Module: OpenTox::Authorization

Defined in:

lib/authorization.rb

Overview

Module for Authorization and Authentication

Examples:

Authentication

require "opentox-ruby-api-wrapper" 
OpenTox::Authorization::AA_SERVER = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[environment].yaml 
token = OpenTox::Authorization.authenticate("benutzer", "passwort") 

See Also:

• OpenTox A&A API 1.2 specification

Defined Under Namespace

Classes: AA

Class Method Summary

• .authenticate(user, pw) ⇒ String^?

  Authentication against OpenSSO.

• .authorize(uri, action, subjectid) ⇒ Boolean^?

  Authorization against OpenSSO for a URI with request-method (action) [GET/POST/PUT/DELETE].

• .authorized?(uri, request_method, subjectid) ⇒ Boolean

  Check Authorization for a resource (identified via URI) with method and subjectid.

• .check_policy(uri, subjectid) ⇒ Boolean

  Checks (if subjectid is valid) if a policy exist and create default policy if not.

• .create_policy(policy, subjectid) ⇒ Object

  Sends a policy in xml-format to opensso server.

• .delete_policies_from_uri(uri, subjectid) ⇒ Boolean

  Deletes all policies of an URI.

• .delete_policy(policy, subjectid) ⇒ Boolean^?

  Deletes a policy.

• .get_uri_owner(uri, subjectid) ⇒ Object

  Returns the owner (who created the first policy) of an URI return [String, nil]owner,nil returns owner of the URI.

• .get_user(subjectid) ⇒ String

  Returns the owner (user id) of a token.

• .is_token_valid(subjectid) ⇒ Boolean (also: token_valid?)

  Checks if a token is a valid token.

• .list_groups(subjectid) ⇒ Array

  Returns array of all possible LDAP-Groups.

• .list_policies(subjectid) ⇒ Array^?

  Returns array with all policies of the token owner.

• .list_policies_uris(subjectid) ⇒ Hash

  Lists policies alongside with affected uris.

• .list_policy(policy, subjectid) ⇒ String

  Returns a policy in xml-format.

• .list_policy_uris(policy, subjectid) ⇒ Hash

  Lists policies alongside with affected uris.

• .list_uri_policies(uri, subjectid) ⇒ Object

  List all policynames for a URI.

• .list_user_groups(user, subjectid) ⇒ Array

  Returns array of the LDAP-Groups of an user.

• .logout(subjectid) ⇒ Boolean

  Logout on opensso.

• .send_policy(uri, subjectid) ⇒ Object

  Send default policy with Authorization::AA class.

• .server ⇒ String^?

  Returns the open-sso server set in the config file .opentox/config/.yaml.

• .uri_has_policy(uri, subjectid) ⇒ Object

  Checks if a policy exists to a URI.

Class Method Details

.authenticate(user, pw) ⇒ String^?

Authentication against OpenSSO. Returns token. Requires Username and Password.

Parameters:

• Username,Password (String, String)

Returns:

• (String, nil) —

  gives subjectid or nil

# File 'lib/authorization.rb', line 62

def self.authenticate(user, pw)
  return nil if !AA_SERVER
  begin 
    resource = RestClient::Resource.new("#{AA_SERVER}/auth/authenticate")
    out = resource.post(:username=>user, :password => pw).sub("token.id=","").sub("\n","")
    return out
  rescue
    return nil
  end
end

.authorize(uri, action, subjectid) ⇒ Boolean^?

Authorization against OpenSSO for a URI with request-method (action) [GET/POST/PUT/DELETE]

Parameters:

• uri,action,subjectid (String, String, String)

Returns:

• (Boolean, nil) —

  returns true, false or nil (if authorization-request fails).

# File 'lib/authorization.rb', line 89

def self.authorize(uri, action, subjectid)
  return true if !AA_SERVER
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/auth/authorize")
    return true if resource.post(:uri => uri, :action => action, :subjectid => subjectid) == "boolean=true\n"
  rescue
    return nil
  end    
end

.authorized?(uri, request_method, subjectid) ⇒ Boolean

Check Authorization for a resource (identified via URI) with method and subjectid.

