CoSec
基于 RBAC 和策略的多租户响应式安全框架。
更新内容(v1.10.1) 🎉 🎉 🎉
-
特性:新增
ContainsConditionMatcher
。 -
{ "name": "TestContains", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "contains", "part": "request.attributes.ipRegion", "pattern": "上海" } }
认证
授权
OAuth
建模类图
安全网关服务
授权策略流程
内置策略匹配器
ActionMatcher
如何自定义 ActionMatcher
(SPI)
参考 RegularActionMatcher
class CustomActionMatcherFactory : ActionMatcherFactory { companion object { const val TYPE = "[CustomActionType]" } override val type: String get() = TYPE override fun create(onfiguration: Configuration): ActionMatcher { return CustomActionMatcher(onfiguration) } } class CustomActionMatcher(configuration: Configuration) : AbstractActionMatcher(CustomActionMatcherFactory.TYPE, configuration) { override val type: String get() = CustomActionMatcherFactory.TYPE override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean { //Custom matching logic } }
META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory
# CustomActionMatcherFactory fully qualified name
ConditionMatcher
如何自定义 ConditionMatcher
(SPI)
参考 ContainsConditionMatcher
class CustomConditionMatcherFactory : ConditionMatcherFactory { companion object { const val TYPE = "[CustomConditionType]" } override val type: String get() = TYPE override fun create(configuration: Configuration): ConditionMatcher { return CustomConditionMatcher(configuration) } } class CustomConditionMatcher(configuration: Configuration) : AbstractActionMatcher(CustomActionMatcherFactory.TYPE, configuration) { override val type: String get() = CustomConditionMatcherFactory.TYPE override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean { //Custom matching logic } }
META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory
# CustomConditionMatcherFactory fully qualified name
策略 Schema
Policy Schema
策略 Demo
{ "id": "id", "name": "name", "category": "category", "description": "description", "type": "global", "tenantId": "tenantId", "statements": [ { "name": "Anonymous", "effect": "allow", "actions": [ { "type": "path", "pattern": "/auth/register" }, { "type": "path", "pattern": "/auth/login" } ] }, { "name": "UserScope", "effect": "allow", "actions": [ { "type": "path", "pattern": "/user/#{principal.id}/*" } ], "condition": { "type": "authenticated" } }, { "name": "Developer", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "in", "part": "context.principal.id", "in": [ "developerId" ] } }, { "name": "RequestOriginDeny", "effect": "deny", "actions": [ { "type": "all" } ], "condition": { "type": "reg", "negate": true, "part": "request.origin", "pattern": "^(http|https)://github.com" } }, { "name": "IpBlacklist", "effect": "deny", "actions": [ { "type": "all" } ], "condition": { "type": "path", "part": "request.remoteIp", "path": { "caseSensitive": false, "separator": ".", "decodeAndParseSegments": false }, "pattern": "192.168.0.*" } }, { "name": "RegionWhitelist", "effect": "deny", "actions": [ { "type": "all" } ], "condition": { "negate": true, "type": "reg", "part": "request.attributes.ipRegion", "pattern": "^中国\\|0\\|(上海|广东省)\\|.*" } }, { "name": "AllowDeveloperOrIpRange", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "bool", "bool": { "and": [ { "type": "authenticated" } ], "or": [ { "type": "in", "part": "context.principal.id", "in": [ "developerId" ] }, { "type": "path", "part": "request.remoteIp", "path": { "caseSensitive": false, "separator": ".", "decodeAndParseSegments": false }, "pattern": "192.168.0.*" } ] } } } ] }
感谢
CoSec 权限策略设计参考 AWS IAM 。
还没有评论,来说两句吧...