Class: OMF::SFA::AM::RPC::AMAuthorizer

Inherits:
DefaultAuthorizer
Defined in:
lib/omf-sfa/am/am-rpc/am_authorizer.rb

Overview

This class implements the decision logic that determines whether a given user, in a specific context (account, project, credentials), may access a specific piece of functionality in the AM.

Instance Attribute Summary

Class Method Summary

Instance Method Summary

Instance Attribute Details

#account ⇒ Object (readonly)

Returns the value of attribute account.

# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 18

def account
  @account
end

#certificate ⇒ Hash (readonly)

Returns the certificate associated with this caller.

Returns:

  • (Hash)

    The certificate associated with this caller



# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 29

#project ⇒ Object (readonly)

Returns the value of attribute project.



# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 22

def project
  @project
end

#user ⇒ Object (readonly)

Returns the value of attribute user.



# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 26

def user
  @user
end

Class Method Details

.create_for_sfa_request(account_urn, credentials, request, am_manager) ⇒ Object

Create an instance from the information provided by Rack's request object.

Parameters:

  • request (Rack::Request)

    Request provided by the Rack API

  • am_manager (AbstractAmManager#get_account)

    AM Manager for retrieving AM context



# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 40

def self.create_for_sfa_request(account_urn, credentials, request, am_manager)
  # The caller is identified by the client certificate presented on the TLS connection.
  raise "Missing peer cert" unless (cert_s = request.env['rack.peer_cert'])
  peer = OMF::SFA::AM::UserCredential.unmarshall(cert_s)
  debug "Requester: #{peer.subject} :: #{peer.user_urn}"

  raise OMF::SFA::AM::InsufficientPrivilegesException.new "Credentials are missing." if credentials.nil?

  # Reject a certificate outside its validity window. The exception must be raised,
  # not merely constructed, or an expired certificate would be accepted.
  unless peer.valid_at?
    raise OMF::SFA::AM::InsufficientPrivilegesException.new "The certificate has expired or is not valid yet. Check the dates."
  end
  # Ensure a local user record exists for the authenticated peer.
  user = am_manager.find_or_create_user({:uuid => peer.user_uuid, :urn => peer.user_urn})

  # Unmarshall every privilege credential and reject any outside its validity window.
  creds = credentials.map do |cs|
    cs = OMF::SFA::AM::PrivilegeCredential.unmarshall(cs)
    cs.tap do |c|
      unless c.valid_at?
        raise OMF::SFA::AM::InsufficientPrivilegesException.new "The credentials have expired or are not valid yet. Check the dates."
      end
    end
  end

  self.new(account_urn, peer, creds, am_manager)
end

Instance Method Details

#can_release_resource?(resource) ⇒ Boolean

RESOURCE

Returns:

  • (Boolean)


# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 82

def can_release_resource?(resource)
  # The resource must belong to the caller's account and the caller must hold the permission.
  unless resource.account == @account && @permissions[:can_release_resource?]
    raise OMF::SFA::AM::InsufficientPrivilegesException.new
  end
  true
end

#can_renew_account?(account, expiration_time) ⇒ Boolean

ACCOUNT

Returns:

  • (Boolean)


# File 'lib/omf-sfa/am/am-rpc/am_authorizer.rb', line 71

def can_renew_account?(account, expiration_time)
  debug "Check permission 'can_renew_account?' (#{account == @account}, #{@permissions[:can_renew_account?]}, #{@user_cred.valid_at?(expiration_time)})"
  # Renewal is only allowed up to the point where the caller's own credential is still valid.
  unless account == @account &&
      @permissions[:can_renew_account?] &&
      @user_cred.valid_at?(expiration_time) # not sure if this is the right check
    raise OMF::SFA::AM::InsufficientPrivilegesException.new("Can't renew account after the expiration of the credentials")
  end
  true
end
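The checks in create_for_sfa_request and can_renew_account? above are fail-closed validity tests: a missing peer certificate, missing credentials, a certificate or credential outside its not-before/not-after window, or a renewal past the caller's credential expiry all have to end in a raised exception. The following is an added, self-contained example (not code from omf-sfa) that reproduces those decisions against constructed credentials. StubCredential, MiniAuthorizer, InsufficientPrivileges, try_authz, scenario_results and the fixed timestamps are all assumptions introduced here; only the valid_at? predicate and the error messages mirror the page's code.

```ruby
require 'time'

# Constructed stand-in for the credential objects the authorizer consumes.
# Only the validity window is modelled; real SFA credentials are signed certificates.
class StubCredential
  attr_reader :urn, :not_before, :not_after

  def initialize(urn, not_before:, not_after:)
    @urn = urn
    @not_before = not_before
    @not_after = not_after
  end

  # Same predicate the page's code calls: is the credential usable at this instant?
  def valid_at?(time = Time.now)
    time >= @not_before && time <= @not_after
  end
end

class InsufficientPrivileges < StandardError; end

# Minimal authorizer (assumed name) reproducing the page's fail-closed checks.
class MiniAuthorizer
  attr_reader :account, :user_cred

  def initialize(account, user_cred, permissions)
    @account = account
    @user_cred = user_cred
    @permissions = permissions
  end

  # Counterpart of create_for_sfa_request: every check raises, so nothing is
  # granted on an expired or missing certificate/credential.
  def self.for_request(account, peer_cert, credentials, permissions, now: Time.now)
    raise InsufficientPrivileges, "Missing peer cert" if peer_cert.nil?
    raise InsufficientPrivileges, "Credentials are missing." if credentials.nil? || credentials.empty?
    unless peer_cert.valid_at?(now)
      raise InsufficientPrivileges, "The certificate has expired or is not valid yet."
    end
    credentials.each do |c|
      unless c.valid_at?(now)
        raise InsufficientPrivileges, "The credentials have expired or are not valid yet."
      end
    end
    new(account, credentials.first, permissions)
  end

  # Counterpart of can_renew_account?: the requested expiration must lie inside
  # the window of the credential the caller presented.
  def can_renew_account?(account, expiration_time)
    unless account == @account &&
           @permissions[:can_renew_account?] &&
           @user_cred.valid_at?(expiration_time)
      raise InsufficientPrivileges, "Can't renew account after the expiration of the credentials"
    end
    true
  end
end

# Runs a block and reports :ok or the authorization error message.
def try_authz
  yield
  :ok
rescue InsufficientPrivileges => e
  e.message
end

# Constructed fixed clock and credentials so the scenarios are reproducible offline.
NOW = Time.utc(2024, 1, 1, 12, 0, 0)
VALID_CERT = StubCredential.new('urn:publicid:IDN+example+user+alice', not_before: NOW - 3600, not_after: NOW + 86_400)
EXPIRED_CERT = StubCredential.new('urn:publicid:IDN+example+user+alice', not_before: NOW - 7200, not_after: NOW - 3600)
SLICE_CRED = StubCredential.new('urn:publicid:IDN+example+slice+demo', not_before: NOW - 3600, not_after: NOW + 7200)
PERMS = { can_renew_account?: true }

# Exercises each decision path and collects the outcome per scenario.
def scenario_results
  {
    expired_cert: try_authz { MiniAuthorizer.for_request('acct', EXPIRED_CERT, [SLICE_CRED], PERMS, now: NOW) },
    no_creds:     try_authz { MiniAuthorizer.for_request('acct', VALID_CERT, nil, PERMS, now: NOW) },
    renew_within: try_authz { MiniAuthorizer.for_request('acct', VALID_CERT, [SLICE_CRED], PERMS, now: NOW).can_renew_account?('acct', NOW + 3600) },
    renew_beyond: try_authz { MiniAuthorizer.for_request('acct', VALID_CERT, [SLICE_CRED], PERMS, now: NOW).can_renew_account?('acct', NOW + 86_400 * 7) },
    wrong_acct:   try_authz { MiniAuthorizer.for_request('acct', VALID_CERT, [SLICE_CRED], PERMS, now: NOW).can_renew_account?('other', NOW + 3600) }
  }
end

scenario_results.each { |name, outcome| puts "#{name}: #{outcome}" } if $PROGRAM_NAME == __FILE__
```

The point the scenarios make is that the decision is only as strong as the raise: a check that builds an exception object without raising it, as the `unless peer.valid_at?` branch on the page does before the fix, silently accepts an expired certificate. Passing the clock in as an argument also makes the window checks testable without waiting for real credentials to expire.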