soar_policy_access_manager 0.1.1 → 0.2.0

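--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: e50e4478abec389e99c825177ae9c17fd3e931b2
-data.tar.gz: 71b88ae4ccc26913cd90dd81bb379b5a6d7afb4d
+metadata.gz: 9e367292c1d1e3befbeef9b45e449ff3e1974b60
+data.tar.gz: 99b8c32092b799fb868e37c35e62f51482f741f8
 SHA512:
-metadata.gz: 17b58096035aa645952fa228eb66ee0099fec851b04193cf47d764fc57c8a8db5a00ba9bce940400d66b7c8c3cd8f092ee12d1093d075f75f542d9b1ca36079d
-data.tar.gz: f52f4b048d2f0c0b8bae04d1a5563870dc99b5f40d3185b883633a44c659e85100d40120b50f230059a1690a29c2975d7694f4ee6cb339627450676549df66d2
+metadata.gz: 3df22f7f2ccc32064d834da6a8c07da61b10f90bf0a9dab58f214155b2edfea3414ee5e94d7cf0d639fc3c588f76725ca47fbdc01dae2f1101e5e1a0d94173f0
+data.tar.gz: 59fa3e45bdd321521b383a54591b139518f446e87bbcfcfa49e4beeeb6f6861ffea82ef71993867ffdd3f5fc13716f1704b816726ae14242d3be4716ab804e68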
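--- a/data/README.md
+++ b/data/README.md
@@ -2,7 +2,7 @@
 
 This Access Manager adheres to SoarAm::AmApi. It is initialized with a soar_sr service registy client (https://rubygems.org/gems/soar_sr)
 
-This access manager denies access for unauthenticated requests, that is, request that do not habe request.session['user'] set. If set, this access manager then queries the service registry for meta regarding the service identifier in question.
+This access manager denies access for unauthenticated requests, that is, request that do not have request.session['user'] set. If set, this access manager then queries the service registry for meta regarding the service identifier in question.
 
 If the service meta indicates no policy, the request is allowed. It the service meta indicates a policy, the policy service is asked, given the authenticated subject identifier, service identifier, resource identifier and request parameters, whether the request should be allowed. This access manager then allows / denies accordingly.
 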
@@ -1,4 +1,5 @@
1
1
  require "soar_policy_access_manager/version"
2
+ require 'jsender'
2
3
  require "soar_am"
3
4
 
4
5
  module SoarPolicyAccessManager
@@ -6,6 +7,7 @@ module SoarPolicyAccessManager
6
7
  end
7
8
 
8
9
  class PolicyAccessManager < SoarAm::AmApi
10
+ include Jsender
9
11
  attr_reader :service_registry
10
12
 
11
13
  def initialize(service_registry)
@@ -13,25 +15,47 @@ module SoarPolicyAccessManager
13
15
  end
14
16
 
15
17
  def authorize(service_identifier, resource_identifier, authentication_identifier, request)
16
- return true if ENV['RACK_ENV'] == 'development'
18
+ #byebug
19
+ notifications = []
20
+ decision = false
17
21
 
18
- subject_identifier = authentication_identifier
22
+ begin
23
+ if ENV['RACK_ENV'] == 'development'
24
+ notifications << 'Authorized in development environment'
25
+ decision = true
26
+ end
19
27
 
20
- meta = @service_registry.services.meta_for_service(service_identifier)
21
- policy = meta['policy'] if meta and meta.is_a?(Hash) and meta['policy']
22
- policy.nil? ? true : ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
23
- rescue SoarSr::ValidationError
24
- return false
25
- rescue => ex
26
- STDERR.puts "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
27
- return false
28
+ subject_identifier = authentication_identifier
29
+
30
+ meta = @service_registry.services.meta_for_service(service_identifier)
31
+ policy = meta['policy'] if meta and meta.is_a?(Hash) and meta['policy']
32
+
33
+ if policy.nil?
34
+ decision = true
35
+ notifications << 'No policy associated with service'
36
+ else
37
+ decision, detail = ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
38
+ notifications.concat(detail) if not detail.empty?
39
+ notifications << 'Policy rejected authorization request' if not decision
40
+ notifications << 'Policy approved authorization request' if decision
41
+ end
42
+ rescue SoarSr::ValidationError
43
+ notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
44
+ decision = false
45
+ end
46
+
47
+ success(notifications, { 'approved' => decision } )
28
48
  end
29
49
 
30
50
  private
31
51
 
32
52
  def ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
53
+ notifications = []
33
54
  uri = find_first_uri(policy)
34
- return false if uri.nil?
55
+ if uri.nil?
56
+ notifications << "Could not retrieve policy for service"
57
+ return false, notifications
58
+ end
35
59
  url = URI.parse(uri)
36
60
  params = { 'resource_identifier' => resource_identifier,
37
61
  'subject_identifier' => subject_identifier,
@@ -40,10 +64,14 @@ module SoarPolicyAccessManager
40
64
  'flow_identifier' => request['flow_identifier'] }
41
65
  res = Net::HTTP.post_form(url, params)
42
66
  result = JSON.parse(res.body)
43
- return false if not result['status'] == 'success'
44
- result['data']['allowed']
67
+ if result['status'] == 'error'
68
+ notifications << 'Policy query result was not success'
69
+ return false, notifications
70
+ end
71
+ return result['data']['allowed'], notifications
45
72
  rescue => ex
46
- false
73
+ notifications << "Exception while asking policy #{ex.message}"
74
+ return false, notifications
47
75
  end
48
76
 
49
77
  def find_first_uri(policy)
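Review bot: `rescue SoarSr::ValidationError` in `authorize` never binds the exception, so the `ex.message` interpolation on the line after it raises (undefined `ex`) instead of recording the notification; it should read `rescue SoarSr::ValidationError => ex`. The catch-all `rescue => ex` that 0.1.1 had after it was dropped, so any other failure of `meta_for_service` or of the policy branch now propagates out of `authorize` rather than yielding `'approved' => false` — presumably unintended, and the fence below restores it. In `ask_policy`, `if result['status'] == 'error'` replaces the old `!= 'success'` check, so a response whose status is `'fail'` or absent now falls through to `result['data']['allowed']`; keep `if result['status'] != 'success'`. The development branch sets `decision = true` but no longer returns, so the registry/policy outcome overwrites it — that may be deliberate but is worth confirming, and the leftover `#byebug` comment should go.
```ruby
    begin
      # … unchanged: development check, registry lookup, policy branch …
    rescue SoarSr::ValidationError => ex
      notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
      decision = false
    rescue => ex
      notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
      decision = false
    end
```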
@@ -1,3 +1,3 @@
1
1
  module SoarPolicyAccessManager
2
- VERSION = "0.1.1"
2
+ VERSION = "0.2.0"
3
3
  end
@@ -27,7 +27,8 @@ Gem::Specification.new do |spec|
27
27
  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
28
28
  spec.require_paths = ["lib"]
29
29
 
30
- spec.add_dependency "soar_am", "~>0.1.1"
30
+ spec.add_dependency "soar_am", "~>0.1.2"
31
+ spec.add_dependency "jsender", "~> 0.2.0"
31
32
 
32
33
  spec.add_development_dependency "bundler", "~> 1.12"
33
34
  spec.add_development_dependency "rake", "~> 10.0"
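--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: soar_policy_access_manager
 version: !ruby/object:Gem::Version
-version: 0.1.1
+version: 0.2.0
 platform: ruby
 authors:
 - Ernst Van Graan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-07-19 00:00:00.000000000 Z
+date: 2016-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: soar_am
@@ -16,14 +16,28 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.1.1
+version: 0.1.2
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.1.1
+version: 0.1.2
+- !ruby/object:Gem::Dependency
+name: jsender
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.2.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.2.0
 - !ruby/object:Gem::Dependency
 name: bundler
 requirement: !ruby/object:Gem::Requirement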