CoSec

基于 RBAC 和策略的多租户响应式安全框架。

更新内容（v1.10.1） 🎉 🎉 🎉

• 特性：新增  ContainsConditionMatcher。

•   { "name": "TestContains", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "contains", "part": "request.attributes.ipRegion", "pattern": "上海" } }

认证

授权

OAuth

建模类图

安全网关服务

授权策略流程

内置策略匹配器

ActionMatcher

如何自定义 ActionMatcher (SPI)

参考 RegularActionMatcher

 class CustomActionMatcherFactory : ActionMatcherFactory { companion object { const val TYPE = "[CustomActionType]" } override val type: String get() = TYPE override fun create(onfiguration: Configuration): ActionMatcher { return CustomActionMatcher(onfiguration) } } class CustomActionMatcher(configuration: Configuration) : AbstractActionMatcher(CustomActionMatcherFactory.TYPE, configuration) { override val type: String get() = CustomActionMatcherFactory.TYPE override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean { //Custom matching logic } }

META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory

 # CustomActionMatcherFactory fully qualified name

ConditionMatcher

如何自定义 ConditionMatcher (SPI)

参考 ContainsConditionMatcher

 class CustomConditionMatcherFactory : ConditionMatcherFactory { companion object { const val TYPE = "[CustomConditionType]" } override val type: String get() = TYPE override fun create(configuration: Configuration): ConditionMatcher { return CustomConditionMatcher(configuration) } } class CustomConditionMatcher(configuration: Configuration) : AbstractActionMatcher(CustomActionMatcherFactory.TYPE, configuration) { override val type: String get() = CustomConditionMatcherFactory.TYPE override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean { //Custom matching logic } }

META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory

 # CustomConditionMatcherFactory fully qualified name 

策略 Schema

Policy Schema

策略 Demo

 { "id": "id", "name": "name", "category": "category", "description": "description", "type": "global", "tenantId": "tenantId", "statements": [ { "name": "Anonymous", "effect": "allow", "actions": [ { "type": "path", "pattern": "/auth/register" }, { "type": "path", "pattern": "/auth/login" } ] }, { "name": "UserScope", "effect": "allow", "actions": [ { "type": "path", "pattern": "/user/#{principal.id}/*" } ], "condition": { "type": "authenticated" } }, { "name": "Developer", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "in", "part": "context.principal.id", "in": [ "developerId" ] } }, { "name": "RequestOriginDeny", "effect": "deny", "actions": [ { "type": "all" } ], "condition": { "type": "reg", "negate": true, "part": "request.origin", "pattern": "^(http|https)://github.com" } }, { "name": "IpBlacklist", "effect": "deny", "actions": [ { "type": "all" } ], "condition": { "type": "path", "part": "request.remoteIp", "path": { "caseSensitive": false, "separator": ".", "decodeAndParseSegments": false }, "pattern": "192.168.0.*" } }, { "name": "RegionWhitelist", "effect": "deny", "actions": [ { "type": "all" } ], "condition": { "negate": true, "type": "reg", "part": "request.attributes.ipRegion", "pattern": "^中国\\|0\\|(上海|广东省)\\|.*" } }, { "name": "AllowDeveloperOrIpRange", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "bool", "bool": { "and": [ { "type": "authenticated" } ], "or": [ { "type": "in", "part": "context.principal.id", "in": [ "developerId" ] }, { "type": "path", "part": "request.remoteIp", "path": { "caseSensitive": false, "separator": ".", "decodeAndParseSegments": false }, "pattern": "192.168.0.*" } ] } } } ] }

感谢

CoSec 权限策略设计参考 AWS IAM 。