Diffstat (limited to 'lib/authorization.rb')
-rw-r--r--lib/authorization.rb156
1 files changed, 78 insertions, 78 deletions
diff --git a/lib/authorization.rb b/lib/authorization.rb
index 27ae734..d447f88 100644
--- a/lib/authorization.rb
+++ b/lib/authorization.rb
@@ -2,52 +2,52 @@ module OpenTox
#Module for Authorization and Authentication
#@example Authentication
- # require "opentox-ruby"
+ # require "opentox-client"
# OpenTox::Authorization::AA_SERVER = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[environment].yaml
- # token = OpenTox::Authorization.authenticate("benutzer", "passwort")
+ # token = OpenTox::Authorization.authenticate("benutzer", "passwort")
#@see http://www.opentox.org/dev/apis/api-1.2/AA OpenTox A&A API 1.2 specification
-
+
module Authorization
#Helper Class AA to create and send default policies out of xml templates
- #@example Creating a default policy to a URI
- # aa=OpenTox::Authorization::AA.new(tok)
+ #@example Creating a default policy to a URI
+ # aa=OpenTox::Authorization::AA.new(tok)
# xml=aa.get_xml('http://uri....')
- # OpenTox::Authorization.create_policy(xml,tok)
-
+ # OpenTox::Authorization.create_policy(xml,tok)
+
class AA
- attr_accessor :user, :subjectid, :policy
-
+ attr_accessor :user, :subjectid, :policy
+
#Generates AA object - requires subjectid
- # @param [String] subjectid
+ # @param [String] subjectid
def initialize(subjectid)
@user = Authorization.get_user(subjectid)
@subjectid = subjectid
@policy = Policies.new()
end
-
+
#Cleans AA Policies and loads default xml file into policy attribute
- #set uri and user, returns Policyfile(XML) for open-sso
+ #set uri and user, returns Policyfile(XML) for open-sso
# @param [String] URI to create a policy for
def get_xml(uri)
@policy.drop_policies
@policy.load_default_policy(@user, uri)
return @policy.to_xml
- end
-
+ end
+
#Loads and sends Policyfile(XML) to open-sso server
- # @param [String] URI to create a policy for
- def send(uri)
+ # @param [String] URI to create a policy for
+ def send(uri)
xml = get_xml(uri)
ret = false
- ret = Authorization.create_policy(xml, @subjectid)
+ ret = Authorization.create_policy(xml, @subjectid)
LOGGER.debug "Policy send with subjectid: #{@subjectid}"
LOGGER.warn "Not created Policy is: #{xml}" if !ret
- ret
+ ret
end
-
+
end
-
+
#Returns the open-sso server set in the config file .opentox/config/[environment].yaml
# @return [String, nil] the openSSO server URI or nil
def self.server
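Review bot: `AA#send` writes the full session token into the log on the `LOGGER.debug "Policy send with subjectid: #{@subjectid}"` line of this hunk; the file's own comments describe subjectid as the token returned by authenticate and used for logout, so it is a bearer credential and anyone able to read debug output can use it against the A&A server. Log the user or a short fingerprint instead, e.g. `LOGGER.debug "Policy send for user: #{@user}"`, and keep the policy XML warning as is since it does not carry the token. The same interpolation of `subjectid` into debug/error messages appears in other methods of this file outside this hunk, so a file-wide pass is warranted. The enclosing `module Authorization` continues past the end of the hunk.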
@@ -55,11 +55,11 @@ module OpenTox
end
#Authentication against OpenSSO. Returns token. Requires Username and Password.
- # @param [String, String]Username,Password
+ # @param [String, String]Username,Password
# @return [String, nil] gives subjectid or nil
def self.authenticate(user, pw)
return nil if !AA_SERVER
- begin
+ begin
resource = RestClient::Resource.new("#{AA_SERVER}/auth/authenticate")
out = resource.post(:username=>user, :password => pw).sub("token.id=","").sub("\n","")
return out
@@ -67,20 +67,20 @@ module OpenTox
return nil
end
end
-
+
#Logout on opensso. Make token invalid. Requires token
- # @param [String]subjectid the subjectid
+ # @param [String]subjectid the subjectid
# @return [Boolean] true if logout is OK
def self.logout(subjectid)
begin
resource = RestClient::Resource.new("#{AA_SERVER}/auth/logout")
resource.post(:subjectid => subjectid)
- return true
+ return true
rescue
return false
end
- end
-
+ end
+
#Authorization against OpenSSO for a URI with request-method (action) [GET/POST/PUT/DELETE]
# @param [String,String,String]uri,action,subjectid
# @return [Boolean, nil] returns true, false or nil (if authorization-request fails).
@@ -91,12 +91,12 @@ module OpenTox
return true if resource.post(:uri => uri, :action => action, :subjectid => subjectid) == "boolean=true\n"
rescue
return nil
- end
+ end
end
- #Checks if a token is a valid token
- # @param [String]subjectid subjectid from openSSO session
- # @return [Boolean] subjectid is valid or not.
+ #Checks if a token is a valid token
+ # @param [String]subjectid subjectid from openSSO session
+ # @return [Boolean] subjectid is valid or not.
def self.is_token_valid(subjectid)
return true if !AA_SERVER
begin
@@ -106,7 +106,7 @@ module OpenTox
return false
end
end
-
+
#Returns array with all policies of the token owner
# @param [String]subjectid requires subjectid
# @return [Array, nil] returns an Array of policy names or nil if request fails
@@ -116,15 +116,15 @@ module OpenTox
out = resource.get(:subjectid => subjectid)
return out.split("\n")
rescue RestClient::InternalServerError => e
- raise e.response
+ raise e.response
rescue
return nil
end
end
#Returns a policy in xml-format
- # @param [String, String]policy,subjectid
- # @return [String] XML of the policy
+ # @param [String, String]policy,subjectid
+ # @return [String] XML of the policy
def self.list_policy(policy, subjectid)
begin
resource = RestClient::Resource.new("#{AA_SERVER}/pol")
@@ -133,7 +133,7 @@ module OpenTox
return nil
end
end
-
+
# Lists policies alongside with affected uris
# @param [String] subjectid
# @return [Hash] keys: all policies of the subjectid owner, values: uris affected by those policies
@@ -154,7 +154,7 @@ module OpenTox
p.load_xml( list_policy(policy, subjectid) )
p.uris
end
-
+
#Returns the owner (who created the first policy) of an URI
# @param [String, String]uri,subjectid
# return [String, nil]owner,nil returns owner of the URI
@@ -164,39 +164,39 @@ module OpenTox
return resource.get(:uri => uri, :subjectid => subjectid).sub("\n","")
rescue
return nil
- end
- end
-
+ end
+ end
+
#Checks if a policy exists to a URI. Requires URI and token.
# @param [String, String]uri,subjectid
- # return [Boolean]
+ # return [Boolean]
def self.uri_has_policy(uri, subjectid)
owner = get_uri_owner(uri, subjectid)
return true if owner and owner != "null"
false
end
-
+
#List all policynames for a URI. Requires URI and token.
# @param [String, String]uri,subjectid
- # return [Array, nil] returns an Array of policy names or nil if request fails
+ # return [Array, nil] returns an Array of policy names or nil if request fails
def self.list_uri_policies(uri, subjectid)
begin
resource = RestClient::Resource.new("#{AA_SERVER}/pol")
- out = resource.get(:uri => uri, :polnames => true, :subjectid => subjectid)
+ out = resource.get(:uri => uri, :polnames => true, :subjectid => subjectid)
policies = []; notfirstline = false
out.split("\n").each do |line|
policies << line if notfirstline
- notfirstline = true
+ notfirstline = true
end
- return policies
+ return policies
rescue
return nil
- end
- end
+ end
+ end
#Sends a policy in xml-format to opensso server. Requires policy-xml and token.
# @param [String, String]policyxml,subjectid
- # return [Boolean] returns true if policy is created
+ # return [Boolean] returns true if policy is created
def self.create_policy(policy, subjectid)
begin
resource = RestClient::Resource.new("#{AA_SERVER}/Pol/opensso-pol")
@@ -206,7 +206,7 @@ module OpenTox
return false
end
end
-
+
#Deletes a policy
# @param [String, String]policyname,subjectid
# @return [Boolean,nil]
@@ -214,7 +214,7 @@ module OpenTox
begin
resource = RestClient::Resource.new("#{AA_SERVER}/pol")
LOGGER.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{subjectid}"
- return true if resource.delete(:subjectid => subjectid, :id => policy)
+ return true if resource.delete(:subjectid => subjectid, :id => policy)
rescue
return nil
end
@@ -222,7 +222,7 @@ module OpenTox
#Returns array of all possible LDAP-Groups
# @param [String]subjectid
- # @return [Array]
+ # @return [Array]
def self.list_groups(subjectid)
begin
resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/search")
@@ -233,8 +233,8 @@ module OpenTox
rescue
[]
end
- end
-
+ end
+
#Returns array of the LDAP-Groups of an user
# @param [String]subjectid
# @return [Array] gives array of LDAP groups of a user
@@ -244,17 +244,17 @@ module OpenTox
out = resource.post(:name => user, :admin => subjectid, :attributes_names => "group")
grps = []
out.split("\n").each do |line|
- grps << line.sub("identitydetails.group=","") if line.include?("identitydetails.group=")
+ grps << line.sub("identitydetails.group=","") if line.include?("identitydetails.group=")
end
return grps
rescue
[]
end
- end
-
+ end
+
#Returns the owner (user id) of a token
# @param [String]subjectid
- # @return [String]user
+ # @return [String]user
def self.get_user(subjectid)
begin
resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/attributes")
@@ -265,14 +265,14 @@ module OpenTox
user = line.sub("userdetails.attribute.value=","") if line.include?("userdetails.attribute.value=")
check = false
end
- check = true if line.include?("userdetails.attribute.name=uid")
+ check = true if line.include?("userdetails.attribute.name=uid")
end
return user
rescue
nil
end
end
-
+
#Send default policy with Authorization::AA class
# @param [String, String]URI,subjectid
def self.send_policy(uri, subjectid)
@@ -282,7 +282,7 @@ module OpenTox
LOGGER.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{subjectid} - policy created: #{ret}"
ret
end
-
+
#Deletes all policies of an URI
# @param [String, String]URI,subjectid
# @return [Boolean]
@@ -303,20 +303,20 @@ module OpenTox
# @return [Boolean] true if policy checked/created successfully (or no uri/subjectid given), false else
def self.check_policy(uri, subjectid)
return true unless uri and subjectid
- token_valid = OpenTox::Authorization.is_token_valid(subjectid)
+ token_valid = OpenTox::Authorization.is_token_valid(subjectid)
LOGGER.debug "OpenTox::Authorization.check_policy with uri: #{uri}, subjectid: #{subjectid} is valid: #{token_valid}"
# check if subjectid is valid
unless token_valid
# abort if invalid
- LOGGER.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{subjectid}"
+ LOGGER.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{subjectid}"
return false
end
-
+
if !uri_has_policy(uri, subjectid)
# if no policy exists, create a policy, return result of send policy
send_policy(uri, subjectid)
else
- # if policy exists check for POST rights
+ # if policy exists check for POST rights
if authorize(uri, "POST", subjectid)
true
else
@@ -325,19 +325,19 @@ module OpenTox
end
end
true
- end
+ end
- class << self
+ class << self
alias :token_valid? :is_token_valid
end
- # Check Authorization for a resource (identified via URI) with method and subjectid.
+ # Check Authorization for a resource (identified via URI) with method and subjectid.
# @param [String] uri
# @param [String] request_method, should be GET, POST, PUT, DELETE
# @param [String] subjectid
# @return [Boolean] true if access granted, else otherwise
def self.authorized?(uri, request_method, subjectid)
- if CONFIG[:authorization][:free_request].include?(request_method)
+ if CONFIG[:authorization][:free_request].include?(request_method)
#LOGGER.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
true
elsif OpenTox::Authorization.free_uri?(uri, request_method)
@@ -355,38 +355,38 @@ module OpenTox
ret = OpenTox::Authorization.authorize(uri, request_method, subjectid)
LOGGER.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
ret
- else
+ else
LOGGER.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
false
end
end
-
+
private
def self.free_uri?(uri, request_method)
if CONFIG[:authorization][:free_uris]
CONFIG[:authorization][:free_uris].each do |request_methods,uris|
- if request_methods and uris and request_methods.include?(request_method.to_sym)
+ if request_methods and uris and request_methods.include?(request_method.to_sym)
uris.each do |u|
return true if u.match uri
end
end
end
- end
+ end
return false
end
-
+
def self.authorize_exception?(uri, request_method)
if CONFIG[:authorization][:authorize_exceptions]
CONFIG[:authorization][:authorize_exceptions].each do |request_methods,uris|
- if request_methods and uris and request_methods.include?(request_method.to_sym)
+ if request_methods and uris and request_methods.include?(request_method.to_sym)
uris.each do |u|
return true if u.match uri
end
end
end
- end
+ end
return false
- end
-
+ end
+
end
end