soar_pl 0.0.1 → 0.0.2
- checksums.yaml +4 -4
- data/README.md +51 -0
- data/lib/soar_pl/authorization_policy.rb +1 -1
- data/lib/soar_pl/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0c29481be40d566195451c3e9bd78e080ab120a1
|
4
|
+
data.tar.gz: 2d98e776ca3c8f4953be65b021381b67e63b97b2
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: af990036978a47d85e5dfe6216de6a05c50c22f5573771842f58c798dfababe8be2bd4738e288e37af9d05769cacc8779ab53b0c3f0c6c2cc201a10ed4298942
|
7
|
+
data.tar.gz: 66b001df7b86d41181299af9924e15a4a91a64cce487ab9c77b394d774771ff88ef115fd0504253ca772fa799d58ca3a27f248d3b73e9629c1732d3c1f024759
|
data/README.md
CHANGED
@@ -32,6 +32,57 @@ The IDM provided must adhere to the following API:
|
|
32
32
|
attributes = @idm.get_attributes(subject_identifier, role)
|
33
33
|
# { 'role1' => {'attribute1' => 'value1', 'attribute2' => 'value2'}, 'role2' => {'attribute3' => 'value3', 'attribute4' => 'value4'}}
|
34
34
|
|
35
|
+
Initialize your policy with an identifier and a configuration:
|
36
|
+
|
37
|
+
@iut = MyRules.new('my-rules-policy', { 'clearance-threshold' => 7 })
|
38
|
+
|
39
|
+
The initialization may fail due to an error or validation failure (invalid parameters.) The initializer will always return a sane object though, on which you can call
|
40
|
+
|
41
|
+
@iut.status
|
42
|
+
|
43
|
+
in order to see whether initialization succeeded. Status will be of the form:
|
44
|
+
|
45
|
+
{ 'dependencies' =>
|
46
|
+
{ 'configuration' => 'valid|invalid',
|
47
|
+
'policy_identifier' => 'valid|invalid',
|
48
|
+
'rule_set' => 'valid|invalid' } }
|
49
|
+
|
50
|
+
Optionally, require roles to be present for an entity that you identify with a subject identifier:
|
51
|
+
|
52
|
+
@iut.requires_roles(['client', 'owner'])
|
53
|
+
|
54
|
+
If providing roles, you must provide an IDM to retrieve the entity's roles, and the attributes for each role, from:
|
55
|
+
|
56
|
+
@iut.has_idm(@idm_instance)
|
57
|
+
|
58
|
+
Check authorization for a subject identifier, (optionally) providing it with all your rule set (MyRules) needs to make the authorization decision:
|
59
|
+
|
60
|
+
result = @iut.authorize(@subject_identifier, @requestor_identifier, @resource_identifier, @request)
|
61
|
+
|
62
|
+
The subject identifier (non-empty string) is required. The requestor identifier (non-empty string) and request details (in a format you specify, but must be a Hash) as well as the resource identifier (non-empty string) are optional.
|
63
|
+
|
64
|
+
The result is jsend of the form:
|
65
|
+
|
66
|
+
{ 'allowed' => true|false, 'detail' => 'a validation message', 'idm' => 'the IDM you specified or nil', 'rule_set' => 'the name of the rule set class' }
|
67
|
+
|
68
|
+
The result status will be 'fail' if something goes wrong, such as a validation failure. The status will be 'success' if the authorization took place, regardless of a true or false value for 'allowed'.
|
69
|
+
|
70
|
+
When building your rule set, you can use both your configuration as well as the parameters passed to the authorize method, and roles and attributes obtained from the IDM. You only have to override the apply_rule_set method as below. By the time apply_rule_set is called, you can rest assured that all required roles have been checked, if you specified an IDM. IDM failures result in an Entity error being reported. E.g.:
|
71
|
+
|
72
|
+
require 'soar_pl'
|
73
|
+
|
74
|
+
class MyRules < SoarPl::AuthorizationPolicy
|
75
|
+
def apply_rule_set(subject_identifier, requestor_identifier, resource_identifier, request, subject_roles, attributes)
|
76
|
+
allow = attributes['client']['clearance'] > @configuration['clearance-threshold']
|
77
|
+
message = allow ? 'Clearance level high enough' : 'Clearance level too low'
|
78
|
+
return allow, message
|
79
|
+
end
|
80
|
+
end
|
81
|
+
|
82
|
+
## Deploying
|
83
|
+
|
84
|
+
This authorization policy framework can be deployed in-process in any ruby application or application server. It was intended for the SOAR architecture and to be deployed on soar_sc service components.
|
85
|
+
|
35
86
|
## Contributing
|
36
87
|
|
37
88
|
Bug reports and feature requests are welcome by email to ernst dot van dot graan at hetzner dot co dot za. This gem is sponsored by Hetzner (Pty) Ltd (http://hetzner.co.za)
|
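Review bot: the canonical `apply_rule_set` example at README lines 76-77 indexes `attributes['client']['clearance']` directly, so a subject whose IDM lookup returns no 'client' entry, or a 'client' entry without a 'clearance' attribute, raises `undefined method '[]' for nil` instead of producing a deny; since this is the snippet users will copy, suggest guarding the lookup, e.g. `clearance = attributes.dig('client', 'clearance')` followed by `allow = !clearance.nil? && clearance > @configuration['clearance-threshold']`, so a missing attribute fails closed. Separately, line 64 describes the result as jsend but the hash shown at line 66 is only the payload while line 68 goes on to refer to a result 'status' of 'fail' or 'success'; showing the full envelope with its top-level status key around the `'allowed'`/`'detail'` payload would remove the ambiguity about where callers should read `allowed` from.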
@@ -105,7 +105,7 @@ module SoarPl
|
|
105
105
|
def setup
|
106
106
|
end
|
107
107
|
|
108
|
-
def apply_rule_set(subject_identifier, requestor_identifier, resource_identifier, request, subject_roles,
|
108
|
+
def apply_rule_set(subject_identifier, requestor_identifier, resource_identifier, request, subject_roles, attributes)
|
109
109
|
# override me
|
110
110
|
end
|
111
111
|
|
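Review bot: the new line 108 completes the previously truncated parameter list (the removed line ended at `subject_roles,` with no closing parenthesis), but the default body at lines 109-110 is still just `# override me`, which in Ruby returns nil rather than the `allow, message` pair the README example returns; suggest a fail-closed default such as `return false, 'no rule set applied'` so a policy whose subclass forgets to override the method cannot be read as an allow. Adding a sixth positional parameter is also an interface change for any existing subclass that overrides `apply_rule_set`, which is worth calling out in the 0.0.2 notes even though the old signature could not have been loaded as written.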
data/lib/soar_pl/version.rb
CHANGED