soar_policy_access_manager 0.1.1 → 0.2.0
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/lib/soar_policy_access_manager.rb +42 -14
- data/lib/soar_policy_access_manager/version.rb +1 -1
- data/soar_policy_access_manager.gemspec +2 -1
- metadata +18 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9e367292c1d1e3befbeef9b45e449ff3e1974b60
|
4
|
+
data.tar.gz: 99b8c32092b799fb868e37c35e62f51482f741f8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3df22f7f2ccc32064d834da6a8c07da61b10f90bf0a9dab58f214155b2edfea3414ee5e94d7cf0d639fc3c588f76725ca47fbdc01dae2f1101e5e1a0d94173f0
|
7
|
+
data.tar.gz: 59fa3e45bdd321521b383a54591b139518f446e87bbcfcfa49e4beeeb6f6861ffea82ef71993867ffdd3f5fc13716f1704b816726ae14242d3be4716ab804e68
|
data/README.md
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
This Access Manager adheres to SoarAm::AmApi. It is initialized with a soar_sr service registy client (https://rubygems.org/gems/soar_sr)
|
4
4
|
|
5
|
-
This access manager denies access for unauthenticated requests, that is, request that do not
|
5
|
+
This access manager denies access for unauthenticated requests, that is, request that do not have request.session['user'] set. If set, this access manager then queries the service registry for meta regarding the service identifier in question.
|
6
6
|
|
7
7
|
If the service meta indicates no policy, the request is allowed. It the service meta indicates a policy, the policy service is asked, given the authenticated subject identifier, service identifier, resource identifier and request parameters, whether the request should be allowed. This access manager then allows / denies accordingly.
|
8
8
|
|
@@ -1,4 +1,5 @@
|
|
1
1
|
require "soar_policy_access_manager/version"
|
2
|
+
require 'jsender'
|
2
3
|
require "soar_am"
|
3
4
|
|
4
5
|
module SoarPolicyAccessManager
|
@@ -6,6 +7,7 @@ module SoarPolicyAccessManager
|
|
6
7
|
end
|
7
8
|
|
8
9
|
class PolicyAccessManager < SoarAm::AmApi
|
10
|
+
include Jsender
|
9
11
|
attr_reader :service_registry
|
10
12
|
|
11
13
|
def initialize(service_registry)
|
@@ -13,25 +15,47 @@ module SoarPolicyAccessManager
|
|
13
15
|
end
|
14
16
|
|
15
17
|
def authorize(service_identifier, resource_identifier, authentication_identifier, request)
|
16
|
-
|
18
|
+
#byebug
|
19
|
+
notifications = []
|
20
|
+
decision = false
|
17
21
|
|
18
|
-
|
22
|
+
begin
|
23
|
+
if ENV['RACK_ENV'] == 'development'
|
24
|
+
notifications << 'Authorized in development environment'
|
25
|
+
decision = true
|
26
|
+
end
|
19
27
|
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
+
subject_identifier = authentication_identifier
|
29
|
+
|
30
|
+
meta = @service_registry.services.meta_for_service(service_identifier)
|
31
|
+
policy = meta['policy'] if meta and meta.is_a?(Hash) and meta['policy']
|
32
|
+
|
33
|
+
if policy.nil?
|
34
|
+
decision = true
|
35
|
+
notifications << 'No policy associated with service'
|
36
|
+
else
|
37
|
+
decision, detail = ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
|
38
|
+
notifications.concat(detail) if not detail.empty?
|
39
|
+
notifications << 'Policy rejected authorization request' if not decision
|
40
|
+
notifications << 'Policy approved authorization request' if decision
|
41
|
+
end
|
42
|
+
rescue SoarSr::ValidationError
|
43
|
+
notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
|
44
|
+
decision = false
|
45
|
+
end
|
46
|
+
|
47
|
+
success(notifications, { 'approved' => decision } )
|
28
48
|
end
|
29
49
|
|
30
50
|
private
|
31
51
|
|
32
52
|
def ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
|
53
|
+
notifications = []
|
33
54
|
uri = find_first_uri(policy)
|
34
|
-
|
55
|
+
if uri.nil?
|
56
|
+
notifications << "Could not retrieve policy for service"
|
57
|
+
return false, notifications
|
58
|
+
end
|
35
59
|
url = URI.parse(uri)
|
36
60
|
params = { 'resource_identifier' => resource_identifier,
|
37
61
|
'subject_identifier' => subject_identifier,
|
@@ -40,10 +64,14 @@ module SoarPolicyAccessManager
|
|
40
64
|
'flow_identifier' => request['flow_identifier'] }
|
41
65
|
res = Net::HTTP.post_form(url, params)
|
42
66
|
result = JSON.parse(res.body)
|
43
|
-
|
44
|
-
|
67
|
+
if result['status'] == 'error'
|
68
|
+
notifications << 'Policy query result was not success'
|
69
|
+
return false, notifications
|
70
|
+
end
|
71
|
+
return result['data']['allowed'], notifications
|
45
72
|
rescue => ex
|
46
|
-
|
73
|
+
notifications << "Exception while asking policy #{ex.message}"
|
74
|
+
return false, notifications
|
47
75
|
end
|
48
76
|
|
49
77
|
def find_first_uri(policy)
|
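Review bot: The `rescue SoarSr::ValidationError` handler in authorize (hunk @@ -13,25 +15,47 @@) interpolates `#{ex.message}` but never binds the exception, so the handler itself raises NameError and the deny result it is meant to return is never produced; it should read `rescue SoarSr::ValidationError => ex`. The `ENV['RACK_ENV'] == 'development'` block at the top of the same hunk sets `decision = true` but that value is unconditionally overwritten by the policy lookup that follows (or by the rescue), so today it only adds a misleading notification, and rather than making it return early, which would turn an environment variable into an approve-all switch inside an access manager, I would drop the block entirely. The README in this same release says unauthenticated requests are denied, yet `subject_identifier = authentication_identifier` is used with no nil check, so unless SoarAm::AmApi already rejects a nil identifier before delegating, a nil subject is either sent to the policy service or, when the service has no policy, approved; I would add `return success(['Unauthenticated request denied'], { 'approved' => false }) if authentication_identifier.nil?` before the registry lookup. In ask_policy (hunk @@ -40,10 +64,14 @@, whose definition begins in the previous hunk) the guard `if result['status'] == 'error'` is paired with the message 'Policy query result was not success' but lets a jsend 'fail' status fall through to `result['data']['allowed']`; `if result['status'] != 'success'` matches the message and fails closed. Style: the `#byebug` leftover and the `and`/`if not` forms should be cleaned up, e.g. `policy = meta['policy'] if meta.is_a?(Hash) && meta['policy']` and `notifications.concat(detail) unless detail.empty?`.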
@@ -27,7 +27,8 @@ Gem::Specification.new do |spec|
|
|
27
27
|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
28
28
|
spec.require_paths = ["lib"]
|
29
29
|
|
30
|
-
spec.add_dependency "soar_am", "~>0.1.
|
30
|
+
spec.add_dependency "soar_am", "~>0.1.2"
|
31
|
+
spec.add_dependency "jsender", "~> 0.2.0"
|
31
32
|
|
32
33
|
spec.add_development_dependency "bundler", "~> 1.12"
|
33
34
|
spec.add_development_dependency "rake", "~> 10.0"
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: soar_policy_access_manager
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ernst Van Graan
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-07-
|
11
|
+
date: 2016-07-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: soar_am
|
@@ -16,14 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.1.
|
19
|
+
version: 0.1.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.1.
|
26
|
+
version: 0.1.2
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: jsender
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - "~>"
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: 0.2.0
|
34
|
+
type: :runtime
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - "~>"
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: 0.2.0
|
27
41
|
- !ruby/object:Gem::Dependency
|
28
42
|
name: bundler
|
29
43
|
requirement: !ruby/object:Gem::Requirement
|