Class: RoadForest::Authorization::Manager

Inherits: Object
Defined in: lib/roadforest/authorization/manager.rb

Overview

Resources describe the set of permissions that are allowed to access them, on a per-method basis.

An overall Policy object provides permission grants to authenticated entities (typically users, but possibly, for example, applications acting on their behalf).

The ultimate grant/refuse decision comes down to one question: is there a shared permission between the list required by the resource and the list granted to the entity?

Permissions have a name and an optional set of parameters, and can be referred to as such within the application on the server. They’re stored as digests of those names, which should be safe to communicate to the user application. The user application can then make interaction decisions based on the permissions presented.

The default ServicesHost exposes a Manager as #authz.

Constant Summary

HASH_FUNCTION = "SHA256".freeze

Constructor Details

#initialize(salt = nil, authenticator = nil, policy = nil) ⇒ Manager

Returns a new instance of Manager.



# File 'lib/roadforest/authorization/manager.rb', line 35

def initialize(salt = nil, authenticator = nil, policy = nil)
  #XXX consider launch-time randomized salt
  @grants = GrantsHolder.new(salt || "roadforest-insecure", HASH_FUNCTION)

  @store = DefaultAuthenticationStore.new
  @authenticator = authenticator || AuthenticationChain.new(@store)
  @policy = policy || Policy.new
  @policy.grants_holder = @grants
end
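
A sketch of the digest-and-intersect scheme described in the Overview, and of what the constructor's fallback salt means for it. This is an added illustration, not RoadForest code: `SketchGrants`, `decide` and `name_confirmable?` are hypothetical names, and the digest layout (salt, name and sorted parameters joined with NUL) is an assumption, since GrantsHolder's internals are not shown on this page.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for the digesting described in the Overview. It is NOT
# RoadForest's GrantsHolder; the canonical form below is an assumption.
class SketchGrants
  HASH_FUNCTION = "SHA256".freeze # same constant value as the Manager

  def initialize(salt)
    @salt = salt
  end

  # Digest of salt + permission name + parameters (sorted by key so that
  # parameter order does not change the token; NUL-separated fields).
  def digest(name, params = {})
    fields = [@salt, name.to_s]
    params.sort_by { |k, _| k.to_s }.each { |k, v| fields << k.to_s << v.to_s }
    OpenSSL::Digest.new(HASH_FUNCTION).hexdigest(fields.join("\0"))
  end
end

# Decision rule from the Overview: :granted when the resource's required list
# and the entity's granted list share a permission; no entity is :refused.
def decide(required, available)
  return :refused if available.nil?
  required.any? { |r| available.include?(r) } ? :granted : :refused
end

# Audit check: does `token` match a candidate permission name digested with a
# salt the client could know? If so, the digest is not hiding that name.
def name_confirmable?(token, candidates, known_salt)
  probe = SketchGrants.new(known_salt)
  candidates.any? { |name| probe.digest(name) == token }
end

if $PROGRAM_NAME == __FILE__
  default = SketchGrants.new("roadforest-insecure") # constructor's fallback salt
  random  = SketchGrants.new(SecureRandom.hex(32))  # launch-time random salt
  names   = %w[read edit admin]                     # constructed sample names

  required = [default.digest(:admin), default.digest(:edit, { id: 7 })]
  puts decide(required, [default.digest(:edit, { id: 7 })])
  puts decide(required, [default.digest(:read)])
  puts name_confirmable?(default.digest(:admin), names, "roadforest-insecure")
  puts name_confirmable?(random.digest(:admin), names, "roadforest-insecure")
end
```

With the fallback salt, a client that knows the string can match the digests it is shown against guessed permission names, so the digests conceal nothing. Passing a per-deployment secret as `salt`, or the launch-time randomized salt the XXX comment proposes, closes that gap.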

Instance Attribute Details

#authenticator ⇒ Object

Returns the value of attribute authenticator.



# File 'lib/roadforest/authorization/manager.rb', line 29

def authenticator
  @authenticator
end

#grants ⇒ Object (readonly)

Returns the value of attribute grants.



# File 'lib/roadforest/authorization/manager.rb', line 31

def grants
  @grants
end

#policy ⇒ Object

Returns the value of attribute policy.



# File 'lib/roadforest/authorization/manager.rb', line 30

def policy
  @policy
end

Instance Method Details

#authorization(request, required_grants) ⇒ Object

:public means the request doesn’t need authorization.

:granted means that it does need authz, but the credentials passed are allowed to access the resource.

:refused means that the credentials passed are not allowed to access the resource.

Note that the method body shown below returns only :granted or :refused; it has no branch that returns :public.

TODO: Resource needs to add s-maxage=0 for :granted requests or public for :public requests to the CacheControl header



# File 'lib/roadforest/authorization/manager.rb', line 67

def authorization(request, required_grants)
  entity = nil
  if entity.nil?
    entity = authenticator.authenticate(request)
  end

  return :refused if entity.nil?

  available_grants = policy.grants_for(entity)

  if required_grants.any?{|required| available_grants.include?(required)}
    return :granted
  else
    return :refused
  end
end

#build_grants(&block) ⇒ Object



# File 'lib/roadforest/authorization/manager.rb', line 49

def build_grants(&block)
  @grants.build_grants(&block)
end

#challenge(options) ⇒ Object



# File 'lib/roadforest/authorization/manager.rb', line 53

def challenge(options)
  @authenticator.challenge(options)
end

#cleartext_grants! ⇒ Object



# File 'lib/roadforest/authorization/manager.rb', line 45

def cleartext_grants!
  @grants.conceal = false
end