Module: OpenTox::Authorization

Defined in:
lib/authorization.rb

Overview

Module for Authorization and Authentication

Examples:

Authentication

require "opentox-client"
OpenTox::Authorization::AA = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[SERVICE].rb
OpenTox::Authorization.authenticate("username", "password")
puts OpenTox::Authorization.authorize("http://example.uri/testpath/", "GET")

See Also:

Defined Under Namespace

Classes: Helper

Class Method Summary collapse

Class Method Details

.authenticate(user, pw) ⇒ Boolean

Authentication against OpenSSO. Returns token. Requires Username and Password.


68
69
70
71
72
73
74
75
76
77
78
79
80
# File 'lib/authorization.rb', line 68

def self.authenticate(user, pw)
  begin
    res = RestClientWrapper.post("#{AA}/auth/authenticate",{:username=>user, :password => pw},{:subjectid => ""}).sub("token.id=","").sub("\n","")
    if is_token_valid(res)
      RestClientWrapper.subjectid = res
      return true
    else
      bad_request_error "Authentication failed #{res.inspect}"
    end
  rescue
    bad_request_error "Authentication failed #{res.inspect}"
  end
end

.authorize(uri, action, subjectid = RestClientWrapper.subjectid) ⇒ Boolean?

Authorization against OpenSSO for a URI with request-method (action) [GET/POST/PUT/DELETE]


100
101
102
103
# File 'lib/authorization.rb', line 100

def self.authorize(uri, action, subjectid=RestClientWrapper.subjectid)
  return true if RestClientWrapper.post("#{AA}/auth/authorize",{:subjectid => subjectid, :uri => uri, :action => action})== "boolean=true\n"
  return false
end

.authorized?(uri, request_method) ⇒ Boolean

Check Authorization for a resource (identified via URI) with method and subjectid.


332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
# File 'lib/authorization.rb', line 332

def self.authorized?(uri, request_method)
  return true unless $aa[:uri]
  request_method = request_method.to_sym if request_method
  if $aa[:free_request].include?(request_method)
    true
  elsif OpenTox::Authorization.free_uri?(uri, request_method)
    true
  elsif $aa[:authenticate_request].include?(request_method)
    ret = OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
    $logger.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
    ret
  elsif OpenTox::Authorization.authorize_exception?(uri, request_method)
    ret = OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
    $logger.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
    ret
  elsif $aa[:authorize_request].include?(request_method)
    ret = OpenTox::Authorization.authorize(uri, request_method)
    $logger.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}" unless ret
    ret
  else
    $logger.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{RestClientWrapper.subjectid}"
    false
  end
end

.check_policy(uri) ⇒ Boolean

Checks (if subjectid is valid) if a policy exist and create default policy if not


301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
# File 'lib/authorization.rb', line 301

def self.check_policy(uri)
  return true unless uri and RestClientWrapper.subjectid
  unless OpenTox::Authorization.is_token_valid(RestClientWrapper.subjectid)
    $logger.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{RestClientWrapper.subjectid}"
    return false
  end

  if !uri_has_policy(uri)
    # if no policy exists, create a policy, return result of send policy
    send_policy(uri)
  else
    # if policy exists check for POST rights
    if authorize(uri, "POST")
      true
   else
      $logger.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{RestClientWrapper.subjectid}"
      false
    end
  end
  true
end

.create_policy(policy) ⇒ Object

Sends a policy in xml-format to opensso server. Requires policy-xml and token. return [Boolean] returns true if policy is created


214
215
216
217
218
219
220
221
# File 'lib/authorization.rb', line 214

def self.create_policy(policy)
  begin
    $logger.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token: #{RestClientWrapper.subjectid} ."
    return true if RestClientWrapper.post("#{AA}/Pol/opensso-pol",policy, {:content_type =>  "application/xml"})
  rescue
    return false
  end
end

.delete_policies_from_uri(uri) ⇒ Boolean

Deletes all policies of an URI


286
287
288
289
290
291
292
293
294
295
# File 'lib/authorization.rb', line 286

def self.delete_policies_from_uri(uri)
  policies = list_uri_policies(uri)
  if policies
    policies.each do |policy|
      ret = delete_policy(policy)
      $logger.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}"
    end
  end
  return true
end

.delete_policy(policy) ⇒ Boolean?

Deletes a policy


227
228
229
230
231
232
233
234
# File 'lib/authorization.rb', line 227

def self.delete_policy(policy)
  begin
    $logger.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{RestClientWrapper.subjectid}"
    return true if RestClientWrapper.delete("#{AA}/pol",nil, {:id => policy})
  rescue
    return nil
  end
end

.get_uri_owner(uri) ⇒ Object

Returns the owner (who created the first policy) of an URI return [String, nil]owner,nil returns owner of the URI


166
167
168
169
170
171
172
# File 'lib/authorization.rb', line 166

def self.get_uri_owner(uri)
  begin
    return RestClientWrapper.get("#{AA}/pol",nil,{:uri => uri}).sub("\n","")
  rescue
    return nil
  end
end

.get_user(subjectid = RestClientWrapper.subjectid) ⇒ String

Returns the owner (user id) of a token


255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
# File 'lib/authorization.rb', line 255

def self.get_user subjectid=RestClientWrapper.subjectid
  begin
    out = RestClientWrapper.post("#{AA}/opensso/identity/attributes", {:subjectid => subjectid, :attributes_names => "uid"})
    user = ""; check = false
    out.split("\n").each do |line|
      if check
        user = line.sub("userdetails.attribute.value=","") if line.include?("userdetails.attribute.value=")
        check = false
      end
      check = true if line.include?("userdetails.attribute.name=uid")
    end
    return user
  rescue
    nil
  end
end

.is_token_valid(subjectid = RestClientWrapper.subjectid) ⇒ Boolean Also known as: token_valid?

