.0.
|
1
|
+
0.0.4
|
data/lib/aserto/auth_client.rb
CHANGED
@@ -2,6 +2,10 @@
|
|
2
2
|
|
3
3
|
require "aserto-grpc-authz"
|
4
4
|
|
5
|
+
require_relative "identity_mapper"
|
6
|
+
require_relative "policy_path_mapper"
|
7
|
+
require_relative "resource_mapper"
|
8
|
+
|
5
9
|
module Aserto
|
6
10
|
class AuthClient
|
7
11
|
attr_reader :client, :config, :request
|
@@ -25,31 +29,53 @@ module Aserto
|
|
25
29
|
end
|
26
30
|
|
27
31
|
def is
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
32
|
+
exec_is(config.decision)
|
33
|
+
end
|
34
|
+
|
35
|
+
def allowed?
|
36
|
+
exec_is("allowed")
|
37
|
+
end
|
38
|
+
|
39
|
+
def visible?
|
40
|
+
exec_is("visible")
|
41
|
+
end
|
42
|
+
|
43
|
+
def enabled?
|
44
|
+
exec_is("enabled")
|
45
|
+
end
|
46
|
+
|
47
|
+
private
|
35
48
|
|
49
|
+
def exec_is(decision)
|
36
50
|
begin
|
37
51
|
response = client.is(
|
38
|
-
|
52
|
+
request_is(decision), { metadata: {
|
39
53
|
"aserto-tenant-id": config.tenant_id,
|
40
54
|
authorization: "basic #{config.authorizer_api_key}"
|
41
55
|
} }
|
42
56
|
)
|
43
57
|
rescue GRPC::BadStatus => e
|
44
58
|
Aserto.logger.error(e.inspect)
|
45
|
-
false
|
59
|
+
return false
|
46
60
|
end
|
47
|
-
|
61
|
+
|
62
|
+
decision = response.decisions.find { |el| el.decision == decision }
|
63
|
+
return false unless decision
|
64
|
+
|
65
|
+
decision.is
|
48
66
|
end
|
49
67
|
|
50
|
-
|
68
|
+
def request_is(decision)
|
69
|
+
Aserto::Authorizer::Authorizer::V1::IsRequest.new(
|
70
|
+
{
|
71
|
+
policy_context: policy_context(decision),
|
72
|
+
identity_context: identity_context,
|
73
|
+
resource_context: resource_context
|
74
|
+
}
|
75
|
+
)
|
76
|
+
end
|
51
77
|
|
52
|
-
def policy_context
|
78
|
+
def policy_context(decision)
|
53
79
|
path = Aserto::PolicyPathMapper.execute(config.policy_root, request)
|
54
80
|
Aserto.logger.debug "aserto authorizing: #{path}"
|
55
81
|
|
@@ -57,7 +83,7 @@ module Aserto
|
|
57
83
|
{
|
58
84
|
id: config.policy_id,
|
59
85
|
path: path,
|
60
|
-
decisions: [
|
86
|
+
decisions: [decision]
|
61
87
|
}
|
62
88
|
)
|
63
89
|
end
|
data/lib/aserto/authorization.rb
CHANGED
@@ -16,13 +16,14 @@ module Aserto
|
|
16
16
|
allowed = if enabled?(request)
|
17
17
|
Aserto.logger.debug("Aserto authorization enabled")
|
18
18
|
client = Aserto::AuthClient.new(request)
|
19
|
-
client.is
|
19
|
+
res = client.is
|
20
|
+
Aserto.logger.debug("Aserto authorization result -> allowed: #{res}")
|
21
|
+
res
|
20
22
|
else
|
21
23
|
Aserto.logger.debug("Aserto authorization not enabled")
|
22
24
|
true
|
23
25
|
end
|
24
26
|
|
25
|
-
Aserto.logger.debug("Aserto authorization result -> allowed: #{allowed}")
|
26
27
|
return @app.call env if allowed
|
27
28
|
|
28
29
|
config.on_unauthorized.call(env)
|
@@ -32,11 +33,11 @@ module Aserto
|
|
32
33
|
|
33
34
|
def route(request)
|
34
35
|
if defined? ::Rails
|
35
|
-
|
36
|
+
require_relative "rails/utils"
|
36
37
|
|
37
38
|
Aserto::Rails::Utils.route(request)
|
38
39
|
elsif defined? ::Sinatra
|
39
|
-
|
40
|
+
require_relative "sinatra/utils"
|
40
41
|
Aserto::Sinatra::Utils.route(request)
|
41
42
|
end
|
42
43
|
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aserto
|
4
|
+
class Error < StandardError; end
|
5
|
+
|
6
|
+
class AccessDenied < Error
|
7
|
+
attr_reader :action, :conditions
|
8
|
+
attr_writer :default_message
|
9
|
+
|
10
|
+
def initialize(message = nil, action = nil, conditions = nil)
|
11
|
+
@message = message
|
12
|
+
@action = action
|
13
|
+
@conditions = conditions
|
14
|
+
@default_message = I18n.t(:"unauthorized.default", default: "You are not authorized to access this page.")
