Class: OMF::SFA::AM::RPC::AMAuthorizer

Inherits:

DefaultAuthorizer

• Object
• LObject
• DefaultAuthorizer
• OMF::SFA::AM::RPC::AMAuthorizer

Defined in:

lib/omf-sfa/am/am-rpc/am_authorizer.rb

Overview

This class implements the decision logic for determining access of a user in a specific context to specific functionality in the AM

Instance Attribute Summary

• #account ⇒ Object readonly

  Returns the value of attribute account.

• #certificate ⇒ Hash readonly

  The certificate associated with this caller.

• #project ⇒ Object readonly

  Returns the value of attribute project.

• #user ⇒ Object readonly

  Returns the value of attribute user.

Class Method Summary

• .create_for_sfa_request(account_urn, credentials, request, am_manager) ⇒ Object

  Create an instance from the information provided by the rack’s ‘req’ object.

Instance Method Summary

• #can_release_resource?(resource) ⇒ Boolean

  RESOURCE.

• #can_renew_account?(account, expiration_time) ⇒ Boolean

  ACCOUNT.

Instance Attribute Details

#account ⇒ Object (readonly)

Returns the value of attribute account.

# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 18

def account
  @account
end

#certificate ⇒ Hash (readonly)

Returns The certificate associated with this caller.

Returns:

• (Hash) —

  The certificate associated with this caller

# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 29

#project ⇒ Object (readonly)

Returns the value of attribute project.

# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 22

def project
  @project
end

#user ⇒ Object (readonly)

Returns the value of attribute user.

# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 26

def user
  @user
end

Class Method Details

.create_for_sfa_request(account_urn, credentials, request, am_manager) ⇒ Object

Create an instance from the information provided by the rack’s ‘req’ object.

Parameters:

• Request (Rack::Request) —

  provided by the Rack API

• AM (AbstractAmManager#get_account) —

  Manager for retrieving AM context

# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 40

def self.create_for_sfa_request(account_urn, credentials, request, am_manager)

  begin
    raise "Missing peer cert" unless cert_s = request.env['rack.peer_cert']
    peer = OMF::SFA::AM::UserCredential.unmarshall(cert_s)
  end
  debug "Requester: #{peer.subject} :: #{peer.user_urn}"

  raise OMF::SFA::AM::InsufficientPrivilegesException.new "Credentials are missing." if credentials.nil?

  unless peer.valid_at?     
    OMF::SFA::AM::InsufficientPrivilegesException.new "The certificate has expired or not valid yet. Check the dates."
  end
  user = am_manager.find_or_create_user({:uuid => peer.user_uuid, :urn => peer.user_urn})

  creds = credentials.map do |cs|
    cs = OMF::SFA::AM::PrivilegeCredential.unmarshall(cs)
    cs.tap do |c|
      unless c.valid_at?
        OMF::SFA::AM::InsufficientPrivilegesException.new "The credentials have expired or not valid yet. Check the dates."
      end
    end
  end

        
  self.new(account_urn, peer, creds, am_manager)
end

Instance Method Details

#can_release_resource?(resource) ⇒ Boolean

RESOURCE

Returns:

• (Boolean)

# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 82

def can_release_resource?(resource)
  unless resource.account == @account && @permissions[:can_release_resource?]
    raise OMF::SFA::AM::InsufficientPrivilegesException.new      
  end
end

#can_renew_account?(account, expiration_time) ⇒ Boolean

ACCOUNT

Returns:

• (Boolean)

# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 71

def can_renew_account?(account, expiration_time)
  debug "Check permission 'can_renew_account?' (#{account == @account}, #{@permissions[:can_renew_account?]}, #{@user_cred.valid_at?(expiration_time)})"
  unless account == @account && 
      @permissions[:can_renew_account?] && 
      @user_cred.valid_at?(expiration_time) # not sure if this is the right check
    raise OMF::SFA::AM::InsufficientPrivilegesException.new("Can't renew account after the expiration of the credentials")
  end
end