Module: AccessPolicy

Defined in:
lib/access_policy.rb

Instance Method Summary collapse

Instance Method Details

#authorize_access(user_role) ⇒ Object 



3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
# File 'lib/access_policy.rb', line 3

def authorize_access(user_role) 
    user_role = 'default' if user_role.nil? 
    request_url = request.path
    http_method = request.method_symbol.downcase.to_s   
    eligible_rules = get_rules(user_role,request_url)
    eligible_inherited_rules = get_inherited_rules(user_role,request_url) #array of arrays

    matched_rule = get_matched_rule(eligible_rules,http_method) 
    if matched_rule.length.zero?
        eligible_inherited_rules.each do |rules_arr|
            matched_rule = get_matched_rule(rules_arr,http_method)
            break if !matched_rule.length.zero?
        end
    end
     
    #decison maker

    action_type = ''
    action_type = policy_data()[user_role]['default-action']  if matched_rule.length.zero?
    action_type = matched_rule.first['action']  if !matched_rule.length.zero? 
    
    if( action_type =='deny')
        res_json = generate_message_response_json('Access to the requested resource is not allowed')
        render json: res_json, status: 403
    end
end

#get_inherited_rules(parent_key, request_url) ⇒ Object 



43
44
45
46
47
48
49
50
51
52
53
54
55
56
 
# File 'lib/access_policy.rb', line 43

def get_inherited_rules(parent_key,request_url)
    inherited_roles_arr =[]
    inherited_rules_arr =[]
    policy_master = policy_data()
    inherited_role = policy_master[parent_key]["inherits"]
    if !(inherited_role.nil?) 
        while(!inherited_role.nil?) do 
            inherited_roles_arr << inherited_role 
            inherited_rules_arr << get_rules(inherited_role,request_url)
            inherited_role = policy_master[inherited_role]["inherits"] 
        end 
    end
    return inherited_rules_arr
end

#get_matched_rule(eligible_rules, http_method) ⇒ Object 



62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 
# File 'lib/access_policy.rb', line 62

def get_matched_rule(eligible_rules,http_method)
    matched_rules =[]
    prioriy_arr =[]
    eligible_rules.each do |rule|
        match_found= true
        methods_present = rule.key?('methods')
        params_present = rule.key?('params')
        if(methods_present)
            match_found = false if !(rule['methods'].map(&:downcase).include?(http_method.downcase))
        end
        if(params_present)
            eligible_http_params = rule['params'].select{|x| x['method'].downcase == http_method.downcase} #array

            
            if !eligible_http_params.length.zero?
                eligible_http_param = eligible_http_params.first
                param_location ='url' #default

                param_location = eligible_http_param['param-location'] if eligible_http_param.key?('param-location')
                param_path = eligible_http_param['param-path'] #string

                permitted_values = [] #array

                permitted_values =  eligible_http_param['values'] if eligible_http_param.key?('values')
                incoming_params_val=nil
                if(param_location =='url' ||param_location =='body' )
                    incoming_params_val = params[param_path.to_sym]
                elsif
                    raw_post = JSON.parse(request.raw_post)
                    incoming_params_val = JsonPath.on(raw_post, param_path).first
                end
                match_found = false if !(permitted_values.include?(incoming_params_val))  
            end  
        end
        
        if match_found
            matched_rules<< rule  
            prioriy_arr<< rule['priority']
        end
    end #eligible rules end

    if !(matched_rules.length.zero?)
        max_priority = prioriy_arr.map(&:to_i).max
        # select only highest priority rule

        matched_rules = matched_rules.select{|x| x['priority'] == max_priority}
    
    end
    return matched_rules
end

#get_rules(parent_key, request_url) ⇒ Object 



27
28
29
30
31
32
33
34
35
36
37
 
# File 'lib/access_policy.rb', line 27

def get_rules(parent_key,request_url)
    policy_master = policy_data()
    eligible_rules = []
    policy_master[parent_key]["rules"].each do |rule|
        pattern ='absolute' #default

        pattern = rule['url']['pattern'] if  rule['url'].key?('pattern')
        eligible_rules << rule   if pattern == 'absolute' && request_url == rule['url']['value']
        eligible_rules << rule   if pattern == 'regex' && matched_url?(request_url,rule['url']['value'])
    end
    return eligible_rules
end

#matched_url?(url, regex_str) ⇒ Boolean

Returns:

  • (Boolean) 


58
59
60
 
# File 'lib/access_policy.rb', line 58

def matched_url?(url,regex_str)
    !!(url =~ Regexp.new(regex_str ))
end

#policy_dataObject 



39
40
41
 
# File 'lib/access_policy.rb', line 39

def policy_data()
    return Rails.configuration.AccessPolicyMaster
end