ockam_abac 0.80.0

Attribute based authorization control
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

use core::fmt::Formatter;
use ockam_core::compat::boxed::Box;
use ockam_core::compat::fmt::Debug;
use ockam_core::compat::str;
use ockam_core::compat::sync::Arc;
use ockam_core::compat::vec::vec;
use ockam_core::RelayMessage;
use ockam_core::{async_trait, OutgoingAccessControl};
use ockam_core::{Address, DenyAll, Result};

use crate::abac::Abac;
use crate::abac::SUBJECT_KEY;
use crate::Expr::*;
use crate::{Env, Expr};
use ockam_core::compat::format;
use ockam_identity::{Identifier, IdentitiesAttributes};
use ockam_node::Context;
use tracing::debug;

pub struct OutgoingAbac {
    ctx: Context,
    expression: Expr,
    abac: Abac,
}

impl Debug for OutgoingAbac {
    fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result {
        f.debug_struct("OutgoingAbac")
            .field("expression", &self.expression)
            .field("abac", &self.abac)
            .finish()
    }
}

impl OutgoingAbac {
    /// Create an AccessControl which will verify that the receiver of
    /// a message has an authenticated attribute that resolves the expression to `true`
    pub fn create(
        ctx: &Context,
        identities_attributes: Arc<IdentitiesAttributes>,
        authority: Option<Identifier>,
        expression: Expr,
    ) -> Result<Self> {
        let ctx = ctx.new_detached(Address::random_tagged("OutgoingAbac"), DenyAll, DenyAll)?;
        let abac = Abac::new(identities_attributes, authority, Env::new());

        Ok(Self {
            ctx,
            expression,
            abac,
        })
    }

    /// Create an AccessControl which will verify that the receiver of
    /// a message has an authenticated attribute with the correct name and value
    pub fn create_name_value(
        ctx: &Context,
        identities_attributes: Arc<IdentitiesAttributes>,
        authority: Option<Identifier>,
        attribute_name: &str,
        attribute_value: &str,
    ) -> Result<Self> {
        let expression = List(vec![
            Ident("=".into()),
            Ident(format!("{SUBJECT_KEY}.{attribute_name}")),
            Str(attribute_value.into()),
        ]);
        Self::create(ctx, identities_attributes, authority, expression)
    }

    /// Create an AccessControl which will verify that the receiver of
    /// a message has an authenticated credential without checking any attributes
    pub fn check_credential_only(
        ctx: &Context,
        identities_attributes: Arc<IdentitiesAttributes>,
        authority: Identifier,
    ) -> Result<Self> {
        Self::create(ctx, identities_attributes, Some(authority), true.into())
    }

    /// Returns true if the sender of the message is validated by the expression stored in AbacAccessControl
    pub async fn is_authorized_impl(&self, relay_msg: &RelayMessage) -> Result<bool> {
        let identifier = match Abac::get_outgoing_identifier(&self.ctx, relay_msg)? {
            Some(identifier) => identifier,
            None => {
                debug! {
                    policy = %self.expression,
                    "identity identifier not found; access denied"
                }

                return Ok(false);
            }
        };

        self.abac
            .is_identity_authorized(&identifier, &self.expression)
            .await
    }
}

#[async_trait]
impl OutgoingAccessControl for OutgoingAbac {
    async fn is_authorized(&self, relay_msg: &RelayMessage) -> Result<bool> {
        self.is_authorized_impl(relay_msg).await
    }
}