ockam_abac 0.80.0

Attribute based authorization control
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

use ockam_core::async_trait;
use ockam_core::compat::boxed::Box;
use ockam_core::compat::fmt::Debug;
use ockam_core::compat::str;
use ockam_core::compat::sync::Arc;
use ockam_core::compat::vec::vec;
use ockam_core::Result;
use ockam_core::{IncomingAccessControl, RelayMessage};

use crate::abac::Abac;
use crate::abac::SUBJECT_KEY;
use crate::Expr::*;
use crate::{Env, Expr};
use ockam_core::compat::format;
use ockam_identity::{Identifier, IdentitiesAttributes};
use tracing::debug;

#[derive(Debug)]
pub struct IncomingAbac {
    expression: Expr,
    abac: Abac,
}

impl IncomingAbac {
    /// Create an AccessControl which will verify that the sender of
    /// a message has an authenticated attribute that resolves the expression to `true`
    pub fn create(
        identities_attributes: Arc<IdentitiesAttributes>,
        authority: Option<Identifier>,
        expression: Expr,
    ) -> Self {
        let abac = Abac::new(identities_attributes, authority, Env::new());

        Self { expression, abac }
    }

    /// Create an AccessControl which will verify that the sender of
    /// a message has an authenticated attribute with the correct name and value
    pub fn create_name_value(
        identities_attributes: Arc<IdentitiesAttributes>,
        authority: Option<Identifier>,
        attribute_name: &str,
        attribute_value: &str,
    ) -> Self {
        let expression = List(vec![
            Ident("=".into()),
            Ident(format!("{SUBJECT_KEY}.{attribute_name}")),
            Str(attribute_value.into()),
        ]);
        Self::create(identities_attributes, authority, expression)
    }

    /// Create an AccessControl which will verify that the sender of
    /// a message has an authenticated credential without checking any attributes
    pub fn check_credential_only(
        identities_attributes: Arc<IdentitiesAttributes>,
        authority: Identifier,
    ) -> Self {
        Self::create(identities_attributes, Some(authority), true.into())
    }

    /// Returns true if the sender of the message is validated by the expression stored in AbacAccessControl
    pub async fn is_authorized_impl(&self, relay_msg: &RelayMessage) -> Result<bool> {
        let identifier = match Abac::get_incoming_identifier(relay_msg) {
            Some(identifier) => identifier,
            None => {
                debug! {
                    policy = %self.expression,
                    "identity identifier not found; access denied"
                }

                return Ok(false);
            }
        };

        self.abac
            .is_identity_authorized(&identifier, &self.expression)
            .await
    }

    pub fn expression(&self) -> &Expr {
        &self.expression
    }

    pub fn abac(&self) -> &Abac {
        &self.abac
    }
}

#[async_trait]
impl IncomingAccessControl for IncomingAbac {
    /// Returns true if the sender of the message is validated by the expression stored in AbacAccessControl
    async fn is_authorized(&self, msg: &RelayMessage) -> Result<bool> {
        self.is_authorized_impl(msg).await
    }
}