This project detects role-based access control (RBAC) violations that can occur during REST communication between microservices. It takes a set of compiled microservice artifacts and a role hierarchy as input and produces a list of RBAC violations.
To get started, clone the GitHub repository.
$ git clone https://github.com/cloudhubs/rad-analysis.git
-
RAD: the rad library detects REST communication between microservices from a set of bytecode artifacts.
-
Local weaver (security service): the security service of the local-weaver library processes the role hierarchy and propagates the appropriate roles from controller methods to their child methods.
-
Rad Analysis Service: detects RBAC violations in controller-to-controller REST communication between a pair of microservices.
$ git clone https://github.com/cloudhubs/rad.git
$ cd rad
$ mvn clean install -DskipTests
$ git clone https://github.com/cloudhubs/common.git
$ cd common
$ mvn clean install -DskipTests
$ git clone https://github.com/cloudhubs/local-weaver.git
$ cd local-weaver
$ mvn clean install -DskipTests
We will use a fork of TMS as our test bed. Clone it and package each microservice into a JAR.
$ git clone https://github.com/cloudhubs/tms-testbed.git
$ cd tms-testbed
$ ./buildAll.sh
$ git clone https://github.com/cloudhubs/rad-analysis.git
$ cd rad-analysis
$ mvn clean install -DskipTests
$ java -jar application/target/rad-analysis-0.0.5.jar
curl --request POST \
--url http://localhost:8080/ \
--header 'content-type: application/json' \
--data '{
"pathToCompiledMicroservices":"C:\\baylor\\cil-tms",
"organizationPath":"edu/baylor/ecs",
"securityAnalyzerInterface": "SuperAdmin \n SuperAdmin->Admin \n SuperAdmin->Reviewer \n Admin->User \n User->Guest \n Admin->Moderator"
}'
{
"securityContexts": [{
"resourcePath": "C:\\baylor\\cil-tms\\tms-cms\\target\\cms-0.0.1-SNAPSHOT.jar",
"security": {
"securityRoleSpecificationSource": "SuperAdmin \n SuperAdmin->Admin \n SuperAdmin->Reviewer \n Admin->User \n User->Guest \n Admin->Moderator",
"root": {
"data": "SuperAdmin",
"children": [{
"data": "Admin",
"children": [{
"data": "User",
"children": [{
"data": "Guest",
"children": []
}]
},
{
"data": "Moderator",
"children": []
}
]
},
{
"data": "Reviewer",
"children": []
}
]
},
"roleViolations": [],
"entityAccessViolations": [],
"securityRoots": [{
"methodName": "edu.baylor.ecs.cms.controller.CategoryInfoController.getCategoryInfo()",
"childMethods": [
"edu.baylor.ecs.qms.controller.CategoryInfoController.findAllCategoryInfos"
],
"roles": [
"user"
],
"httpType": "NONE",
"parameters": [],
"returnType": "java.util.List<java.lang.Object>"
},
...
]
}
},
...
],
"restFlowContext": {
"restFlows": [{
"resourcePath": "C:\\baylor\\cil-tms\\tms-cms\\target\\cms-0.0.1-SNAPSHOT.jar",
"className": "edu.baylor.ecs.cms.service.EmsService",
"methodName": "createExam",
"servers": [{
"url": "http://localhost:10002/exam",
"applicationName": null,
"ribbonServerName": null,
"resourcePath": "C:\\baylor\\cil-tms\\tms-ems\\target\\ems-0.1.0.jar",
"className": "edu.baylor.ecs.ems.controller.ExamController",
"methodName": "createExam",
"returnType": "edu.baylor.ecs.ems.model.Exam",
"path": "/exam",
"pathParams": null,
"formParams": null,
"queryParams": null,
"headerParams": null,
"cookieParams": null,
"matrixParams": null,
"httpMethod": "POST",
"consumeType": null,
"produceType": "application/json; charset=UTF-8",
"client": false
}]
},
...
]
},
"apiSecurityContext": {
"allSecurityMethods": [{
"methodName": "edu.baylor.ecs.cms.controller.ExamController.getExamDetail(java.lang.Integer)",
"childMethods": [
"edu.baylor.ecs.ems.controller.ExamController.listAllQuestionsForExam"
],
"roles": [
"user"
]
},
...
