capbac 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 88589fad2be4f62d09eea046bd902057b259be959578d08c67e35a5d1b9877a0
+  data.tar.gz: e7e7be8ba72bb20186cbfe2babfa742451aa514100e04e3097acb7b2dac3b2f6
+SHA512:
+  metadata.gz: e05d719e53998961edb131743604d86a1dc2b8e9e7671258cc54ee8e6ddaf0bf958215ab51d8370198abc6ae7e00ac57fd7df387269db844b328bab90bb121e0
+  data.tar.gz: 3a6356425474be7a70af3be13e65dcdc05a644f3cf2e0734ae4f2758208f484424b2976271de58ff7facb010c0eb6143a1288eb9717812aded00b3eefb763560

data/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "capbac-ruby"
+version = "0.2.0"
+authors = ["Kirill Chernyshov <delaguardo@gmail.com>"]
+edition = "2018"
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+rutie = "0.6.1"
+url = "2.1"
+openssl = "0.10"
+lazy_static = "1"
+protobuf = "~2"
+capbac = "0.2.0"

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Xapix GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,35 @@
+# Capbac
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/capbac`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'capbac'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install capbac
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/capbac.

data/ext/Rakefile

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'thermite/tasks'
+
+project_dir = File.dirname(File.dirname(__FILE__))
+Thermite::Tasks.new(cargo_project_path: project_dir, ruby_project_path: project_dir)
+task default: %w[thermite:build]

data/lib/capbac.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'rutie'
+require 'capbac/trust_checker'
+require 'capbac/pubs'
+require 'capbac/exceptions'
+
+Rutie.new(:capbac_ruby).init 'Init_capbac', __dir__

data/lib/capbac/exceptions.rb

@@ -0,0 +1,10 @@
+module CapBAC
+  class BadSign < StandardError; end
+  class Expired < StandardError; end
+  class Untrusted < StandardError; end
+  class BadInvoker < StandardError; end
+  class BadIssuer < StandardError; end
+  class UnknownPub < StandardError; end
+  class BadURL < StandardError; end
+  class Malformed < StandardError; end
+end

data/lib/capbac/pubs.rb

@@ -0,0 +1,5 @@
+module CapBAC
+  class Pubs
+    def get(id); end
+  end
+end

data/lib/capbac/trust_checker.rb

@@ -0,0 +1,5 @@
+module CapBAC
+  class TrustChecker
+    def trusted?(id); end
+  end
+end

