Module: OpenTox::Authorization

Defined in:
lib/authorization.rb

Overview

Module for Authorization and Authentication

Examples:

Authentication

require "opentox-client"
OpenTox::Authorization::AA = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[SERVICE].rb
OpenTox::Authorization.authenticate("username", "password")
puts OpenTox::Authorization.authorize("http://example.uri/testpath/", "GET")

See Also:

Defined Under Namespace

Classes: Helper

Class Method Summary collapse

Class Method Details

.authenticate(user, pw) ⇒ Boolean

Authentication against OpenSSO. Returns token. Requires Username and Password.

Parameters:

Returns:

  • (Boolean)

    true if successful


68
69
70
71
72
73
74
75
76
77
78
79
80
# File 'lib/authorization.rb', line 68

def self.authenticate(user, pw)
  begin
    res = RestClientWrapper.post("#{AA}/auth/authenticate",{:username=>user, :password => pw},{:subjectid => ""}).sub("token.id=","").sub("\n","")
    if is_token_valid(res)
      RestClientWrapper.subjectid = res
      return true
    else
      bad_request_error "Authentication failed #{res.inspect}"
    end
  rescue
    bad_request_error "Authentication failed #{res.inspect}"
  end
end

.authorize(uri, action, subjectid = RestClientWrapper.subjectid) ⇒ Boolean?

Authorization against OpenSSO for a URI with request-method (action) [GET/POST/PUT/DELETE]

Parameters:

  • uri (String)

    URI to request

  • action (String)

    request method

  • subjectid (String) (defaults to: RestClientWrapper.subjectid)

Returns:

  • (Boolean, nil)

    returns true, false or nil (if authorization-request fails).


100
101
102
103
# File 'lib/authorization.rb', line 100

def self.authorize(uri, action, subjectid=RestClientWrapper.subjectid)
  return true if RestClientWrapper.post("#{AA}/auth/authorize",{:subjectid => subjectid, :uri => uri, :action => action})== "boolean=true\n"
  return false
end

.authorized?(uri, request_method) ⇒ Boolean

Check Authorization for a resource (identified via URI) with method and subjectid.

Parameters:

  • uri (String)

    URI

  • request_method (String)

    GET, POST, PUT, DELETE

  • subjectid (String)

Returns:

  • (Boolean)

    true if access granted, else otherwise


332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
# File 'lib/authorization.rb', line 332

def self.authorized?(uri, request_method)
  return true unless $aa[:uri]
  request_method = request_method.to_sym if request_method
  if $aa[:free_request].include?(request_method)
    true
  elsif OpenTox::Authorization.free_uri?(uri, request_method)
    true
  elsif $aa[:authenticate_request].include?(request_method)
    ret = OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
    $logger.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
    ret
  elsif OpenTox::Authorization.authorize_exception?(uri, request_method)
    ret = OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
    $logger.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
    ret
  elsif $aa[:authorize_request].include?(request_method)
    ret = OpenTox::Authorization.authorize(uri, request_method)
    $logger.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
    ret
  else
    $logger.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}"
    false
  end
end

.check_policy(uri) ⇒ Boolean

Checks (if subjectid is valid) if a policy exist and create default policy if not

Parameters:

Returns:

  • (Boolean)

    true if policy checked/created successfully (or no uri/subjectid given), false else


301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
# File 'lib/authorization.rb', line 301

def self.check_policy(uri)
  return true unless uri and RestClientWrapper.subjectid
  unless OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
    $logger.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{RestClientWrapper.subjectid}"
    return false
  end

  if !uri_has_policy(uri)
    # if no policy exists, create a policy, return result of send policy
    send_policy(uri)
  else
    # if policy exists check for POST rights
    if authorize(uri, "POST")
      true
   else
      $logger.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{RestClientWrapper.subjectid}"
      false
    end
  end
  true
end

.create_policy(policy) ⇒ Object

Sends a policy in xml-format to opensso server. Requires policy-xml and token. return [Boolean] returns true if policy is created

Parameters:

  • policy (String)

    XML string of a policy

  • subjectid (String)

214
215
216
217
218
219
220
221
# File 'lib/authorization.rb', line 214

def self.create_policy(policy)
  begin
    $logger.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token: #{RestClientWrapper.subjectid} ."
    return true if RestClientWrapper.post("#{AA}/Pol/opensso-pol",policy, {:content_type =>  "application/xml"})
  rescue
    return false
  end
end

.delete_policies_from_uri(uri) ⇒ Boolean

Deletes all policies of an URI

Parameters:

Returns:

  • (Boolean)

286
287
288
289
290
291
292
293
294
295
# File 'lib/authorization.rb', line 286

def self.delete_policies_from_uri(uri)
  policies = list_uri_policies(uri)
  if policies
    policies.each do |policy|
      ret = delete_policy(policy)
      $logger.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}"
    end
  end
  return true
end

.delete_policy(policy) ⇒ Boolean?

Deletes a policy

Parameters:

Returns:

  • (Boolean, nil)

227
228
229
230
231
232
233
234
# File 'lib/authorization.rb', line 227

def self.delete_policy(policy)
  begin
    $logger.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{RestClientWrapper.subjectid}"
    return true if RestClientWrapper.delete("#{AA}/pol",nil, {:id => policy})
  rescue
    return nil
  end
end

.get_uri_owner(uri) ⇒ Object

Returns the owner (who created the first policy) of an URI return [String, nil]owner,nil returns owner of the URI

Parameters:


166
167
168
169
170
171
172
# File 'lib/authorization.rb', line 166

def self.get_uri_owner(uri)
  begin
    return RestClientWrapper.get("#{AA}/pol",nil,{:uri => uri}).sub("\n","")
  rescue
    return nil
  end
end

.get_user(subjectid = RestClientWrapper.subjectid) ⇒ String

Returns the owner (user id) of a token

Parameters:

  • subjectid (String) (defaults to: RestClientWrapper.subjectid)

    optional (normally only used for testing)

Returns:


255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
# File 'lib/authorization.rb', line 255

def self.get_user subjectid=RestClientWrapper.subjectid
  begin
    out = RestClientWrapper.post("#{AA}/opensso/identity/attributes", {:subjectid => subjectid, :attributes_names => "uid"})
    user = ""; check = false
    out.split("\n").each do |line|
      if check
        user = line.sub("userdetails.attribute.value=","") if line.include?("userdetails.attribute.value=")
        check = false
      end
      check = true if line.include?("userdetails.attribute.name=uid")
    end
    return user
  rescue
    nil
  end
end

.is_token_valid(subjectid = RestClientWrapper.subjectid) ⇒ Boolean Also known as: token_valid?

Checks if a token is a valid token

Parameters:

  • subjectid (String) (defaults to: RestClientWrapper.subjectid)

    subjectid from openSSO session

Returns:

  • (Boolean)

    subjectid is valid or not.


108
109
110
111
112
113
114
115
# File 'lib/authorization.rb', line 108

def self.is_token_valid(subjectid=RestClientWrapper.subjectid)
  begin
    return true if RestClientWrapper.post("#{AA}/auth/isTokenValid",:tokenid => subjectid) == "boolean=true\n"
  rescue #do rescue because openSSO throws 401
    return false
  end
  return false
end

.list_policiesArray?

Returns array with all policies of the token owner

Parameters:

  • subjectid (String)

    requires subjectid

Returns:

  • (Array, nil)

    returns an Array of policy names or nil if request fails


120
121
122
123
124
125
126
127
# File 'lib/authorization.rb', line 120

def self.list_policies
  begin
    out = RestClientWrapper.get("#{AA}/pol",nil)
    return out.split("\n")
  rescue
    return nil
  end
end

.list_policies_urisHash

Lists policies alongside with affected uris

Parameters:

Returns:

  • (Hash)

    keys: all policies of the subjectid owner, values: uris affected by those policies


144
145
146
147
148
149
150
151
# File 'lib/authorization.rb', line 144

def self.list_policies_uris
  names = list_policies
  policies = {}
  names.each do |n|
    policies[n] = list_policy_uris n 
  end
  policies
end

.list_policy(policy) ⇒ String

Returns a policy in xml-format

Parameters:

Returns:

  • (String)

    XML of the policy


133
134
135
136
137
138
139
# File 'lib/authorization.rb', line 133

def self.list_policy(policy)
  begin
    return RestClientWrapper.get("#{AA}/pol",nil,{:id => policy})
  rescue
    return nil
  end
end

.list_policy_uris(policy) ⇒ Hash

Lists policies alongside with affected uris

Parameters:

Returns:

  • (Hash)

    keys: all policies of the subjectid owner, values: uris affected by those policies


156
157
158
159
160
# File 'lib/authorization.rb', line 156

def self.list_policy_uris( policy )
  p = OpenTox::Policies.new
  p.load_xml( list_policy(policy) )
  p.uris
end

.list_uri_policies(uri) ⇒ Object

List all policynames for a URI. Requires URI and token. return [Array, nil] returns an Array of policy names or nil if request fails

Parameters:


196
197
198
199
200
201
202
203
204
205
206
207
208
# File 'lib/authorization.rb', line 196

def self.list_uri_policies(uri)
  begin
    out = RestClientWrapper.get("#{AA}/pol",nil,{:uri => uri, :polnames => true})
    policies = []; notfirstline = false
    out.split("\n").each do |line|
      policies << line if notfirstline
      notfirstline = true
    end
    return policies
  rescue
    return nil
  end
end

.list_user_groups(user) ⇒ Array

Returns array of the LDAP-Groups of an user

Parameters:

Returns:

  • (Array)

    gives array of LDAP groups of a user


239
240
241
242
243
244
245
246
247
248
249
250
# File 'lib/authorization.rb', line 239

def self.list_user_groups(user)
  begin
    out = RestClientWrapper.post("#{AA}/opensso/identity/read", {:name => user, :admin => RestClientWrapper.subjectid, :attributes_names => "group"})
    grps = []
    out.split("\n").each do |line|
      grps << line.sub("identitydetails.group=","") if line.include?("identitydetails.group=")
    end
    return grps
  rescue
    []
  end
end

.logout(subjectid = RestClientWrapper.subjectid) ⇒ Boolean

Logout on opensso. Make token invalid. Requires token

Parameters:

  • subjectid (String) (defaults to: RestClientWrapper.subjectid)

    the subjectid

Returns:

  • (Boolean)

    true if logout is OK


85
86
87
88
89
90
91
92
93
# File 'lib/authorization.rb', line 85

def self.logout(subjectid=RestClientWrapper.subjectid)
  begin
    out = RestClientWrapper.post("#{AA}/auth/logout", :subjectid => subjectid)
    return true unless is_token_valid(subjectid)
  rescue
    return false
  end
  return false
end

.methodBoolean

methods: free_uri and authorize_exception

Returns:

  • (Boolean)

    checks if uri-method pair is included in $aa or $aa


362
363
364
365
366
367
368
369
370
371
372
373
374
375
# File 'lib/authorization.rb', line 362

[:free_uri, :authorize_exception].each do |method|
  define_method "#{method}?".to_sym do |uri, request_method|
    if $aa["#{method}s".to_sym]
      $aa["#{method}s".to_sym].each do |request_methods, uris|
        if request_methods and uris and request_methods.include?(request_method.to_sym)
          uris.each do |u|
            return true if u.match uri
          end
        end
      end
    end
    return false
  end
end

.send_policy(uri) ⇒ Object

Send default policy with Authorization::Helper class

Parameters:


275
276
277
278
279
280
# File 'lib/authorization.rb', line 275

def self.send_policy(uri)
  aa  = Authorization::Helper.new
  ret = aa.send(uri)
  $logger.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{RestClientWrapper.subjectid} - policy created: #{ret}"
  ret
end

.serverString?

Returns the open-sso server set in the config file .opentox/config/.yaml

Returns:

  • (String, nil)

    the openSSO server URI or nil


60
61
62
# File 'lib/authorization.rb', line 60

def self.server
  return AA
end

.uri_has_policy(uri) ⇒ Object

Checks if a policy exists to a URI. Requires URI and token. return [Boolean]

Parameters:


186
187
188
189
190
# File 'lib/authorization.rb', line 186

def self.uri_has_policy(uri)
  owner = get_uri_owner(uri)
  return true if owner and owner != "null"
  false
end

.uri_owner?(uri) ⇒ Boolean

Returns true or false if owner (who created the first policy) of an URI return [Boolean]true,false status of ownership of the URI

Parameters:

Returns:

  • (Boolean)

178
179
180
# File 'lib/authorization.rb', line 178

def self.uri_owner?(uri)
  get_uri_owner(uri) == get_user
end