Parameters:

• uri (String)
• request_method, (String) —

  should be GET, POST, PUT, DELETE

• subjectid (String)

Returns:

• (Boolean) —

  true if access granted, else otherwise

# File 'lib/authorization.rb', line 341

def self.authorized?(uri, request_method, subjectid)
  if CONFIG[:authorization][:free_request].include?(request_method)
    #LOGGER.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
    true
  elsif OpenTox::Authorization.free_uri?(uri, request_method)
    #LOGGER.debug "authorized? >>true<< (uris is free_uri), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
    true
  elsif CONFIG[:authorization][:authenticate_request].include?(request_method)
    ret = OpenTox::Authorization.is_token_valid(subjectid)
    LOGGER.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
    ret
  elsif OpenTox::Authorization.authorize_exception?(uri, request_method)
    ret = OpenTox::Authorization.is_token_valid(subjectid)
    LOGGER.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
    ret
  elsif CONFIG[:authorization][:authorize_request].include?(request_method)
    ret = OpenTox::Authorization.authorize(uri, request_method, subjectid)
    LOGGER.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
    ret
  else 
    LOGGER.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
    false
  end
end

.check_policy(uri, subjectid) ⇒ Boolean

Checks (if subjectid is valid) if a policy exist and create default policy if not

Parameters:

• uri (String)
• subjectid (String)

Returns:

• (Boolean) —

  true if policy checked/created successfully (or no uri/subjectid given), false else

# File 'lib/authorization.rb', line 306

def self.check_policy(uri, subjectid)
  return true unless uri and subjectid
  token_valid = OpenTox::Authorization.is_token_valid(subjectid)      
  LOGGER.debug "OpenTox::Authorization.check_policy with uri: #{uri}, subjectid: #{subjectid} is valid: #{token_valid}"
  # check if subjectid is valid
  unless token_valid
    # abort if invalid
    LOGGER.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{subjectid}" 
    return false
  end
  
  if !uri_has_policy(uri, subjectid)
    # if no policy exists, create a policy, return result of send policy
    send_policy(uri, subjectid)
  else
    # if policy exists check for POST rights 
    if authorize(uri, "POST", subjectid)
      true
    else
      LOGGER.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{subjectid}" 
      false
    end
  end
  true
end

.create_policy(policy, subjectid) ⇒ Object

Sends a policy in xml-format to opensso server. Requires policy-xml and token. return [Boolean] returns true if policy is created

Parameters:

• policyxml,subjectid (String, String)

# File 'lib/authorization.rb', line 202

def self.create_policy(policy, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/Pol/opensso-pol")
    LOGGER.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token:" + subjectid.to_s + " length: " + subjectid.length.to_s 
    return true if resource.post(policy, :subjectid => subjectid, :content_type =>  "application/xml")
  rescue
    return false
  end
end

.delete_policies_from_uri(uri, subjectid) ⇒ Boolean

Deletes all policies of an URI

Parameters:

• URI,subjectid (String, String)

Returns:

• (Boolean)

# File 'lib/authorization.rb', line 291

def self.delete_policies_from_uri(uri, subjectid)
  policies = list_uri_policies(uri, subjectid)
  if policies
    policies.each do |policy|
      ret = delete_policy(policy, subjectid)
      LOGGER.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}"
    end
  end
  return true
end

.delete_policy(policy, subjectid) ⇒ Boolean^?

Deletes a policy

Parameters:

• policyname,subjectid (String, String)

Returns:

• (Boolean, nil)

# File 'lib/authorization.rb', line 215

def self.delete_policy(policy, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    LOGGER.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{subjectid}"
    return true if resource.delete(:subjectid => subjectid, :id => policy)        
  rescue
    return false
  end
end

.get_uri_owner(uri, subjectid) ⇒ Object

Returns the owner (who created the first policy) of an URI return [String, nil]owner,nil returns owner of the URI

Parameters:

• uri,subjectid (String, String)

# File 'lib/authorization.rb', line 163

def self.get_uri_owner(uri, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    return resource.get(:uri => uri, :subjectid => subjectid).sub("\n","")
  rescue
    return nil
  end      
end

.get_user(subjectid) ⇒ String

Returns the owner (user id) of a token

Parameters:

• subjectid (String)

Returns:

• (String) —

  user

# File 'lib/authorization.rb', line 260

def self.get_user(subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/attributes")
    out = resource.post(:subjectid => subjectid, :attributes_names => "uid")
    user = ""; check = false
    out.split("\n").each do |line|
      if check
        user = line.sub("userdetails.attribute.value=","") if line.include?("userdetails.attribute.value=")
        check = false
      end
      check = true if line.include?("userdetails.attribute.name=uid") 
    end
    return user
  rescue
    nil
  end
end

.is_token_valid(subjectid) ⇒ Boolean Also known as: token_valid?

Checks if a token is a valid token

Parameters:

• subjectid (String) —

  subjectid from openSSO session

Returns:

• (Boolean) —

  subjectid is valid or not.

# File 'lib/authorization.rb', line 102

def self.is_token_valid(subjectid)
  return true if !AA_SERVER
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/auth/isTokenValid")
    return true if resource.post(:tokenid => subjectid) == "boolean=true\n"
  rescue
    return false
  end
end

.list_groups(subjectid) ⇒ Array

Returns array of all possible LDAP-Groups

Parameters:

• subjectid (String)

Returns:

• (Array)

# File 'lib/authorization.rb', line 228

def self.list_groups(subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/search")
    grps = resource.post(:admin => subjectid, :attributes_names => "objecttype", :attributes_values_objecttype => "group")
    grps = grps.split("\n").collect{|x|  x.sub("string=","")}
    grps.delete_if{|g|g=="MemberManagement"||g=="Webmasters"}
    grps
  rescue
    []
  end
end

.list_policies(subjectid) ⇒ Array^?

