Module: OpenTox::Authorization
- Defined in:
- lib/authorization.rb
Overview
Module for Authorization and Authentication
Defined Under Namespace
Classes: AA
Class Method Summary
- .authenticate(user, pw) ⇒ String?
  Authentication against OpenSSO.
- .authorize(uri, action, subjectid) ⇒ Boolean?
  Authorization against OpenSSO for a URI with a request method (action): GET, POST, PUT or DELETE.
- .authorized?(uri, request_method, subjectid) ⇒ Boolean
  Checks authorization for a resource (identified via URI) with method and subjectid.
- .check_policy(uri, subjectid) ⇒ Boolean
  Checks (if subjectid is valid) whether a policy exists and creates a default policy if not.
- .create_policy(policy, subjectid) ⇒ Object
  Sends a policy in XML format to the OpenSSO server.
- .delete_policies_from_uri(uri, subjectid) ⇒ Boolean
  Deletes all policies of a URI.
- .delete_policy(policy, subjectid) ⇒ Boolean?
  Deletes a policy.
- .get_uri_owner(uri, subjectid) ⇒ Object
  Returns the owner (the user who created the first policy) of a URI, or nil.
- .get_user(subjectid) ⇒ String
  Returns the owner (user id) of a token.
- .is_token_valid(subjectid) ⇒ Boolean (also: token_valid?)
  Checks whether a token is valid.
- .list_groups(subjectid) ⇒ Array
  Returns an array of all possible LDAP groups.
- .list_policies(subjectid) ⇒ Array?
  Returns an array with all policies of the token owner.
- .list_policies_uris(subjectid) ⇒ Hash
  Lists policies together with their affected URIs.
- .list_policy(policy, subjectid) ⇒ String
  Returns a policy in XML format.
- .list_policy_uris(policy, subjectid) ⇒ Hash
  Lists the URIs affected by a policy.
- .list_uri_policies(uri, subjectid) ⇒ Object
  Lists all policy names for a URI.
- .list_user_groups(user, subjectid) ⇒ Array
  Returns an array of the LDAP groups of a user.
- .logout(subjectid) ⇒ Boolean
  Logs out from OpenSSO.
- .send_policy(uri, subjectid) ⇒ Object
  Sends the default policy using the Authorization::AA class.
- .server ⇒ String?
  Returns the OpenSSO server set in the config file .opentox/config/.yaml.
- .uri_has_policy(uri, subjectid) ⇒ Object
  Checks if a policy exists for a URI.
Class Method Details
.authenticate(user, pw) ⇒ String?
Authentication against OpenSSO. Returns a token. Requires username and password.

```ruby
# File 'lib/authorization.rb', line 60

def self.authenticate(user, pw)
  return nil if !AA_SERVER
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/auth/authenticate")
    # OpenSSO answers "token.id=<token>\n"; strip the prefix and the newline
    out = resource.post(:username=>user, :password => pw).sub("token.id=","").sub("\n","")
    return out
  rescue
    return nil
  end
end
```
.authorize(uri, action, subjectid) ⇒ Boolean?
Authorization against OpenSSO for a URI with a request method (action): GET, POST, PUT or DELETE.

```ruby
# File 'lib/authorization.rb', line 87

def self.authorize(uri, action, subjectid)
  # no AA server configured: every request is treated as authorized
  return true if !AA_SERVER
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/auth/authorize")
    return true if resource.post(:uri => uri, :action => action, :subjectid => subjectid) == "boolean=true\n"
    # any other answer falls through and the method evaluates to nil (not authorized)
  rescue
    return nil
  end
end
```
.authorized?(uri, request_method, subjectid) ⇒ Boolean
Checks authorization for a resource (identified via URI) with method and subjectid.

```ruby
# File 'lib/authorization.rb', line 339

def self.authorized?(uri, request_method, subjectid)
  if CONFIG[:authorization][:free_request].include?(request_method)
    #LOGGER.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
    true
  elsif OpenTox::Authorization.free_uri?(uri, request_method)
    #LOGGER.debug "authorized? >>true<< (uris is free_uri), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
    true
  elsif CONFIG[:authorization][:authenticate_request].include?(request_method)
    ret = OpenTox::Authorization.is_token_valid(subjectid)
    LOGGER.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
    ret
  # the method name on this line was lost in extraction; authorize_exception? is reconstructed from the debug message below
  elsif OpenTox::Authorization.authorize_exception?(uri, request_method)
    ret = OpenTox::Authorization.is_token_valid(subjectid)
    LOGGER.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
    ret
  elsif CONFIG[:authorization][:authorize_request].include?(request_method)
    ret = OpenTox::Authorization.authorize(uri, request_method, subjectid)
    LOGGER.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
    ret
  else
    # unknown request method: fail closed
    LOGGER.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
    false
  end
end
```
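As an added example (not opentox-ruby's own code), the branch order of authorized? re-implemented offline: CONFIG[:authorization], free_uri?, is_token_valid and authorize are replaced by constructed tables and stubs so the decision chain, including the fail-closed default, can be exercised without an OpenSSO server.

```ruby
# Added example: offline model of the authorized? decision chain.
# All tables below are constructed stand-ins, not opentox-ruby data.
require 'set'

# Shape of CONFIG[:authorization] as read by authorized? (constructed).
AUTHZ_CONFIG = {
  free_request:         Set["GET"],            # no token needed
  authenticate_request: Set["POST"],           # any valid token suffices
  authorize_request:    Set["PUT", "DELETE"],  # token plus OpenSSO policy
}.freeze

# Constructed: URI patterns that are free for the listed methods (free_uri?).
FREE_URIS = { %r{\Ahttp://example\.org/(algorithm|model)/?\z} => Set["POST"] }
# Constructed: tokens the stub "server" accepts, and its (uri, action) policies.
VALID_TOKENS = Set["tok-alice", "tok-bob"]
POLICIES = { ["http://example.org/model/1", "DELETE"] => Set["tok-alice"] }

def free_uri?(uri, request_method)
  FREE_URIS.any? { |re, methods| uri =~ re && methods.include?(request_method) }
end

# Stand-in for is_token_valid.
def token_valid?(subjectid)
  VALID_TOKENS.include?(subjectid)
end

# Stand-in for authorize: OpenSSO grants only when the token is valid AND
# a policy covers (uri, action) for that subject.
def policy_allows?(uri, action, subjectid)
  token_valid?(subjectid) && POLICIES.fetch([uri, action], Set[]).include?(subjectid)
end

# Same branch order as the original: free request, free URI,
# authenticate-only, policy-checked, then a fail-closed default.
def authorized?(uri, request_method, subjectid, config = AUTHZ_CONFIG)
  if config[:free_request].include?(request_method)
    true
  elsif free_uri?(uri, request_method)
    true
  elsif config[:authenticate_request].include?(request_method)
    token_valid?(subjectid)
  elsif config[:authorize_request].include?(request_method)
    policy_allows?(uri, request_method, subjectid)
  else
    false   # unknown method: deny, like the original's else branch
  end
end
```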
.check_policy(uri, subjectid) ⇒ Boolean
Checks (if subjectid is valid) whether a policy exists and creates a default policy if not.

```ruby
# File 'lib/authorization.rb', line 304

def self.check_policy(uri, subjectid)
  return true unless uri and subjectid
  token_valid = OpenTox::Authorization.is_token_valid(subjectid)
  LOGGER.debug "OpenTox::Authorization.check_policy with uri: #{uri}, subjectid: #{subjectid} is valid: #{token_valid}"
  # check if subjectid is valid
  unless token_valid
    # abort if invalid
    LOGGER.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{subjectid}"
    return false
  end
  if !uri_has_policy(uri, subjectid)
    # if no policy exists, create a policy, return result of send policy
    send_policy(uri, subjectid)
  else
    # if policy exists check for POST rights
    if authorize(uri, "POST", subjectid)
      true
    else
      LOGGER.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{subjectid}"
      false
    end
  end
  # NB: the value of the if/else above is not returned; with a valid token this method always yields true
  true
end
```
.create_policy(policy, subjectid) ⇒ Object
Sends a policy in XML format to the OpenSSO server. Requires the policy XML and a token. Returns true if the policy is created.

```ruby
# File 'lib/authorization.rb', line 200

def self.create_policy(policy, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/Pol/opensso-pol")
    LOGGER.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token:" + subjectid.to_s + " length: " + subjectid.length.to_s
    return true if resource.post(policy, :subjectid => subjectid, :content_type => "application/xml")
  rescue
    return false
  end
end
```
.delete_policies_from_uri(uri, subjectid) ⇒ Boolean
Deletes all policies of a URI.

```ruby
# File 'lib/authorization.rb', line 289

def self.delete_policies_from_uri(uri, subjectid)
  policies = list_uri_policies(uri, subjectid)
  if policies
    policies.each do |policy|
      ret = delete_policy(policy, subjectid)
      LOGGER.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}"
    end
  end
  # returns true even if individual deletions failed or the policy list could not be fetched
  return true
end
```
.delete_policy(policy, subjectid) ⇒ Boolean?
Deletes a policy
```ruby
# File 'lib/authorization.rb', line 213

def self.delete_policy(policy, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    LOGGER.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{subjectid}"
    return true if resource.delete(:subjectid => subjectid, :id => policy)
  rescue
    return nil
  end
end
```
.get_uri_owner(uri, subjectid) ⇒ Object
Returns the owner (the user who created the first policy) of a URI, or nil.

```ruby
# File 'lib/authorization.rb', line 161

def self.get_uri_owner(uri, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    return resource.get(:uri => uri, :subjectid => subjectid).sub("\n","")
  rescue
    return nil
  end
end
```
.get_user(subjectid) ⇒ String
Returns the owner (user id) of a token
```ruby
# File 'lib/authorization.rb', line 258

def self.get_user(subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/attributes")
    out = resource.post(:subjectid => subjectid, :attributes_names => "uid")
    user = ""; check = false
    # the response is line-oriented: a "userdetails.attribute.name=uid" line
    # is followed by the matching "userdetails.attribute.value=<uid>" line
    out.split("\n").each do |line|
      if check
        user = line.sub("userdetails.attribute.value=","") if line.include?("userdetails.attribute.value=")
        check = false
      end
      check = true if line.include?("userdetails.attribute.name=uid")
    end
    return user
  rescue
    nil
  end
end
```
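As an added example (not opentox-ruby's own code), a general parser for the line-oriented identity/attributes response that get_user scans for a single uid; the sample response is constructed, and the parser keeps every value of every attribute where get_user keeps only the first uid value.

```ruby
# Added example: parse the name/value line pairs of an OpenSSO
# identity/attributes response into a Hash. The response text is constructed.
SAMPLE_ATTRIBUTES = <<~RESPONSE
  userdetails.token.id=constructed-token-id
  userdetails.attribute.name=uid
  userdetails.attribute.value=alice
  userdetails.attribute.name=mail
  userdetails.attribute.value=alice@example.org
  userdetails.attribute.name=memberof
  userdetails.attribute.value=cn=modellers
  userdetails.attribute.value=cn=validators
  userdetails.attribute.name=emptyattr
RESPONSE

# Returns { name => [values...] }. Every value line is attributed to the
# most recent name line; a name with no value line maps to an empty array.
def parse_identity_attributes(text)
  attrs = {}
  current = nil
  text.each_line(chomp: true) do |line|
    if (name = line[/\Auserdetails\.attribute\.name=(.*)\z/, 1])
      current = name
      attrs[current] ||= []
    elsif current && (value = line[/\Auserdetails\.attribute\.value=(.*)\z/, 1])
      attrs[current] << value
    end
    # other lines (e.g. userdetails.token.id=...) are ignored
  end
  attrs
end

# Same contract as get_user: the first uid value, or "" when there is none.
def uid_from(text)
  parse_identity_attributes(text).fetch("uid", []).first || ""
end
```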
.is_token_valid(subjectid) ⇒ Boolean Also known as: token_valid?
Checks whether a token is valid.

```ruby
# File 'lib/authorization.rb', line 100

def self.is_token_valid(subjectid)
  # no AA server configured: every token is treated as valid
  return true if !AA_SERVER
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/auth/isTokenValid")
    return true if resource.post(:tokenid => subjectid) == "boolean=true\n"
    # any other answer falls through and the method evaluates to nil (invalid)
  rescue
    return false
  end
end
```
.list_groups(subjectid) ⇒ Array
Returns an array of all possible LDAP groups.

```ruby
# File 'lib/authorization.rb', line 226

def self.list_groups(subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/search")
    grps = resource.post(:admin => subjectid, :attributes_names => "objecttype", :attributes_values_objecttype => "group")
    grps = grps.split("\n").collect{|x| x.sub("string=","")}
    grps.delete_if{|g|g=="MemberManagement"||g=="Webmasters"}
    grps
  rescue
    []
  end
end
```
.list_policies(subjectid) ⇒ Array?
Returns an array with all policies of the token owner.

```ruby
# File 'lib/authorization.rb', line 113

def self.list_policies(subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    out = resource.get(:subjectid => subjectid)
    return out.split("\n")
  rescue RestClient::InternalServerError => e
    raise e.response
  rescue
    return nil
  end
end
```
.list_policies_uris(subjectid) ⇒ Hash
Lists policies together with their affected URIs.

```ruby
# File 'lib/authorization.rb', line 140

def self.list_policies_uris( subjectid )
  names = list_policies(subjectid)
  policies = {}
  names.each do |n|
    policies[n] = list_policy_uris( n, subjectid )
  end
  policies
end
```
.list_policy(policy, subjectid) ⇒ String
Returns a policy in XML format.

```ruby
# File 'lib/authorization.rb', line 128

def self.list_policy(policy, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    return resource.get(:subjectid => subjectid,:id => policy)
  rescue
    return nil
  end
end
```
.list_policy_uris(policy, subjectid) ⇒ Hash
Lists the URIs affected by a policy.

```ruby
# File 'lib/authorization.rb', line 152

def self.list_policy_uris( policy, subjectid )
  p = OpenTox::Policies.new
  p.load_xml( list_policy(policy, subjectid) )
  p.uris
end
```
.list_uri_policies(uri, subjectid) ⇒ Object
Lists all policy names for a URI. Requires URI and token. Returns an Array of policy names, or nil if the request fails.

```ruby
# File 'lib/authorization.rb', line 182

def self.list_uri_policies(uri, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    out = resource.get(:uri => uri, :polnames => true, :subjectid => subjectid)
    policies = []; notfirstline = false
    # the first line of the response is a header, not a policy name
    out.split("\n").each do |line|
      policies << line if notfirstline
      notfirstline = true
    end
    return policies
  rescue
    return nil
  end
end
```
.list_user_groups(user, subjectid) ⇒ Array
Returns an array of the LDAP groups of a user.

```ruby
# File 'lib/authorization.rb', line 241

def self.list_user_groups(user, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/read")
    out = resource.post(:name => user, :admin => subjectid, :attributes_names => "group")
    grps = []
    out.split("\n").each do |line|
      grps << line.sub("identitydetails.group=","") if line.include?("identitydetails.group=")
    end
    return grps
  rescue
    []
  end
end
```
.logout(subjectid) ⇒ Boolean
Logs out from OpenSSO, invalidating the token. Requires a token.

```ruby
# File 'lib/authorization.rb', line 74

def self.logout(subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/auth/logout")
    resource.post(:subjectid => subjectid)
    return true
  rescue
    return false
  end
end
```
.send_policy(uri, subjectid) ⇒ Object
Sends the default policy using the Authorization::AA class.

```ruby
# File 'lib/authorization.rb', line 278

def self.send_policy(uri, subjectid)
  # no AA server configured: report success without creating a policy
  return true if !AA_SERVER
  aa = Authorization::AA.new(subjectid)
  ret = aa.send(uri)
  LOGGER.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{subjectid} - policy created: #{ret}"
  ret
end
```
.server ⇒ String?
Returns the open-sso server set in the config file .opentox/config/.yaml
```ruby
# File 'lib/authorization.rb', line 53

def self.server
  return AA_SERVER
end
```
.uri_has_policy(uri, subjectid) ⇒ Object
Checks if a policy exists for a URI. Requires URI and token. Returns a Boolean.

```ruby
# File 'lib/authorization.rb', line 173

def self.uri_has_policy(uri, subjectid)
  owner = get_uri_owner(uri, subjectid)
  # the server answers the literal string "null" when no policy exists
  return true if owner and owner != "null"
  false
end
```