Class: Verifica::AuthorizationResult

Inherits:

Object

• Object
• Verifica::AuthorizationResult

Defined in:

lib/verifica/authorization_result.rb

Overview

Outcome of the authorization, either successful or failed. Memoizes the state of variables that affected the decision. Could show why the authorization was successful or failed even if the concerned objects have changed.

See Also:

• Verifica::Authorizer#authorize

Instance Attribute Summary

• #acl ⇒ Acl readonly

  Access Control List returned by ACL provider registered for this #resource_type in Authorizer.

• #action ⇒ Symbol readonly

  Action that #subject attempted to perform on the #resource.

• #context ⇒ Hash readonly

  Any additional keyword arguments that have been passed to the authorization call.

• #resource ⇒ Object readonly

  Resource on which #subject attempted to perform #action.

• #resource_id ⇒ Object readonly

  Resource ID returned by resource.resource_id.

• #resource_type ⇒ Symbol readonly

  Resource type returned by resource#resource_type.

• #subject ⇒ Object readonly

  Subject of the authorization (e.g. current user, external service).

• #subject_id ⇒ Object readonly

  Subject ID returned by subject.subject_id.

• #subject_sids ⇒ Array<String> readonly

  Array of subject Security Identifiers returned by subject.subject_sids.

• #subject_type ⇒ Symbol^? readonly

  Subject type returned by subject.subject_type.

Instance Method Summary

• #allowed_actions ⇒ Array<Symbol>

  Array of actions allowed for given #subject or empty array if none.

• #explain ⇒ String

  Detailed, human-readable description of authorization result.

• #failure? ⇒ Boolean

  True if given #action is denied for given #subject.

• #initialize(subject, resource, action, acl, **context) ⇒ AuthorizationResult constructor private

  A new instance of AuthorizationResult.

• #message ⇒ String

  Human-readable description of authorization result.

• #success? ⇒ Boolean

  True if given #action is allowed for given #subject.

Constructor Details

#initialize(subject, resource, action, acl, **context) ⇒ AuthorizationResult

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of AuthorizationResult.

# File 'lib/verifica/authorization_result.rb', line 65

def initialize(subject, resource, action, acl, **context)
  @subject = subject
  sids = Verifica.subject_sids(subject, **context)
  @subject_sids = sids.map { _1.dup.freeze }.freeze
  @subject_id = subject.subject_id.dup.freeze
  @subject_type = subject.subject_type&.to_sym
  @resource = resource
  @resource_id = resource.resource_id.dup.freeze
  @resource_type = resource.resource_type.to_sym
  @action = action
  @acl = acl
  @context = context
  @success = acl.action_allowed?(action, @subject_sids)
  freeze
end

Instance Attribute Details

#acl ⇒ Acl (readonly)

Returns Access Control List returned by ACL provider registered for this #resource_type in Verifica::Authorizer.

Returns:

• (Acl) —

  Access Control List returned by ACL provider registered for this #resource_type in Verifica::Authorizer

# File 'lib/verifica/authorization_result.rb', line 55

def acl
  @acl
end

#action ⇒ Symbol (readonly)

Returns action that #subject attempted to perform on the #resource.

Returns:

• (Symbol) —

  action that #subject attempted to perform on the #resource

# File 'lib/verifica/authorization_result.rb', line 50

def action
  @action
end

#context ⇒ Hash (readonly)

Returns any additional keyword arguments that have been passed to the authorization call.

Returns:

• (Hash) —

  any additional keyword arguments that have been passed to the authorization call

See Also:

• Verifica::Authorizer#authorize

# File 'lib/verifica/authorization_result.rb', line 62

def context
  @context
end

#resource ⇒ Object (readonly)

Returns resource on which #subject attempted to perform #action.

Returns:

• (Object) —

  resource on which #subject attempted to perform #action

# File 'lib/verifica/authorization_result.rb', line 35

def resource
  @resource
end

#resource_id ⇒ Object (readonly)

Returns resource ID returned by resource.resource_id.