Returns array with all policies of the token owner

Parameters:

• subjectid (String) —

  requires subjectid

Returns:

• (Array, nil) —

  returns an Array of policy names or nil if request fails

# File 'lib/authorization.rb', line 115

def self.list_policies(subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    out = resource.get(:subjectid => subjectid)
    return out.split("\n")
  rescue RestClient::InternalServerError => e
    raise e.response  
  rescue
    return nil
  end
end

.list_policies_uris(subjectid) ⇒ Hash

Lists policies alongside with affected uris

Parameters:

• subjectid (String)

Returns:

• (Hash) —

  keys: all policies of the subjectid owner, values: uris affected by those policies

# File 'lib/authorization.rb', line 142

def self.list_policies_uris( subjectid )
  names = list_policies(subjectid)
  policies = {}
  names.each do |n|
    policies[n] = list_policy_uris( n, subjectid )
  end
  policies
end

.list_policy(policy, subjectid) ⇒ String

Returns a policy in xml-format

Parameters:

• policy,subjectid (String, String)

Returns:

• (String) —

  XML of the policy

# File 'lib/authorization.rb', line 130

def self.list_policy(policy, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    return resource.get(:subjectid => subjectid,:id => policy)
  rescue
    return nil
  end
end

.list_policy_uris(policy, subjectid) ⇒ Hash

Lists policies alongside with affected uris

Parameters:

• subjectid (String)

Returns:

• (Hash) —

  keys: all policies of the subjectid owner, values: uris affected by those policies

# File 'lib/authorization.rb', line 154

def self.list_policy_uris( policy, subjectid )
  p = OpenTox::Policies.new
  p.load_xml( list_policy(policy, subjectid) )
  p.uris
end

.list_uri_policies(uri, subjectid) ⇒ Object

List all policynames for a URI. Requires URI and token. return [Array, nil] returns an Array of policy names or nil if request fails

Parameters:

• uri,subjectid (String, String)

# File 'lib/authorization.rb', line 184

def self.list_uri_policies(uri, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/pol")
    out = resource.get(:uri => uri, :polnames => true, :subjectid => subjectid)        
    policies = []; notfirstline = false
    out.split("\n").each do |line|
      policies << line if notfirstline
      notfirstline = true    
    end
    return policies 
  rescue
    return nil
  end      
end

.list_user_groups(user, subjectid) ⇒ Array

Returns array of the LDAP-Groups of an user

Parameters:

• subjectid (String)

Returns:

• (Array) —

  gives array of LDAP groups of a user

# File 'lib/authorization.rb', line 243

def self.list_user_groups(user, subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/read")
    out = resource.post(:name => user, :admin => subjectid, :attributes_names => "group")
    grps = []
    out.split("\n").each do |line|
      grps << line.sub("identitydetails.group=","") if line.include?("identitydetails.group=")    
    end
    return grps
  rescue
    []
  end
end

.logout(subjectid) ⇒ Boolean

Logout on opensso. Make token invalid. Requires token

Parameters:

• subjectid (String) —

  the subjectid

Returns:

• (Boolean) —

  true if logout is OK

# File 'lib/authorization.rb', line 76

def self.logout(subjectid)
  begin
    resource = RestClient::Resource.new("#{AA_SERVER}/auth/logout")
    resource.post(:subjectid => subjectid)
    return true 
  rescue
    return false
  end
end

.send_policy(uri, subjectid) ⇒ Object

Send default policy with Authorization::AA class

Parameters:

• URI,subjectid (String, String)

# File 'lib/authorization.rb', line 280

def self.send_policy(uri, subjectid)
  return true if !AA_SERVER
  aa  = Authorization::AA.new(subjectid)
  ret = aa.send(uri)
  LOGGER.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{subjectid} - policy created: #{ret}"
  ret
end

.server ⇒ String^?

Returns the open-sso server set in the config file .opentox/config/.yaml

Returns:

• (String, nil) —

  the openSSO server URI or nil

# File 'lib/authorization.rb', line 55

def self.server
  return AA_SERVER
end

.uri_has_policy(uri, subjectid) ⇒ Object

Checks if a policy exists to a URI. Requires URI and token. return [Boolean]

Parameters:

• uri,subjectid (String, String)

# File 'lib/authorization.rb', line 175

def self.uri_has_policy(uri, subjectid)
  owner = get_uri_owner(uri, subjectid)
  return true if owner and owner != "null"
  false
end