Refactor: Enhance Statement.name (#56)
Ahoo-Wang authored Jan 6, 2023
1 parent bece707 commit 68b407d
Showing 20 changed files with 350 additions and 289 deletions.
105 changes: 55 additions & 50 deletions README.md
Expand Up @@ -49,95 +49,100 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.

```json
{
"id": "2",
"name": "auth",
"category": "auth",
"description": "",
"id": "id",
"name": "name",
"category": "category",
"description": "description",
"type": "global",
"tenantId": "1",
"tenantId": "tenantId",
"statements": [
{
"name": "Anonymous",
"effect": "allow",
"actions": [
{
"type": "all"
"type": "path",
"pattern": "/auth/register"
},
{
"type": "none"
},
"type": "path",
"pattern": "/auth/login"
}
]
},
{
"name": "UserScope",
"effect": "allow",
"actions": [
{
"type": "path",
"methods": [
"GET",
"POST",
"PUT",
"DELETE"
],
"pattern": "/user/{userId}/*"
"pattern": "/user/#{principal.id}/*"
}
],
"conditions": [
{
"type": "authenticated"
},
}
]
},
{
"name": "Developer",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"conditions": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"userId"
"developerId"
]
}
]
},
{
"name": "RequestOriginDeny",
"effect": "deny",
"actions": [
{
"type": "all",
"methods": [
"GET"
]
},
{
"type": "none"
},
{
"type": "path",
"pattern": ".*"
},
{
"type": "path",
"pattern": "#{principal.id}.*"
},
"type": "all"
}
],
"conditions": [
{
"type": "reg",
"pattern": ".*"
},
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
]
},
{
"name": "IpBlacklist",
"effect": "deny",
"actions": [
{
"type": "reg",
"pattern": "#{principal.id}.*"
"type": "all"
}
],
"conditions": [
{
"type": "all"
},
{
"type": "none"
},
{
"type": "spel",
"pattern": "context.principal.id=='1'"
},
{
"type": "ognl",
"pattern": "path == \"auth/login\""
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
}
]
}

```

## Thanks
105 changes: 55 additions & 50 deletions README.zh-CN.md
Expand Up @@ -49,95 +49,100 @@

```json
{
"id": "2",
"name": "auth",
"category": "auth",
"description": "",
"id": "id",
"name": "name",
"category": "category",
"description": "description",
"type": "global",
"tenantId": "1",
"tenantId": "tenantId",
"statements": [
{
"name": "Anonymous",
"effect": "allow",
"actions": [
{
"type": "all"
"type": "path",
"pattern": "/auth/register"
},
{
"type": "none"
},
"type": "path",
"pattern": "/auth/login"
}
]
},
{
"name": "UserScope",
"effect": "allow",
"actions": [
{
"type": "path",
"methods": [
"GET",
"POST",
"PUT",
"DELETE"
],
"pattern": "/user/{userId}/*"
"pattern": "/user/#{principal.id}/*"
}
],
"conditions": [
{
"type": "authenticated"
},
}
]
},
{
"name": "Developer",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"conditions": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"userId"
"developerId"
]
}
]
},
{
"name": "RequestOriginDeny",
"effect": "deny",
"actions": [
{
"type": "all",
"methods": [
"GET"
]
},
{
"type": "none"
},
{
"type": "path",
"pattern": ".*"
},
{
"type": "path",
"pattern": "#{principal.id}.*"
},
"type": "all"
}
],
"conditions": [
{
"type": "reg",
"pattern": ".*"
},
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
]
},
{
"name": "IpBlacklist",
"effect": "deny",
"actions": [
{
"type": "reg",
"pattern": "#{principal.id}.*"
"type": "all"
}
],
"conditions": [
{
"type": "all"
},
{
"type": "none"
},
{
"type": "spel",
"pattern": "context.principal.id=='1'"
},
{
"type": "ognl",
"pattern": "path == \"auth/login\""
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
}
]
}

```

## 感谢
Expand Up @@ -24,5 +24,5 @@ interface Policy : Named, Tenant {
val category: String
val description: String
val type: PolicyType
val statements: Set<Statement>
val statements: List<Statement>
}
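Review bot: `val statements: List<Statement>` replaces a `Set` on the interface, so duplicate statements are now representable and their position becomes part of the contract, yet the property still carries no KDoc saying either. The consumer in this same commit logs `Statement[$index]`, so order is already observable to operators. Add a line such as `/** Statements in declaration order; the list may contain duplicates. */` above the property so implementors and policy loaders know deduplication is no longer performed here.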
Expand Up @@ -13,13 +13,15 @@

package me.ahoo.cosec.api.policy

import me.ahoo.cosec.api.Named
import me.ahoo.cosec.api.context.SecurityContext
import me.ahoo.cosec.api.context.request.Request

interface Statement : PermissionVerifier {
interface Statement : Named, PermissionVerifier {
override val name: String
val effect: Effect
val actions: Set<ActionMatcher>
val conditions: Set<ConditionMatcher>
val actions: List<ActionMatcher>
val conditions: List<ConditionMatcher>

override fun verify(request: Request, securityContext: SecurityContext): VerifyResult {
conditions.all {
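Review bot: `override val name: String` on the new interface line redeclares the member that `Named` already supplies (per the added `import me.ahoo.cosec.api.Named`), so the redeclaration is presumably there to host documentation or tighten the type; if neither, drop it, otherwise give it a KDoc such as `/** Human-readable statement identifier; surfaced in authorization debug logs, so keep it free of secrets and line breaks. */`. The switch of `actions` and `conditions` from `Set` to `List` also permits duplicate matchers and makes declaration order observable, which is worth one line of KDoc on each property. `verify` begins in this hunk and continues past it.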
Expand Up @@ -39,11 +39,13 @@ class SimpleAuthorization(private val policyRepository: PolicyRepository) : Auth
policies.forEach { policy: Policy ->
policy.statements.filter { statement: Statement ->
statement.effect == Effect.DENY
}.forEach { statement: Statement ->
}.forEachIndexed { index, statement ->
val verifyResult = statement.verify(request, context)
if (verifyResult == VerifyResult.EXPLICIT_DENY) {
if (log.isDebugEnabled) {
log.debug("Verify [$request] [$context] matched Policy[${policy.id}] - [Explicit Deny].")
log.debug(
"Verify [$request] [$context] matched Policy[${policy.id}] Statement[$index][${statement.name}] - [Explicit Deny]."
)
}
return VerifyResult.EXPLICIT_DENY
}
Expand All @@ -53,11 +55,13 @@ class SimpleAuthorization(private val policyRepository: PolicyRepository) : Auth
policies.forEach { policy: Policy ->
policy.statements.filter { statement: Statement ->
statement.effect == Effect.ALLOW
}.forEach { statement: Statement ->
}.forEachIndexed { index, statement ->
val verifyResult = statement.verify(request, context)
if (verifyResult == VerifyResult.ALLOW) {
if (log.isDebugEnabled) {
log.debug("Verify [$request] [$context] matched Policy[${policy.id}] - [Allow].")
log.debug(
"Verify [$request] [$context] matched Policy[${policy.id}] Statement[$index][${statement.name}] - [Allow]."
)
}
return VerifyResult.ALLOW
}
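Review bot: `$index` in the new debug message of the DENY loop is the position within the filtered sub-list, not within `policy.statements`, because `forEachIndexed` runs after `.filter { statement.effect == Effect.DENY }`; the ALLOW loop in the second hunk has the same problem. An operator correlating `Statement[$index][name]` with the policy definition is pointed at the wrong statement whenever allow and deny statements are interleaved, which defeats the purpose of adding the index. Index before filtering, e.g. `policy.statements.withIndex().filter { (_, statement) -> statement.effect == Effect.DENY }.forEach { (index, statement) ->`, and mirror it for `Effect.ALLOW`. The enclosing function starts and ends outside both hunks.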
25 changes: 22 additions & 3 deletions cosec-core/src/main/kotlin/me/ahoo/cosec/policy/PolicyData.kt
Expand Up @@ -17,12 +17,31 @@ import me.ahoo.cosec.api.policy.Policy
import me.ahoo.cosec.api.policy.PolicyType
import me.ahoo.cosec.api.policy.Statement

data class PolicyData(
class PolicyData(
override val id: String,
override val category: String,
override val name: String,
override val description: String,
override val type: PolicyType,
override val tenantId: String,
override val statements: Set<Statement> = emptySet()
) : Policy
override val statements: List<Statement> = listOf()
) : Policy {

override fun equals(other: Any?): Boolean {
if (this === other) return true
if (javaClass != other?.javaClass) return false

other as PolicyData

if (id != other.id) return false
if (tenantId != other.tenantId) return false

return true
}

override fun hashCode(): Int {
var result = id.hashCode()
result = 31 * result + tenantId.hashCode()
return result
}
}
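Review bot: The hand-written `equals`/`hashCode` on the new class compare only `id` and `tenantId`, so two `PolicyData` instances with the same identity but different `statements`, `name` or `type` are equal, and nothing on the class states that this is the intended identity contract; the move from `data class` also silently drops the generated `toString` and `copy`. Document the contract above the class, e.g. `/** Identity is (tenantId, id); statements and other attributes do not participate in equality. */`, so code that deduplicates policies in a `Set` or keys a `Map` by them knows a stale revision can win over an updated one. `listOf()` as the default for `statements` is more idiomatically `emptyList()`.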
