Open pchainho opened 8 years ago
@pchainho: should Data Object Address Allocation be a functionality of the Policy Engine? I believe the Syncher Manager is more suitable, as it manages data object creation, but I can transfer the code to the Policy Engine if you find it better to.
Apart from this, the remaining points were implemented and committed except for the policy criteria 'hyperty resource'. A while ago we discussed that we needed to have a new field in the messages to specify which is the resource type of the incoming communication out of the ones supported by the hyperty. Is there any way that I can access this information without this field?
The policy engine should use the new `Message.Body.auth` boolean attribute to set whether an authorisation policy was enforced with success (`true`) or if no policy was found (`true`).

For the Data Object Creation / Subscription use cases, the following steps should be performed by the Policy Engine:

data object creation authorisation

1- look for valid policies to be enforced for this data object creation. Different criteria can be used including:
2- set "auth" in Message.body:
2.1- If auth policies found were successfully enforced set `auth=true`
2.2- If no auth policies were found set `auth=false`
2.3- If auth policies found were unsuccessfully enforced (not authorised) return a failure
3- for 2.1 and 2.2, Request Data Object Address Allocation. This is currently implemented in the Sync Manager and it is a question of cut and paste of source code. @shumy pls place here the source code
4- look for `message.body.authorise` array and take all HypertyURLs and set as pre-authorised for the authorised data object creation

data object subscription authorisation

1- look for valid policies to be enforced for this data object subscription. Different criteria can be used including:
1.1- user observer:
1.2- data object scheme
1.3- hyperty resource
1.4- user reporter
1.5- time
2- for 1.1 take Message.from and check for pre-authorised Observers previously defined by the Reporter (see above). Depending on applicable policy set "Message.body.auth" value:
2.1 - user is pre-authorised set `auth=true`
2.2 - user is not pre-authorised set `auth=false`
2.3 - user is not authorised return error
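
The creation and subscription flows listed in the issue above, as an added sketch that is not code from the issue or from the project. `PolicyEngineSketch`, the `{ applies, permits }` policy shape, the `objectUrl` parameter (standing in for the address allocated in step 3) and all URLs are assumptions; "not authorised" is read here as an applicable policy explicitly denying the message.

```javascript
// Added sketch: PolicyEngineSketch and the { applies, permits } policy shape are hypothetical.
class PolicyEngineSketch {
  constructor(policies = []) {
    this.policies = policies;        // [{ applies(msg) -> bool, permits(msg) -> bool }]
    this.preAuthorised = new Map();  // data object URL -> Set of pre-authorised Hyperty URLs
  }

  // Steps 1-2: returns the value for body.auth, throws when a policy denies (2.3).
  evaluate(msg) {
    const applicable = this.policies.filter((p) => p.applies(msg));
    if (applicable.some((p) => !p.permits(msg))) throw new Error('not authorised');
    return applicable.length > 0;    // 2.1 -> true, 2.2 -> false
  }

  // Creation: a denied request throws before any pre-authorisation is recorded.
  authoriseCreation(msg, objectUrl) {
    const auth = this.evaluate(msg);
    const body = msg.body || {};
    const list = Array.isArray(body.authorise) ? body.authorise : [];
    this.preAuthorised.set(objectUrl, new Set(list));   // step 4
    return { ...msg, body: { ...body, auth } };
  }

  // Subscription: a denying policy throws; otherwise auth reflects pre-authorisation.
  authoriseSubscription(msg, objectUrl) {
    this.evaluate(msg);
    const allowed = this.preAuthorised.get(objectUrl);
    const auth = allowed !== undefined && allowed.has(msg.from);  // 2.1 / 2.2
    return { ...msg, body: { ...(msg.body || {}), auth } };
  }
}

// Constructed sample: one policy that applies to creations and denies a single sender.
const engine = new PolicyEngineSketch([{
  applies: (m) => m.type === 'create',
  permits: (m) => m.from !== 'hyperty://example.com/blocked',
}]);
const created = engine.authoriseCreation({
  type: 'create',
  from: 'hyperty://example.com/reporter',
  body: { authorise: ['hyperty://example.com/alice'] },
}, 'comm://example.com/obj1');
console.log(created.body.auth);
```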