CoSec
基于 RBAC 和策略的多租户响应式安全框架。
更新内容(v1.10.1) 🎉 🎉 🎉
-
特性:新增
ContainsConditionMatcher
。 -
{ "name": "TestContains", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "contains", "part": "request.attributes.ipRegion", "pattern": "上海" } }
认证
授权
OAuth
建模类图
安全网关服务
授权策略流程
内置策略匹配器
ActionMatcher
如何自定义 ActionMatcher
(SPI)
参考 RegularActionMatcher
class CustomActionMatcherFactory : ActionMatcherFactory {
companion object {
const val TYPE = "[CustomActionType]"
}
override val type: String
get() = TYPE
override fun create(onfiguration: Configuration): ActionMatcher {
return CustomActionMatcher(onfiguration)
}
}
class CustomActionMatcher(configuration: Configuration) :
AbstractActionMatcher(CustomActionMatcherFactory.TYPE, configuration) {
override val type: String
get() = CustomActionMatcherFactory.TYPE
override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
//Custom matching logic
}
}
META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory
# CustomActionMatcherFactory fully qualified name
ConditionMatcher
如何自定义 ConditionMatcher
(SPI)
参考 ContainsConditionMatcher
class CustomConditionMatcherFactory : ConditionMatcherFactory {
companion object {
const val TYPE = "[CustomConditionType]"
}
override val type: String
get() = TYPE
override fun create(configuration: Configuration): ConditionMatcher {
return CustomConditionMatcher(configuration)
}
}
class CustomConditionMatcher(configuration: Configuration) :
AbstractActionMatcher(CustomActionMatcherFactory.TYPE, configuration) {
override val type: String
get() = CustomConditionMatcherFactory.TYPE
override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
//Custom matching logic
}
}
META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory
# CustomConditionMatcherFactory fully qualified name
策略 Schema
Policy Schema
策略 Demo
{
"id": "id",
"name": "name",
"category": "category",
"description": "description",
"type": "global",
"tenantId": "tenantId",
"statements": [
{
"name": "Anonymous",
"effect": "allow",
"actions": [
{
"type": "path",
"pattern": "/auth/register"
},
{
"type": "path",
"pattern": "/auth/login"
}
]
},
{
"name": "UserScope",
"effect": "allow",
"actions": [
{
"type": "path",
"pattern": "/user/#{principal.id}/*"
}
],
"condition": {
"type": "authenticated"
}
},
{
"name": "Developer",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
}
},
{
"name": "RequestOriginDeny",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "reg",
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
},
{
"name": "IpBlacklist",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
},
{
"name": "RegionWhitelist",
"effect": "deny",
"actions": [
{
"type": "all"
}
],
"condition": {
"negate": true,
"type": "reg",
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
},
{
"name": "AllowDeveloperOrIpRange",
"effect": "allow",
"actions": [
{
"type": "all"
}
],
"condition": {
"type": "bool",
"bool": {
"and": [
{
"type": "authenticated"
}
],
"or": [
{
"type": "in",
"part": "context.principal.id",
"in": [
"developerId"
]
},
{
"type": "path",
"part": "request.remoteIp",
"path": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
},
"pattern": "192.168.0.*"
}
]
}
}
}
]
}
感谢
CoSec 权限策略设计参考 AWS IAM 。