summaryrefslogtreecommitdiff
path: root/lib/authorization.rb
blob: 100bd1521650d927478faf077274a458842feeff (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
module OpenTox

  if defined?($aa) and $aa.has_key?(:uri) and !$aa.nil?
    AA = $aa[:uri] 
  else
    AA = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[SERVICE].rb
  end

  #Module for Authorization and Authentication
  #@example Authentication
  #  require "opentox-client"
  #  OpenTox::Authorization::AA = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[SERVICE].rb
  #  OpenTox::Authorization.authenticate("username", "password")
  #  puts OpenTox::Authorization.authorize("http://example.uri/testpath/", "GET")
  #@see http://www.opentox.org/dev/apis/api-1.2/AA OpenTox A&A API 1.2 specification

  module Authorization

    #Helper Class to create and send default policies out of xml templates
    #@example Creating a default policy to a URI
    #  aa=OpenTox::Authorization::Helper.new(tok)
    #  xml=aa.get_xml('http://uri....')
    #  OpenTox::Authorization.create_policy(xml,tok)

    class Helper
      attr_accessor :user, :policy

      #Generates AA object - requires subjectid
      # @param [String] subjectid
      def initialize
        @user = Authorization.get_user
        @policy = Policies.new()
      end

      #Cleans AA Policies and loads default xml file into policy attribute
      #set uri and user, returns Policyfile(XML) for open-sso
      # @param uri [String] URI to create a policy for
      def get_xml(uri)
        @policy.drop_policies
        @policy.load_default_policy(@user, uri)
        return @policy.to_xml
      end

      #Loads and sends Policyfile(XML) to open-sso server
      # @param uri [String] URI to create a policy for
      def send(uri)
        xml = get_xml(uri)
        ret = false
        ret = Authorization.create_policy(xml)
        $logger.warn "Create policy on openSSO failed for URI: #{uri} subjectid: #{RestClientWrapper.subjectid}. Will try again." if !ret
        ret = Authorization.create_policy(xml) if !ret
        $logger.debug "Policy send with subjectid: #{RestClientWrapper.subjectid}"
        $logger.error "Not created Policy is: #{xml}" if !ret
        ret
      end
    end

    #Returns the open-sso server set in the config file .opentox/config/[environment].yaml
    # @return [String, nil] the openSSO server URI or nil
    def self.server
      return AA
    end

    #Authentication against OpenSSO. Returns token. Requires Username and Password.
    # @param user [String] Username
    # @param pw [String] Password
    # @return [Boolean] true if successful
    def self.authenticate(user, pw)
      return nil if !AA
      begin
        res = RestClientWrapper.post("#{AA}/auth/authenticate",{:username=>user, :password => pw},{:subjectid => ""}).sub("token.id=","").sub("\n","")
        if is_token_valid(res)
          RestClientWrapper.subjectid = res
          return true
        else
          bad_request_error "Authentication failed #{res.inspect}"
        end
      rescue
        bad_request_error "Authentication failed #{res.inspect}"
      end
    end

    #Logout on opensso. Make token invalid. Requires token
    # @param [String] subjectid the subjectid
    # @return [Boolean] true if logout is OK
    def self.logout(subjectid=RestClientWrapper.subjectid)
      begin
        out = RestClientWrapper.post("#{AA}/auth/logout", :subjectid => subjectid)
        return true unless is_token_valid(subjectid)
      rescue
        return false
      end
      return false
    end

    #Authorization against OpenSSO for a URI with request-method (action) [GET/POST/PUT/DELETE]
    # @param [String] uri URI to request
    # @param [String] action request method
    # @param [String] subjectid
    # @return [Boolean, nil]  returns true, false or nil (if authorization-request fails).
    def self.authorize(uri, action, subjectid=RestClientWrapper.subjectid)
      return true if !AA
      return true if RestClientWrapper.post("#{AA}/auth/authorize",{:subjectid => subjectid, :uri => uri, :action => action})== "boolean=true\n"
      return false
    end

