Module: ARBACVerifier::Utils

Extended by:
T::Sig
Included in:
ReachabilityVerifier
Defined in:
lib/arbac_verifier/modules/utils.rb

Instance Method Summary collapse

Instance Method Details

#backward_slicing(policy) ⇒ Object 



48
49
50
51
52
53
54
55
56
57
58
59
 
# File 'lib/arbac_verifier/modules/utils.rb', line 48

def backward_slicing(policy)
  relevant_roles = overaproximate_relevant_roles(policy)
  unused_roles = policy.roles - relevant_roles
  Instance.new(
    can_assign_rules: policy.can_assign_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
    can_revoke_rules: policy.can_revoke_rules.to_a.select { |rule| !unused_roles.include? rule.target_role }.to_set,
    user_to_role: policy.user_to_role,
    roles: policy.roles - unused_roles,
    users: policy.users,
    goal: policy.goal
  )
end

#forward_slicing(policy) ⇒ Object 



10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
 
# File 'lib/arbac_verifier/modules/utils.rb', line 10

def forward_slicing(policy)
  reachable_roles = overaproximate_reachable_roles(policy)
  unused_roles = policy.roles - reachable_roles
  reduced_can_assign_rules = policy.can_assign_rules.to_a
                                   .select { |rule| not(unused_roles.include?(rule.target_role)) && (rule.positive_precondition_roles & unused_roles).empty? }
                                   .map { |rule| Rules::CanAssign.new(rule.user_role, rule.positive_precondition_roles, rule.negative_precondition_roles - unused_roles, rule.target_role )}
                                   .to_set
  reduced_can_revoke_rules = policy.can_revoke_rules.to_a
                                   .select { |rule| not(unused_roles.include? rule.target_role) }
                                   .to_set
  new_instance = Instance.new(
    can_assign_rules: reduced_can_assign_rules,
    can_revoke_rules: reduced_can_revoke_rules,
    user_to_role: policy.user_to_role,
    roles: policy.roles - unused_roles,
    users: policy.users,
    goal: policy.goal
  )
  new_instance
end

#overaproximate_reachable_roles(policy) ⇒ Object 



32
33
34
35
36
37
38
39
40
41
42
43
44
45
 
# File 'lib/arbac_verifier/modules/utils.rb', line 32

def overaproximate_reachable_roles(policy)
  reachable_roles = T.let(Set.new, T::Set[Symbol])
  evolving_roles_set = policy.user_to_role.map(&:role).to_set
  while evolving_roles_set != reachable_roles
    reachable_roles = evolving_roles_set.dup
    policy.can_assign_rules.each do |car|
      precondition_roles = car.positive_precondition_roles | [car.user_role]
      if precondition_roles.proper_subset?(reachable_roles)
        evolving_roles_set << car.target_role
      end
    end
  end
  reachable_roles
end

#overaproximate_relevant_roles(policy) ⇒ Object 



62
63
64
65
66
67
68
69
70
71
72
73
74
 
# File 'lib/arbac_verifier/modules/utils.rb', line 62

def overaproximate_relevant_roles(policy)
  relevant_roles = T.let(Set.new, T::Set[Symbol])
  evolving_roles_set = T.let(Set.new([policy.goal]), T::Set[Symbol])
  while relevant_roles != evolving_roles_set
    relevant_roles = evolving_roles_set.dup
    policy.can_assign_rules.each do |car|
      if relevant_roles.include? car.target_role
        evolving_roles_set = evolving_roles_set | [car.user_role] | car.positive_precondition_roles | car.negative_precondition_roles
      end
    end
  end
  relevant_roles
end