CoSec是基于RBAC和策略的多租户响应式安全框架。

认证

授权

OAuth

建模类图

安全网关服务

授权策略流程

内置策略匹配器ActionMatcher

如何自定义 ActionMatcher (SPI)参考 PathActionMatcher

classCustomConditionMatcherFactory:ConditionMatcherFactory{companionobject{constvalTYPE="[CustomConditionType]"}overridevaltype:Stringget()=TYPEoverridefuncreate(configuration:Configuration):ConditionMatcher{returnCustomConditionMatcher(configuration)}}classCustomConditionMatcher(configuration:Configuration):AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE,configuration){overridefuninternalMatch(request:Request,securityContext:SecurityContext):Boolean{//Custommatchinglogic}}

 

META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory

#CustomActionMatcherFactoryfullyqualifiednameConditionMatcher

如何自定义 ConditionMatcher (SPI)参考 ContainsConditionMatcher

classCustomConditionMatcherFactory:ConditionMatcherFactory{  companionobject{    constvalTYPE="[CustomConditionType]"  }  overridevaltype:String    get()=TYPE  overridefuncreate(configuration:Configuration):ConditionMatcher{    returnCustomConditionMatcher(configuration)  }}classCustomConditionMatcher(configuration:Configuration):  AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE,configuration){  overridefuninternalMatch(request:Request,securityContext:SecurityContext):Boolean{    //Custommatchinglogic  }}META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory

#CustomConditionMatcherFactoryfullyqualifiedname策略Schema配置 PolicySchema 以支持IDE(IntelliJIDEA)输入自动完成。

策略Demo

{"id":"id","name":"name","category":"category","description":"description","type":"global","tenantId":"tenantId","condition":{"bool":{"and":[{"authenticated":{}},{"rateLimiter":{"permitsPerSecond":10}}]}},"statements":[{"action":{"path":{"pattern":"/user/#{principal.id}/*","options":{"caseSensitive":false,"separator":"/","decodeAndParseSegments":false}}}},{"name":"Anonymous","action":["/auth/register","/auth/login"]},{"name":"UserScope","action":"/user/#{principal.id}/*","condition":{"authenticated":{}}},{"name":"Developer","action":"*","condition":{"in":{"part":"context.principal.id","value":["developerId"]}}},{"name":"RequestOriginDeny","effect":"deny","action":"*","condition":{"regular":{"negate":true,"part":"request.origin","pattern":"^(http|https)://github.com"}}},{"name":"IpBlacklist","effect":"deny","action":"*","condition":{"path":{"part":"request.remoteIp","pattern":"192.168.0.*","options":{"caseSensitive":false,"separator":".","decodeAndParseSegments":false}}}},{"name":"RegionWhitelist","effect":"deny","action":"*","condition":{"regular":{"negate":true,"part":"request.attributes.ipRegion","pattern":"^中国\\|0\\|(上海|广东省)\\|.*"}}},{"name":"AllowDeveloperOrIpRange","action":"*","condition":{"bool":{"and":[{"authenticated":{}}],"or":[{"in":{"part":"context.principal.id","value":["developerId"]}},{"path":{"part":"request.remoteIp","pattern":"192.168.0.*","options":{"caseSensitive":false,"separator":".","decodeAndParseSegments":false}}}]}}},{"name":"TestContains","effect":"allow","action":"*","condition":{"contains":{"part":"request.attributes.ipRegion","value":"上海"}}},{"name":"TestStartsWith","effect":"allow","action":"*","condition":{"startsWith":{"part":"request.attributes.ipRegion","value":"中国"}}},{"name":"TestEndsWith","effect":"allow","action":"*","condition":{"endsWith":{"part":"request.attributes.remoteIp","value":".168.0.1"}}}]}应用权限元数据Schema配置 AppPermissionSchema 以支持IDE(IntelliJIDEA)输入自动完成。

应用权限元数据Demo

{"id":"manage","condition":{"bool":{"and":[{"authenticated":{}},{"groupedRateLimiter":{"part":"request.remoteIp","permitsPerSecond":10,"expireAfterAccessSecond":1000}},{"inTenant":{"value":"default"}}]}},"groups":[{"name":"order","description":"ordermanagement","permissions":[{"id":"manage.order.ship","name":"Ship","description":"Ship","action":"/order/ship"},{"id":"manage.order.issueInvoice","name":"Issueaninvoice","description":"Issueaninvoice","action":"/order/issueInvoice"}]}]}OpenTelemetryCoSec-OpenTelemetry

CoSec遵循OpenTelemetry Generalidentityattributes 规范。

感谢CoSec权限策略设计参考 AWSIAM 。