Checks if a token is a valid token


108
109
110
111
112
113
114
115
# File 'lib/authorization.rb', line 108

def self.is_token_valid(subjectid=RestClientWrapper.subjectid)
  begin
    return true if RestClientWrapper.post("#{AA}/auth/isTokenValid",:tokenid => subjectid) == "boolean=true\n"
  rescue #do rescue because openSSO throws 401
    return false
  end
  return false
end

.list_policiesArray?

Returns array with all policies of the token owner


120
121
122
123
124
125
126
127
# File 'lib/authorization.rb', line 120

def self.list_policies
  begin
    out = RestClientWrapper.get("#{AA}/pol",nil)
    return out.split("\n")
  rescue
    return nil
  end
end

.list_policies_urisHash

Lists policies alongside with affected uris


144
145
146
147
148
149
150
151
# File 'lib/authorization.rb', line 144

def self.list_policies_uris
  names = list_policies
  policies = {}
  names.each do |n|
    policies[n] = list_policy_uris n 
  end
  policies
end

.list_policy(policy) ⇒ String

Returns a policy in xml-format


133
134
135
136
137
138
139
# File 'lib/authorization.rb', line 133

def self.list_policy(policy)
  begin
    return RestClientWrapper.get("#{AA}/pol",nil,{:id => policy})
  rescue
    return nil
  end
end

.list_policy_uris(policy) ⇒ Hash

Lists policies alongside with affected uris


156
157
158
159
160
# File 'lib/authorization.rb', line 156

def self.list_policy_uris( policy )
  p = OpenTox::Policies.new
  p.load_xml( list_policy(policy) )
  p.uris
end

.list_uri_policies(uri) ⇒ Object

List all policynames for a URI. Requires URI and token. return [Array, nil] returns an Array of policy names or nil if request fails


196
197
198
199
200
201
202
203
204
205
206
207
208
# File 'lib/authorization.rb', line 196

def self.list_uri_policies(uri)
  begin
    out = RestClientWrapper.get("#{AA}/pol",nil,{:uri => uri, :polnames => true})
    policies = []; notfirstline = false
    out.split("\n").each do |line|
      policies << line if notfirstline
      notfirstline = true
    end
    return policies
  rescue
    return nil
  end
end

.list_user_groups(user) ⇒ Array

Returns array of the LDAP-Groups of an user


239
240
241
242
243
244
245
246
247
248
249
250
# File 'lib/authorization.rb', line 239

def self.list_user_groups(user)
  begin
    out = RestClientWrapper.post("#{AA}/opensso/identity/read", {:name => user, :admin => RestClientWrapper.subjectid, :attributes_names => "group"})
    grps = []
    out.split("\n").each do |line|
      grps << line.sub("identitydetails.group=","") if line.include?("identitydetails.group=")
    end
    return grps
  rescue
    []
  end
end

.logout(subjectid = RestClientWrapper.subjectid) ⇒ Boolean

Logout on opensso. Make token invalid. Requires token


85
86
87
88
89
90
91
92
93
# File 'lib/authorization.rb', line 85

def self.logout(subjectid=RestClientWrapper.subjectid)
  begin
    out = RestClientWrapper.post("#{AA}/auth/logout", :subjectid => subjectid)
    return true unless is_token_valid(subjectid)
  rescue
    return false
  end
  return false
end

.methodBoolean

methods: free_uri and authorize_exception


362
363
364
365
366
367
368
369
370
371
372
373
374
375
# File 'lib/authorization.rb', line 362

[:free_uri, :authorize_exception].each do |method|
  define_method "#{method}?".to_sym do |uri, request_method|
    if $aa["#{method}s".to_sym]
      $aa["#{method}s".to_sym].each do |request_methods, uris|
        if request_methods and uris and request_methods.include?(request_method.to_sym)
          uris.each do |u|
            return true if u.match uri
          end
        end
      end
    end
    return false
  end
end

.send_policy(uri) ⇒ Object

Send default policy with Authorization::Helper class


275
276
277
278
279
280
# File 'lib/authorization.rb', line 275

def self.send_policy(uri)
  aa  = Authorization::Helper.new
  ret = aa.send(uri)
  $logger.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{RestClientWrapper.subjectid} - policy created: #{ret}"
  ret
end

.serverString?

Returns the open-sso server set in the config file .opentox/config/.yaml


60
61
62
# File 'lib/authorization.rb', line 60

def self.server
  return AA
end

.uri_has_policy(uri) ⇒ Object

Checks if a policy exists to a URI. Requires URI and token. return [Boolean]


186
187
188
189
190
# File 'lib/authorization.rb', line 186

def self.uri_has_policy(uri)
  owner = get_uri_owner(uri)
  return true if owner and owner != "null"
  false
end

.uri_owner?(uri) ⇒ Boolean

Returns true or false if owner (who created the first policy) of an URI return [Boolean]true,false status of ownership of the URI


178
179
180
# File 'lib/authorization.rb', line 178

def self.uri_owner?(uri)
  get_uri_owner(uri) == get_user
end