soar_pl 0.0.5 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a33dc515b79a055e58c4cd8322db826b7e8ea527
-  data.tar.gz: b8efb7557335ff3438c1c3ac61a434c397743ad1
+  metadata.gz: e2b08e955891c93d88edb864c6699ac241c236d6
+  data.tar.gz: 0d2615ff9cf68374b1f865aa0246264d33859c9d
 SHA512:
-  metadata.gz: 8d864b0032344dcbdb3651c52708c76ed4765279867af052eef98d30f94a19e4615ee5f89c31a6df2764729b14194c7fa6477c240acbfa7805225453336fa835
-  data.tar.gz: 36fc2a86fd22f232ec34dc1b10c23335a8b5fd58a1bb179b43095d7c01af4225863ccb74a4979d83b12c4e305d05ea1de2ab4c54bf19ec9537b1a1dfdb5c1b65
+  metadata.gz: 0b94c726c2dd3507818944dd314973446edd3a04d9af421a167c5b8d6f1c63ea34eb16ae25ef809a4dd6efcfce4719f1a9d4b4153e8962f30374c445daebabec
+  data.tar.gz: 487f45e98d1da42adf7aa04d1c7d82c5e1f9cc251eb229dd18b639f60eda1e2749ee9e6f8e62d23e2160096865565225effd4931e87410818369b44b6441baa9

data/README.md

@@ -2,6 +2,8 @@
 
 SoarPl is a generic authorization policy implementation. It was designed for use in the SOAR architecture. Extend the AuthorizationPolicy class with your own, and provide the needed IDM interaction and rule set for interrogating subject_identifier, requestor_identifier, resource_identifier and request in order to make an authorization decision. The policy communicates the result using jsend.
 
+The policy can be given a subject identifier, representing the subject to be authorized. Optionally, the resource identifier of the resource the subject wants to access can be supplied, as well as details of the request itself. Additionally, the identifier of the requestor asking the authorization question of the policy can also be supplied. This information in conjunction with the subject's roles and attributes as discovered from the (optional) IDM provided, form the full information set that the rule set can use to make the authorization decision.
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -20,7 +22,8 @@ Or install it yourself as:
 	  spec.add_development_dependency 'soar_pl'
 	  bundle exec irb
 
-Extend the AuthorizationPolicy class to create a policy. Examples can be found here: https://github.hetzner.co.za/hetznerZA/soar_policies/tree/master/production
+In the examples that follow, @iut refers to 'implementation under test' a.k.a 'item under test'
+Extend the {SoarPl::AuthorizationPolicy AuthorizationPolicy} class to create a policy. Examples can be found here: https://github.hetzner.co.za/hetznerZA/soar_policies/tree/master/production
 
 The implementation reaches out to the IDM provided and retrieves entity roles and attributes.
 The IDM provided must adhere to the following API:
@@ -53,7 +56,7 @@ Optionally, require roles to be present for an entity that you identify with a s
 
 If requiring roles, you must provide an IDM to retrieve the entity's roles, and the attributes for each role, from:
 
-    @iut.has_idm(@idm_instance)
+    @iut.use_idm(@idm_instance)
 
 Check authorization for a subject identifier, (optionally) providing it with all your rule set (MyRules) needs to make the authorization decision:
 
@@ -93,3 +96,8 @@ Bug reports and feature requests are welcome by email to ernst dot van dot graan
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 
+## TODO
+
+- The IDM API will be published in a future gem, along with a SOAR reference identity registry implementation
+- Examples are currently in a private repo, this will be made public as the use matures
+- Helper methods for interrogating status may be added (e.g. valid?, configuration_valid?, allowed?, denied?, etc.)

