CoSec

RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.

Authentication

Social Authentication

Authorization

Modeling

Gateway

Authorization Policy

Build In Policy

ActionMatcher

How to customize `ActionMatcher` (SPI)

Refer to PathActionMatcher

class CustomActionMatcherFactory : ActionMatcherFactory {
    companion object {
        const val TYPE = "[CustomActionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomActionMatcher(configuration)
    }
}
class CustomActionMatcher(override val configuration: Configuration) : ActionMatcher {

    override val type: String
        get() = CustomActionMatcherFactory.TYPE

    override fun match(request: Request, securityContext: SecurityContext): Boolean {
        //Custom matching logic
    }
}

META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory

# CustomActionMatcherFactory fully qualified name

ConditionMatcher

How to customize `ConditionMatcher` (SPI)

Refer to ContainsConditionMatcher

class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        const val TYPE = "[CustomConditionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}
class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        //Custom matching logic
    }
}

META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory

# CustomConditionMatcherFactory fully qualified name

Policy Schema

Configure Policy Schema to support IDE (IntelliJ IDEA) input autocompletion.

Policy Demo

{
  "id": "id",
  "name": "name",
  "category": "category",
  "description": "description",
  "type": "global",
  "tenantId": "tenantId",
  "condition": {
    "bool": {
      "and": [
        {
          "authenticated": {}
        },
        {
          "rateLimiter": {
            "permitsPerSecond": 10
          }
        }
      ]
    }
  },
  "statements": [
    {
      "action": {
        "path": {
          "pattern": "/user/#{principal.id}/*",
          "options": {
            "caseSensitive": false,
            "separator": "/",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "Anonymous",
      "action": [
        "/auth/register",
        "/auth/login"
      ]
    },
    {
      "name": "UserScope",
      "action": "/user/#{principal.id}/*",
      "condition": {
        "authenticated": {}
      }
    },
    {
      "name": "Developer",
      "action": "*",
      "condition": {
        "in": {
          "part": "context.principal.id",
          "value": [
            "developerId"
          ]
        }
      }
    },
    {
      "name": "RequestOriginDeny",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.origin",
          "pattern": "^(http|https)://github.com"
        }
      }
    },
    {
      "name": "IpBlacklist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "path": {
          "part": "request.remoteIp",
          "pattern": "192.168.0.*",
          "options": {
            "caseSensitive": false,
            "separator": ".",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "RegionWhitelist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.attributes.ipRegion",
          "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
        }
      }
    },
    {
      "name": "AllowDeveloperOrIpRange",
      "action": "*",
      "condition": {
        "bool": {
          "and": [
            {
              "authenticated": {}
            }
          ],
          "or": [
            {
              "in": {
                "part": "context.principal.id",
                "value": [
                  "developerId"
                ]
              }
            },
            {
              "path": {
                "part": "request.remoteIp",
                "pattern": "192.168.0.*",
                "options": {
                  "caseSensitive": false,
                  "separator": ".",
                  "decodeAndParseSegments": false
                }
              }
            }
          ]
        }
      }
    },
    {
      "name": "TestContains",
      "effect": "allow",
      "action": "*",
      "condition": {
        "contains": {
          "part": "request.attributes.ipRegion",
          "value": "上海"
        }
      }
    },
    {
      "name": "TestStartsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "startsWith": {
          "part": "request.attributes.ipRegion",
          "value": "中国"
        }
      }
    },
    {
      "name": "TestEndsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "endsWith": {
          "part": "request.attributes.remoteIp",
          "value": ".168.0.1"
        }
      }
    }
  ]
}

App Permission Metadata Schema

Configure App Permission Schema to support IDE (IntelliJ IDEA) input autocompletion.

App Permission Demo

{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        {
          "authenticated": {}
        },
        {
          "groupedRateLimiter": {
            "part": "request.remoteIp",
            "permitsPerSecond": 10,
            "expireAfterAccessSecond": 1000
          }
        },
        {
          "inTenant": {
            "value": "default"
          }
        }
      ]
    }
  },
  "groups": [
    {
      "name": "order",
      "description": "order management",
      "permissions": [
        {
          "id": "manage.order.ship",
          "name": "Ship",
          "description": "Ship",
          "action": "/order/ship"
        },
        {
          "id": "manage.order.issueInvoice",
          "name": "Issue an invoice",
          "description": "Issue an invoice",
          "action": "/order/issueInvoice"
        }
      ]
    }
  ]
}

OpenTelemetry

CoSec-OpenTelemetry

CoSec follows the OpenTelemetry General identity attributes specification。

Thanks

CoSec permission policy design refers to AWS IAM .

Name		Name	Last commit message	Last commit date
Latest commit History 451 Commits
.github		.github
code-coverage-report		code-coverage-report
config		config
cosec-api		cosec-api
cosec-bom		cosec-bom
cosec-core		cosec-core
cosec-dependencies		cosec-dependencies
cosec-gateway-server		cosec-gateway-server
cosec-gateway		cosec-gateway
cosec-generator		cosec-generator
cosec-ip2region		cosec-ip2region
cosec-jwt		cosec-jwt
cosec-opentelemetry		cosec-opentelemetry
cosec-redis		cosec-redis
cosec-social		cosec-social
cosec-spring-boot-starter		cosec-spring-boot-starter
cosec-webflux		cosec-webflux
cosec-webmvc		cosec-webmvc
document/design		document/design
gradle		gradle
k8s		k8s
schema		schema
.editorconfig		.editorconfig
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
README.zh-CN.md		README.zh-CN.md
build.gradle.kts		build.gradle.kts
codecov.yml		codecov.yml
gradle.properties		gradle.properties
gradlew		gradlew
gradlew.bat		gradlew.bat
renovate.json		renovate.json
settings.gradle.kts		settings.gradle.kts

License

Ahoo-Wang/CoSec

Folders and files

Latest commit

History

Repository files navigation

CoSec

Authentication

Social Authentication

Authorization

Modeling

Gateway

Authorization Policy

Build In Policy

ActionMatcher

How to customize ActionMatcher (SPI)

ConditionMatcher

How to customize ConditionMatcher (SPI)

Policy Schema

App Permission Metadata Schema

OpenTelemetry

Thanks

About

Topics

Resources

License

Stars

Watchers

Forks

Languages

How to customize `ActionMatcher` (SPI)

How to customize `ConditionMatcher` (SPI)