Module: Legion::Sandbox

Defined in:
lib/legion/sandbox.rb

Defined Under Namespace

Classes: Policy


Class Method Details

.allowed?(extension_name: nil, gem_name: nil, capability: nil, agent_domain: nil) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/sandbox.rb', line 56

# Non-raising authorization query: may the named extension use +capability+
# and/or act inside +agent_domain+?
#
# Only the constraints that are actually passed get evaluated. A call that
# supplies neither +capability+ nor +agent_domain+ returns +true+, so such a
# call must not be treated as an authorization decision.
#
# When enforcement_enabled? is false every query is answered +true+ and no
# policy is consulted.
#
# @param extension_name [Object, nil] policy lookup key; wins over +gem_name+
# @param gem_name [Object, nil] lookup key used when +extension_name+ is nil/false
# @param capability [Object, nil] checked with the policy's +allowed?+
# @param agent_domain [Object, nil] checked with the policy's +domain_allowed?+
# @return [Boolean] +false+ as soon as one supplied constraint is refused
def allowed?(extension_name: nil, gem_name: nil, capability: nil, agent_domain: nil)
  return true unless enforcement_enabled?

  # NOTE(review): when both names are nil the lookup key is nil, so the result
  # depends entirely on what policy_for hands back for an unknown key — confirm
  # that this is restrictive.
  subject = extension_name || gem_name
  rules = policy_for(subject)

  # The capability is tested first; the domain is only consulted if it passes.
  if capability && !rules.allowed?(capability)
    false
  elsif agent_domain && !rules.domain_allowed?(agent_domain)
    false
  else
    true
  end
end

.clear! ⇒ Object



# File 'lib/legion/sandbox.rb', line 75

# Drops every registered policy by replacing the registry with an empty Hash.
#
# NOTE(review): after this call each lookup falls through to whatever
# policy_for returns for an unregistered name. Whether that is stricter or
# looser than the policies just discarded depends on Policy's defaults, which
# are not visible here — confirm before calling this outside test setup.
#
# @return [Hash] the new, empty registry
def clear!
  @policies = Hash.new
end

.enforce!(extension_name, capability) ⇒ Object

Raises:

  • (SecurityError)


# File 'lib/legion/sandbox.rb', line 47

# Raising counterpart of the capability check: passes silently when the
# extension's policy grants +capability+ and raises otherwise.
#
# When enforcement_enabled? is false nothing is checked and +true+ is returned.
#
# SecurityError descends from Exception, not StandardError, so a bare
# +rescue+ (or +rescue StandardError+) does not catch a denial; callers that
# want to handle it must rescue SecurityError by name.
#
# @param extension_name [Object] policy lookup key
# @param capability [Object] capability being requested
# @return [true] when the capability is granted or enforcement is off
# @raise [SecurityError] when the policy refuses +capability+
def enforce!(extension_name, capability)
  if enforcement_enabled?
    granted = policy_for(extension_name).allowed?(capability)
    # Both arguments are interpolated verbatim into the message.
    raise SecurityError, "Extension #{extension_name} not authorized for: #{capability}" unless granted
  end

  true
end

.enforcement_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/sandbox.rb', line 69

# Tells whether sandbox checks are active.
#
# Two rules are visible here:
# * If the Legion::Settings constant is not defined, enforcement is OFF.
# * Otherwise enforcement is ON unless the :sandbox/:enabled setting is
#   exactly +false+. A missing key (nil) or any other value, including the
#   string "false", leaves enforcement on.
#
# NOTE(review): the first rule makes the sandbox fail open — allowed? and
# enforce! both grant everything while settings are unloaded. Confirm that no
# extension code can run before Legion::Settings is defined.
#
# @return [Boolean]
def enforcement_enabled?
  if defined?(Legion::Settings)
    configured = Legion::Settings.dig(:sandbox, :enabled)
    configured != false
  else
    false
  end
end

.policy_for(extension_name) ⇒ Object



# File 'lib/legion/sandbox.rb', line 43

# Looks up the policy registered for +extension_name+, building a fresh
# Policy from the name alone when none is registered. The fallback object is
# returned to the caller but not stored in the registry.
#
# NOTE(review): the capabilities of that fallback Policy are whatever
# Policy.new defaults to, which is not visible here — confirm it denies by
# default. The name is used as the lookup key as-is, so presumably "foo" and
# :foo address different entries; verify callers register and query with the
# same type.
#
# @param extension_name [Object] registry key
# @return [Policy] the registered policy or a newly built default
def policy_for(extension_name)
  registered = policies[extension_name]
  return registered if registered

  Policy.new(extension_name: extension_name)
end

.register_policy(extension_name, capabilities:, allowed_domains: nil) ⇒ Object



# File 'lib/legion/sandbox.rb', line 35

# Builds a Policy from the given attributes and stores it in the registry
# under +extension_name+.
#
# NOTE(review): the entry is assigned unconditionally, so a second call with
# the same name presumably replaces the earlier policy without warning. No
# caller check is visible in this method; confirm that extensions cannot
# reach it to widen their own grants.
#
# @param extension_name [Object] registry key, also passed to the Policy
# @param capabilities [Object] forwarded to Policy.new as +capabilities:+
# @param allowed_domains [Object, nil] forwarded to Policy.new as +allowed_domains:+
# @return [Policy] the policy that was stored
def register_policy(extension_name, capabilities:, allowed_domains: nil)
  registry = policies
  attributes = {
    extension_name: extension_name,
    capabilities: capabilities,
    allowed_domains: allowed_domains
  }
  registry[extension_name] = Policy.new(**attributes)
end