Module: AccessPolicy

Defined in:
lib/access_policy.rb

Instance Method Summary collapse

Instance Method Details

#authorize_access(user_role) ⇒ Object 



3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
# File 'lib/access_policy.rb', line 3

def authorize_access(user_role) 
    user_role = 'default' if user_role.nil? 
    request_url = request.path
    http_method = request.method_symbol.downcase.to_s   
    eligible_rules = get_rules(user_role,request_url)
    eligible_inherited_rules = get_inherited_rules(user_role,request_url) #array of arrays
    matched_rule = get_matched_rule(eligible_rules,http_method) 
    if matched_rule.length.zero?
        eligible_inherited_rules.each do |rules_arr|
            matched_rule = get_matched_rule(rules_arr,http_method)
            break if !matched_rule.length.zero?
        end
    end
     
    #decison maker
    action_type = ''
    action_type = policy_data()[user_role]['default-action']  if matched_rule.length.zero?
    action_type = matched_rule.first['action']  if !matched_rule.length.zero? 
    
    if( action_type =='deny')
        res_json = generate_message_response_json('Access to the requested resource is not allowed')
        render json: res_json, status: 403
    end
end

#generate_message_response_json(message) ⇒ Object 



27
28
29
30
31
 
# File 'lib/access_policy.rb', line 27

def generate_message_response_json(message)
    response_data = {}
    response_data['message'] = message
    response_data
end

#get_inherited_rules(parent_key, request_url) ⇒ Object 



48
49
50
51
52
53
54
55
56
57
58
59
60
61
 
# File 'lib/access_policy.rb', line 48

def get_inherited_rules(parent_key,request_url)
    inherited_roles_arr =[]
    inherited_rules_arr =[]
    policy_master = policy_data()
    inherited_role = policy_master[parent_key]["inherits"]
    if !(inherited_role.nil?) 
        while(!inherited_role.nil?) do 
            inherited_roles_arr << inherited_role 
            inherited_rules_arr << get_rules(inherited_role,request_url)
            inherited_role = policy_master[inherited_role]["inherits"] 
        end 
    end
    return inherited_rules_arr
end

#get_matched_rule(eligible_rules, http_method) ⇒ Object 



67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
 
# File 'lib/access_policy.rb', line 67

def get_matched_rule(eligible_rules,http_method)
    matched_rules =[]
    prioriy_arr =[]
    eligible_rules.each do |rule|
        match_found= true
        methods_present = rule.key?('methods')
        params_present = rule.key?('params')
        if(methods_present)
            match_found = false if !(rule['methods'].map(&:downcase).include?(http_method.downcase))
        end
        if(params_present)
            eligible_http_params = rule['params'].select{|x| x['method'].downcase == http_method.downcase} #array
            
            if !eligible_http_params.length.zero?
                eligible_http_param = eligible_http_params.first
                param_location ='url' #default
                param_location = eligible_http_param['param-location'] if eligible_http_param.key?('param-location')
                param_path = eligible_http_param['param-path'] #string
                permitted_values = [] #array
                permitted_values =  eligible_http_param['values'] if eligible_http_param.key?('values')
                incoming_params_val=nil
                if(param_location =='url' ||param_location =='body' )
                    incoming_params_val = params[param_path.to_sym]
                elsif
                    raw_post = JSON.parse(request.raw_post)
                    incoming_params_val = JsonPath.on(raw_post, param_path).first
                end
                match_found = false if !(permitted_values.include?(incoming_params_val))  
            end  
        end
        
        if match_found
            matched_rules<< rule  
            prioriy_arr<< rule['priority']
        end
    end #eligible rules end
    if !(matched_rules.length.zero?)
        max_priority = prioriy_arr.map(&:to_i).max
        # select only highest priority rule
        matched_rules = matched_rules.select{|x| x['priority'] == max_priority}
    
    end
    return matched_rules
end

#get_rules(parent_key, request_url) ⇒ Object 



32
33
34
35
36
37
38
39
40
41
42
 
# File 'lib/access_policy.rb', line 32

def get_rules(parent_key,request_url)
    policy_master = policy_data()
    eligible_rules = []
    policy_master[parent_key]["rules"].each do |rule|
        pattern ='absolute' #default
        pattern = rule['url']['pattern'] if  rule['url'].key?('pattern')
        eligible_rules << rule   if pattern == 'absolute' && request_url == rule['url']['value']
        eligible_rules << rule   if pattern == 'regex' && matched_url?(request_url,rule['url']['value'])
    end
    return eligible_rules
end

#matched_url?(url, regex_str) ⇒ Boolean

Returns:

  • (Boolean) 


63
64
65
 
# File 'lib/access_policy.rb', line 63

def matched_url?(url,regex_str)
    !!(url =~ Regexp.new(regex_str ))
end

#policy_dataObject 



44
45
46
 
# File 'lib/access_policy.rb', line 44

def policy_data()
    return Rails.configuration.AccessPolicyMaster
end