],
"entityAccessViolations": [],
"constraintViolations": [{
"type": "UNRELATED",
"method": "edu.baylor.ecs.qms.controller.ConfigurationController.findAllConfigurations",
"roles": [
"moderator",
"user"
]
},
{
"type": "HIERARCHY",
"method": "edu.baylor.ecs.qms.controller.ConfigurationController.createConfiguration",
"roles": [
"admin",
"user"
]
}
]
}
}
$ cd rad-analysis/application
$ mvn spring-boot:run -Dspring-boot.run.arguments='--k8s'
$ git clone https://github.com/cloudhubs/rad.git
$ cd rad
$ mvn clean install -DskipTests
<dependency>
<groupId>edu.baylor.ecs.cloudhubs</groupId>
<artifactId>rad</artifactId>
<version>0.0.5</version>
</dependency>
// Controller excerpt: the enclosing @RestController class and its request-mapping
// annotations are not part of this README snippet.
// NOTE(review): the field is both @Autowired and final; whether it is populated by
// constructor injection (e.g. a generated constructor) or by field injection cannot be
// told from this excerpt — confirm against the real controller.
@Autowired
private final RadAnalysisService radAnalysisService;
/**
 * Runs the RBAC analysis for one request and returns the complete result.
 * Presumably the handler behind the {@code POST http://localhost:8080/} call in the
 * curl example above (the mapping annotation is not shown in this excerpt).
 *
 * @param request analysis parameters deserialized from the JSON request body
 * @return the per-artifact security contexts, the detected REST flows and the
 *         API-level violations, as in the sample response above
 */
public RadAnalysisResponseContext getRadResponseContext(@RequestBody RadAnalysisRequestContext request) {
return radAnalysisService.generateRadAnalysisResponseContext(request);
}
/**
 * Request body of the analysis endpoint; see the curl example above for sample values.
 * NOTE(review): the service reads compiled artifacts from the local filesystem at the
 * path supplied by the caller (the sample response lists JARs under that directory),
 * so the endpoint should only be reachable by trusted callers — confirm how the
 * service is deployed.
 */
public class RadAnalysisRequestContext {
// Filesystem directory holding the compiled microservice artifacts (JARs), e.g.
// "C:\\baylor\\cil-tms" in the sample request.
private String pathToCompiledMicroservices;
// Package prefix with '/' separators, e.g. "edu/baylor/ecs" in the sample request;
// presumably used to scope the analysis to the organization's own classes — confirm.
private String organizationPath;
// Not present in the sample request; presumably where results are written — confirm.
private String outputPath;
// Role hierarchy specification: role names separated by "\n", with "Parent->Child"
// edges (the sample "SuperAdmin \n SuperAdmin->Admin ..." yields the "root" tree in
// the sample response).
private String securityAnalyzerInterface;
}
/**
 * Top-level response of the analysis endpoint; mirrors the sample JSON output above.
 * NOTE(review): fields are package-private here while the request class uses private
 * fields; presumably accessors are generated — confirm.
 */
public class RadAnalysisResponseContext {
// One entry per analyzed artifact (JAR), carrying that artifact's security context.
List<SecurityContextWrapper> securityContexts = new ArrayList<>();
// REST calls detected between services; each flow records the calling class/method
// and the server endpoint(s) it targets (see "restFlows" in the sample response).
SeerRestFlowContext restFlowContext;
// Cross-service view: all security-annotated methods plus the violations found.
ApiSecurityContext apiSecurityContext;
}
/**
 * API-wide security summary (the "apiSecurityContext" object in the sample response).
 */
public class ApiSecurityContext {
// Every method carrying security roles, with its fully-qualified name, the child
// methods it reaches and the roles attached to it.
private List<SecurityMethod> allSecurityMethods;
// Entity access violations; empty in the sample response, so their shape cannot be
// described from this page.
Set<SeerSecurityEntityAccessViolation> entityAccessViolations;
// Role-constraint violations; the sample response shows "type" values UNRELATED and
// HIERARCHY, each with the offending method and the roles involved.
Set<SeerSecurityConstraintViolation> constraintViolations;
}
/**
 * Pairs one analyzed artifact with its security context (one element of
 * "securityContexts" in the sample response).
 */
public class SecurityContextWrapper {
// Path of the analyzed JAR, e.g. "...\\tms-cms\\target\\cms-0.0.1-SNAPSHOT.jar".
private String resourcePath;
// Per-artifact result: the parsed role hierarchy ("root"), role and entity-access
// violations, and the security roots (controller methods with their roles).
private SeerSecurityContext security;
}