搜索

CoSec基于 RBAC 和策略的多租户响应式安全框架

联合创作 · 2023-09-30 08:33

CoSec 是基于 RBAC 和策略的多租户响应式安全框架。

认证

Authentication-Flow

授权

Authorization-Flow

OAuth

OAuth-Flow

建模类图

Modeling

安全网关服务

Gateway

授权策略流程

Authorization Policy

内置策略匹配器

ActionMatcher

ActionMatcher

如何自定义 ActionMatcher (SPI)

参考 PathActionMatcher

class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        const val TYPE = "[CustomConditionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}
class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        //Custom matching logic
    }
}

 

META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory

# CustomActionMatcherFactory fully qualified name

ConditionMatcher

ConditionMatcher

如何自定义 ConditionMatcher (SPI)

参考 ContainsConditionMatcher

class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        const val TYPE = "[CustomConditionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}
class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        //Custom matching logic
    }
}

META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory

# CustomConditionMatcherFactory fully qualified name

策略 Schema

配置 Policy Schema 以支持 IDE (IntelliJ IDEA) 输入自动完成。

策略 Demo

{
  "id": "id",
  "name": "name",
  "category": "category",
  "description": "description",
  "type": "global",
  "tenantId": "tenantId",
  "condition": {
    "bool": {
      "and": [
        {
          "authenticated": {}
        },
        {
          "rateLimiter": {
            "permitsPerSecond": 10
          }
        }
      ]
    }
  },
  "statements": [
    {
      "action": {
        "path": {
          "pattern": "/user/#{principal.id}/*",
          "options": {
            "caseSensitive": false,
            "separator": "/",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "Anonymous",
      "action": [
        "/auth/register",
        "/auth/login"
      ]
    },
    {
      "name": "UserScope",
      "action": "/user/#{principal.id}/*",
      "condition": {
        "authenticated": {}
      }
    },
    {
      "name": "Developer",
      "action": "*",
      "condition": {
        "in": {
          "part": "context.principal.id",
          "value": [
            "developerId"
          ]
        }
      }
    },
    {
      "name": "RequestOriginDeny",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.origin",
          "pattern": "^(http|https)://github.com"
        }
      }
    },
    {
      "name": "IpBlacklist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "path": {
          "part": "request.remoteIp",
          "pattern": "192.168.0.*",
          "options": {
            "caseSensitive": false,
            "separator": ".",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "RegionWhitelist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.attributes.ipRegion",
          "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
        }
      }
    },
    {
      "name": "AllowDeveloperOrIpRange",
      "action": "*",
      "condition": {
        "bool": {
          "and": [
            {
              "authenticated": {}
            }
          ],
          "or": [
            {
              "in": {
                "part": "context.principal.id",
                "value": [
                  "developerId"
                ]
              }
            },
            {
              "path": {
                "part": "request.remoteIp",
                "pattern": "192.168.0.*",
                "options": {
                  "caseSensitive": false,
                  "separator": ".",
                  "decodeAndParseSegments": false
                }
              }
            }
          ]
        }
      }
    },
    {
      "name": "TestContains",
      "effect": "allow",
      "action": "*",
      "condition": {
        "contains": {
          "part": "request.attributes.ipRegion",
          "value": "上海"
        }
      }
    },
    {
      "name": "TestStartsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "startsWith": {
          "part": "request.attributes.ipRegion",
          "value": "中国"
        }
      }
    },
    {
      "name": "TestEndsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "endsWith": {
          "part": "request.attributes.remoteIp",
          "value": ".168.0.1"
        }
      }
    }
  ]
}

应用权限元数据 Schema

配置 App Permission Schema 以支持 IDE (IntelliJ IDEA) 输入自动完成。

应用权限元数据 Demo

{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        {
          "authenticated": {}
        },
        {
          "groupedRateLimiter": {
            "part": "request.remoteIp",
            "permitsPerSecond": 10,
            "expireAfterAccessSecond": 1000
          }
        },
        {
          "inTenant": {
            "value": "default"
          }
        }
      ]
    }
  },
  "groups": [
    {
      "name": "order",
      "description": "order management",
      "permissions": [
        {
          "id": "manage.order.ship",
          "name": "Ship",
          "description": "Ship",
          "action": "/order/ship"
        },
        {
          "id": "manage.order.issueInvoice",
          "name": "Issue an invoice",
          "description": "Issue an invoice",
          "action": "/order/issueInvoice"
        }
      ]
    }
  ]
}

OpenTelemetry

CoSec-OpenTelemetry

CoSec 遵循 OpenTelemetry General identity attributes 规范。

CoSec-OpenTelemetry

感谢

CoSec 权限策略设计参考 AWS IAM 

浏览 7
点赞
评论
收藏
分享

手机扫一扫分享

编辑 分享
举报
评论
图片
表情
推荐
Datamill基于 RxJava 响应式框架
基于RxJava 的函数式 Reactive 风格的 Java web 框架。示例代码:public
Datamill基于 RxJava 响应式框架
0
Datamill基于 RxJava 响应式框架
基于RxJava的函数式Reactive风格的Javaweb框架。示例代码:public static void main(String[] args) {    // Note the Server
Datamill基于 RxJava 响应式框架
0
Centurion响应式框架
Centurion 是一个基于 SASS 和 CSS3 构建的响应式 Web 框架。
Centurion响应式框架
0
Groundwork响应式框架
GroundworkCSS是一个基于Sass预处理器的开源项目,主要用于快速构建响应式Web应用程序。拥有一个灵活的、可嵌套的网格系统,可以创建适应多种浏览设备的布局。Groundwork还提供多种U
Groundwork响应式框架
0
MQFramework响应式的 CSS 框架
MQFramework 是一个响应式的 CSS 框架,利用 @media 属性来适应不同的浏览器和尺
MQFramework响应式的 CSS 框架
0
Groundwork响应式框架
GroundworkCSS 是一个基于 Sass 预处理器的开源项目 ,主要用于快速构建响应式 We
Groundwork响应式框架
0
Centurion响应式框架
Centurion是一个基于SASS和CSS3构建的响应式Web框架。
Centurion响应式框架
0
MQFramework响应式的 CSS 框架
MQFramework是一个响应式的CSS框架,利用@media属性来适应不同的浏览器和尺寸,基于12columngrid构建。
MQFramework响应式的 CSS 框架
0
Coral基于 RBAC 的后台管理权限基础框架
Coral 是 Gem 家族成员之一,英文发音[ˈkɒrəl] 释义“珊瑚”。2020年首次与大家见
Coral基于 RBAC 的后台管理权限基础框架
0
Coral基于 RBAC 的后台管理权限基础框架
Coral是Gem家族成员之一,英文发音[ˈkɒrəl]释义“珊瑚”。2020年首次与大家见面。Coral企业快速开发框架,基于SpringBoot2.2x,MyBatis,Shiro等主流框架开发;
Coral基于 RBAC 的后台管理权限基础框架
0
点赞
评论
收藏
分享

手机扫一扫分享

编辑 分享
举报