soar-policy-access_manager 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 25513f1e46e2e8a111b246d653f94550937ea03c
+  data.tar.gz: a91e20fb7a8360de3c25dfdaddfa85734480c74c
+SHA512:
+  metadata.gz: e8c7cb96934366974567a139347a70a7f978042e90fba5e6c054bef1ebaf1b54a101f40d68aef4b95958148d9059f2d8a17ac7b852c497d5039a925516f5f4e8
+  data.tar.gz: deecf71bd5b3a85fb89210c9e31b1302f19b449eee5b8994b021c16a67489044cdbb48cdbc1b9d9bb97fd73b1fbdcaef65728d3374beac1dfd27c9a97a0211aa

data/.gitignore

@@ -0,0 +1,13 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.byebug_history
+*.gem
+*.swp
+*.swo

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--format documentation
+--require spec_helper

data/.ruby-gemset

@@ -0,0 +1 @@
+soar-policy-access_manager

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.3.0

data/Dockerfile.policies

@@ -0,0 +1,6 @@
+FROM ruby:2.3.1
+WORKDIR /usr/local/src
+RUN gem install jsender rack 
+ADD config.ru /usr/local/src/
+CMD rackup -E production ./config.ru -p 8080 --host 0.0.0.0
+

data/Dockerfile.tests

@@ -0,0 +1,14 @@
+FROM ruby:2.3.1
+ARG USER_ID
+ARG USER_NAME
+RUN useradd -u $USER_ID $USER_NAME -m
+RUN gem install bundler 
+RUN chown -R $USER_NAME:$USER_NAME /usr/local
+USER $USER_NAME
+WORKDIR /usr/local/src
+ADD Gemfile /usr/local/src/
+ADD soar-policy-access_manager.gemspec /usr/local/src/
+RUN bundle install --without development --with test
+VOLUME /usr/local/src
+CMD bundle exec cucumber && bundle exec rspec
+

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in soar_policy_access_manager.gemspec
+gemspec
+
+group :test do
+  gem 'rspec', '~> 3.5'
+  gem 'rspec-expectations', '~> 3.5'
+  gem 'cucumber', '~> 2.4'
+end
+
+
+