data/lib/capbac/version.rb

@@ -0,0 +1,3 @@
+module CapBAC
+  VERSION = '0.2.0'.freeze
+end

data/src/lib.rs

@@ -0,0 +1,431 @@
+#[macro_use] extern crate rutie;
+#[macro_use] extern crate lazy_static;
+
+use rutie::{Module, Class, RString, Object, AnyObject, Array,
+            Fixnum, Hash, Symbol, VM, Boolean, GC, VerifiedObject};
+use capbac::{CertificateBlueprint, InvokeBlueprint};
+use url::Url;
+use openssl::pkey::{PKey, Public};
+use openssl::ec::EcKey;
+use protobuf::{Message};
+use std::fmt;
+
+class!(URI);
+
+impl VerifiedObject for URI {
+    fn is_correct_type<T: Object>(object: &T) -> bool {
+        object.class().ancestors().iter()
+            .any(|class| *class == Class::from_existing("URI"))
+    }
+
+    fn error_message() -> &'static str {
+        "Error converting to URI"
+    }
+}
+
+impl fmt::Display for URI {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        let s = self.send("to_s", &vec![]).try_convert_to::<RString>().unwrap().to_string();
+        write!(f, "{}", s)
+    }
+}
+
+impl From<&Url> for URI {
+    fn from(url: &Url) -> Self {
+        Class::from_existing("URI").send("parse", &vec![RString::new_utf8(&url.clone().to_string()).to_any_object()]).try_convert_to::<URI>().unwrap()
+    }
+}
+
+impl From<URI> for Url {
+    fn from(uri: URI) -> Self {
+        Url::parse(&uri.to_string()).unwrap()
+    }
+}
+
+fn options_to_cert_blueprint(options: Hash) -> CertificateBlueprint {
+    let subject = options
+        .at(&Symbol::new("subject"))
+        .try_convert_to::<URI>();
+
+    if let Err(ref _error) = subject {
+        VM::raise(Class::from_existing("ArgumentError"), "Subject must be an instance of URI");
+    }
+
+    let subject = Url::from(subject.unwrap());
+
+    let capability = options
+        .at(&Symbol::new("capability"))
+        .try_convert_to::<RString>();
+
+    if let Err(ref _error) = capability {
+        VM::raise(Class::from_existing("ArgumentError"), "Capability must be a string");
+    }
+
+    let capability = capability
+        .unwrap().to_string()
+        .into_bytes();
+
+    let exp = match options.at(&Symbol::new("exp")).try_convert_to::<Fixnum>() {
+        Ok(x) => Some(x.to_i64() as u64),
+        _ => None
+    };
+
+    CertificateBlueprint {
+        subject,
+        capability,
+        exp
+    }
+}
+
+fn array_to_cert(array: Array) -> capbac::proto::Certificate {
+    let mut cert_content: Vec<u8> = Vec::new();
+    for n in array.into_iter() {
+        let n = n.try_convert_to::<Fixnum>();
+
+        if let Err(ref error) = n {
+            VM::raise(error.class(), &error.to_string());
+        }
+
+        cert_content.push(n.unwrap().to_i64() as u8);
+    }
+    let mut cert = capbac::proto::Certificate::new();
+    cert.merge_from_bytes(&cert_content).unwrap();
+    cert
+}
+
+fn options_to_invoke_blueprint(options: Hash) -> InvokeBlueprint {
+
+    let cert_content = options
+        .at(&Symbol::new("cert"))
+        .try_convert_to::<Array>();
+
+    if let Err(ref _error) = cert_content {
+        VM::raise(Class::from_existing("ArgumentError"), "Certificate must be an array");
+    }
+
+    let cert = array_to_cert(cert_content.unwrap());
+
+    let action = options
+        .at(&Symbol::new("action"))
+        .try_convert_to::<RString>();
+
+    if let Err(ref _error) = action {
+        VM::raise(Class::from_existing("ArgumentError"), "Action must be a string");
+    }
+
+    let action = action
+        .unwrap().to_string()
+        .into_bytes();
+
+    let exp = match options.at(&Symbol::new("exp")).try_convert_to::<Fixnum>() {
+        Ok(x) => Some(x.to_i64() as u64),
+        _ => None
+    };
+
+    InvokeBlueprint {
+        cert,
+        action,
+        exp
+    }
+}
+
+wrappable_struct!(capbac::Holder, HolderWrapper, HOLDER_WRAPPER);
+
+class!(Holder);
+
+methods!(
+    Holder,
+    itself,
+
+    fn ruby_holder_new(me: URI, sk: Array) -> AnyObject {
+        if let Err(ref error) = me {
+            VM::raise(error.class(), &error.to_string());
+        }
+
+        if let Err(ref error) = sk {
+            VM::raise(error.class(), &error.to_string());
+        }
+
+        let me = Url::parse(&me.unwrap().to_string());
+
+        if let Err(ref error) = me {
+            VM::raise(Class::from_existing("ArgumentError"), &error.to_string())
+        }
+
+        let mut sk_content: Vec<u8> = Vec::new();
+        for n in sk.unwrap().into_iter() {
+            let n = n.try_convert_to::<Fixnum>();
+
+            if let Err(ref error) = n {
+                VM::raise(error.class(), &error.to_string());
+            }
+
+            sk_content.push(n.unwrap().to_i64() as u8);
+        }
+
+        let holder = capbac::Holder::new(me.unwrap(), PKey::private_key_from_pkcs8(&sk_content).unwrap().ec_key().unwrap());
+
+        Class::from_existing("CapBAC")
+            .get_nested_class("Holder")
+            .wrap_data(holder, &*HOLDER_WRAPPER)
+    }
+
+    fn ruby_holder_forge(options: Hash) -> Array {
+        if let Err(ref _error) = options {
+            VM::raise(Class::from_existing("ArgumentError"), "Options must be a hash");
+        }
+
+        let options = options_to_cert_blueprint(options.unwrap());
