Class: RoadForest::Authorization::Manager
Inherits: Object
Defined in: lib/roadforest/authorization/manager.rb
Overview
Each resource declares, per method, the set of permissions that are allowed to access it.
An overall Policy object issues permission grants to authenticated entities (typically users, but possibly e.g. applications acting on a user's behalf).
The final grant/refuse decision reduces to one question: is there at least one permission that appears both in the list the resource requires and in the list granted to the entity?
Permissions have a name and an optional set of parameters, and server-side application code refers to them that way. They are stored as digests of those names, computed with HASH_FUNCTION and the salt given to the constructor, so the digests can be handed to the client application, which can base its interaction decisions on the permissions presented. Note that the constructor's fallback salt is a fixed placeholder string; a deployment that relies on clients being unable to map digests back to permission names must supply its own salt.
The default ServicesHost exposes a Manager as #authz
Constant Summary
- HASH_FUNCTION = "SHA256".freeze
Instance Attribute Summary
- #authenticator ⇒ Object
  Returns the value of attribute authenticator.
- #grants ⇒ Object (readonly)
  Returns the value of attribute grants.
- #policy ⇒ Object
  Returns the value of attribute policy.
Instance Method Summary
- #authorization(request, required_grants) ⇒ Object
  :public means the request doesn't need authorization; :granted means that it does need authz and the credentials passed are allowed to access the resource; :refused means that the credentials passed are not allowed to access the resource.
- #build_grants(&block) ⇒ Object
- #challenge(options) ⇒ Object
- #cleartext_grants! ⇒ Object
- #initialize(salt = nil, authenticator = nil, policy = nil) ⇒ Manager (constructor)
  A new instance of Manager.
Constructor Details
#initialize(salt = nil, authenticator = nil, policy = nil) ⇒ Manager
Returns a new instance of Manager. When no salt is given, the grants holder falls back to the fixed string "roadforest-insecure" (hence the XXX comment): permission digests are then reproducible by anyone who knows a permission name and that default.

  def initialize(salt = nil, authenticator = nil, policy = nil)
    #XXX consider launch-time randomized salt
    # Digests of permission names are keyed with this salt and HASH_FUNCTION.
    @grants = GrantsHolder.new(salt || "roadforest-insecure", HASH_FUNCTION)
    # Default credential store and authentication chain unless one is injected.
    @store = DefaultAuthenticationStore.new
    @authenticator = authenticator || AuthenticationChain.new(@store)
    # The policy hands out grants using the same holder, so its digests match.
    @policy = policy || Policy.new
    @policy.grants_holder = @grants
  end
Instance Attribute Details
#authenticator ⇒ Object
Returns the value of attribute authenticator.

  def authenticator
    @authenticator
  end

#grants ⇒ Object (readonly)
Returns the value of attribute grants.

  def grants
    @grants
  end

#policy ⇒ Object
Returns the value of attribute policy.

  def policy
    @policy
  end
Instance Method Details
#authorization(request, required_grants) ⇒ Object
:public means the request doesn't need authorization; :granted means that it does need authz and the credentials passed are allowed to access the resource; :refused means that the credentials passed are not allowed to access the resource.
Note that the method body shown here only ever returns :granted or :refused: a request whose credentials cannot be resolved to an entity is refused outright, and a resource that needs no authorization must be handled by the caller before this method is reached.
TODO: Resource needs to add s-maxage=0 for :granted requests or public for :public requests to the CacheControl header

  def authorization(request, required_grants)
    # Resolve the request's credentials to an entity; nil means nothing valid was presented.
    entity = authenticator.authenticate(request)
    return :refused if entity.nil?

    # Grant iff at least one grant the resource requires is among those the policy gives this entity.
    available_grants = policy.grants_for(entity)
    if required_grants.any?{|required| available_grants.include?(required)}
      return :granted
    else
      return :refused
    end
  end
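The following Ruby is an added example, not RoadForest's own GrantsHolder, Policy or Manager code. It models, end to end, the mechanism the Overview describes and #authorization implements: permissions are reduced to salted HASH_FUNCTION digests, the policy maps entities to sets of those digests, and the decision is whether the required and available sets intersect. The class names GrantDigests and Policy, the token method, the "name;key=value" canonicalisation of parameters, string entity identifiers and the demo scenario are all assumptions made for illustration; the second helper shows why the constructor's fixed fallback salt is only a placeholder.

```ruby
require "openssl"
require "set"
require "securerandom"

# Added example: a self-contained model of salted permission digests and the
# grant/refuse decision. It is NOT RoadForest's GrantsHolder/Policy/Manager code;
# the class and method names below are assumptions that mirror the documented API.
HASH_FUNCTION = "SHA256".freeze
DEFAULT_SALT  = "roadforest-insecure".freeze # the Manager constructor's fallback salt

# Turns a permission (name + optional parameters) into the token that is stored and compared.
class GrantDigests
  attr_accessor :conceal

  def initialize(salt, hash_function = HASH_FUNCTION)
    @salt = salt
    @hash_function = hash_function
    @conceal = true # the real Manager's cleartext_grants! switches concealment off
  end

  # Parameters are sorted by key so {a: 1, b: 2} and {b: 2, a: 1} yield one token.
  def token(name, params = {})
    cleartext = [name.to_s, *params.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}=#{v}" }].join(";")
    return cleartext unless @conceal
    OpenSSL::Digest.new(@hash_function).hexdigest("#{@salt}|#{cleartext}")
  end
end

# Maps an authenticated entity to the set of grant tokens the policy gives it.
class Policy
  def initialize(grants)
    @grants = grants
    @rules = Hash.new { |h, k| h[k] = Set.new }
  end

  def allow(entity, name, params = {})
    @rules[entity] << @grants.token(name, params)
    self
  end

  # fetch with a block avoids inserting an empty set for every unknown entity looked up
  def grants_for(entity)
    @rules.fetch(entity) { Set.new }
  end
end

# The decision documented for Manager#authorization: refuse when no entity could be
# authenticated, otherwise grant iff the required and available grants intersect.
def authorization(policy, entity, required_grants)
  return :refused if entity.nil?
  available_grants = policy.grants_for(entity)
  required_grants.any? { |required| available_grants.include?(required) } ? :granted : :refused
end

# Constructed scenario: a resource method that admits either an admin or an editor
# of project 42.
def demo(salt = DEFAULT_SALT)
  grants = GrantDigests.new(salt)
  policy = Policy.new(grants)
  policy.allow("alice", :admin)
  policy.allow("bob", :editor, project: 42)

  required = [grants.token(:admin), grants.token(:editor, project: 42)]
  {
    alice: authorization(policy, "alice", required), # admin           -> :granted
    bob:   authorization(policy, "bob", required),   # editor(42)      -> :granted
    carol: authorization(policy, "carol", required), # no grants       -> :refused
    anon:  authorization(policy, nil, required),     # unauthenticated -> :refused
    bob_elsewhere: authorization(policy, "bob", [grants.token(:editor, project: 7)]) # wrong param -> :refused
  }
end

# Why the constructor's "XXX consider launch-time randomized salt" matters: with a
# known salt, anyone holding a digest can recover the permission name by hashing
# candidate names. A salt the attacker does not know defeats that (at the cost of
# changing every token whenever the salt changes, e.g. on restart).
def digest_guessable?(salt, leaked_token, candidate_names)
  grants = GrantDigests.new(salt)
  candidate_names.any? { |name| grants.token(name) == leaked_token }
end
```

demo returns the five decisions for the constructed scenario; digest_guessable? recovers the name behind a leaked digest under the fixed default salt but not under a salt drawn from SecureRandom. Whether a per-launch random salt is acceptable depends on whether clients are expected to cache digests across server restarts, which is the trade-off the constructor's XXX comment leaves open.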
#build_grants(&block) ⇒ Object

  def build_grants(&block)
    @grants.build_grants(&block)
  end

#challenge(options) ⇒ Object

  def challenge(options)
    @authenticator.challenge(options)
  end

#cleartext_grants! ⇒ Object

  def cleartext_grants!
    # Stop digesting grant names: permissions are then exposed to clients in cleartext.
    @grants.conceal = false
  end