Proxy to manage security policies from application code.
- Source:
Extends
Members
CA_LOCAL :string
- Source:
A symbol representing the local name of this CA, i.e., "!CA_LOCAL"
.
Type:
- string
SELF :string
- Source:
A symbol representing the owner of this CA, i.e., "!SELF"
.
Type:
- string
Methods
addRule(newRule) → {string}
- Source:
Adds a rule that allows a principal to invoke certain methods.
The type can be simpleRuleType
or aggregateRuleType
The type of ruleType
when the rule type is simpleRuleType
:
{ type: 'caf.simpleRule', ac: {caOwner: string=,
caLocalName: string=},
methods: (Array.<string> | string)=}
a missing field means a wildcard, "!SELF"
represents the owner of
this CA, and "!CA_LOCAL"
matches the local name of this CA.
For example:
{type: 'caf.simpleRule', ac: {caOwner: "!SELF",
caLocalName: "!CA_LOCAL"}}
gives the owner, within an authenticated session, full access to this CA. This is a sensible default.
{type: 'caf.simpleRule', ac: {caOwner: '!SELF'}}
gives any CA with the same owner full access to this CA.
{type: 'caf.simpleRule', ac: {caOwner: '!SELF', caLocalName: 'bar'},
methods: 'foo'}
grants permission to CA bar
, of the same owner, to invoke method
foo
.
The type of ruleType
when the rule type is aggregateRuleType
:
{type: 'caf.aggregateRule', alias : string,
methods: (Array.<string> | string)=}
where alias
is the AggregateMap
alias in the sharing
plugin
context. See external:caf_sharing.
For example, if alias
is foo
, the map is this.$.sharing.$.foo
.
Parameters:
Name | Type | Description |
---|---|---|
newRule |
ruleType | A new authorization rule. |
Returns:
A rule identifier.
- Type
- string
attenuateToken(megaToken, tokenDesc, cb0)
- Source:
Weakens an authentication token generating one (or many) token(s).
type of tokenDescriptionType
is
{appPublisher: (string|null)=, appLocalName: (string|null)=,
caOwner: (string|null)=, caLocalName: (string|null)=,
durationInSec: number=}
A null
value in the token description means force the current value.
An undefined
value means remove the constraint.
Parameters:
Name | Type | Description |
---|---|---|
megaToken |
tokenType | A token that we want to restrict. |
tokenDesc |
Array.<tokenDescriptionType> | tokenDescriptionType | A description of the new token(s). |
cb0 |
cbType | A callback to return the new token(s) or an error. |
computeRuleId(rule) → {string}
- Source:
Computes a content-based identifier for a rule.
Parameters:
Name | Type | Description |
---|---|---|
rule |
ruleType | A rule. |
Throws:
-
Invalid rule.
- Type
- Error
Returns:
A unique identifier based on the contents of that rule.
- Type
- string
getAppName() → {string}
- Source:
Gets the application name.
Returns:
The application name.
- Type
- string
getCallerFrom() → {string}
- Source:
Gets the authenticated caller's name.
It matches the from
field of the message that we are currently
processing, i.e., <caOwner>-<caLocalName>
.
Returns:
The name of the caller.
- Type
- string
isAuthorized(caller, method, ignoreInternalopt) → {boolean}
- Source:
Checks whether a caller is authorized to invoke certain method.
This explicit check is typically not needed because the framework enforces access policy, but it can be useful for debugging or to validate application-level checks.
Parameters:
Name | Type | Attributes | Description |
---|---|---|---|
caller |
string | A CA name of the form |
|
method |
string | A method name. |
|
ignoreInternal |
boolean |
<optional> |
Treat internal methods, i.e., starting
with |
Returns:
True if access would be granted, false otherwise.
- Type
- boolean
listRules() → {Object.<string, ruleType>}
- Source:
Lists current active rules.
It returns a deep frozen copy of the current rules.
Returns:
A map using rule ids as keys and rule contents as values.
- Type
- Object.<string, ruleType>
newAggregateRule(methodsopt, aggregateMapAlias) → {ruleType}
- Source:
- See:
Constructor for a rule that uses an AggregateMap
to represent a linked
local namespace.
Note that aggregate rules are only active if the corresponding
AggregateMap
has been added using the caf_sharing
plugin.
Parameters:
Name | Type | Attributes | Description |
---|---|---|---|
methods |
Array.<string> | string |
<optional> |
Methods to enable. Defaults to all. |
aggregateMapAlias |
string | The alias that we used to instantiate the AggregateMap. |
Returns:
An authorization rule.
- Type
- ruleType
newSimpleRule(methodsopt, caOwneropt, caLocalNameopt) → {ruleType}
- Source:
- See:
Constructor for a simple rule, i.e., of type "caf.simpleRule"
.
Parameters:
Name | Type | Attributes | Description |
---|---|---|---|
methods |
Array.<string> | string |
<optional> |
Methods to enable. Defaults to all. |
caOwner |
string |
<optional> |
Owner of the calling CA. |
caLocalName |
string |
<optional> |
Local name of the calling CA/ |
Returns:
An authorization rule.
- Type
- ruleType
removeRule(ruleId)
- Source:
Removes a rule.
Parameters:
Name | Type | Description |
---|---|---|
ruleId |
string | The identifier of the rule to be removed. |
verifyToken(tokenStr) → {tokenType|null}
- Source:
Checks that a serialized token is trusted by this app.
The type of tokenType
is
{appPublisher: string=, appLocalName:string=, caOwner: string=,
caLocalName: string=, expiresAfter: string=}
Parameters:
Name | Type | Description |
---|---|---|
tokenStr |
string | A serialized token to validate. |
Returns:
A parsed and validated token, or null
if token
invalid.
- Type
- tokenType | null