+
+        let holder = itself.get_data(&*HOLDER_WRAPPER);
+        let cert = holder.forge(options).unwrap();
+
+        let mut res = Array::new();
+        for item in cert.write_to_bytes().unwrap().iter() {
+            res.push(Fixnum::new(i64::from(*item)));
+        };
+        res
+    }
+
+    fn ruby_holder_delegate(cert: Array, options: Hash) -> Array {
+        if let Err(ref _error) = options {
+            VM::raise(Class::from_existing("ArgumentError"), "Options must be a hash");
+        }
+
+        let options = options_to_cert_blueprint(options.unwrap());
+        let holder = itself.get_data(&*HOLDER_WRAPPER);
+        let cert = array_to_cert(cert.unwrap());
+
+        let cert = holder.delegate(cert, options).unwrap();
+        let mut res = Array::new();
+        for item in cert.write_to_bytes().unwrap().iter() {
+            res.push(Fixnum::new(i64::from(*item)));
+        };
+        res
+    }
+
+    fn ruby_holder_invoke(options: Hash) -> Array {
+        if let Err(ref _error) = options {
+            VM::raise(Class::from_existing("ArgumentError"), "Options must be a hash");
+        }
+
+        let options = options_to_invoke_blueprint(options.unwrap());
+        let holder = itself.get_data(&*HOLDER_WRAPPER);
+
+        let invocation = holder.invoke(options).unwrap();
+        let mut res = Array::new();
+        for item in invocation.write_to_bytes().unwrap().iter() {
+            res.push(Fixnum::new(i64::from(*item)));
+        };
+        res
+    }
+);
+
+pub struct IntValidator {
+    trust_checker: AnyObject,
+    pubs: AnyObject,
+}
+
+impl IntValidator {
+    fn new(trust_checker: AnyObject, pubs: AnyObject) -> Self {
+        IntValidator {
+            trust_checker,
+            pubs
+        }
+    }
+}
+
+impl capbac::TrustChecker for IntValidator {
+    fn is_trusted(&self, id: &Url) -> bool {
+        let args = vec![URI::from(id).to_any_object()];
+        self.trust_checker
+            .send("trusted?", &args)
+            .try_convert_to::<Boolean>()
+            .unwrap_or(Boolean::new(false))
+            .to_bool()
+    }
+}
+
+impl capbac::Pubs for IntValidator {
+    fn get(&self, id: &Url) -> Option<EcKey<Public>> {
+        let res = self.pubs.send("get", &vec![URI::from(id).to_any_object()]).try_convert_to::<Array>();
+        if let Err(ref _error) = res {
+            return None
+        }
+        let mut pk_content: Vec<u8> = Vec::new();
+        for n in res.unwrap().into_iter() {
+            let n = n.try_convert_to::<Fixnum>();
+
+            if let Err(ref error) = n {
+                VM::raise(error.class(), &error.to_string());
+            }
+
+            pk_content.push(n.unwrap().to_i64() as u8);
+        }
+        Some(PKey::public_key_from_der(&pk_content).unwrap().ec_key().unwrap())
+    }
+}
+
+wrappable_struct!(IntValidator, IntValidatorWrapper, INT_VALIDATOR_WRAPPER, mark(data) {
+    GC::mark(&data.trust_checker);
+    GC::mark(&data.pubs);
+});
+
+class!(Validator);
+
+methods!(
+    Validator,
+    itself,
+
+    fn ruby_validator_new(trust_checker: AnyObject, pubs: AnyObject) -> AnyObject {
+        let validator = IntValidator::new(trust_checker.unwrap(), pubs.unwrap());
+
+        Class::from_existing("CapBAC")
+            .get_nested_class("Validator")
+            .wrap_data(validator, &*INT_VALIDATOR_WRAPPER)
+    }
+
+    fn ruby_validator_validate_cert(cert: Array, now: Fixnum) -> Boolean {
+        if let Err(ref error) = cert {
+            VM::raise(error.class(), &error.to_string());
+        }
+
+        if let Err(ref error) = now {
+            VM::raise(error.class(), &error.to_string());
+        }
+
+        let mut cert_content: Vec<u8> = Vec::new();
+        for n in cert.unwrap().into_iter() {
+            let n = n.try_convert_to::<Fixnum>();
+
+            if let Err(ref error) = n {
+                VM::raise(error.class(), &error.to_string());
+            }
+
+            cert_content.push(n.unwrap().to_i64() as u8);
+        }
+        let mut cert = capbac::proto::Certificate::new();
+        cert.merge_from_bytes(&cert_content).unwrap();
+
+        let now = now.unwrap().to_i64() as u64;
+
+        let x = itself.get_data(&*INT_VALIDATOR_WRAPPER);
+        let validator = capbac::Validator::new(x, x);
+
+        match validator.validate_cert(&cert, now) {
+            Result::Ok(_) => Boolean::new(true),
+            Err(x) =>  {
+                let capbac_class = Class::from_existing("CapBAC");
+                match x {
+                    capbac::ValidateError::Malformed { .. } => {
+                        VM::raise(capbac_class.get_nested_class("Malformed"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::BadURL { .. } => {
+                        VM::raise(capbac_class.get_nested_class("BadURL"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::UnknownPub { .. } => {
+                        VM::raise(capbac_class.get_nested_class("UnknownPub"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::BadIssuer { .. } => {
+                        VM::raise(capbac_class.get_nested_class("BadIssuer"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::BadInvoker { .. } => {
