Authorizer - npolar/api.npolar.no GitHub Wiki

The Authorizer is Rack middleware for role-based access control.

The authorizer restricts edits (POST, PUT and DELETE) to users holding an editor role in a specified system. By default, reads are not subject to access control.

The authorizer performs authentication and authorization using two lambda functions.

## Authentication

```ruby
# default authenticated?
lambda {|auth, request| auth.match?(request.username, request.password)}
```

## Authorization

```ruby
# default authorized?
lambda {|auth, system, request|
  # DELETE, POST, PUT require a "writer" or "sysadmin" role in the system; reads pass
  next true unless %w[DELETE POST PUT].include? request.request_method
  (auth.roles(system) & %w[writer sysadmin]).any?
}
```

If you want different roles or different logic, just inject your own lambdas.

If you use the default lambdas, the :auth backend should implement the following methods:

```ruby
def match?(*args) end   # called as match?(username, password); true if the credentials are valid
def roles(system) end   # roles the current user holds in the given system, e.g. ["reader"]
# optional
def username=(username) end
def username; end
```
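The default lambdas and the backend interface above, exercised end to end as an added example (not the project's code): DemoRequest stands in for Rack::Request, MemoryAuth is a hypothetical in-memory backend, and authorize models the decision the middleware makes, including the default of leaving reads unchecked.

```ruby
# Stand-in for Rack::Request: the default lambdas only need these three readers.
DemoRequest = Struct.new(:request_method, :username, :password)
EDIT_METHODS = %w[DELETE POST PUT].freeze

# Hypothetical in-memory backend implementing the interface the default lambdas expect:
# match?(username, password), roles(system) and the optional username= / username.
class MemoryAuth
  attr_accessor :username

  def initialize(users)
    @users = users # {"alice" => {password: "...", roles: {"api" => ["sysadmin"]}}}
  end

  def match?(username, password)
    user = @users[username]
    !user.nil? && user[:password] == password
  end

  # Roles the current user holds in the given system; [] for unknown user or system.
  def roles(system)
    @users.dig(@username, :roles, system) || []
  end
end

# The page's default lambdas, written out in full.
AUTHENTICATED = lambda { |auth, request| auth.match?(request.username, request.password) }
AUTHORIZED = lambda do |auth, system, request|
  next true unless EDIT_METHODS.include?(request.request_method)
  (auth.roles(system) & %w[writer sysadmin]).any?
end

# Decision the middleware makes before passing the request on: [status, reason].
def authorize(auth, system, request, authenticated: AUTHENTICATED, authorized: AUTHORIZED)
  return [200, "read, no access control"] unless EDIT_METHODS.include?(request.request_method)
  return [401, "authentication failed"] unless authenticated.call(auth, request)
  auth.username = request.username # tell the backend whose roles to look up
  return [403, "no writer/sysadmin role in #{system}"] unless authorized.call(auth, system, request)
  [200, "authorized"]
end

# Constructed sample users (not real accounts); bob can read "api" but not edit it.
def demo_auth
  MemoryAuth.new(
    "alice" => { password: "alice-pw", roles: { "api" => ["sysadmin"] } },
    "bob"   => { password: "bob-pw",   roles: { "api" => ["reader"] } }
  )
end
```

The `authenticated:` and `authorized:` keyword arguments play the role of the :authenticated? option shown in the LDAP configuration below: pass your own lambdas to change the roles or the logic.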

## Use

### LDAP

```ruby
require "net/ldap"

use Npolar::Auth::Authorizer, {
  :auth => Net::LDAP.new(:host => "ldap.local"), # see ...
  :system => "system.dn",
  :authenticated? => Npolar::Auth::Ldap.authenticator
}
```

### CouchDB

#### Roles

Npolar::Auth::Couch reads roles from CouchDB documents such as the two below (a group and a person). The `roles` hash maps a system name to the roles held in that system:

```json
{"_id":"api-sysadmin","id":"api-sysadmin","type":"group","systems":["api"],"roles":{"api":["sysadmin"]}}
```

```json
{"_id":"username1","id":"username1","email":"[email protected]","name":"User One","type":"person","groups":["datacentre-staff","api-sysadmin"],"roles":{"api":["reader"]},"dn":"uid=11389,cn=users,dc=polarresearch,dc=org","ssha_password":"#"}
```