Module: Legion::Rbac::CapabilityAudit

Extended by:
Logging::Helper
Defined in:
lib/legion/rbac/capability_audit.rb

Defined Under Namespace

Classes: AuditResult

Constant Summary

# Lexical markers of privileged behaviour in extension source, each mapped to
# the capability an extension has to declare before using it. The keys are
# plain regexps applied to source text (by scan_source, not shown here), so
# this is a first-line heuristic rather than semantic analysis: a match means
# "this token appears", not "this call is reachable". Iteration order is
# meaningful to the scanner, so keep entries in this order.
PATTERN_TO_CAPABILITY = {
  # Process spawning / shell access. For bare system/exec only the
  # parenthesised call form is recognised; the qualified Kernel.* form is
  # matched with or without parentheses.
  %r{\bKernel\.system\b|\bsystem\s*\(} => :shell_execute,
  %r{\bKernel\.exec\b|\bexec\s*\(} => :shell_execute,
  %r{\bOpen3\b} => :shell_execute,
  %r{`[^`]+`} => :shell_execute, # backtick command literal
  %r{\bIO\.popen\b} => :shell_execute,
  # Dynamic code evaluation (same call-form caveat as system/exec above).
  %r{\bKernel\.eval\b|\beval\s*\(} => :code_eval,
  # Outbound HTTP clients.
  %r{\bNet::HTTP\b} => :network_outbound,
  %r{\bFaraday\b} => :network_outbound,
  %r{\bHTTParty\b} => :network_outbound,
  # Filesystem mutation. File.open is matched regardless of mode, so a
  # read-only open is reported as :filesystem_write as well (a false
  # positive, not a miss); extensions that only read files must still declare it.
  %r{\bFile\.(write|open|delete|rename)\b} => :filesystem_write,
  %r{\bFileUtils\b} => :filesystem_write
}.freeze

Class Method Summary

Class Method Details

.audit(extension_name:, source_path:, declared_capabilities: []) ⇒ Object



# File 'lib/legion/rbac/capability_audit.rb', line 55

# Audit an extension's source tree for uses of privileged APIs and compare
# what was found against the capabilities the extension declared.
#
# The audit is skipped (not failed) when it is disabled in settings or when
# +source_path+ is nil or not an existing directory. Otherwise the source is
# scanned, and any detected capability that was not declared is passed to
# handle_undeclared, which decides the outcome for the configured mode.
#
# @param extension_name [String, Symbol] identifier used in log lines and the result
# @param source_path [String, Pathname, nil] directory to scan
# @param declared_capabilities [Array<String, Symbol>] capabilities the extension claims
# @return [Object] presumably an AuditResult: the value of skip_result when skipped,
#   an allowed AuditResult when nothing undeclared was found, else the value of
#   handle_undeclared; callers read #allowed, #reason, #detected_capabilities and #undeclared
# @raise [StandardError] every failure is reported through handle_exception and re-raised
#
# NOTE(review): a missing or non-directory source_path skips the audit rather
# than failing it; whether skip_result marks such an extension as allowed is
# not visible here — confirm the enforce-mode behaviour for that path.
def audit(extension_name:, source_path:, declared_capabilities: [])
  declared_count = Array(declared_capabilities).size
  log.info(
    "RBAC capability_audit start extension=#{extension_name} source_path=#{source_path} " \
    "declared=#{declared_count}"
  )

  # Resolve the skip reason first; the directory check is only made when the
  # audit is enabled at all.
  skip_reason =
    if !enabled?
      'capability audit disabled'
    elsif !(source_path && Dir.exist?(source_path.to_s))
      'no source path'
    end

  if skip_reason
    skipped = skip_result(extension_name, skip_reason)
    log.info("RBAC capability_audit skipped extension=#{extension_name} reason=#{skipped.reason}")
    return skipped
  end

  detected = scan_source(source_path)
  declared_syms = Array(declared_capabilities).map(&:to_sym)
  # Set difference on the deduplicated detections: anything used but not declared.
  undeclared = detected.uniq - declared_syms

  if undeclared.empty?
    result = AuditResult.new(
      extension_name: extension_name,
      detected:       detected,
      declared:       declared_syms,
      allowed:        true
    )
  else
    result = handle_undeclared(extension_name, detected, declared_syms, undeclared)
  end

  log.info(
    "RBAC capability_audit extension=#{extension_name} allowed=#{result.allowed} " \
    "detected=#{result.detected_capabilities.size} undeclared=#{result.undeclared.size}"
  )
  result
rescue StandardError => e
  # Report with context, then let the caller see the original exception.
  handle_exception(
    e,
    level:          :error,
    operation:      'rbac.capability_audit.audit',
    extension_name: extension_name,
    source_path:    source_path
  )
  raise
end

.enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/rbac/capability_audit.rb', line 102

# Whether the capability audit is switched on.
#
# The audit is on by default and is only turned off by the literal +false+
# under +:enabled+ in capability_audit_settings. Any other value — nil, a
# missing key, or the string "false" — leaves it enabled, so a malformed
# setting fails towards auditing rather than silently disabling it.
#
# @return [Boolean]
def enabled?
  capability_audit_settings[:enabled] != false
end

.mode ⇒ Object



# File 'lib/legion/rbac/capability_audit.rb', line 107

# The configured audit mode as a String, defaulting to 'enforce' when
# +:mode+ is unset (nil or false) in capability_audit_settings. Symbols and
# other objects are converted with +to_s+.
#
# No validation is done here; an unrecognised mode string is returned as-is,
# so how it is treated depends on the consumers of this value (not shown
# here — confirm they fall back to enforcing rather than permitting).
#
# @return [String]
def mode
  configured = capability_audit_settings[:mode]
  configured ? configured.to_s : 'enforce'
end