data/README.md

@@ -0,0 +1,183 @@
+# SoarPolicyAccessManager
+
+This Access Manager adheres to SoarAm::AmApi. It is initialized with a soar_sr service registy client (https://rubygems.org/gems/soar_sr)
+
+This access manager denies access for unauthenticated requests, that is, request that do not have request.session['user'] set. If set, this access manager then queries the service registry for meta regarding the service identifier in question.
+
+If the service meta indicates no policy, the request is allowed. It the service meta indicates a policy, the policy service is asked, given the authenticated subject identifier, service identifier, resource identifier and request parameters, whether the request should be allowed. This access manager then allows / denies accordingly.
+
+In the case of the service not found in the service registry, or a failure of any kind, the request is denied. In the interest of security, exceptions while authorizing will be swallowed by this access manager. Only the last exception message will be reported to STDERR.
+
+## Quickstart
+When using soar_sc the [soar_authorization](https://github.com/hetznerZA/soar_authorization) gem automagically passes values set in [your router](https://github.com/hetznerZA/soar_sc_routing) as post parameters in authorization requests to policies.
+
+SoarSc Routing params | SoarAuthorization params  | AccessManager Params      | Policy Params
+----------------------|---------------------------|---------------------------|-----------------------
+service_name          |                           | service_identifier        | requestor_identifier
+path                  |                           | resource_identifier       | resource_identifier
+                      | authentication.identifier | authentication_identifier | subject_identifier
+
+### Stub provider
+> Use this provider during tests and development when you don't want any http policy authorization requests.
+
+Create meta variable mapping services to policy identifiers (names)
+```ruby
+> meta = {
+    'service_identifier1' => {
+        'policy' => 'policy1'
+    }
+}
+```
+Create policies variable mapping policy identifiers to resources. Access to a resource is allowed if your authentication identifier (uuid) is present in the array.
+```ruby
+> policies = {
+    'policy1' => {
+        '/resource_identifier1' => ['authentication_identifier1'],
+        '/resource_identifier2' => []
+    }
+}
+```
+Instantiate the stub provider and pass it to the access manager model.
+```ruby
+> provider = Soar::Policy::AccessManager::ModelProvider::Stub.new(meta: meta, policies: policies})
+> policy_am = Soar::Policy::AccessManager::Model.new(provider)
+> puts policy_am.authorized?({
+    service_identifier: 'service_identifier1', 
+    resource_identifier: '/resource_identifier1', 
+    request: {
+      params: {},
+      authentication_identifier: 'authentication_identifier1'
+    }
+})
+```
+
+### Policy provider
+> Use this provider during tests and development to send authorization requests directly to a policy. 
+
+Create meta variable mapping services to policy identifiers (names)
+```ruby
+> meta = {
+    'service_identifier1' => 'policy1',
+    'service_identifier2' => 'policy2'
+}
+```
+Create policies variable mapping policy identifiers to policy endpoints.
+```ruby
+> policies = {
+    'policy1' => 'http://localhost:8080/allow',
+    'policy2' => 'http://localhost:8080/deny'
+}
+```
+
+Instantiate the stub provider and pass it to the access manager model.
+```ruby
+> provider = Soar::Policy::AccessManager::ModelProvider::Policy.new(meta: meta, policies: policies})
+> policy_am = Soar::Policy::AccessManager::Model.new(provider)
+> puts policy_am.authorized?({
+    service_identifier: 'service_identifier1', 
+    resource_identifier: '', 
+    request: {
+      params: {},
+      authentication_identifier: ''
+    }
+})
+```
+
+### Service registry provider
+> Use this provider during production. It reaches out to the service registry and policies. It's used by soar sc.
+
+```ruby
+> service_registry = SoarSc::service_registry
+> provider = Soar::Policy::AccessManager::ModelProvider::ServiceRegistry.new(service_registry)
+> policy_am = Soar::Policy::AccessManager::Model.new(provider)
+> puts policy_am.authorized?({
+    service_identifier: 'service_identifier1',
+    resource_identifier: '/path', 
+    request: {
+      params: request.params,
+      authentication_identifier: SoarAuthentication::Authentication.new(request).identifier
+    }
+})
+```
+
+This access manager can be used with the SoarAuthorization::Authorize middleware:
+
+```ruby
+> SoarAuthorization::Authorize::register_access_manager('/path', 'path-service', policy_am)
+> use SoarAuthorization::Authorize
+```
+
+## Tests
+
+### Local
+
+#### Unit Tests
+
+```bash
+$ bundle exec rspec
+```
+
+#### Provider Integration Tests
+
+##### Stub provider
+```bash
+$ TEST_ORCHESTRATION_PROVIDER=Stub bundle exec cucumber
+```
+
+##### Service Registry provider
+
+Serve two policies, *allow all* and *deny all*, locally via file *config.ru* using [Rack webserver](https://rack.github.io/).
+```bash
+$ docker-compose up
+```
+
+Test providers for the stub and service registry via the model api interface
+```bash
+$ TEST_ORCHESTRATION_PROVIDER=ServiceRegistry bundle exec cucumber
+```
+
+##### Policy provider
+
+Serve two policies, *allow all* and *deny all*, locally via file *config.ru* using [Rack webserver](https://rack.github.io/).
+```bash
+$ docker-compose up
+```
+
+Test providers for the stub and service registry via the model api interface
+```bash
+$ TEST_ORCHESTRATION_PROVIDER=Policy bundle exec cucumber
+```
+
+### CI
+```
+$ USER_NAME=$USER USER_ID=$(id -u) POLICY_HOST=policy:8080 TEST_ORCHESTRATION_PROVIDER=ServiceRegistry docker-compose --file docker-compose.test.yml up --abort-on-container-exit --remove-orphans 
+EXIT_CODE=$(docker ps -a -f "name=soar-policy-access_manager-tests" -q | xargs docker inspect -f "{{ .State.ExitCode }}")
+exit $EXIT_CODE
+```
+
+#### Enviroment Variables explained
+Sets USER_NAME and USER_ID to your currently logged in user. This is important when you're mounting volumes into a container. Root in the container = root on your local.
+```bash
+USER_NAME=$USER
+USER_ID=$(id -u)
+```
+
+Select whether you're testing the *ServiceRegistry* , *Policy* or *Stub* provider. Defaults to *Stub*
+```bash
+TEST_ORCHESTRATION_PROVIDER=Stub
+```
+
+## Contributing
+
+Please send feedback and comments to the author at:
+
+Ernst van Graan <ernst.van.graan@hetzner.co.za>
+
+This gem is sponsored by Hetzner (Pty) Ltd - http://hetzner.co.za
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+## Resources
+* [soar_am](https://github.com/hetznerZA/soar_am)