data/lib/soar_pl/authorization_policy.rb

@@ -17,89 +17,36 @@ module SoarPl
     attr_accessor :request_debug_allow
 
     def initialize(policy_identifier, policy_configuration)
-      data = { 'dependencies' => 
-               { 'configuration' => 'invalid',
-                 'policy_identifier' => 'invalid',
-                 'rule_set' => 'invalid' } }
       @roles = []
       @policy_identifier = policy_identifier
       @configuration = policy_configuration
-
-      valid_policy_identifier = valid_non_empty_string?(policy_identifier)
-      valid_configuration = @configuration.is_a?(Hash)
-      #byebug
-      valid_rule_set = (self.class.name != 'SoarPl::AuthorizationPolicy')
-      
-      if (policy_identifier.nil?)
-        @status = fail('no identifier provided')
-      elsif (not valid_policy_identifier)
-        @status = fail('invalid identifier provided')
-      elsif policy_configuration.nil?
-        @status = fail('no configuration provided')
-      elsif not valid_configuration
-        @status = fail('invalid configuration provided', data) 
-      elsif not valid_rule_set
-        # Must extend this class and provide a rule set in apply_rule_set(...)
-        @status = fail('invalid rule set provided')
-      else
-        @status = success_data(data)
-      end
-      data['dependencies']['configuration'] = (valid_configuration ? 'valid' : 'invalid')
-      data['dependencies']['rule_set'] = (valid_rule_set ? 'valid' : 'invalid')
-      data['dependencies']['policy_identifier'] = (valid_policy_identifier ? 'valid' : 'invalid')
+      validate_bootstrap(policy_identifier, policy_configuration)
       setup
     end
 
     def requires_roles(roles)
       roles = [roles] if not roles.is_a?(Array)
-
       @roles = roles
     end
 
-    def has_idm(idm)
+    def use_idm(idm)
       @idm = idm
     end
 
     def authorize(subject_identifier, requestor_identifier, resource_identifier, request)
-      #byebug
-      if request
-        requested = request
-        begin
-          requested = JSON.parse(request) if not request.is_a?(Hash)
-        rescue => ex
-          return fail("Invalid request", build_result(false, "Invalid request", @idm))        
-        end
-      end
-      return fail_invalid("resource identifier") if resource_identifier and (not valid_non_empty_string?(resource_identifier))
-      return fail("Invalid request", build_result(false, "Invalid request", @idm)) if requested and (not requested.is_a?(Hash))
-      return fail_invalid("requestor identifier") if requestor_identifier and (not valid_non_empty_string?(requestor_identifier))
-      return fail_invalid("subject identifier") if subject_identifier and (not valid_non_empty_string?(subject_identifier))
+      result = translate_request(request)
+      return result if result['status'] == 'fail'
+      requested = result['data']['requested']
 
-      subject_roles = []
-      attributes = {}
-      begin
-        subject_roles = discover_subject_roles(subject_identifier) if @idm
-      rescue => ex
-        error = 'Entity error (IDM)'
-        return fail(error, build_result(false, error, @idm))
-      end
-
-      return success_data(build_result(false, "Role missing", @idm)) if not roles_present?(subject_roles, @roles)
-
-      begin
-        attributes = discover_subject_role_attributes(subject_identifier, subject_roles) if @idm
-      rescue => ex
-        error = 'Entity error (IDM)'
-        return fail(error, build_result(false, error, @idm))
-      end
+      validation_error = validate_authorization(subject_identifier, requestor_identifier, resource_identifier, requested)
+      return validation_error if validation_error
 
-      result, message = apply_rule_set(subject_identifier, requestor_identifier, resource_identifier, requested, subject_roles, attributes)
+      result = discover_entity(subject_identifier)
+      error = result['data']['notifications'].first
+      return fail(error, build_result(false, error, @idm)) if result['status'] == 'fail'
 