Returns:

• (Object) —

  resource ID returned by resource.resource_id

# File 'lib/verifica/authorization_result.rb', line 40

def resource_id
  @resource_id
end

#resource_type ⇒ Symbol (readonly)

Returns resource type returned by resource#resource_type.

Returns:

• (Symbol) —

  resource type returned by resource#resource_type

# File 'lib/verifica/authorization_result.rb', line 45

def resource_type
  @resource_type
end

#subject ⇒ Object (readonly)

Returns subject of the authorization (e.g. current user, external service).

Returns:

• (Object) —

  subject of the authorization (e.g. current user, external service)

# File 'lib/verifica/authorization_result.rb', line 15

def subject
  @subject
end

#subject_id ⇒ Object (readonly)

Returns subject ID returned by subject.subject_id.

Returns:

• (Object) —

  subject ID returned by subject.subject_id

# File 'lib/verifica/authorization_result.rb', line 20

def subject_id
  @subject_id
end

#subject_sids ⇒ Array<String> (readonly)

Returns array of subject Security Identifiers returned by subject.subject_sids.

Returns:

• (Array<String>) —

  array of subject Security Identifiers returned by subject.subject_sids

# File 'lib/verifica/authorization_result.rb', line 30

def subject_sids
  @subject_sids
end

#subject_type ⇒ Symbol^? (readonly)

Returns subject type returned by subject.subject_type.

Returns:

• (Symbol, nil) —

  subject type returned by subject.subject_type

# File 'lib/verifica/authorization_result.rb', line 25

def subject_type
  @subject_type
end

Instance Method Details

#allowed_actions ⇒ Array<Symbol>

Returns array of actions allowed for given #subject or empty array if none.

Returns:

• (Array<Symbol>) —

  array of actions allowed for given #subject or empty array if none

See Also:

• Verifica::Acl#allowed_actions

# File 'lib/verifica/authorization_result.rb', line 100

def allowed_actions
  acl.allowed_actions(subject_sids)
end

#explain ⇒ String

Returns detailed, human-readable description of authorization result. Includes subject, resource, resource ACL, and explains the reason why authorization was successful or failed. Extremely useful for debugging.

Returns:

• (String) —

  detailed, human-readable description of authorization result. Includes subject, resource, resource ACL, and explains the reason why authorization was successful or failed. Extremely useful for debugging.

# File 'lib/verifica/authorization_result.rb', line 118

def explain
  <<~MESSAGE
    #{message}

    \s\sSubject SIDs (#{subject_sids.empty? ? "empty" : subject_sids.size}):
    \s\s\s\s#{subject_sids}

    \s\sContext:
    \s\s\s\s#{context}

    \s\sResource ACL (#{acl.empty? ? "empty" : acl.size}):
    #{acl.to_a.map { "\s\s\s\s#{_1}" }.join("\n")}

    Reason: #{reason_message}
  MESSAGE
end

#failure? ⇒ Boolean

Returns true if given #action is denied for given #subject.

Returns:

• (Boolean) —

  true if given #action is denied for given #subject

# File 'lib/verifica/authorization_result.rb', line 91

def failure?
  !success?
end

#message ⇒ String

Returns human-readable description of authorization result. Includes subject, resource, and outcome.

Returns:

• (String) —

  human-readable description of authorization result. Includes subject, resource, and outcome

# File 'lib/verifica/authorization_result.rb', line 107

def message
  status = success? ? "SUCCESS" : "FAILURE"
  "Authorization #{status}. Subject '#{subject_type}' id='#{subject_id}'. Resource '#{resource_type}' " \
    "id='#{resource_id}'. Action '#{action}'"
end

#success? ⇒ Boolean

Returns true if given #action is allowed for given #subject.

Returns:

• (Boolean) —

  true if given #action is allowed for given #subject

# File 'lib/verifica/authorization_result.rb', line 84

def success?
  @success
end