data/config.ru

@@ -0,0 +1,37 @@
+require 'rack'
+require 'rack/server'
+require 'json'
+
+##
+# Simulates two policies available on the network. One allows all requests, the other, denies all requests.
+# Used for testing the access manager model with both the stub and service registry providers
+##
+class StubPolicies
+
+  def self.call(env)
+    request = Rack::Request.new env
+    case request.path
+    when '/allow'
+      [200, {"Context-Type" => "application/json"}, [{ 'status' => 'success', 'data' => { 'allowed' => true, 'detail' => '', 'idm' => nil, 'rule_set' => 'allow all', 'notifications' => ['Policy approved authorization request'] }}.to_json]]
+    when '/deny'
+      [200, {"Context-Type" => "application/json"}, [{ 'status' => 'success', 'data' => { 'allowed' => false, 'detail' => '', 'idm' => nil, 'rule_set' => 'allow all', 'notifications' => ['Policy rejected authorization request'] }}.to_json]]
+    else
+      [200, {"Context-Type" => "application/json"}, [{ 'status' => 'success', 'data' => { 'notifications' => ['No policy associated with service'] }}.to_json]]
+    end
+
+  end
+end
+
+class PrintPolicies
+  def self.call(env)
+    request = Rack::Request.new env
+    [200, {"Context-Type" => "application/json"}, [{
+      "is a post request?" => request.post?,
+      "request path" => request.path,
+      "request params" => request.params
+    }.to_json]]
+  end
+end
+
+Rack::Server.start :app => StubPolicies
+#Rack::Server.start :app => PrintPolicies

data/docker-compose.test.yml

@@ -0,0 +1,30 @@
+version: "2"
+services:
+    policy:
+        build:
+            context: .
+            dockerfile: Dockerfile.policies
+        image: soar-policy-access_manager-policy
+        container_name: soar-policy-access_manager-policy
+        expose: 
+            - "8080"
+
+    tests:
+        build:
+            context: .
+            dockerfile: Dockerfile.tests
+            args:
+                - USER_NAME
+                - USER_ID
+        image: soar-policy-access_manager-tests
+        container_name: soar-policy-access_manager-tests
+        volumes: 
+            - .:/usr/local/src
+        links:
+            - policy
+        environment:
+            - TEST_ORCHESTRATION_PROVIDER=Stub
+            - POLICY_HOST=http://policy:8080
+
+
+

data/docker-compose.yml

@@ -0,0 +1,14 @@
+version: "2"
+services:
+    stub_policy:
+        build:
+            context: .
+            dockerfile: Dockerfile.policies
+        ports:
+            - "8080:8080"
+        expose: 
+            - "8080"
+        network_mode: "host"
+
+
+

data/lib/soar/policy/access_manager/error.rb

@@ -0,0 +1,10 @@
+
+module Soar
+  module Policy
+    module AccessManager
+      module Error
+        class PolicyAccessManagerException < StandardError; end;
+      end
+    end
+  end
+end

data/lib/soar/policy/access_manager/model.rb

@@ -0,0 +1,23 @@
+module Soar
+  module Policy
+    module AccessManager
+      class Model 
+
+        def initialize(provider)
+          @provider = provider
+        end
+
+        ##
+        # @param service_identifier [String] 
+        # @param resource_identifier [String] 
+        # @param request [Hash]
+        ##
+        def authorized?(service_identifier: nil, resource_identifier: nil, request: nil)
+          @provider.authorized?(service_identifier, resource_identifier, request)
+        end
+
+      end
+
+    end
+  end
+end

data/lib/soar/policy/access_manager/model_provider/policy.rb

@@ -0,0 +1,94 @@
+require 'jsender'
+require 'json'
+require 'soar/policy/access_manager/error'
+
+module Soar
+  module Policy
+    module AccessManager
+      module ModelProvider
+
+        class Policy
+
+          include Jsender
+
+          def initialize(meta: {}, policies: {})
+            @meta = meta
+            @policies = policies
+          end
+
+          def authorized?(service_identifier, resource_identifier, request)
+            notifications = []
+            decision = false
+
+            begin
+              if ENV['RACK_ENV'] == 'development'
+                notifications << 'Authorized in development environment'
+                decision = true
+              end
+
+              policy = get_policy(service_identifier)
+
+              if policy.nil?
+                decision = true
+                notifications << 'No policy associated with service'
+              else
+                decision, detail = ask_policy(policy, request[:authentication_identifier], service_identifier, resource_identifier, request)
+                notifications.concat(detail) if not detail.empty?
+                notifications << 'Policy rejected authorization request' if not decision
+                notifications << 'Policy approved authorization request' if decision
+              end
+            rescue SoarSr::ValidationError => ex
+              notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
+              decision = false
+            rescue Exception => ex
+              notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
+              decision = false
+            end
+
+            success(notifications, { 'approved' => decision } )
+          end
+
+          private
+
+          def get_policy(service_identifier)
+            @meta[service_identifier]
+          end
+
+          def ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
+            notifications = []
+            uri = find_uri(policy)
+            if uri.nil?
+              notifications << "Could not retrieve policy for service"
+              return false, notifications
+            end
+            url = URI.parse(uri)
+            params = { 
+              'resource_identifier' => resource_identifier,
+              'subject_identifier' => subject_identifier,
+              'service_identifier' => service_identifier,
+              'request' => {
+                'params' => request['params']
+              }.to_json,
+              'flow_identifier' => request['flow_identifier'] 
+            }
+            res = Net::HTTP.post_form(url, params)
+            result = JSON.parse(res.body)
+            if result['status'] == 'error'
+              notifications << 'Policy query result was not success'
+              return false, notifications
+            end
+            return result['data']['allowed'], notifications
+          rescue => ex
+            notifications << "Exception while asking policy #{ex.message}"
+            return false, notifications
+          end
+
+          def find_uri(policy)
+            @policies[policy]
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/soar/policy/access_manager/model_provider/service_registry.rb

@@ -0,0 +1,99 @@
+require 'jsender'
+require "soar_sr"
+require 'soar/policy/access_manager/error'
+
+module Soar
+  module Policy
+    module AccessManager
+      module ModelProvider
+
+        class ServiceRegistry 
+
+          include Jsender
+          attr_reader :service_registry
+
+          def initialize(service_registry)
+            @service_registry = service_registry
+          end
+
+          def authorized?(service_identifier, resource_identifier, request)
+            notifications = []
+            decision = false
+
+            begin
+              if ENV['RACK_ENV'] == 'development'
+                notifications << 'Authorized in development environment'
+                decision = true
+              end
+
+              meta = @service_registry.services.meta_for_service(service_identifier)
+              policy = meta['policy'] if meta and meta.is_a?(Hash) and meta['policy']
+
+              if policy.nil?
+                decision = true
+                notifications << 'No policy associated with service'
+              else
+                decision, detail = ask_policy(policy, request[:authentication_identifier], service_identifier, resource_identifier, request)
+                notifications.concat(detail) if not detail.empty?
+                notifications << 'Policy rejected authorization request' if not decision
+                notifications << 'Policy approved authorization request' if decision
+              end
+            rescue SoarSr::ValidationError => ex
+              notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
+              decision = false
+            rescue Exception => ex
+              notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
+              decision = false
+            end
+
+            success(notifications, { 'approved' => decision } )
+          end
+
+          private
+
+          def ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
+            notifications = []
+            uri = find_first_uri(policy)
+            if uri.nil?
+              notifications << "Could not retrieve policy for service"
+              return false, notifications
+            end
+            url = URI.parse(uri)
+            params = { 
+              'resource_identifier' => resource_identifier,
+              'subject_identifier' => subject_identifier,
+              'service_identifier' => service_identifier,
+              'request' => {
+                'params' => request['params'],
+              }.to_json,
+              'flow_identifier' => request['flow_identifier'] 
+            }
+            res = Net::HTTP.post_form(url, params)
+
+            result = JSON.parse(res.body)
+            if result['status'] == 'error'
+              notifications << 'Policy query result was not success'
+              return false, notifications
+            end
+            return result['data']['allowed'], notifications
+          rescue => ex
+            notifications << "Exception while asking policy #{ex.message}"
+            return false, notifications
+          end
+
+          def find_first_uri(policy)
+            result = @service_registry.services.service_by_name(policy)
+            return nil if not result['status'] == 'success'
+            return nil if result['data']['services'].nil? or result['data']['services'].first.nil?
+            service = result['data']['services'].first
+            return nil if service[1].nil? or service[1]['uris'].nil?
+            access = service[1]['uris'].first
+            return nil if access.nil? or access[1].nil? or access[1]['access_point'].nil?
+            access[1]['access_point']
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/soar/policy/access_manager/model_provider/stub.rb

