soar_policy_access_manager 0.1.1 → 0.2.0
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/lib/soar_policy_access_manager.rb +42 -14
- data/lib/soar_policy_access_manager/version.rb +1 -1
- data/soar_policy_access_manager.gemspec +2 -1
- metadata +18 -4
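--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9e367292c1d1e3befbeef9b45e449ff3e1974b60
+data.tar.gz: 99b8c32092b799fb868e37c35e62f51482f741f8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3df22f7f2ccc32064d834da6a8c07da61b10f90bf0a9dab58f214155b2edfea3414ee5e94d7cf0d639fc3c588f76725ca47fbdc01dae2f1101e5e1a0d94173f0
+data.tar.gz: 59fa3e45bdd321521b383a54591b139518f446e87bbcfcfa49e4beeeb6f6861ffea82ef71993867ffdd3f5fc13716f1704b816726ae14242d3be4716ab804e68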
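--- a/data/README.md
+++ b/data/README.md
@@ -2,7 +2,7 @@
 
 This Access Manager adheres to SoarAm::AmApi. It is initialized with a soar_sr service registy client (https://rubygems.org/gems/soar_sr)
 
-This access manager denies access for unauthenticated requests, that is, request that do not
+This access manager denies access for unauthenticated requests, that is, request that do not have request.session['user'] set. If set, this access manager then queries the service registry for meta regarding the service identifier in question.
 
 If the service meta indicates no policy, the request is allowed. It the service meta indicates a policy, the policy service is asked, given the authenticated subject identifier, service identifier, resource identifier and request parameters, whether the request should be allowed. This access manager then allows / denies accordingly.
 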
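--- a/data/lib/soar_policy_access_manager.rb
+++ b/data/lib/soar_policy_access_manager.rb
@@ -1,4 +1,5 @@
 require "soar_policy_access_manager/version"
+require 'jsender'
 require "soar_am"
 
 module SoarPolicyAccessManager
@@ -6,6 +7,7 @@ module SoarPolicyAccessManager
 end
 
 class PolicyAccessManager < SoarAm::AmApi
+include Jsender
 attr_reader :service_registry
 
 def initialize(service_registry)
@@ -13,25 +15,47 @@ module SoarPolicyAccessManager
 end
 
 def authorize(service_identifier, resource_identifier, authentication_identifier, request)
-
+#byebug
+notifications = []
+decision = false
 
-
+begin
+if ENV['RACK_ENV'] == 'development'
+notifications << 'Authorized in development environment'
+decision = true
+end
 
-
-
-
-
-
-
-
-
+subject_identifier = authentication_identifier
+
+meta = @service_registry.services.meta_for_service(service_identifier)
+policy = meta['policy'] if meta and meta.is_a?(Hash) and meta['policy']
+
+if policy.nil?
+decision = true
+notifications << 'No policy associated with service'
+else
+decision, detail = ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
+notifications.concat(detail) if not detail.empty?
+notifications << 'Policy rejected authorization request' if not decision
+notifications << 'Policy approved authorization request' if decision
+end
+rescue SoarSr::ValidationError
+notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
+decision = false
+end
+
+success(notifications, { 'approved' => decision } )
 end
 
 private
 
 def ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
+notifications = []
 uri = find_first_uri(policy)
-
+if uri.nil?
+notifications << "Could not retrieve policy for service"
+return false, notifications
+end
 url = URI.parse(uri)
 params = { 'resource_identifier' => resource_identifier,
 'subject_identifier' => subject_identifier,
@@ -40,10 +64,14 @@ module SoarPolicyAccessManager
 'flow_identifier' => request['flow_identifier'] }
 res = Net::HTTP.post_form(url, params)
 result = JSON.parse(res.body)
-
-
+if result['status'] == 'error'
+notifications << 'Policy query result was not success'
+return false, notifications
+end
+return result['data']['allowed'], notifications
 rescue => ex
-
+notifications << "Exception while asking policy #{ex.message}"
+return false, notifications
 end
 
 def find_first_uri(policy)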
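--- a/data/soar_policy_access_manager.gemspec
+++ b/data/soar_policy_access_manager.gemspec
@@ -27,7 +27,8 @@ Gem::Specification.new do |spec|
 spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
 spec.require_paths = ["lib"]
 
-spec.add_dependency "soar_am", "~>0.1.
+spec.add_dependency "soar_am", "~>0.1.2"
+spec.add_dependency "jsender", "~> 0.2.0"
 
 spec.add_development_dependency "bundler", "~> 1.12"
 spec.add_development_dependency "rake", "~> 10.0"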
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: soar_policy_access_manager
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ernst Van Graan
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-07-
|
11
|
+
date: 2016-07-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: soar_am
|
@@ -16,14 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.1.
|
19
|
+
version: 0.1.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.1.
|
26
|
+
version: 0.1.2
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: jsender
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - "~>"
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: 0.2.0
|
34
|
+
type: :runtime
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - "~>"
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: 0.2.0
|
27
41
|
- !ruby/object:Gem::Dependency
|
28
42
|
name: bundler
|
29
43
|
requirement: !ruby/object:Gem::Requirement
|