+                        VM::raise(capbac_class.get_nested_class("BadInvoker"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::Untrusted { .. } => {
+                        VM::raise(capbac_class.get_nested_class("Untrusted"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::Expired => {
+                        VM::raise(capbac_class.get_nested_class("Expired"), &format!("{}", x))
+                    }
+                    capbac::ValidateError::BadSign => {
+                        VM::raise(capbac_class.get_nested_class("BadSign"), &format!("{}", x))
+                    }
+                }
+                Boolean::new(false)
+            }
+        }
+    }
+
+    fn ruby_validator_validate_invocation(invocation: Array, now: Fixnum) -> Boolean {
+        if let Err(ref error) = invocation {
+            VM::raise(error.class(), &error.to_string());
+        }
+
+        if let Err(ref error) = now {
+            VM::raise(error.class(), &error.to_string());
+        }
+
+        let mut invocation_content: Vec<u8> = Vec::new();
+        for n in invocation.unwrap().into_iter() {
+            let n = n.try_convert_to::<Fixnum>();
+
+            if let Err(ref error) = n {
+                VM::raise(error.class(), &error.to_string());
+            }
+
+            invocation_content.push(n.unwrap().to_i64() as u8);
+        }
+        let mut invocation = capbac::proto::Invocation::new();
+        invocation.merge_from_bytes(&invocation_content).unwrap();
+
+        let now = now.unwrap().to_i64() as u64;
+
+        let x = itself.get_data(&*INT_VALIDATOR_WRAPPER);
+        let validator = capbac::Validator::new(x, x);
+
+        match validator.validate_invocation(&invocation, now) {
+            Result::Ok(_) => Boolean::new(true),
+            Err(x) =>  {
+                let capbac_class = Class::from_existing("CapBAC");
+                match x {
+                    capbac::ValidateError::Malformed { .. } => {
+                        VM::raise(capbac_class.get_nested_class("Malformed"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::BadURL { .. } => {
+                        VM::raise(capbac_class.get_nested_class("BadURL"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::UnknownPub { .. } => {
+                        VM::raise(capbac_class.get_nested_class("UnknownPub"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::BadIssuer { .. } => {
+                        VM::raise(capbac_class.get_nested_class("BadIssuer"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::BadInvoker { .. } => {
+                        VM::raise(capbac_class.get_nested_class("BadInvoker"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::Untrusted { .. } => {
+                        VM::raise(capbac_class.get_nested_class("Untrusted"), &format!("{}", x))
+                    },
+                    capbac::ValidateError::Expired => {
+                        VM::raise(capbac_class.get_nested_class("Expired"), &format!("{}", x))
+                    }
+                    capbac::ValidateError::BadSign => {
+                        VM::raise(capbac_class.get_nested_class("BadSign"), &format!("{}", x))
+                    }
+                }
+                Boolean::new(false)
+            }
+        }
+
+    }
+);
+
+#[allow(non_snake_case)]
+#[no_mangle]
+pub extern "C" fn Init_capbac() {
+    Module::from_existing("CapBAC").define(|itself| {
+        itself.define_nested_class("Holder", None).define(|itself| {
+            itself.def_self("new", ruby_holder_new);
+            itself.def("forge", ruby_holder_forge);
+            itself.def("delegate", ruby_holder_delegate);
+            itself.def("invoke", ruby_holder_invoke);
+        });
+
+        itself.define_nested_class("Validator", None).define(|itself| {
+            itself.def_self("new", ruby_validator_new);
+            itself.def("validate_cert", ruby_validator_validate_cert);
+            itself.def("validate_invocation", ruby_validator_validate_invocation);
+        });
+    });
+}

metadata

@@ -0,0 +1,137 @@
+--- !ruby/object:Gem::Specification
+name: capbac
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Kirill Chernyshov
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-07-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thermite
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rutie
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.3
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.0.1
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.87.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.87.1
+- !ruby/object:Gem::Dependency
+  name: rubygems-tasks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.5
+description:
+email: delaguardo@gmail.com
+executables: []
+extensions:
+- ext/Rakefile
+extra_rdoc_files: []
+files:
+- Cargo.toml
+- LICENSE
+- README.md
+- ext/Rakefile
+- lib/capbac.rb
+- lib/capbac/exceptions.rb
+- lib/capbac/pubs.rb
+- lib/capbac/trust_checker.rb
+- lib/capbac/version.rb
+- src/lib.rs
+homepage: http://capbac.org
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key:
+specification_version: 4
+summary: Ruby implementation for Capability-based Access Control model
+test_files: []