@@ -0,0 +1,95 @@
+require 'jsender'
+
+module Soar
+  module Policy
+    module AccessManager
+      module ModelProvider
+        class Stub
+
+          include Jsender
+
+          ##
+          # @param [Hash] meta mapping service identifiers to policy identifiers
+          # @param [Hash] policies, policy identifiers map to resource identifiers, that map to an array of authentication_identifiers that are allowed access
+          ##
+          def initialize(meta: {}, policies: {})
+            @meta = meta
+            @policies = policies
+          end
+
+          ##
+          # @param [String] service_identifier
+          # @param [String] resource_identifier
+          # @param [Hash] request
+          # @return [Hash] a jsend hash
+          ##
+          def authorized?(service_identifier, resource_identifier, request)
+            notifications = []
+            decision = false
+
+            begin
+              if ENV['RACK_ENV'] == 'development'
+                notifications << 'Authorized in development environment'
+                decision = true
+              end
+
+              meta = get_meta(service_identifier)
+              policy = meta['policy'] if meta and meta.is_a?(Hash) and meta['policy']
+
+              if policy.nil?
+                decision = true
+                notifications << 'No policy associated with service'
+              else
+                decision, detail = ask_policy(policy, request[:authentication_identifier], service_identifier, resource_identifier, request)
+                notifications.concat(detail) if not detail.empty?
+                notifications << 'Policy rejected authorization request' if not decision
+                notifications << 'Policy approved authorization request' if decision
+              end
+            rescue SoarSr::ValidationError => ex
+              notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
+              decision = false
+            rescue Exception => ex
+              notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
+              decision = false
+            end
+            success(notifications, { 'approved' => decision } )
+          end
+
+          private 
+
+          ##
+          # @param [String] service identifier
+          # @return [Hash, nil] policy hash or nil
+          ##
+          def get_meta(service_identifier)
+            @meta[service_identifier]
+          end
+
+          ##
+          # @param [String] policy
+          # @param [String] authentication_identifier
+          # @param [String] service_identifier
+          # @param [String] resource_identifier
+          # @param [Hash] request
+          # @return [Bool] result
+          # @return [Array] notifications
+          ##
+          def ask_policy(policy, authentication_identifier, service_identifier, resource_identifier, params)
+            notifications = []
+            result = @policies[policy][resource_identifier].include?(authentication_identifier)
+
+            if not result
+              notifications << 'Policy query result was not success'
+              return false, notifications
+            end
+            return result, notifications
+          rescue => ex
+            notifications << "Exception while asking policy #{ex.message}"
+            return false, notifications
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/soar/policy/access_manager/test/orchestration_provider/policy.rb

