RubyGems - soar_policy_access_manager - Versions diffs - 0.1.1 → 0.2.0 - Mend

soar_policy_access_manager 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/README.md +1 -1
data/lib/soar_policy_access_manager.rb +42 -14
data/lib/soar_policy_access_manager/version.rb +1 -1
data/soar_policy_access_manager.gemspec +2 -1
metadata +18 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e50e4478abec389e99c825177ae9c17fd3e931b2
-  data.tar.gz: 71b88ae4ccc26913cd90dd81bb379b5a6d7afb4d
+  metadata.gz: 9e367292c1d1e3befbeef9b45e449ff3e1974b60
+  data.tar.gz: 99b8c32092b799fb868e37c35e62f51482f741f8
 SHA512:
-  metadata.gz: 17b58096035aa645952fa228eb66ee0099fec851b04193cf47d764fc57c8a8db5a00ba9bce940400d66b7c8c3cd8f092ee12d1093d075f75f542d9b1ca36079d
-  data.tar.gz: f52f4b048d2f0c0b8bae04d1a5563870dc99b5f40d3185b883633a44c659e85100d40120b50f230059a1690a29c2975d7694f4ee6cb339627450676549df66d2
+  metadata.gz: 3df22f7f2ccc32064d834da6a8c07da61b10f90bf0a9dab58f214155b2edfea3414ee5e94d7cf0d639fc3c588f76725ca47fbdc01dae2f1101e5e1a0d94173f0
+  data.tar.gz: 59fa3e45bdd321521b383a54591b139518f446e87bbcfcfa49e4beeeb6f6861ffea82ef71993867ffdd3f5fc13716f1704b816726ae14242d3be4716ab804e68

data/README.md CHANGED

@@ -2,7 +2,7 @@
 This Access Manager adheres to SoarAm::AmApi. It is initialized with a soar_sr service registy client (https://rubygems.org/gems/soar_sr)
-This access manager denies access for unauthenticated requests, that is, request that do not habe request.session['user'] set. If set, this access manager then queries the service registry for meta regarding the service identifier in question.
+This access manager denies access for unauthenticated requests, that is, request that do not have request.session['user'] set. If set, this access manager then queries the service registry for meta regarding the service identifier in question.
 If the service meta indicates no policy, the request is allowed. It the service meta indicates a policy, the policy service is asked, given the authenticated subject identifier, service identifier, resource identifier and request parameters, whether the request should be allowed. This access manager then allows / denies accordingly.

data/lib/soar_policy_access_manager.rb CHANGED

@@ -1,4 +1,5 @@
 require "soar_policy_access_manager/version"
+require 'jsender'
 require "soar_am"
 module SoarPolicyAccessManager
@@ -6,6 +7,7 @@ module SoarPolicyAccessManager
   end
   class PolicyAccessManager < SoarAm::AmApi
+    include Jsender
     attr_reader :service_registry
     def initialize(service_registry)
@@ -13,25 +15,47 @@ module SoarPolicyAccessManager
     end
     def authorize(service_identifier, resource_identifier, authentication_identifier, request)
-      return true if ENV['RACK_ENV'] == 'development'
+      #byebug
+      notifications = []
+      decision = false
-      subject_identifier = authentication_identifier
+      begin
+        if ENV['RACK_ENV'] == 'development'
+          notifications << 'Authorized in development environment'
+          decision = true
+        end
-      meta = @service_registry.services.meta_for_service(service_identifier)
-      policy = meta['policy'] if meta and meta.is_a?(Hash) and meta['policy']
-      policy.nil? ? true : ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
-    rescue SoarSr::ValidationError
-      return false
-    rescue => ex
-      STDERR.puts "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
-      return false
+        subject_identifier = authentication_identifier
+        meta = @service_registry.services.meta_for_service(service_identifier)
+        policy = meta['policy'] if meta and meta.is_a?(Hash) and meta['policy']
+        if policy.nil?
+          decision = true
+          notifications << 'No policy associated with service'
+        else
+          decision, detail = ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
+          notifications.concat(detail) if not detail.empty?
+          notifications << 'Policy rejected authorization request' if not decision
+          notifications << 'Policy approved authorization request' if decision
+        end
+      rescue SoarSr::ValidationError
+        notifications << "AccessManager error authorizing #{service_identifier} for #{resource_identifier}: #{ex.message}"
+        decision = false
+      end
+      success(notifications, { 'approved' => decision } )
     end
     private
     def ask_policy(policy, subject_identifier, service_identifier, resource_identifier, request)
+      notifications = []
       uri = find_first_uri(policy)
-      return false if uri.nil?
+      if uri.nil?
+        notifications << "Could not retrieve policy for service"
+        return false, notifications
+      end
       url = URI.parse(uri)
       params = { 'resource_identifier' => resource_identifier,
                  'subject_identifier' => subject_identifier,
@@ -40,10 +64,14 @@ module SoarPolicyAccessManager
                  'flow_identifier' => request['flow_identifier'] }
       res = Net::HTTP.post_form(url, params)
       result = JSON.parse(res.body)
-      return false if not result['status'] == 'success'
-      result['data']['allowed']
+      if result['status'] == 'error'
+        notifications << 'Policy query result was not success'
+        return false, notifications
+      end
+      return result['data']['allowed'], notifications
     rescue => ex
-      false
+      notifications << "Exception while asking policy #{ex.message}"
+      return false, notifications
     end
     def find_first_uri(policy)

data/lib/soar_policy_access_manager/version.rb CHANGED

@@ -1,3 +1,3 @@
 module SoarPolicyAccessManager
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/soar_policy_access_manager.gemspec CHANGED

@@ -27,7 +27,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_dependency "soar_am", "~>0.1.1"
+  spec.add_dependency "soar_am", "~>0.1.2"
+  spec.add_dependency "jsender", "~> 0.2.0"
   spec.add_development_dependency "bundler", "~> 1.12"
   spec.add_development_dependency "rake", "~> 10.0"

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: soar_policy_access_manager
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Ernst Van Graan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-07-19 00:00:00.000000000 Z
+date: 2016-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: soar_am
@@ -16,14 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.1
+        version: 0.1.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.1
+        version: 0.1.2
+- !ruby/object:Gem::Dependency
+  name: jsender
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement