
sapl-demos's Introduction


SAPL Demo Projects

**Attention:** The build of the sapl-demo-ethereum module may fail if the web service of web3labs.com is unreachable. In this case, copy the file sapl-demo-ethereum/src/main/solc/releases.json to ~/.web3j/solc.

This project contains demo modules that show how to use the SAPL engine. A good way to start exploring SAPL is to run these demo projects and experiment with modifying them.

If you are interested in how SAPL would be used in an application, you should take a look at sapl-demo-mvc-app and sapl-demo-webflux.

If you want to get familiar with using a PDP directly, start with sapl-demo-embedded.

After that pick a demo that matches your interest.

  • sapl-demo-webflux: Demonstrates how to hook a SAPL PEP into method security with Spring Security and Webflux.

  • sapl-demo-webflux-filterchain: Demonstrates how to hook a SAPL PEP into the Spring Security reactive filter chain in Webflux.

  • sapl-demo-mvc-app: A full stack Spring MVC application secured with SAPL. Demonstrates non-reactive declarative Policy Enforcement Points via annotations.

  • sapl-demo-filterchain: Demonstrates how to hook a SAPL PEP into the Spring Security filter chain for non-reactive environments.

  • sapl-demo-embedded: Manually instantiating a SAPL Policy Decision Point (PDP) and basic PDP interaction. Reading policies from bundled resources or monitoring a file system.

  • sapl-demo-remote: Connect to a dedicated SAPL PDP Server.

  • sapl-demo-extension: Write a custom Policy Information Point (PIP) and function library to extend SAPL with custom attributes and functions.

  • sapl-demo-jwt: A resource server secured with OAuth 2.0, JSON Web Tokens (JWT) and SAPL, with a matching OAuth authorization server and client application.

  • sapl-demo-web-editor: Demonstrates the Vaadin-based SAPL policy editor component.

  • sapl-demo-playground: An integrated policy testing and learning application. Also see https://playground.sapl.io/ for a deployed version ready to use.

  • sapl-demo-testing: Demonstrates how to test SAPL policies with unit tests, including test code coverage reports.

  • sapl-demo-mqtt-pip: Demonstrates how to evaluate MQTT messages with a Policy Information Point.

sapl-demos's People

Contributors

adroefke, ancouli, benediktheinrich, danielicious, danieltschmidt, dbfuh, dependabot[bot], dmavrudis, fsiegrist, heutelbeck, joe-baudisch, julianwalkerfp, marclbaur, mariusmueller90, mschulz-fuh, mschweyen, nils4444, nipahu, nniikkoollaaii, praktikant42, rooschoo, sonsabo, wolfmatth, zweihaxen


sapl-demos's Issues

[sapl-demo-playground] Switching between examples isn't correctly updating the not visible tab

When you're showing the "AuthorizationSubscription"-Tab and switching from Example "Basic" to "Spring Security" the Policy Editor and the AuthorizationSubscription-Editor are getting instantly updated correctly from the server side.

Code here ff .

But when clicking the previous not visible "Mocks"-Tab, it's still showing the "old" mock definition from the previous example. Only after clicking inside the sapl-editor-for-vaadin component "json-editor" the content is being updated.

You can recreate this behaviour on https://playground.sapl.io

ERROR[Type mismatch. Can only access arrays by index, got: Value[undefined]]

@heutelbeck, First of all thanks for the awesome library. Can you please quickly help me with this.

I am getting the error
ERROR[Type mismatch. Can only access arrays by index, got: Value[undefined]]

My Sapl file is

import filter.*

set "KubernetesResourceKindController"

first-applicable

for "KubernetesResourceKindController" in action.java.instanceof..simpleName

policy "create Kubernetes kind only if user has access to organisation and workspace"
permit action.java.name == "createKubernetesResourceKind"
where
subject.name == action.arguments[1].<krk.accessToOrganisation>;

And this is my Spring boot Controller code snippet

@PostMapping("")
@IsDevopsOrAbove
@PreEnforce
fun createKubernetesResourceKind(
@RequestHeader("organisationId") organisationId: String,
@RequestHeader("workspaceId") workspaceId: String,
@RequestBody createKubernetesResourceKindRequest: CreateKubernetesResourceKindRequest,
): ResponseEntity {
val result = kubernetesResourceKindService.createKubernetesResourceKind(

My PIP file looks like this

@Service
@PolicyInformationPoint(name = "krk", description = "retrives info related to KRK")
class OrganisationPIP {

@Autowired
lateinit var workspaceService: WorkspaceService

@Autowired
lateinit var userService: UserService


@Attribute(name = "accessToOrganisation")
fun getAccessOfUserToOrganisation(@Array organisationId: Val, variables: Map<String, JsonNode>): Flux<Val> {
    println("Called getAccessOfUserToOrganisation")
    return Flux.just(Val.of(Utils.objectMapper.convertValue(mapOf("abc" to "bca"), JsonNode::class.java)))
}

}

Rewrite policy

In sapl-demo-pip, rewrite the policy below using a regex so that access is granted to all resources under "/css/".

current:
policy "permit_css"
permit
action == "GET"
where
resource == "/css/saplDemoMain.css";
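
An added example, not part of the issue or of the sapl-demos code: a Java check of which resource strings a regex-based rewrite of this policy would admit. It assumes that SAPL's `=~` operator matches the whole string the way `java.util.regex.Pattern.matches` does; the class name, both patterns and the sample paths are hypothetical.

```java
import java.util.List;
import java.util.regex.Pattern;

/*
 * Sketch of the rewritten policy (SAPL, assuming the =~ regex operator):
 *
 *   policy "permit_css"
 *   permit
 *       action == "GET"
 *   where
 *       resource =~ "^/css/(?!.*[.][.])[A-Za-z0-9._/-]+$";
 */
public class CssPolicyRegexCheck {

    // Literal reading of the request: anything that starts with /css/.
    static final Pattern BROAD = Pattern.compile("^/css/.*");

    // Tighter variant: same prefix, a conservative character set,
    // and no ".." anywhere after the prefix.
    static final Pattern STRICT =
            Pattern.compile("^/css/(?!.*[.][.])[A-Za-z0-9._/-]+$");

    // Mirrors the policy body: equality on the action, regex on the resource.
    static boolean permits(Pattern pattern, String action, String resource) {
        return "GET".equals(action) && pattern.matcher(resource).matches();
    }

    public static void main(String[] args) {
        // Constructed resource strings, not taken from the demo project.
        List<String> resources = List.of(
                "/css/saplDemoMain.css",
                "/css/themes/dark.css",
                "/css/",
                "/cssx/other.css",
                "/static/css/main.css",
                "/css/../admin/users");

        System.out.printf("%-24s %-6s %s%n", "resource", "broad", "strict");
        for (String resource : resources) {
            System.out.printf("%-24s %-6b %b%n", resource,
                    permits(BROAD, "GET", resource),
                    permits(STRICT, "GET", resource));
        }
        // A non-GET action is never permitted, whatever the path.
        System.out.println(permits(STRICT, "POST", "/css/saplDemoMain.css"));
    }
}
```

The broad pattern also admits a path such as "/css/../admin/users", so either normalize the path before it becomes the `resource` of the authorization subscription or use the stricter pattern.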

[sapl-demo-playground] Playground does not react on the first three changed char's

After page load the sapl-editor-for-vaadin components "sapl-editor" & "json-editor" are not emitting a DocumentChangedEvent for the first three changes.

Because of this the playground is not removing the result of the previous run if for example a single semicolon in the policy is removed, making the policy invalid.

During debugging via a Console.log statement here https://github.com/heutelbeck/sapl-server/blob/main/sapl-editor-for-vaadin/src/main/resources/META-INF/frontend/json-editor.js#L96
I could observe, that the javascript onDocumentChanged method is called on every change. But it's somehow not forwarding this correctly to vaadin.

You can recreate this behaviour on https://playground.sapl.io

Adding my first SAPL to a Spring Boot 2.6.4 project results in class not found

Hello -

We are just starting to explore using SAPL and I have a simple Spring Boot 2.6.4 application using Gradle and have included SAPL like:

  // SAPL BOM
    implementation(platform("io.sapl:sapl-bom:2.0.1"))
    implementation 'io.sapl:sapl-spring-security'
    implementation 'io.sapl:sapl-spring-pdp-embedded'

However when I add my first SAPL file to the resources folder, I get the following stack trace:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [io.sapl.prp.PrpUpdateEventSource]: Factory method 'prpUpdateSource' threw exception; nested exception is java.lang.NoSuchFieldError: EOF_TOKEN
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
	... 98 common frames omitted
Caused by: java.lang.NoSuchFieldError: EOF_TOKEN
	at org.eclipse.xtext.parser.antlr.Lexer.nextToken(Lexer.java:60)
	at org.antlr.runtime.BufferedTokenStream.fetch(BufferedTokenStream.java:143)
	at org.antlr.runtime.BufferedTokenStream.sync(BufferedTokenStream.java:137)

and it appears that the version of antlr that is included is missing a reference to:
Token.EOF_TOKEN; in the Lexer class.

It doesn't appear that you've added anything special here:
https://github.com/heutelbeck/sapl-demos/blob/master/sapl-demo-mvc-app/pom.xml

Perhaps something with the latest Spring Boot?
Thanks

Finish the mapper

It should map requests to the PDP onto subject, action, resource, environment. Example from Dominic:
@requarhandler("/xxx/{v1}/{v2}")

Result getSome(@pathparam v1, @pathparam v2, QueryParam(name="sort") String sort) { }

@action(name="some:thingToDo")

(subject, {name = "some:thingToDo", pathParams = { "v1" : ???, "v2": ???}, queryParams = {"sort" = "asc"}}}

How to write SAPL rules?

On the springboot, when a user accesses /books/list, I need to filter books data according to the data_scope range data of the currently logged in user and the category value of books. Please ask how to do this. Please give some collective examples. Thank you very much!

USER:

user | dept | data_scope
admin | 1 | [,]
Tom | 1 | [1,2,3]
Sim | 2 | [1,2]
Kat | 3 | null

BOOKS:

id | name | category
1 | book1 | 1
2 | book2 | 1
3 | Book3 | 2
4 | book4 | 3
5 | book5 | 4
6 | book6 | 5

when user admin to access the api /books/list, can visible all data,return the data:

id | name | category
1 | book1 | 1
2 | book2 | 1
3 | Book3 | 2
4 | book4 | 3
5 | book5 | 4
6 | book6 | 5

when user Tom to access the api /books/list, books.category in user.data_scope, return the data:
id | name | category
1 | book1 | 1
2 | book2 | 1
3 | Book3 | 2
4 | book4 | 3

when user Sim to access the api /books/list, books.category in user.data_scope, return the data:
id | name | category
1 | book1 | 1
2 | book2 | 1
3 | Book3 | 2

when user Kat to access the api /books/list, user.data_scope is null, return the exception:
“access denied,missing permissions”

How to implement the above requirements in MVC and oauth2 environment? Please give some practical examples. Thank you very much!
