From 26c0b93a02fddb60175747f7733d13e973257cd8 Mon Sep 17 00:00:00 2001 From: mr Date: Tue, 1 Feb 2011 16:34:20 +0100 Subject: A&A for validations --- lib/authorization.rb | 79 ++++++++++++++++++++++++++++------------------------ 1 file changed, 42 insertions(+), 37 deletions(-) (limited to 'lib/authorization.rb') diff --git a/lib/authorization.rb b/lib/authorization.rb index b4c1ee5..12be037 100644 --- a/lib/authorization.rb +++ b/lib/authorization.rb @@ -328,55 +328,60 @@ module OpenTox # @param [String] subjectid # @return [Boolean] true if access granted, else otherwise def self.authorized?(uri, request_method, subjectid) - if OpenTox::Authorization.whitelisted?(uri, request_method) - LOGGER.debug "authorized? >>true<< (uris is whitelisted), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" - true - elsif CONFIG[:authorization][:authorize_request].include?(request_method) - ret = OpenTox::Authorization.authorize(uri, request_method, subjectid) - LOGGER.debug "authorized? >>#{ret}<< (uri authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" - ret + if CONFIG[:authorization][:free_request].include?(request_method) + #LOGGER.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + true + elsif OpenTox::Authorization.free_uri?(uri, request_method) + #LOGGER.debug "authorized? >>true<< (uris is free_uri), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + true elsif CONFIG[:authorization][:authenticate_request].include?(request_method) ret = OpenTox::Authorization.is_token_valid(subjectid) - LOGGER.debug "authorized? >>#{ret}<< (token is valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + #LOGGER.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + ret + elsif OpenTox::Authorization.authorize_exception?(uri, request_method) + ret = OpenTox::Authorization.is_token_valid(subjectid) + #LOGGER.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + ret + elsif CONFIG[:authorization][:authorize_request].include?(request_method) + ret = OpenTox::Authorization.authorize(uri, request_method, subjectid) + LOGGER.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" ret else - LOGGER.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" - true + LOGGER.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + false end end - @@whitelist = {} - private - def self.whitelisted?(uri, request_method) - return false unless @@whitelist[request_method] - @@whitelist[request_method].each do |regexp,invert| - if invert - return true if !regexp.match(uri) - else - return true if regexp.match(uri) + def self.free_uri?(uri, request_method) + if CONFIG[:authorization][:free_uris] + CONFIG[:authorization][:free_uris].each do |request_methods,uris| + LOGGER.info "free uris "+request_methods.inspect+" -> "+uris.inspect + if request_methods and uris and request_methods.include?(request_method.to_sym) + uris.each do |u| + return true if u.match uri + end + end end - end + end return false end - public - # adds uri/regexp-for-matching-uri to the whitelist for a request-method (i.e. access will be granted without cheking the A&A service) - # @param [String or Regexp] uri_match if string match must be ecaxt - # @param [String] request_method, must be GET, POST, PUT, DELETE - # @param [Boolean,optional] invert, set to true if you want to whitelist everything that does not match (careful!) - def self.whitelist(uri_match, request_method, invert=false) - if uri_match.is_a?(Regexp) - uri_regex = uri_match - elsif uri_match.is_a?(String) - uri_regex = Regexp.new("^"+uri_match+"$") - else - raise "uri-match param is neither string(->exact uri match) nor regexp: "+uri_match.class.to_s - end - LOGGER.info("whitelisted "+request_method.to_s+" "+uri_regex.to_s) - @@whitelist[request_method] = [] unless @@whitelist[request_method] - @@whitelist[request_method] << [ uri_regex, invert ] - end + def self.authorize_exception?(uri, request_method) + if CONFIG[:authorization][:authorize_exceptions] + CONFIG[:authorization][:authorize_exceptions].each do |request_methods,uris| + if request_methods and uris and request_methods.include?(request_method.to_sym) + uris.each do |u| + return true if u.match uri + end + end + end + end + return false + end + + + end end -- cgit v1.2.3 From e4a32e37ab8708aa8ae4dbfc6069e5ea75928f3f Mon Sep 17 00:00:00 2001 From: mr Date: Tue, 8 Feb 2011 12:58:30 +0100 Subject: manually insert code from mguetlein repository | restclientwrapper.post event with changed method call --- lib/authorization.rb | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) (limited to 'lib/authorization.rb') diff --git a/lib/authorization.rb b/lib/authorization.rb index 12be037..16f1ee4 100644 --- a/lib/authorization.rb +++ b/lib/authorization.rb @@ -192,10 +192,10 @@ module OpenTox # return [Boolean] returns true if policy is created def self.create_policy(policy, subjectid) begin -# resource = RestClient::Resource.new("#{AA_SERVER}/Pol/opensso-pol") + resource = RestClient::Resource.new("#{AA_SERVER}/Pol/opensso-pol") LOGGER.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token:" + subjectid.to_s + " length: " + subjectid.length.to_s -# return true if resource.post(policy, :subjectid => subjectid, :content_type => "application/xml") - return true if RestClientWrapper.post("#{AA_SERVER}/pol", {:subjectid => subjectid, :content_type => "application/xml"}, policy) + return true if resource.post(policy, :subjectid => subjectid, :content_type => "application/xml") + #return true if RestClientWrapper.post("#{AA_SERVER}/pol", {:subjectid => subjectid, :content_type => "application/xml"}, policy) rescue return false end @@ -306,7 +306,6 @@ module OpenTox # if no policy exists, create a policy, return result of send policy send_policy(uri, subjectid) else - LOGGER.debug "OpenTox::Authorization.check_policy URI: #{uri} has already a Policy." # if policy exists check for POST rights if authorize(uri, "POST", subjectid) true @@ -356,7 +355,6 @@ module OpenTox def self.free_uri?(uri, request_method) if CONFIG[:authorization][:free_uris] CONFIG[:authorization][:free_uris].each do |request_methods,uris| - LOGGER.info "free uris "+request_methods.inspect+" -> "+uris.inspect if request_methods and uris and request_methods.include?(request_method.to_sym) uris.each do |u| return true if u.match uri @@ -380,9 +378,6 @@ module OpenTox return false end - - - end end -- cgit v1.2.3 From 4109a5256e953a9962a6e46acb074b2d7d8d2bd9 Mon Sep 17 00:00:00 2001 From: mr Date: Wed, 9 Feb 2011 15:53:46 +0100 Subject: minor fix --- lib/authorization.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/authorization.rb') diff --git a/lib/authorization.rb b/lib/authorization.rb index 16f1ee4..b647bca 100644 --- a/lib/authorization.rb +++ b/lib/authorization.rb @@ -58,7 +58,7 @@ module OpenTox # @param [String, String]Username,Password # @return [String, nil] gives subjectid or nil def self.authenticate(user, pw) - return true if !AA_SERVER + return nil if !AA_SERVER begin resource = RestClient::Resource.new("#{AA_SERVER}/auth/authenticate") out = resource.post(:username=>user, :password => pw).sub("token.id=","").sub("\n","") -- cgit v1.2.3