    #Checks if a token is a valid token
    # @param [String]subjectid subjectid from openSSO session
    # @return [Boolean] subjectid is valid or not.
    def self.is_token_valid(subjectid=RestClientWrapper.subjectid)
      return true if !AA
      begin
        return true if RestClientWrapper.post("#{AA}/auth/isTokenValid",:tokenid => subjectid) == "boolean=true\n"
      rescue #do rescue because openSSO throws 401
        return false
      end
      return false
    end

    #Returns array with all policies of the token owner
    # @param [String]subjectid requires subjectid
    # @return [Array, nil] returns an Array of policy names or nil if request fails
    def self.list_policies
      begin
        out = RestClientWrapper.get("#{AA}/pol",nil)
        return out.split("\n")
      rescue
        return nil
      end
    end

    #Returns a policy in xml-format
    # @param policy [String] policyname
    # @param subjectid [String]
    # @return [String] XML of the policy
    def self.list_policy(policy)
      begin
        return RestClientWrapper.get("#{AA}/pol",nil,{:id => policy})
      rescue
        return nil
      end
    end

    # Lists policies alongside with affected uris
    # @param [String] subjectid
    # @return [Hash] keys: all policies of the subjectid owner, values: uris affected by those policies
    def self.list_policies_uris
      names = list_policies
      policies = {}
      names.each do |n|
        policies[n] = list_policy_uris n 
      end
      policies
    end

    # Lists policies alongside with affected uris
    # @param [String] subjectid
    # @return [Hash] keys: all policies of the subjectid owner, values: uris affected by those policies
    def self.list_policy_uris( policy )
      p = OpenTox::Policies.new
      p.load_xml( list_policy(policy) )
      p.uris
    end

    #Returns the owner (who created the first policy) of an URI
    # @param uri [String] URI
    # @param subjectid [String] subjectid
    # return [String, nil]owner,nil returns owner of the URI
    def self.get_uri_owner(uri)
      begin
        return RestClientWrapper.get("#{AA}/pol",nil,{:uri => uri}).sub("\n","")
      rescue
        return nil
      end
    end

    #Returns true or false if owner (who created the first policy) of an URI
    # @param uri [String] URI
    # @param subjectid [String]
    # return [Boolean]true,false status of ownership of the URI
    def self.uri_owner?(uri)
      get_uri_owner(uri) == get_user
    end

    #Checks if a policy exists to a URI. Requires URI and token.
    # @param uri [String] URI
    # @param subjectid [String]
    # return [Boolean]
    def self.uri_has_policy(uri)
      owner = get_uri_owner(uri)
      return true if owner and owner != "null"
      false
    end

    #List all policynames for a URI. Requires URI and token.
    # @param uri [String] URI
    # @param subjectid [String]
    # return [Array, nil] returns an Array of policy names or nil if request fails
    def self.list_uri_policies(uri)
      begin
        out = RestClientWrapper.get("#{AA}/pol",nil,{:uri => uri, :polnames => true})
        policies = []; notfirstline = false
        out.split("\n").each do |line|
          policies << line if notfirstline
          notfirstline = true
        end
        return policies
      rescue
        return nil
      end
    end

    #Sends a policy in xml-format to opensso server. Requires policy-xml and token.
    # @param policy [String] XML string of a policy
    # @param subjectid [String]
    # return [Boolean] returns true if policy is created
    def self.create_policy(policy)
      begin
        $logger.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token: #{RestClientWrapper.subjectid} ."
        return true if RestClientWrapper.post("#{AA}/Pol/opensso-pol",policy, {:content_type =>  "application/xml"})
      rescue
        return false
      end
    end

    #Deletes a policy
    # @param policy [String] policyname
    # @param subjectid [String]
    # @return [Boolean,nil]
    def self.delete_policy(policy)
      begin
        $logger.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{RestClientWrapper.subjectid}"
        return true if RestClientWrapper.delete("#{AA}/pol",nil, {:id => policy})
      rescue
        return nil
      end
    end

    #Returns array of the LDAP-Groups of an user
    # @param [String]subjectid
    # @return [Array] gives array of LDAP groups of a user
    def self.list_user_groups(user)
      begin
        out = RestClientWrapper.post("#{AA}/opensso/identity/read", {:name => user, :admin => RestClientWrapper.subjectid, :attributes_names => "group"})
        grps = []
        out.split("\n").each do |line|
          grps << line.sub("identitydetails.group=","") if line.include?("identitydetails.group=")
        end
        return grps
      rescue
        []
      end
    end

    #Returns the owner (user id) of a token
    # @param [String]subjectid optional (normally only used for testing)
    # @return [String]user
    def self.get_user subjectid=RestClientWrapper.subjectid
      begin
        out = RestClientWrapper.post("#{AA}/opensso/identity/attributes", {:subjectid => subjectid, :attributes_names => "uid"})
        user = ""; check = false
        out.split("\n").each do |line|
          if check
            user = line.sub("userdetails.attribute.value=","") if line.include?("userdetails.attribute.value=")
            check = false
          end
          check = true if line.include?("userdetails.attribute.name=uid")
        end
        return user
      rescue
        nil
      end
    end

    #Send default policy with Authorization::Helper class
    # @param uri [String] URI
    # @param subjectid [String]
    def self.send_policy(uri)
      return true if !AA
      aa  = Authorization::Helper.new
      ret = aa.send(uri)
      $logger.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{RestClientWrapper.subjectid} - policy created: #{ret}"
      ret
    end

    #Deletes all policies of an URI
    # @param uri [String] URI
    # @param subjectid [String]
    # @return [Boolean]
    def self.delete_policies_from_uri(uri)
      policies = list_uri_policies(uri)
      if policies
        policies.each do |policy|
          ret = delete_policy(policy)
          $logger.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}"
        end
      end
      return true
    end

    # Checks (if subjectid is valid) if a policy exist and create default policy if not
    # @param [String] uri
    # @param [String] subjectid
    # @return [Boolean] true if policy checked/created successfully (or no uri/subjectid given), false else
    def self.check_policy(uri)
      return true unless uri and RestClientWrapper.subjectid
      unless OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
        $logger.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{RestClientWrapper.subjectid}"
        return false
      end

      if !uri_has_policy(uri)
        # if no policy exists, create a policy, return result of send policy
        send_policy(uri)
      else
        # if policy exists check for POST rights
        if authorize(uri, "POST")
          true
       else
          $logger.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{RestClientWrapper.subjectid}"
          false
        end
      end
      true
    end

    class << self
      alias :token_valid? :is_token_valid
    end

    # Check Authorization for a resource (identified via URI) with method and subjectid.
    # @param uri [String] URI
    # @param request_method [String] GET, POST, PUT, DELETE
    # @param subjectid [String]
    # @return [Boolean] true if access granted, else otherwise
    def self.authorized?(uri, request_method)
      return true if !AA
      request_method = request_method.to_sym if request_method
      if $aa[:free_request].include?(request_method)
        true
      elsif OpenTox::Authorization.free_uri?(uri, request_method)
        true
      elsif $aa[:authenticate_request].include?(request_method)
        ret = OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
        $logger.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
        ret
      elsif OpenTox::Authorization.authorize_exception?(uri, request_method)
        ret = OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
        $logger.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
        ret
      elsif $aa[:authorize_request].include?(request_method)
        ret = OpenTox::Authorization.authorize(uri, request_method)
        $logger.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
        ret
      else
        $logger.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}"
        false
      end
    end

    private
    # extend class methods
    class << self
      # methods: free_uri and authorize_exception
      # @return [Boolean] checks if uri-method pair is included in $aa[:free_uri] or $aa[:authorize_exception]
      [:free_uri, :authorize_exception].each do |method|
        define_method "#{method}?".to_sym do |uri, request_method|
          if $aa["#{method}s".to_sym]
            $aa["#{method}s".to_sym].each do |request_methods, uris|
              if request_methods and uris and request_methods.include?(request_method.to_sym)
                uris.each do |u|
                  return true if u.match uri
                end
              end
            end
          end
          return false
        end
      end
    end
  end
end