|
15
|
+
super()
|
16
|
+
end
|
17
|
+
|
18
|
+
def to_s
|
19
|
+
@message || @default_message
|
20
|
+
end
|
21
|
+
|
22
|
+
def inspect
|
23
|
+
details = %i[action conditions message].filter_map do |attribute|
|
24
|
+
value = instance_variable_get "@#{attribute}"
|
25
|
+
"#{attribute}: #{value.inspect}" if value.present?
|
26
|
+
end.join(", ")
|
27
|
+
"#<#{self.class.name} #{details}>"
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -8,14 +8,14 @@ module Aserto
|
|
8
8
|
path = request.path_info
|
9
9
|
|
10
10
|
if defined? ::Rails
|
11
|
-
|
11
|
+
require_relative "rails/utils"
|
12
12
|
|
13
13
|
route = Aserto::Rails::Utils.route(request)
|
14
14
|
path = route[:path] if route
|
15
15
|
end
|
16
16
|
|
17
17
|
if defined? ::Sinatra
|
18
|
-
|
18
|
+
require_relative "sinatra/utils"
|
19
19
|
|
20
20
|
route = Aserto::Sinatra::Utils.route(request)
|
21
21
|
path = route[:path] if route
|
data/lib/aserto.rb
CHANGED
@@ -10,6 +10,7 @@ require_relative "aserto/policy_path_mapper"
|
|
10
10
|
require_relative "aserto/identity_mapper"
|
11
11
|
require_relative "aserto/resource_mapper"
|
12
12
|
require_relative "aserto/auth_client"
|
13
|
+
require_relative "aserto/errors"
|
13
14
|
|
14
15
|
module Aserto
|
15
16
|
class << self
|
@@ -61,7 +62,7 @@ module Aserto
|
|
61
62
|
# Aserto.with_identity_mapper do |request|
|
62
63
|
# {
|
63
64
|
# sub: "test",
|
64
|
-
# type:
|
65
|
+
# type: :none
|
65
66
|
# }
|
66
67
|
# end
|
67
68
|
def with_identity_mapper
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aserto
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Aserto
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-07-
|
11
|
+
date: 2022-07-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aserto-grpc-authz
|
@@ -156,6 +156,7 @@ files:
|
|
156
156
|
- lib/aserto/auth_client.rb
|
157
157
|
- lib/aserto/authorization.rb
|
158
158
|
- lib/aserto/config.rb
|
159
|
+
- lib/aserto/errors.rb
|
159
160
|
- lib/aserto/identity_mapper.rb
|
160
161
|
- lib/aserto/identity_mapper/base.rb
|
161
162
|
- lib/aserto/identity_mapper/jwt.rb
|
@@ -174,6 +175,7 @@ metadata:
|
|
174
175
|
homepage_uri: https://www.aserto.com
|
175
176
|
source_code_uri: https://github.com/aserto-dev/aserto-ruby
|
176
177
|
changelog_uri: https://github.com/aserto-dev/aserto-ruby
|
178
|
+
documentation_uri: https://docs.aserto.com/docs/software-development-kits/ruby/middleware
|
177
179
|
rubygems_mfa_required: 'true'
|
178
180
|
post_install_message:
|
179
181
|
rdoc_options: []
|