-      if (result)
-        success_data(build_result(true, message, @idm))
-      else
-        success_data(build_result(false, message, @idm))
-      end
+      result, message = apply_rule_set(subject_identifier, requestor_identifier, resource_identifier, requested, result['data']['subject_roles'], result['data']['attributes'])
+      build_response(result, message)
     end
 
     protected
@@ -111,6 +58,16 @@ module SoarPl
       # override me
     end
 
+    def discover_entity(subject_identifier)
+      subject_roles = discover_subject_roles(subject_identifier) if @idm
+      return fail("Role missing") if not roles_present?(subject_roles, @roles)
+      attributes = discover_subject_role_attributes(subject_identifier, subject_roles) if @idm
+      success_data( { 'subject_roles' => subject_roles, 'attributes' => attributes } )
+
+      rescue => ex
+        return fail('Entity error (IDM)')
+    end
+
     def discover_subject_roles(subject_identifier)
       subject_roles = @idm.get_roles(subject_identifier)
     end
@@ -125,6 +82,70 @@ module SoarPl
 
     private
 
+    def validate_bootstrap(policy_identifier, policy_configuration)
+      valid_policy_identifier = valid_non_empty_string?(policy_identifier)
+      valid_configuration = @configuration.is_a?(Hash)
+      valid_rule_set = (self.class.name != 'SoarPl::AuthorizationPolicy')
+      set_bootstrap_status(policy_identifier, policy_configuration, valid_configuration, valid_rule_set, valid_policy_identifier)
+
+      return valid_configuration, valid_rule_set, valid_policy_identifier
+    end
+
+    def data_invalidated
+      { 'dependencies' => 
+        { 'configuration' => 'invalid',
+          'policy_identifier' => 'invalid',
+          'rule_set' => 'invalid' } }
+    end      
+
+    def set_bootstrap_status(policy_identifier, policy_configuration, valid_configuration, valid_rule_set, valid_policy_identifier)
+      data = data_invalidated
+
+      if (policy_identifier.nil?)
+        @status = fail('no identifier provided')
+      elsif (not valid_policy_identifier)
+        @status = fail('invalid identifier provided')
+      elsif policy_configuration.nil?
+        @status = fail('no configuration provided')
+      elsif not valid_configuration
+        @status = fail('invalid configuration provided', data) 
+      elsif not valid_rule_set
+        # Must extend this class and provide a rule set in apply_rule_set(...)
+        @status = fail('invalid rule set provided')
+      else
+        @status = success_data(data)
+      end
+
+      data['dependencies']['configuration'] = (valid_configuration ? 'valid' : 'invalid')
+      data['dependencies']['rule_set'] = (valid_rule_set ? 'valid' : 'invalid')
+      data['dependencies']['policy_identifier'] = (valid_policy_identifier ? 'valid' : 'invalid')      
+    end
+
+    def translate_request(request)
+      requested = {}
+      if request
+        requested = request
+        begin
+          requested = JSON.parse(request) if not request.is_a?(Hash)
+        rescue => ex
+          return fail("Invalid request", build_result(false, "Invalid request", @idm))        
+        end
+      end
+      success_data({'requested' => requested})
+    end
+
+    def validate_authorization(subject_identifier, requestor_identifier, resource_identifier, requested)
+      return fail_invalid("resource identifier") if resource_identifier and (not valid_non_empty_string?(resource_identifier))
+      return fail("Invalid request", build_result(false, "Invalid request", @idm)) if requested and (not requested.is_a?(Hash))
+      return fail_invalid("requestor identifier") if requestor_identifier and (not valid_non_empty_string?(requestor_identifier))
+      return fail_invalid("subject identifier") if subject_identifier and (not valid_non_empty_string?(subject_identifier))
+    end
+
+    def build_response(result, message)
+      return success_data(build_result(true, message, @idm)) if result
+      success_data(build_result(false, message, @idm))
+    end
+
     def fail_invalid(description)
       fail("Invalid #{description}", build_result(false, "Invalid #{description}", @idm))      
     end

data/lib/soar_pl/version.rb

@@ -1,3 +1,3 @@
 module SoarPl
-  VERSION = "0.0.5"
+  VERSION = "0.0.6"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: soar_pl
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - Ernst van Graan