@@ -0,0 +1,68 @@
+require 'soar/policy/access_manager/model_provider/policy'
+require 'soar/policy/access_manager/model'
+require 'jsender'
+require 'uri'
+require 'ostruct'
+
+module Soar
+  module Policy
+    module AccessManager
+      module Test
+        module OrchestrationProvider
+          class Policy
+
+            ##
+            # for a specific path and service
+            # I want to tell the access manager to query a specific url and paramaters for a policy
+            # service_identifier = service_name in router
+            # resource_identifier = path in router
+            ##
+            def initialize
+              policy_host = ENV['POLICY_HOST'] || 'localhost:8080'
+              @meta = {
+                'service_identifier1' => 'allow_policy',
+                'service_identifier2' => 'deny_policy'
+              }
+              @policies = {
+                'allow_policy' => "http://#{policy_host}/allow",
+                'deny_policy' => "http://#{policy_host}/deny"
+              }
+              @request = {
+                authentication_identifier: 'authentication_identifier1',
+                params: {},
+              }
+              @resource_identifier = 'resource_identifier1'
+            end
+
+            def grant_access
+              @service_identifier = 'service_identifier1'
+            end
+
+            def deny_access
+              @service_identifier = 'service_identifier2'
+            end
+
+            def no_policy
+              @service_identifier = 'service_identifier3'
+            end
+
+            def notification
+              @response['data']['notifications']
+            end
+
+            def authorized?
+              model_provider = Soar::Policy::AccessManager::ModelProvider::Policy.new(meta: @meta, policies: @policies )
+              model = Soar::Policy::AccessManager::Model.new(model_provider)
+              @response = model.authorized?(service_identifier: @service_identifier, resource_identifier: @resource_identifier, request: @request)
+            end
+
+            def authorized
+              @response['data']['approved']
+            end
+
+          end
+        end
+      end
+    end
+  end
+end

data/lib/soar/policy/access_manager/test/orchestration_provider/service_registry.rb

@@ -0,0 +1,103 @@
+require 'soar/policy/access_manager/model_provider/service_registry'
+require 'soar/policy/access_manager/model'
+require 'jsender'
+require 'uri'
+require 'ostruct'
+
+module Soar
+  module Policy
+    module AccessManager
+      module Test
+        module OrchestrationProvider
+          class ServiceRegistry 
+
+            class Services
+              include Jsender
+
+              def initialize()
+                @policy_host = ENV['POLICY_HOST'] || 'localhost:8080'
+                @meta = {
+                  'service_identifier1' => {
+                    'policy' => 'allow'
+                  },
+                  'service_identifier2' => {
+                    'policy' => 'deny'
+                  }
+                }
+              end
+
+              def service_by_name(policy)
+                case policy
+                  when 'allow' # allow policy
+                    success_data({
+                      "services" => [[{}, { "uris" => [[{}, { "access_point" => "http://#{@policy_host}/allow" }]]}]]
+                    })
+                  when 'deny' # deny policy
+                    success_data({
+                      "services" => [[{}, { "uris" => [[{}, { "access_point" => "http://#{@policy_host}/deny" }]]}]]
+                    })
+                  else # no policy
+                    success_data({
+                      "services" => [[{}, { "uris" => [[{}, { "access_point" => "http://#{@policy_host}/" }]]}]]
+                    })
+                end
+              end
+
+              def meta_for_service(service_identifier)
+                @meta[service_identifier]
+              end
+
+            end
+
+            class Stub 
+              include Jsender
+
+              attr_accessor :services
+
+              def initialize(services)
+                @services = services
+              end
+
+            end
+
+            def initialize
+              @resource_identifier = 'resource_identifier1'
+              @request = {
+                params: {},
+                authentication_identifier: 'authentication_identifier1'
+              }
+            end
+
+            def grant_access
+              @service_identifier = 'service_identifier1'
+            end
+
+            def deny_access
+              @service_identifier = 'service_identifier2'
+            end
+
+            def no_policy
+              @service_identifier = 'service_identifier3'
+            end
+
+            def notification
+              @response['data']['notifications']
+            end
+
+            def authorized?
+              service_registry = Stub.new(Services.new)
+              model_provider = Soar::Policy::AccessManager::ModelProvider::ServiceRegistry.new(service_registry)
+              model = Soar::Policy::AccessManager::Model.new(model_provider)
+              @response = model.authorized?(service_identifier: @service_identifier, resource_identifier: @resource_identifier, request: @request)
+            end
+
+            def authorized
+              @response['data']['approved']
+            end
+
+          end
+        end
+      end
+    end
+  end
+end

