License: Apache
Language: Kotlin
Operating system: cross-platform
Software type: open source software
Open source organization: (not listed)
Region: China
Submitted by: Ahoo-Wang
Target audience: unknown
Added: 2022-11-26

Overview

CoSec is a multi-tenant reactive security framework based on RBAC and policies.

Authentication

[Figure: Authentication-Flow]

Authorization

[Figure: Authorization-Flow]

OAuth

[Figure: OAuth-Flow]

Modeling class diagram

[Figure: Modeling]

Security gateway service

[Figure: Gateway]

Authorization policy flow

[Figure: Authorization Policy]

Built-in policy matchers

ActionMatcher

[Figure: ActionMatcher]

How to customize an ActionMatcher (SPI)

See PathActionMatcher for reference.

// Action-side counterpart of the ConditionMatcher SPI shown below: a factory that
// declares its type and builds the matcher from the policy configuration.
class CustomActionMatcherFactory : ActionMatcherFactory {
    companion object {
        const val TYPE = "[CustomActionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ActionMatcher {
        return CustomActionMatcher(configuration)
    }
}

class CustomActionMatcher(configuration: Configuration) :
    AbstractActionMatcher(CustomActionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic: return true when the request's action matches this matcher
        TODO("Custom matching logic")
    }
}

META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory

# CustomActionMatcherFactory fully qualified name

ConditionMatcher

[Figure: ConditionMatcher]

How to customize a ConditionMatcher (SPI)

See ContainsConditionMatcher for reference.

// A factory declares its condition type (the key used in policy JSON) and builds the
// matcher from the policy configuration.
class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        const val TYPE = "[CustomConditionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}

class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic: return true when the request and security context satisfy the condition
        TODO("Custom matching logic")
    }
}

META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory

# CustomConditionMatcherFactory fully qualified name

Policy Schema

Configure the Policy Schema to enable input auto-completion in the IDE (IntelliJ IDEA).

Policy Demo

{
  "id": "id",
  "name": "name",
  "category": "category",
  "description": "description",
  "type": "global",
  "tenantId": "tenantId",
  "condition": {
    "bool": {
      "and": [
        {
          "authenticated": {}
        },
        {
          "rateLimiter": {
            "permitsPerSecond": 10
          }
        }
      ]
    }
  },
  "statements": [
    {
      "action": {
        "path": {
          "pattern": "/user/#{principal.id}/*",
          "options": {
            "caseSensitive": false,
            "separator": "/",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "Anonymous",
      "action": [
        "/auth/register",
        "/auth/login"
      ]
    },
    {
      "name": "UserScope",
      "action": "/user/#{principal.id}/*",
      "condition": {
        "authenticated": {}
      }
    },
    {
      "name": "Developer",
      "action": "*",
      "condition": {
        "in": {
          "part": "context.principal.id",
          "value": [
            "developerId"
          ]
        }
      }
    },
    {
      "name": "RequestOriginDeny",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.origin",
          "pattern": "^(http|https)://github.com"
        }
      }
    },
    {
      "name": "IpBlacklist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "path": {
          "part": "request.remoteIp",
          "pattern": "192.168.0.*",
          "options": {
            "caseSensitive": false,
            "separator": ".",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "RegionWhitelist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.attributes.ipRegion",
          "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
        }
      }
    },
    {
      "name": "AllowDeveloperOrIpRange",
      "action": "*",
      "condition": {
        "bool": {
          "and": [
            {
              "authenticated": {}
            }
          ],
          "or": [
            {
              "in": {
                "part": "context.principal.id",
                "value": [
                  "developerId"
                ]
              }
            },
            {
              "path": {
                "part": "request.remoteIp",
                "pattern": "192.168.0.*",
                "options": {
                  "caseSensitive": false,
                  "separator": ".",
                  "decodeAndParseSegments": false
                }
              }
            }
          ]
        }
      }
    },
    {
      "name": "TestContains",
      "effect": "allow",
      "action": "*",
      "condition": {
        "contains": {
          "part": "request.attributes.ipRegion",
          "value": "上海"
        }
      }
    },
    {
      "name": "TestStartsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "startsWith": {
          "part": "request.attributes.ipRegion",
          "value": "中国"
        }
      }
    },
    {
      "name": "TestEndsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "endsWith": {
          "part": "request.attributes.remoteIp",
          "value": ".168.0.1"
        }
      }
    }
  ]
}
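As an added example (not CoSec's own code), a small Python evaluator for a constructed subset of the policy demo above: it resolves `part` paths, applies the condition matchers, expands `#{principal.id}` in action patterns, and combines statements with a deny-overrides rule assumed from the AWS IAM design the framework cites. The segment-wise `path` semantics and the `bool` and/or combination are likewise assumptions.

```python
import fnmatch
import re

# Added example evaluator, not CoSec's code; the policy is a constructed subset of the page's demo.
POLICY = {"statements": [
    {"name": "Anonymous", "action": ["/auth/register", "/auth/login"]},
    {"name": "UserScope", "action": "/user/#{principal.id}/*", "condition": {"authenticated": {}}},
    {"name": "RequestOriginDeny", "effect": "deny", "action": "*", "condition": {"regular": {
        "negate": True, "part": "request.origin", "pattern": "^(http|https)://github.com"}}},
    {"name": "IpBlacklist", "effect": "deny", "action": "*", "condition": {"path": {
        "part": "request.remoteIp", "pattern": "192.168.0.*", "options": {"separator": "."}}}}]}

def part_of(ctx, part):
    """Resolve a dotted 'part' such as request.remoteIp or context.principal.id."""
    for key in part.split("."):
        ctx = ctx.get(key) if isinstance(ctx, dict) else None
    return ctx
def path_match(pattern, text, opts=None):
    """Segment-wise glob (assumed 'path' semantics): '*' matches one segment, never a separator."""
    sep = (opts or {}).get("separator", "/")
    pats, segs = pattern.split(sep), text.split(sep)
    return len(pats) == len(segs) and all(fnmatch.fnmatchcase(s, p) for p, s in zip(pats, segs))
def match_condition(cond, ctx):
    """Evaluate one condition object; a statement without a condition always matches."""
    if not cond:
        return True
    (kind, cfg), = cond.items()
    if kind == "authenticated":
        return part_of(ctx, "context.principal.id") is not None
    if kind == "bool":  # assumed: every 'and' entry and at least one 'or' entry must hold
        return all(match_condition(c, ctx) for c in cfg.get("and", [])) and (
            "or" not in cfg or any(match_condition(c, ctx) for c in cfg["or"]))
    text = str(part_of(ctx, cfg["part"]) or "")
    ops = {"in": lambda: text in cfg["value"], "contains": lambda: cfg["value"] in text,
           "startsWith": lambda: text.startswith(cfg["value"]), "endsWith": lambda: text.endswith(cfg["value"]),
           "regular": lambda: re.search(cfg["pattern"], text) is not None,
           "path": lambda: path_match(cfg["pattern"], text, cfg.get("options"))}
    return ops[kind]() != bool(cfg.get("negate", False))  # 'negate' flips the result
def match_action(action, ctx):
    """'*' matches every request; otherwise expand #{principal.id} and glob the request path."""
    pid, path = str(part_of(ctx, "context.principal.id") or ""), str(part_of(ctx, "request.path") or "")
    return any(p == "*" or path_match(p.replace("#{principal.id}", pid), path)
               for p in (action if isinstance(action, list) else [action]))
def evaluate(policy, ctx):
    """Deny overrides (assumed, as in AWS IAM): a matching deny wins, else a matching allow, else deny."""
    matched = [s for s in policy["statements"]
               if match_action(s["action"], ctx) and match_condition(s.get("condition"), ctx)]
    effects = {s.get("effect", "allow") for s in matched}
    return ("deny" if "deny" in effects or not effects else "allow"), [s["name"] for s in matched]
```

Note that `/user/#{principal.id}/*` only reaches one segment below the user's own prefix, and that a denying statement such as `IpBlacklist` wins even when an allowing statement also matches.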

App Permission Metadata Schema

Configure the App Permission Schema to enable input auto-completion in the IDE (IntelliJ IDEA).

App Permission Metadata Demo

{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        {
          "authenticated": {}
        },
        {
          "groupedRateLimiter": {
            "part": "request.remoteIp",
            "permitsPerSecond": 10,
            "expireAfterAccessSecond": 1000
          }
        },
        {
          "inTenant": {
            "value": "default"
          }
        }
      ]
    }
  },
  "groups": [
    {
      "name": "order",
      "description": "order management",
      "permissions": [
        {
          "id": "manage.order.ship",
          "name": "Ship",
          "description": "Ship",
          "action": "/order/ship"
        },
        {
          "id": "manage.order.issueInvoice",
          "name": "Issue an invoice",
          "description": "Issue an invoice",
          "action": "/order/issueInvoice"
        }
      ]
    }
  ]
}

OpenTelemetry

[Figure: CoSec-OpenTelemetry]

CoSec follows the OpenTelemetry General identity attributes specification.

Acknowledgements

The CoSec permission policy design is modelled on AWS IAM.

Posted news, 2023/07/26 09:22

CoSec 2.2.0 released: a multi-tenant reactive security framework based on RBAC and policies

Multi-tenant reactive security framework based on RBAC and policies. Changes (v2.2.0) 🎉 🎉 🎉 Full support for Spring Boot 3. Dependency: update me.ahoo.cosid:cosid-bom to v2.2.5. Dependency: update org.springframework.boot:spring-boot-dependencies to v3.1.2. Dependency: update me.ahoo.cocache:cocache-bom to v2.0.3. Feature: add MatcherFactoryRegister, which scans and registers the ConditionMatcherFactory / ActionMatcherFactory beans defined in the Spring container, enhancing the SPI feature...

Posted news, 2023/03/27 08:09

CoSec v1.16.8 released: a multi-tenant reactive security framework based on RBAC and policies

Multi-tenant reactive security framework based on RBAC and policies. Changes (v1.16.8) 🎉 🎉 🎉 Feature: add CompositeActionMatcher { "name": "TestComposite", "effect": "allow", "action": { "composite": [ "/user/#{principal.id}/*", { "path": { "method": "POST", "pattern": [ "/user/#{principal.id}...

Posted news, 2023/03/24 11:45

CoSec v1.16.3 released: a multi-tenant reactive security framework based on RBAC and policies

Multi-tenant reactive security framework based on RBAC and policies. Changes (v1.16.3) 🎉 🎉 🎉 Feature: add GroupedRateLimiterConditionMatcher to support grouped rate limiting. { "groupedRateLimiter": { "part": "request.remoteIp", "permitsPerSecond": 10, "expireAfterAccessSecond": 1000 } } Feature: Policy / AppPermission support a top-level Condition, reducing repeated configuration. Refactor: rework role permission policies for better usability { "id": "manage...

Posted news, 2023/01/11 09:34

CoSec v1.10.4 released: a multi-tenant reactive security framework based on RBAC and policies

CoSec, a multi-tenant reactive security framework based on RBAC and policies. Changes (v1.10.4) 🎉 🎉 🎉 Feature: add StartsWithConditionMatcher. { "name": "TestStartsWith", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "starts_with", "part": "request.attributes.ipRegion", "pattern": "中国"...

Posted news, 2023/01/10 14:07

CoSec v1.10.1 released: a multi-tenant reactive security framework based on RBAC and policies

CoSec, a multi-tenant reactive security framework based on RBAC and policies. Changes (v1.10.1) 🎉 🎉 🎉 Feature: add ContainsConditionMatcher. { "name": "TestContains", "effect": "allow", "actions": [ { "type": "all" } ], "condition": { "type": "contains", "part": "request.attributes.ipRegion", "pattern": "上海" ...

Posted news, 2023/01/08 10:19

CoSec v1.10.0 released: a multi-tenant reactive security framework based on RBAC and policies

CoSec, a multi-tenant reactive security framework based on RBAC and policies. Changes (v1.10.0) 🎉 🎉 🎉 ⭐ Changes: Dependency: update io.opentelemetry:opentelemetry-bom to v1.22.0. Feature: add BoolConditionMatcher, a boolean condition matcher that supports unlimited nesting to enrich condition matcher semantics. { "name": "AllowDeveloperOrIpRange", "effect": "allow", "actions": [ { "type": "all" } ...

Posted news, 2023/01/06 21:13

CoSec v1.9.0 released: a multi-tenant reactive security framework based on RBAC and policies

CoSec, a multi-tenant reactive security framework based on RBAC and policies. Changes (v1.9.0) 🎉 🎉 🎉 ⭐ Features: Feature: add the RequestAttributesAppender API. Feature: add Ip2RegionRequestAttributesAppender, supporting an IP region matcher. { "name": "RegionWhitelist", "effect": "deny", "actions": [ { "type": "all" } ], "conditions": [ { ...