Module watts_service_authz

This module handles the authorization of users, defined by their sessions, to request credentials at specific services.

Description

This module handles the authorization of users, defined by their sessions, to request credentials at specific services. In other words, it decides whether a user may trigger the run of a service's plugin or not.

Each service has two configuration options, allow and forbid (see config() below), each holding a list of rules.

Each entry is not a list of users but a rule that identifies users by their OpenID Connect information.

A user is allowed only if at least one allow rule evaluates to true and none of the forbid rules evaluate to true. An empty allow list therefore matches nobody, so by default all users are forbidden.

Data Types

config()

config() = #{allow => rules(), forbid => rules(), tooltip => binary(), hide => boolean()}

operation()

operation() = contains | is_member_of | equals | regexp | any

rule()

rule() = {ProviderId::binary(), Key::binary(), Operation::operation(), ConfigValue::value()}

rules()

rules() = [rule()]

value()

value() = binary() | [binary()] | re:mp() | boolean()

Function Index

(Functions marked with * are not exported.)

add_failed/6 *   Emit an error message and fail the rules.
any_rule_applies/3 *   Apply a list of rules to a user.
apply_rule/3 *   Get UserValue and run the operation; Default is returned on error.
does_provider_exist/2 *   Check if a provider exists and whether the provider is 'any'.
get_provider_id/1 *   Return the primary provider with which the user logged in.
get_rsp_provider_list/0 *   Get the list of RSP providers.
is_authorized/3   Check and return whether a user is allowed to use a service.
limit_rules_to_provider/3 *   Limit the rules to those that apply to the given provider.
maybe_add_to_result/5 *   Only add a rule if the provider it names exists.
perform_operation/3 *   Perform the given operation.
return_provider_id_if_found/1 *   Return the provider id if passed a valid pid.
return_rsp_if_enabled_and_exists/3 *   Return the RSP id if RSPs are enabled and it exists.
validate/1 *   Validate a rule list.
validate/3 *   Validate a list of rules, ensuring all providers exist.
validate_config/2   Validate the authz config of a service.

Function Details

add_failed/6 *

add_failed(Reason::string(), Key::any(), Op::any(), Val::any(), Id::any(), X6::{boolean(), rules()}) -> {false, rules()}

Emit an error message (with Reason, Key, Op, Val and Id) and mark the rule list as failed: the returned tuple always carries false as its first element.

any_rule_applies/3 *

any_rule_applies(UserInfo::watts_userinfo:userinfo(), Rules::rules(), Default::boolean()) -> boolean()

Apply a list of rules to a user. This evaluates to either true or false and so either allows or forbids the user. The rules are combined with 'or': if at least one rule evaluates to true the whole rule list is true, otherwise it is false (an empty list is therefore false). Default is the value a single rule yields when it cannot be evaluated.

apply_rule/3 *

apply_rule(Rule::rule(), UserInfo::watts_userinfo:userinfo(), Default::boolean()) -> boolean()

Look up UserValue for the rule's key in UserInfo and run the operation against ConfigValue; Default is returned if the value cannot be obtained or the operation fails.

does_provider_exist/2 *

does_provider_exist(ProviderId::binary() | any, ProviderList::[tuple()]) -> {false, undefined} | {true, any} | {true, rsp} | {true, binary()}

Check if a provider exists and whether the provider is 'any'; returns the id of a regular provider, or the atoms any or rsp for those special cases.

get_provider_id/1 *

get_provider_id(ProviderName::binary()) -> {ok, binary()} | {error, Reason::atom()}

Return the primary provider with which the user logged in.

get_rsp_provider_list/0 *

get_rsp_provider_list() -> {ok, [{binary(), rsp}]}

Get the list of RSP providers.

is_authorized/3

is_authorized(ServiceId::binary(), UserInfo::watts_userinfo:userinfo(), Config::config()) -> boolean()

Check and return whether a user is allowed to use the service with the given authz configuration: true only if an allow rule matches and no forbid rule matches.

limit_rules_to_provider/3 *

limit_rules_to_provider(Allow::rules(), Forbid::rules(), ProviderId::binary()) -> {rules(), rules()}

Limit both rule lists to the rules that apply to the given provider (the rules for that provider and those for 'any').

maybe_add_to_result/5 *

maybe_add_to_result(X1::{Add::boolean(), ProviderId::binary() | any | rsp}, Operation::operation(), OidcKey::binary(), Value::value(), Result::{Result::boolean(), List::rules()}) -> {IsOkay::boolean(), Rules::rules()}

Only add the rule to the result if the provider it names exists (or is 'any' or 'rsp'); otherwise the result is marked as failed.

perform_operation/3 *

perform_operation(Operation::operation(), UserValue::value(), ConfigValue::value()) -> boolean()

Perform the given operation on UserValue and ConfigValue. At the moment the following operations are supported: contains, is_member_of, equals, regexp and any (see operation()).
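As an added, stand-alone example (not WaTTS code and not this module's real implementation), the Erlang module below reimplements the allow/forbid evaluation described in the module description and the operations listed for perform_operation/3, over a plain map of OIDC claims so that it compiles and runs without WaTTS. The user representation (#{provider => ..., claims => ...}), the fail-closed defaults passed to the rule evaluation and the exact semantics of the five operations are assumptions made here, not facts taken from the page.

```erlang
%% authz_example.erl: added illustrative reimplementation, not WaTTS code.
%% Mirrors the allow/forbid evaluation described above over a plain claims
%% map so it runs stand-alone: erlc authz_example.erl && erl -noshell \
%%   -eval 'io:format("~p~n", [authz_example:demo()]), halt().'
-module(authz_example).
-export([is_authorized/2, perform_operation/3, demo/0]).

%% Assumed user representation: the primary provider the user logged in with
%% and the OpenID Connect claims delivered by that provider.
-type userinfo() :: #{provider := binary(), claims := #{binary() => term()}}.

%% Config is #{allow => rules(), forbid => rules()}; a rule is
%% {ProviderId, Key, Operation, ConfigValue} as in rule() above, where
%% ProviderId may also be the atom 'any'.
-spec is_authorized(map(), userinfo()) -> boolean().
is_authorized(Config, UserInfo) ->
    Allow  = maps:get(allow, Config, []),
    Forbid = maps:get(forbid, Config, []),
    %% Assumption (fail closed): an allow rule that cannot be evaluated
    %% counts as not matched, a forbid rule that cannot be evaluated as matched.
    Allowed   = any_rule_applies(UserInfo, Allow, false),
    Forbidden = any_rule_applies(UserInfo, Forbid, true),
    Allowed andalso not Forbidden.

%% 'or' over the list: the empty list is false, which is why an empty
%% allow list authorizes nobody.
any_rule_applies(_UserInfo, [], _Default) ->
    false;
any_rule_applies(UserInfo, [Rule | Rest], Default) ->
    apply_rule(Rule, UserInfo, Default) orelse
        any_rule_applies(UserInfo, Rest, Default).

%% Rules for another provider simply do not apply (cf. limit_rules_to_provider);
%% a missing claim or a failing operation yields Default.
apply_rule({ProviderId, Key, Op, ConfigValue},
           #{provider := Provider, claims := Claims}, Default)
  when ProviderId =:= any; ProviderId =:= Provider ->
    case maps:find(Key, Claims) of
        {ok, UserValue} ->
            try perform_operation(Op, UserValue, ConfigValue)
            catch _:_ -> Default
            end;
        error ->
            Default
    end;
apply_rule(_Rule, _UserInfo, _Default) ->
    false.

%% Assumed semantics of the five operations named by operation().
-spec perform_operation(atom(), term(), term()) -> boolean().
perform_operation(equals, UserValue, ConfigValue) ->
    UserValue =:= ConfigValue;
perform_operation(contains, UserValue, ConfigValue) when is_list(UserValue) ->
    lists:member(ConfigValue, UserValue);          % e.g. groups contains <<"admins">>
perform_operation(contains, UserValue, ConfigValue) when is_binary(UserValue) ->
    binary:match(UserValue, ConfigValue) =/= nomatch;
perform_operation(is_member_of, UserValue, ConfigValue) when is_list(ConfigValue) ->
    lists:member(UserValue, ConfigValue);          % claim value is in the configured list
perform_operation(regexp, UserValue, ConfigValue) when is_binary(UserValue) ->
    re:run(UserValue, ConfigValue) =/= nomatch;    % ConfigValue: pattern or re:mp()
perform_operation(any, _UserValue, ConfigValue) when is_boolean(ConfigValue) ->
    ConfigValue.                                   % the claim merely has to exist

%% Constructed sample configuration and users, not real data.
demo() ->
    Config = #{allow  => [{<<"iam">>, <<"groups">>, contains, <<"admins">>},
                          {any, <<"email">>, regexp, <<"@example\\.org$">>}],
               forbid => [{any, <<"sub">>, is_member_of, [<<"blocked-1">>]}]},
    Admin   = #{provider => <<"iam">>,
                claims => #{<<"sub">> => <<"u1">>, <<"groups">> => [<<"admins">>]}},
    Staff   = #{provider => <<"other">>,
                claims => #{<<"sub">> => <<"u2">>, <<"email">> => <<"a@example.org">>}},
    Blocked = #{provider => <<"iam">>,
                claims => #{<<"sub">> => <<"blocked-1">>, <<"groups">> => [<<"admins">>]}},
    Guest   = #{provider => <<"iam">>, claims => #{<<"sub">> => <<"u3">>}},
    [{admin,   is_authorized(Config, Admin)},   % true: iam group rule matches
     {staff,   is_authorized(Config, Staff)},   % true: 'any'-provider email rule matches
     {blocked, is_authorized(Config, Blocked)}, % false: forbid wins over allow
     {guest,   is_authorized(Config, Guest)},   % false: no allow rule matched
     {nobody,  is_authorized(#{}, Admin)}].     % false: empty allow list
```

The demo covers the three cases a reviewer of an authz config should check by hand: a forbid rule overriding a matching allow rule, a user for whom no allow rule matches, and an empty allow list, all of which must come out as false.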

return_provider_id_if_found/1 *

return_provider_id_if_found(X1::{ok, pid} | any()) -> {ok, binary()} | {error, provider_not_found}

Return the provider id if passed a valid pid; anything else yields {error, provider_not_found}.

return_rsp_if_enabled_and_exists/3 *

return_rsp_if_enabled_and_exists(RspId::binary(), X2::boolean(), X3::boolean()) -> {ok, binary()} | {error, rsp_disabled}

Return the RSP id if RSPs are enabled and it exists; otherwise {error, rsp_disabled}.

validate/1 *

validate(Rules::rules()) -> {Failed::boolean(), ValidatedRules::rules()}

Validate a rule list; Failed is true if at least one rule could not be validated.

validate/3 *

validate(T::rules(), ProviderList::list(), Result::{boolean(), rules()}) -> {Failed::boolean(), ValidatedRules::rules()}

Validate a list of rules, ensuring all referenced providers exist, accumulating into Result.

validate_config/2

validate_config(ServiceId::binary(), Config::config()) -> {ok, ValidatedConfig::config()}

Validate the authz config of a service: both the allow and the forbid rule lists are validated and the validated config is returned.


Generated by EDoc