data/lib/soar/policy/access_manager/test/orchestration_provider/stub.rb

@@ -0,0 +1,64 @@
+require 'securerandom'
+require 'soar/policy/access_manager/model_provider/stub'
+require 'soar/policy/access_manager/model'
+
+module Soar
+  module Policy
+    module AccessManager
+      module Test
+        module OrchestrationProvider
+          class Stub 
+
+            def initialize
+              @meta = {
+                'service_identifier1' => {
+                  'policy' => 'policy1'
+                }
+              }
+              @policies = {
+                'policy1' => {
+                  'resource_identifier1' => ['authentication_identifier1'],
+                  'resource_identifier2' => []
+                }
+              }
+              @request = {
+                params: {},
+                authentication_identifier: 'authentication_identifier1'
+              }
+            end
+
+            def grant_access
+              @service_identifier = 'service_identifier1'
+              @resource_identifier = 'resource_identifier1'
+            end
+
+            def deny_access
+              @service_identifier = 'service_identifier1'
+              @resource_identifier = 'resource_identifier2'
+            end
+
+            def no_policy
+              @service_identifier = 'service_identifier2'
+              @resource_identifier = nil
+            end
+
+            def notification
+              @response['data']['notifications']
+            end
+
+            def authorized?
+              model_provider = Soar::Policy::AccessManager::ModelProvider::Stub.new(meta: @meta, policies: @policies)
+              model = Soar::Policy::AccessManager::Model.new(model_provider)
+              @response = model.authorized?(service_identifier: @service_identifier, resource_identifier: @resource_identifier, request: @request)
+            end
+
+            def authorized
+              @response['data']['approved']
+            end
+
+          end
+        end
+      end
+    end
+  end
+end

data/lib/soar/policy/access_manager/test/orchestrator.rb

@@ -0,0 +1,40 @@
+module Soar
+  module Policy
+    module AccessManager
+      module Test
+        class Orchestrator
+
+          def initialize(orchestration_provider)
+            @orchestration_provider = orchestration_provider
+          end
+
+          def grant_access
+            @orchestration_provider.grant_access
+          end
+
+          def deny_access
+            @orchestration_provider.deny_access
+          end
+
+          def no_policy
+            @orchestration_provider.no_policy
+          end
+
+          def notification
+            @orchestration_provider.notification
+          end
+
+          def authorized?
+            @orchestration_provider.authorized?
+          end
+
+          def authorized
+            @orchestration_provider.authorized
+          end
+
+        end
+      end
+    end
+  end
+end
+  

data/soar-policy-access_manager.gemspec

@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.name          = "soar-policy-access_manager"
+  spec.version       = "1.0.0"
+  spec.authors       = ["Ernst Van Graan", "Charles Mulder"]
+  spec.email         = ["ernst.van.graan@hetzner.co.za", "charles.mulder@hetzner.co.za"]
+
+  spec.summary       = %q{Access Manager that uses policy services to determine authorization}
+  spec.description   = %q{Access Manager that uses policy services to determine authorization}
+  spec.homepage      = "https://github.com/hetznerZA/soar_policy_access_manager"
+  spec.license       = "MIT"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  # if spec.respond_to?(:metadata)
+  #   spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
+  # else
+  #   raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
+  # end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'soar_sr', "~> 1.1.24"
+  spec.add_dependency "jsender", "~> 0.2.0"
+
+end

metadata

@@ -0,0 +1,95 @@
+--- !ruby/object:Gem::Specification
+name: soar-policy-access_manager
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Ernst Van Graan
+- Charles Mulder
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-11-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: soar_sr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.24
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.24
+- !ruby/object:Gem::Dependency
+  name: jsender
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+description: Access Manager that uses policy services to determine authorization
+email:
+- ernst.van.graan@hetzner.co.za
+- charles.mulder@hetzner.co.za
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-gemset"
+- ".ruby-version"
+- Dockerfile.policies
+- Dockerfile.tests
+- Gemfile
+- README.md
+- config.ru
+- docker-compose.test.yml
+- docker-compose.yml
+- lib/soar/policy/access_manager/error.rb
+- lib/soar/policy/access_manager/model.rb
+- lib/soar/policy/access_manager/model_provider/policy.rb
+- lib/soar/policy/access_manager/model_provider/service_registry.rb
+- lib/soar/policy/access_manager/model_provider/stub.rb
+- lib/soar/policy/access_manager/test/orchestration_provider/policy.rb
+- lib/soar/policy/access_manager/test/orchestration_provider/service_registry.rb
+- lib/soar/policy/access_manager/test/orchestration_provider/stub.rb
+- lib/soar/policy/access_manager/test/orchestrator.rb
+- soar-policy-access_manager.gemspec
+homepage: https://github.com/hetznerZA/soar_policy_access_manager
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Access Manager that uses policy services to determine authorization
+test_files: []