caf_security/proxy_security

Proxy to manage security policies from application code.

Source:

Extends

Members

CA_LOCAL :string

Source:

A symbol representing the local name of this CA, i.e., "!CA_LOCAL".

Type:
  • string

SELF :string

Source:

A symbol representing the owner of this CA, i.e., "!SELF".

Type:
  • string

Methods

addRule(newRule) → {string}

Source:

Adds a rule that allows a principal to invoke certain methods.

The type can be simpleRuleType or aggregateRuleType

The type of ruleType when the rule type is simpleRuleType:

{ type: 'caf.simpleRule', ac: {caOwner: string=,
                               caLocalName: string=},
  methods: (Array.<string> | string)=}

a missing field means a wildcard, "!SELF" represents the owner of this CA, and "!CA_LOCAL" matches the local name of this CA.

For example:

 {type: 'caf.simpleRule', ac: {caOwner: "!SELF",
                               caLocalName: "!CA_LOCAL"}}

gives the owner, within an authenticated session, full access to this CA. This is a sensible default.

 {type: 'caf.simpleRule', ac: {caOwner: '!SELF'}}

gives any CA with the same owner full access to this CA.

 {type: 'caf.simpleRule', ac: {caOwner: '!SELF', caLocalName: 'bar'},
  methods: 'foo'}

grants permission to CA bar, of the same owner, to invoke method foo.

The type of ruleType when the rule type is aggregateRuleType:

 {type: 'caf.aggregateRule', alias : string,
  methods: (Array.<string> | string)=}

where alias is the AggregateMap alias in the sharing plugin context. See external:caf_sharing.

For example, if alias is foo, the map is this.$.sharing.$.foo.

Parameters:
Name Type Description
newRule ruleType

A new authorization rule.

Returns:

A rule identifier.

Type
string

attenuateToken(megaToken, tokenDesc, cb0)

Source:

Weakens an authentication token generating one (or many) token(s).

type of tokenDescriptionType is

 {appPublisher: (string|null)=, appLocalName: (string|null)=,
  caOwner: (string|null)=, caLocalName: (string|null)=,
  durationInSec: number=}

A null value in the token description means force the current value.

An undefined value means remove the constraint.

Parameters:
Name Type Description
megaToken tokenType

A token that we want to restrict.

tokenDesc Array.<tokenDescriptionType> | tokenDescriptionType

A description of the new token(s).

cb0 cbType

A callback to return the new token(s) or an error.

computeRuleId(rule) → {string}

Source:

Computes a content-based identifier for a rule.

Parameters:
Name Type Description
rule ruleType

A rule.

Throws:

Invalid rule.

Type
Error
Returns:

A unique identifier based on the contents of that rule.

Type
string

getAppName() → {string}

Source:

Gets the application name.

Returns:

The application name.

Type
string

getCallerFrom() → {string}

Source:

Gets the authenticated caller's name.

It matches the from field of the message that we are currently processing, i.e., <caOwner>-<caLocalName>.

Returns:

The name of the caller.

Type
string

isAuthorized(caller, method, ignoreInternalopt) → {boolean}

Source:

Checks whether a caller is authorized to invoke certain method.

This explicit check is typically not needed because the framework enforces access policy, but it can be useful for debugging or to validate application-level checks.

Parameters:
Name Type Attributes Description
caller string

A CA name of the form <caOwner>-<caLocalName>.

method string

A method name.

ignoreInternal boolean <optional>

Treat internal methods, i.e., starting with __ca_, as external ones while checking authorization.

Returns:

True if access would be granted, false otherwise.

Type
boolean

listRules() → {Object.<string, ruleType>}

Source:

Lists current active rules.

It returns a deep frozen copy of the current rules.

Returns:

A map using rule ids as keys and rule contents as values.

Type
Object.<string, ruleType>

newAggregateRule(methodsopt, aggregateMapAlias) → {ruleType}

Source:
See:

Constructor for a rule that uses an AggregateMap to represent a linked local namespace.

Note that aggregate rules are only active if the corresponding AggregateMap has been added using the caf_sharing plugin.

Parameters:
Name Type Attributes Description
methods Array.<string> | string <optional>

Methods to enable. Defaults to all.

aggregateMapAlias string

The alias that we used to instantiate the AggregateMap.

Returns:

An authorization rule.

Type
ruleType

newSimpleRule(methodsopt, caOwneropt, caLocalNameopt) → {ruleType}

Source:
See:

Constructor for a simple rule, i.e., of type "caf.simpleRule".

Parameters:
Name Type Attributes Description
methods Array.<string> | string <optional>

Methods to enable. Defaults to all.

caOwner string <optional>

Owner of the calling CA.

caLocalName string <optional>

Local name of the calling CA/

Returns:

An authorization rule.

Type
ruleType

removeRule(ruleId)

Source:

Removes a rule.

Parameters:
Name Type Description
ruleId string

The identifier of the rule to be removed.

verifyToken(tokenStr) → {tokenType|null}

Source:

Checks that a serialized token is trusted by this app.

The type of tokenType is

  {appPublisher: string=, appLocalName:string=, caOwner: string=,
   caLocalName: string=, expiresAfter: string=}
Parameters:
Name Type Description
tokenStr string

A serialized token to validate.

Returns:

A parsed and validated token, or null if token invalid.

Type
tokenType | null