soar_pl 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c635718cebea5cd51e3b6f06355fb3d23f1e3b80
+  data.tar.gz: ede26601dc1055a1b3ab7130fbe5e998c5e0a7f5
+SHA512:
+  metadata.gz: 29f328e7bc225aad9f6fa486a64443955dee7f92c33599b61714757f5162795f8b35f63a7065b21c8e6175cba2eb3431a15299c132e9b1bfe87bf66a2781c997
+  data.tar.gz: 96c0599aa1b467be1b27a0ff36b12408731fe4bd6aee799175935d739ce0b018b4eac56441703537bb3ce49b0bac9689bf1da48495e5bb3b5ed56689445310cc

data/.gitignore

@@ -0,0 +1,11 @@
+.byebug_history
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.gem

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in soar_pl.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Ernst van Graan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,42 @@
+# SoarPl
+
+SoarPl is a generic authorization policy implementation. It was designed for use in the SOAR architecture. Extend the AuthorizationPolicy class with your own, and provide the needed IDM interaction and rule set for interrogating subject_identifier, requestor_identifier, resource_identifier and request in order to make an authorization decision. The policy communicates the result using jsend.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+		gem 'soar_pl'
+
+And then execute:
+
+    bundle
+
+Or install it yourself as:
+
+    gem install soar_pl
+
+## Usage
+	  spec.add_development_dependency 'soar_pl'
+	  bundle exec irb
+
+Extend the AuthorizationPolicy class to create a policy. Examples can be found here: https://github.hetzner.co.za/hetznerZA/soar_policies/tree/master/production
+
+The implementation reaches out to the IDM provided and retrieves entity roles and attributes.
+The IDM provided must adhere to the following API:
+
+		subject_identifier = "string identifier"
+		subject_roles = @idm.get_roles(subject_identifier)
+		# [ 'role1', 'role2']
+		attributes = {}
+		attributes = @idm.get_attributes(subject_identifier, role)
+		# { 'role1' => {'attribute1' => 'value1', 'attribute2' => 'value2'}, 'role2' => {'attribute3' => 'value3', 'attribute4' => 'value4'}}
+
+## Contributing
+
+Bug reports and feature requests are welcome by email to ernst dot van dot graan at hetzner dot co dot za. This gem is sponsored by Hetzner (Pty) Ltd (http://hetzner.co.za)
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/soar_pl/authorization_policy.rb

