App

The entire functionality has to be bundlet at one point. This is the App class. The App class reads in the command line arguments, reads the configuration, creates the ServiceProxy objects, connects them with the OidcHandler, starts the cherrypy instance and coordinates the application flow.

!include ../classes.plantuml
remove arpoc.ac.Policy
remove arpoc.ac.Policy_Set
remove arpoc.ac.AC_Entity
remove arpoc.ac.Rule
remove arpoc.ac.AC_Container
remove arpoc.ac.EvaluationResult
remove arpoc.ac.conflict_resolution.AnyOfAny
remove arpoc.ac.conflict_resolution.And
remove arpoc.ac.conflict_resolution.ConflictResolution
remove arpoc.ac.common.Effects
remove arpoc.ac.parser.TransformAttr
remove arpoc.ac.parser.TopLevelTransformer
remove arpoc.ac.parser.OperatorTransformer
remove arpoc.ac.parser.MiddleLevelTransformer
remove arpoc.ac.parser.ExistsTransformer
remove arpoc.ac.lark_adapter.MyTransformer
remove arpoc.ac.lark_adapter.CombinedTransformer
remove arpoc.base.ServiceProxy
remove arpoc.base.OidcHandler
remove arpoc.base.App
remove arpoc.base.TLSOnlyDispatcher
remove arpoc.cache.Cache
remove arpoc.cache.CacheItem
remove arpoc.config.ACConfig
remove arpoc.config.Misc
remove arpoc.config.OIDCProxyConfig
remove arpoc.config.ProviderConfig
remove arpoc.config.ProxyConfig
remove arpoc.config.ServiceConfig
remove arpoc.exceptions.ACEntityMissing
remove arpoc.exceptions.AttributeMissing
remove arpoc.exceptions.BadRuleSyntax
remove arpoc.exceptions.BadSemantics
remove arpoc.exceptions.ConfigError
remove arpoc.exceptions.DuplicateKeyError
remove arpoc.exceptions.EnvironmentAttributeMissing
remove arpoc.exceptions.OIDCProxyException
remove arpoc.exceptions.ObjectAttributeMissing
remove arpoc.exceptions.SubjectAttributeMissing
remove arpoc.pap.PAPNode
remove arpoc.pap.PolicyAdministrationPoint
remove arpoc.ac.parser.BinaryNumeralOperator
remove arpoc.ac.parser.BinaryOperator
remove arpoc.ac.parser.BinaryOperatorAnd
remove arpoc.ac.parser.BinaryOperatorIn
remove arpoc.ac.parser.BinaryOperatorOr
remove arpoc.ac.parser.BinarySameTypeOperator
remove arpoc.ac.parser.BinaryStringOperator
remove arpoc.ac.parser.Equal
remove arpoc.ac.parser.Greater
remove arpoc.ac.parser.Lesser
remove arpoc.ac.parser.NotEqual
remove arpoc.ac.parser.UOP
remove arpoc.ac.parser.matches
remove arpoc.ac.parser.startswith
remove arpoc.plugins.EnvironmentDict
remove arpoc.plugins.ObjectDict
remove arpoc.plugins.ObligationsDict
remove arpoc.plugins.PrioritizedItem
remove arpoc.plugins._lib.EnvironmentAttribute
remove arpoc.plugins._lib.ObjectSetter
remove arpoc.plugins._lib.Obligation
remove arpoc.plugins.env_attr_time.EnvAttrDateTime
remove arpoc.plugins.env_attr_time.EnvAttrTime
remove arpoc.plugins.env_attr_time.EnvAttrTimeHour
remove arpoc.plugins.env_attr_time.EnvAttrTimeMinute
remove arpoc.plugins.env_attr_time.EnvAttrTimeSecond
remove arpoc.plugins.obj_json.obj_json
remove arpoc.plugins.obj_urlmap.ObjUrlmap
remove arpoc.plugins.obl_loggers.Log
remove arpoc.plugins.obl_loggers.LogFailed
remove arpoc.plugins.obl_loggers.LogSuccessful
remove arpoc.special_pages.Userinfo

argparse

Our proxy should run on clients without a graphical user interface. Therefore, every startup option must be given on the command line. For command line arguments we use Python native module argparse ([argparse]). This way, users can display all recognized command line parameters with –help, and the order of the command line arguments are not relevant. We provide the following options:

  • -c / –config-file to specify the configuration file

  • –print-sample-config to print a default configuration

  • –print-samle-ac to print a default rule, policy and policy set

  • –add-provider in combination with –client-id and –client-secret to add a OpenID connect provider without dynamic registration

  • -d / –daemonize to start ARPOC as a daemon

  • –check-ac to do some checks on the defined access control entities.

CherryPy

A reverse proxy is not different to a normal webserver in tasks like session handling, listening on ports or parsing HTTP requests. The only difference is that the objects it serves are not files or outputs of applications on the server but the output of another webserver. For all tasks of a normal HTTP server we use cherrypy ([cherrypy]). Cherrypy is “a minimalist python web framework” ([cherrypy]). To increase the security of our application, we run the webserver with reduced privileges. We do this by using the dropprivileges plugin ([cherrypy_dropprivileges]). Also the use case for our webserver is to run as a daemon. This is done with the daemonizer plugin ([cherrypy_daemonizer]). After parsing the requests the request must handled by the application. The connector between CherryPy and the application is the dispatcher. Based on the requested URL the dispatcher selects and calls a method of an object. We used the RoutesDispatcher ([cherrypy_routes]) that selects the methods based on matches with regular expressions. For every service an instance of a ServiceProxy (todo: link) class is created, likewise for special pages.