Refactor: Remove Statement.conditions (#63)
* Refactor: Remove `Statement.conditions`
Ahoo-Wang authored Jan 7, 2023
1 parent 02c3aaf commit 4117211
Showing 12 changed files with 212 additions and 255 deletions.
130 changes: 59 additions & 71 deletions README.md
Expand Up @@ -81,11 +81,9 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
"pattern": "/user/#{principal.id}/*"
}
],
"conditions": [
{
"type": "authenticated"
}
]
"condition": {
"type": "authenticated"
}
},
{
"name": "Developer",
Expand All @@ -95,15 +93,13 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
"type": "all"
}
],
"conditions": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
}
]
"condition": {
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
}
},
{
"name": "RequestOriginDeny",
Expand All @@ -113,14 +109,12 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
"type": "all"
}
],
"conditions": [
{
"type": "reg",
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
]
"condition": {
"type": "reg",
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
},
{
"name": "IpBlacklist",
Expand All @@ -130,18 +124,16 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
"type": "all"
}
],
"conditions": [
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
"condition": {
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
},
{
"name": "RegionWhitelist",
Expand All @@ -151,14 +143,12 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
"type": "all"
}
],
"conditions": [
{
"negate": true,
"type": "reg",
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
]
"condition": {
"negate": true,
"type": "reg",
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
},
{
"name": "AllowDeveloperOrIpRange",
Expand All @@ -168,37 +158,35 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
"type": "all"
}
],
"conditions": [
{
"type": "bool",
"bool": {
"and": [
{
"type": "authenticated"
}
],
"or": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
"condition": {
"type": "bool",
"bool": {
"and": [
{
"type": "authenticated"
}
],
"or": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
},
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
}
"pattern": "192.168.0.*"
}
]
}
]
}
}
]
}
130 changes: 59 additions & 71 deletions README.zh-CN.md
Expand Up @@ -81,11 +81,9 @@
"pattern": "/user/#{principal.id}/*"
}
],
"conditions": [
{
"type": "authenticated"
}
]
"condition": {
"type": "authenticated"
}
},
{
"name": "Developer",
Expand All @@ -95,15 +93,13 @@
"type": "all"
}
],
"conditions": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
}
]
"condition": {
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
}
},
{
"name": "RequestOriginDeny",
Expand All @@ -113,14 +109,12 @@
"type": "all"
}
],
"conditions": [
{
"type": "reg",
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
]
"condition": {
"type": "reg",
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
},
{
"name": "IpBlacklist",
Expand All @@ -130,18 +124,16 @@
"type": "all"
}
],
"conditions": [
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
"condition": {
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
},
{
"name": "RegionWhitelist",
Expand All @@ -151,14 +143,12 @@
"type": "all"
}
],
"conditions": [
{
"negate": true,
"type": "reg",
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
]
"condition": {
"negate": true,
"type": "reg",
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
},
{
"name": "AllowDeveloperOrIpRange",
Expand All @@ -168,37 +158,35 @@
"type": "all"
}
],
"conditions": [
{
"type": "bool",
"bool": {
"and": [
{
"type": "authenticated"
}
],
"or": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
"condition": {
"type": "bool",
"bool": {
"and": [
{
"type": "authenticated"
}
],
"or": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
},
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
}
"pattern": "192.168.0.*"
}
]
}
]
}
}
]
}
Expand Up @@ -22,19 +22,11 @@ interface Statement : Named, PermissionVerifier {
val effect: Effect
val actions: List<ActionMatcher>
val condition: ConditionMatcher
val conditions: List<ConditionMatcher>

override fun verify(request: Request, securityContext: SecurityContext): VerifyResult {
if (!condition.match(request, securityContext)) {
return VerifyResult.IMPLICIT_DENY
}
conditions.any {
!it.match(request, securityContext)
}.let { anyNotMatched ->
if (anyNotMatched) {
return VerifyResult.IMPLICIT_DENY
}
}
actions.any {
it.match(request, securityContext)
}.let { anyMatched ->
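Review bot: `condition` on the `Statement` interface carries no KDoc, and after this hunk it is the single gate that decides whether the statement is evaluated at all — a reader has to discover that from the early return in `verify`. I would document the property itself: `/** Gate checked before [actions]; when it does not match, [verify] returns [VerifyResult.IMPLICIT_DENY] without matching any action. Conjunctions that the removed conditions list expressed are written as one composite matcher (the "bool" condition type shown in the README). */`. The remaining `actions.any { ... }.let { anyMatched -> ...` tail keeps the same let-then-branch shape as the block this commit removes; a direct `if (actions.none { it.match(request, securityContext) })` guard would read more plainly, though what it returns lies outside the hunk. `verify` continues past the end of the hunk.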
Expand Up @@ -53,9 +53,7 @@ object DefaultPolicyEvaluator : PolicyEvaluator {
it.match(mockRequest, mockContext)
}

statement.conditions.forEach {
it.match(mockRequest, mockContext)
}
statement.condition.match(mockRequest, mockContext)
}
}
}
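Review bot: The boolean from `statement.condition.match(mockRequest, mockContext)` on the new line is discarded, exactly as the removed `forEach` discarded each result, so the purpose of the call is not visible from the code. If the intent is to exercise every matcher against a mock request so that a malformed matcher surfaces here rather than on a live request, a comment should say so: `// Exercise the condition against the mock request; the result is irrelevant, only a thrown exception matters.`. If the boolean was instead meant to be checked, this is a dropped check, which I cannot confirm from the hunk since the enclosing function starts outside it.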
Expand Up @@ -23,6 +23,5 @@ data class StatementData(
override val name: String = "",
override val effect: Effect = Effect.ALLOW,
override val actions: List<ActionMatcher> = listOf(),
override val condition: ConditionMatcher = AllConditionMatcher.INSTANCE,
override val conditions: List<ConditionMatcher> = listOf(),
override val condition: ConditionMatcher = AllConditionMatcher.INSTANCE
) : Statement
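Review bot: With `conditions` removed and `condition` still defaulting to `AllConditionMatcher.INSTANCE`, a policy document written against the previous schema (the `"conditions": [...]` form the README hunks replace) would, if the deserializer tolerates unknown properties, load as a `StatementData` whose condition always matches — the restriction the author configured would be silently dropped rather than rejected. I cannot see the JSON binding configuration from this hunk, so it may already be strict; if it is not, failing on the legacy key, or at least a load-time warning plus a migration note, keeps stale policies from becoming more permissive than intended. Separately, the original last parameter kept a trailing comma (`listOf(),`) and the new last line drops it; `override val condition: ConditionMatcher = AllConditionMatcher.INSTANCE,` keeps the parameter list's existing convention.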