@@ -0,0 +1,148 @@
+require 'jsender'
+
+module SoarPl
+  class AuthorizationPolicy
+    include Jsender
+
+    attr_reader :policy_identifier
+    attr_reader :policy_configuration
+    attr_reader :subject_identifier
+    attr_reader :requestor_identifier
+    attr_reader :request
+    attr_reader :configuration
+    attr_reader :rule_set
+    attr_reader :idm
+    attr_reader :roles
+    attr_accessor :status
+    attr_accessor :request_debug_allow
+
+    def initialize(policy_identifier, policy_configuration)
+      data = { 'dependencies' => 
+               { 'configuration' => 'invalid',
+                 'policy_identifier' => 'invalid',
+                 'rule_set' => 'invalid' } }
+      @roles = []
+      @policy_identifier = policy_identifier
+      @configuration = policy_configuration
+
+      valid_policy_identifier = valid_non_empty_string?(policy_identifier)
+      valid_configuration = @configuration.is_a?(Hash)
+      #byebug
+      valid_rule_set = (self.class.name != 'SoarPl::AuthorizationPolicy')
+      
+      if (policy_identifier.nil?)
+        @status = fail('no identifier provided')
+      elsif (not valid_policy_identifier)
+        @status = fail('invalid identifier provided')
+      elsif policy_configuration.nil?
+        @status = fail('no configuration provided')
+      elsif not valid_configuration
+        @status = fail('invalid configuration provided', data) 
+      elsif not valid_rule_set
+        # Must extend this class and provide a rule set in apply_rule_set(...)
+        @status = fail('invalid rule set provided')
+      else
+        @status = success_data(data)
+      end
+      data['dependencies']['configuration'] = (valid_configuration ? 'valid' : 'invalid')
+      data['dependencies']['rule_set'] = (valid_rule_set ? 'valid' : 'invalid')
+      data['dependencies']['policy_identifier'] = (valid_policy_identifier ? 'valid' : 'invalid')
+      setup
+    end
+
+    def requires_roles(roles)
+      roles = [roles] if not roles.is_a?(Array)
+
+      @roles = roles
+    end
+
+    def has_idm(idm)
+      @idm = idm
+    end
+
+    def authorize(subject_identifier, requestor_identifier, resource_identifier, request)
+      #byebug
+      requested = request
+      begin
+        requested = JSON.parse(request) if not request.is_a?(Hash)
+      rescue => ex
+        return fail("Invalid request", build_result(false, "Invalid request", @idm))        
+      end
+      return fail_invalid("resource identifier") if not valid_non_empty_string?(resource_identifier)
+      return fail("Invalid request", build_result(false, "Invalid request", @idm)) if requested and not requested.is_a?(Hash)
+      return fail_invalid("requestor identifier") if not valid_non_empty_string?(requestor_identifier)
+      return fail_invalid("subject identifier") if not valid_non_empty_string?(subject_identifier)
+
+      subject_roles = []
+      attributes = {}
+      begin
+        subject_roles = discover_subject_roles(subject_identifier) if @idm
+      rescue => ex
+        error = 'Entity error (IDM)'
+        return fail(error, build_result(false, error, @idm))
+      end
+
+      return success_data(build_result(false, "Role missing", @idm)) if not roles_present?(subject_roles, @roles)
+
+      begin
+        attributes = discover_subject_role_attributes(subject_identifier, subject_roles) if @idm
+      rescue => ex
+        error = 'Entity error (IDM)'
+        return fail(error, build_result(false, error, @idm))
+      end
+
+      result, message = apply_rule_set(subject_identifier, requestor_identifier, resource_identifier, requested, subject_roles, attributes)
+
+      if (result)
+        success_data(build_result(true, message, @idm))
+      else
+        success_data(build_result(false, message, @idm))
+      end
+    end
+
+    protected
+
+    def setup
+    end
+
+    def apply_rule_set(subject_identifier, requestor_identifier, resource_identifier, request, subject_roles, attribures)
+      # override me
+    end
+
+    def discover_subject_roles(subject_identifier)
+      subject_roles = @idm.get_roles(subject_identifier)
+    end
+
+    def discover_subject_role_attributes(subject_identifier, subject_roles)
+      attributes = {}
+      @roles.each do |role|
+        attributes[role] = @idm.get_role_attributes(subject_identifier, role)
+      end
+      attributes
+    end
+
+    private
+
+    def fail_invalid(description)
+      fail("Invalid #{description}", build_result(false, "Invalid #{description}", @idm))      
+    end
+
+    def valid_non_empty_string?(value)
+      not (value.nil? or (not value.is_a?(String)) or (value.strip == ''))
+    end
+
+    def build_result(allow, message, idm)
+      {'allowed' => allow, 'detail' => message, 'idm' => idm, 'rule_set' => self.class.name}
+    end
+
+    def roles_present?(subject_roles, required_roles)
+      return true if required_roles.nil? or required_roles.empty?
+      return false if subject_roles.nil?
+      required_roles.each do |role|
+        return false if not subject_roles.include?(role)
+      end
+      true
+    end
+  end
+end
+

data/lib/soar_pl/version.rb

@@ -0,0 +1,3 @@
+module SoarPl
+  VERSION = "0.0.1"
+end

data/lib/soar_pl.rb

@@ -0,0 +1,5 @@
+require "soar_pl/version"
+require 'jsender'
+
+module SoarPl
+end

data/soar_pl.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'soar_pl/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "soar_pl"
+  spec.version       = SoarPl::VERSION
+  spec.authors       = ["Ernst van Graan"]
+  spec.email         = ["ernst.van.graan@hetzner.co.za"]
+
+  spec.summary       = %q{Generic implementation of a SOAR authorization policy}
+  spec.description   = %q{Generic implementation of a SOAR authorization policy}
+#  spec.homepage      = "TODO: Put your gem's website or public repo URL here."
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+#  spec.required_ruby_version = ['>=2.0.0']
+
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec"
+  #spec.add_development_dependency "byebug"
+  spec.add_dependency "jsender"
+end

metadata

@@ -0,0 +1,110 @@
+--- !ruby/object:Gem::Specification
+name: soar_pl
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Ernst van Graan
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-02-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jsender
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Generic implementation of a SOAR authorization policy
+email:
+- ernst.van.graan@hetzner.co.za
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/soar_pl.rb
+- lib/soar_pl/authorization_policy.rb
+- lib/soar_pl/version.rb
+- soar_pl.gemspec
+homepage: 
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Generic implementation of a SOAR authorization policy
+test_files: []
+has_rdoc: