Our access control decisions are based on attributes: we provide a reverse proxy with Attribute Based Access Control (ABAC). This section describes the different kinds of attributes and how they are gathered. We call the set of all attributes the access control context.
- Definition: Access Control Context
We call the mapping from the four categories subject, object, environment and access to their respective key-to-value mappings the Access Control Context (AC Context). A key in one of these four mappings is called an attribute key.
The subject dictionary is filled with attributes or - as they are called in OpenID Connect - claims. The contents of the subject dictionary are the same as the information returned by the OpenID Connect Userinfo Endpoint. The scopes are requested on demand: if an access control rule tries to access a claim that does not exist, this claim is recorded, and if the evaluation did not result in GRANT, the scopes providing the missing claims are requested from the userinfo endpoint. For self-defined scopes the user can provide a mapping from claim to scope.
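The on-demand claim gathering described above, as an added worked example that is not arpoc's own code: a subject dictionary records every claim a rule asks for but does not have, and the decision loop requests only the scopes that provide those claims before re-evaluating. The claim-to-scope mapping, the rules, the `SubjectClaims`/`decide` names and the fake userinfo endpoint are all constructed for the example; arpoc's real configuration format and class names may differ.

```python
from collections import UserDict

# Constructed claim -> scope mapping; "groups" stands for a self-defined scope.
# (Assumption: the format of arpoc's real mapping configuration may differ.)
CLAIM_TO_SCOPE = {
    "sub": "openid",
    "email": "email",
    "email_verified": "email",
    "groups": "groups",
}

# Constructed stand-in for the OpenID Connect userinfo endpoint: scope -> claims.
_USERINFO = {
    "openid": {"sub": "alice"},
    "email": {"email": "alice@example.com", "email_verified": True},
    "groups": {"groups": ["staff", "dev"]},
}


def fetch_userinfo(scopes):
    """Return the claims the (fake) userinfo endpoint provides for the scopes."""
    claims = {}
    for scope in scopes:
        claims.update(_USERINFO.get(scope, {}))
    return claims


class SubjectClaims(UserDict):
    """Subject dictionary that remembers which claims a rule asked for
    before they were fetched."""

    def __init__(self, initial=None):
        super().__init__(initial or {})
        self.missing = set()

    def __getitem__(self, key):
        if key not in self.data:
            self.missing.add(key)
        return super().__getitem__(key)   # raises KeyError when absent


def evaluate(rule, subject):
    """GRANT or DENY from the rule, UNDEFINED when a claim was not available."""
    try:
        return "GRANT" if rule(subject) else "DENY"
    except KeyError:
        return "UNDEFINED"


def decide(rule, subject, max_rounds=5):
    """Evaluate the rule, requesting scopes for missing claims until the
    evaluation yields GRANT or no further claims can be fetched.
    Returns (decision, list of the scope lists requested, in order)."""
    requested = []
    decision = "UNDEFINED"
    for _ in range(max_rounds):
        decision = evaluate(rule, subject)
        if decision == "GRANT" or not subject.missing:
            break
        scopes = sorted({CLAIM_TO_SCOPE[c] for c in subject.missing if c in CLAIM_TO_SCOPE})
        if not scopes:           # missing claim has no scope mapping: cannot be fetched
            break
        requested.append(scopes)
        subject.update(fetch_userinfo(scopes))
        if subject.missing - set(subject.data):
            break                # endpoint did not deliver the claim: stop retrying
        subject.missing.clear()
    return decision, requested


def rule_internal_only(subject):
    # Constructed rule: membership in "staff" and a verified e-mail address.
    return "staff" in subject["groups"] and subject["email_verified"]


def rule_bob_only(subject):
    # Constructed rule that ends in DENY after the claim has been fetched.
    return subject["email"] == "bob@example.com"
```

Anything other than GRANT stays a non-grant: a claim that no scope can provide, or that the endpoint does not return, leaves the decision UNDEFINED rather than looping or defaulting to access.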
The object dictionary is initialized with the following keys:
path: The requested path excluding the proxy path ( /serviceA/foo -> /foo )
target_url: The URL that is proxied, if access is granted
service: The service name configured in the arpoc configuration
The rest of the object dictionary is populated using so-called objectsetters. Objectsetters are implemented and activated via the plugin system in the configuration file. All objectsetters are run when the first access control entity requests a key that is not in the dictionary.
Each service can define the order in which the objectsetters are run. In the initialization step, every subclass of the class ObjectSetter is collected and added to a priority queue, with the priority specified in the service configuration.
Then, whenever the transformer requests a specific key, it is checked whether the key is already in the data. If it is not, the objectsetters are run. Each objectsetter receives the complete object dictionary as input and can modify every attribute; objectsetters that run later see the content as modified by the objectsetters that ran before them.
The environment variables are also populated with plugins. In contrast to the objectsetters, each environment plugin specifies the attribute key it sets (the target attribute), and the plugin is only called when this attribute is requested.
The plugin's value is cached, so repeated requests for the same variable return the same value.
The access dictionary is populated with the HTTP headers, the body (if present) and the HTTP method of the current HTTP request. The following keys are present:
method: The HTTP method (GET, POST, PUT, DELETE, PATCH)
body: The request body
headers: The request headers
query_dict: The parsed query string (everything after the first '?' in the URL) in dictionary form.
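Building the initial object dictionary (path, target_url, service) and the access dictionary from one request, as an added example that is not arpoc's own code. It covers the `/serviceA/foo -> /foo` stripping from the object section and the method, body, headers and query_dict keys from the access section. The `SERVICES` table, its `proxy_path`/`origin` keys and the `build_context` function are constructed for the example; the one check worth noting is that the proxy path is matched on a path-segment boundary, so a request for `/serviceAB/...` is never attributed to a service configured at `/serviceA`.

```python
from urllib.parse import parse_qs, urlsplit

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH"}

# Constructed service configuration (assumption: arpoc's real config keys differ).
SERVICES = {
    "serviceA": {"proxy_path": "/serviceA", "origin": "http://backend-a.internal:8080"},
    "serviceAB": {"proxy_path": "/serviceAB", "origin": "http://backend-ab.internal:8080"},
}


def match_service(request_path):
    """Return the service whose proxy path matches on a path-segment boundary,
    preferring the longest match. "/serviceAB/x" must not match "/serviceA"."""
    best_name, best_len = None, -1
    for name, cfg in SERVICES.items():
        prefix = cfg["proxy_path"].rstrip("/")
        on_boundary = request_path == prefix or request_path.startswith(prefix + "/")
        if on_boundary and len(prefix) > best_len:
            best_name, best_len = name, len(prefix)
    return best_name


def build_context(method, url, headers, body):
    """Build the object and access dictionaries for one incoming request."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported HTTP method {method!r}")
    parts = urlsplit(url)
    service = match_service(parts.path)
    if service is None:
        raise LookupError(f"no service configured for {parts.path!r}")
    prefix = SERVICES[service]["proxy_path"].rstrip("/")
    path = parts.path[len(prefix):] or "/"            # "/serviceA/foo" -> "/foo"
    target_url = SERVICES[service]["origin"] + path
    if parts.query:
        target_url += "?" + parts.query
    obj = {"path": path, "target_url": target_url, "service": service}
    access = {
        "method": method,
        "body": body,
        "headers": dict(headers),
        "query_dict": parse_qs(parts.query),          # repeated keys -> list of values
    }
    return obj, access
```

`parse_qs` keeps every value of a repeated parameter as a list, so a rule that compares `query_dict["x"]` against a single string has to decide explicitly how to treat `?x=1&x=2` rather than silently taking the first value.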