Pauldron Policy is a Policy module developed for the Pauldron Authorization Server. It can, however, be used on its own as a very simple authorizatino policy engine.
Validate and query for authorization decisions against policies in the following format:
- Pauldron Simple Policy.
A simple Policy Decision Combiner with a deny-override strategy which accumulates all the obligations from all the decisions.
In Pauldron, policies are evaluated against a simple key-value claims objects in which keys are strings and values can be any object. For example:
The result of the evaluation is an object with two keys,
obligations, respectively, representing the authorization decision and some obligations. The authorization decision can be
NotApplicable. Obligations are encoded in the form of an object with keys representing the obligation identifier and the values representing the obligation parameters. For example:
Policies are JSON objects taking the following form:
type: the policy type.
name: A string used as an identifier or explanation for the policy.
content: The content of the policy.
Pauldron Simple Policy
For Simple Pauldron polices, the
type should be set to
pauldron:simple-policy, and the
content should be JSON object of the following form:
rules: an object which maps a number of string rule IDs to rule objects (discussed below).
PolicyDecisionobject indicating the default decision to be returned if the claims object does not match any of the rules in the policy.
A rule object must have the following form:
name: A string used as an identifier or explanation for the rule.
matchAnyOf: An array of JSON objects. The rule will be activated if any of these objects match the input claims, i.e. all the keys in the object also exist in the claims object and their values match.
PolicyDecisionobject to return if the rule matches the claims object and the condition is satisfied.
Check out the following sample policy as an example; it includes one rule and the default decision to deny with no obligation.
The rule will match any claims object which has a
client_id key with the value
client4. If the claims object also satisfies the condition, a decision to
Permit is returned which also includes an one obligation.
The condition includes one varilable name
pous whose value will be mapped to the propoerty with the same name from the claims object, if exists. This condition will be evaluated to true if:
- There is a
pousproperty in the claims object whose value is an array.
- There is at least one object in that array wich has the following propoerties:
- A property
systemwith the value
- A property
codewith the value
- A property
For policy verification, use the function
SimplePolicy.js. This will throw a suitable exception if the policy is not in the right format:
const SimplePolicy = ; try result = SimplePolicy; catch e console;
For making an authorization query against a policy, call
const SimplePolicyEngine = ; const policy = ;const claims = client_id: "client2" organization: "org1";const decision = SimplePolicyEngine;
Note that the
evaluate method will apply a deny-override strategy if the evaluation of the rules in the policy result in conflicting decisions.
For making an authorization query against a set of policies, call
SimplePolicyDecisionCombinerEngine.js which provides a mechanism to evaluate a set of claims againt an array of policies with a deny-override-accumulate-obligations strategy. This function takes a policy-type-to-engine map in which keys are the policy type and values are an object including an
evalute() returning a value decision. Note that this is to pave the road for future support of other policy types such as XACML.
const SimplePolicyDecisionCombinerEngine SimplePolicyEngine = ;const policyTypeToEnginesMap = "pauldron:simple-policy": SimplePolicyEngine; const decision = SimplePolicyDecisionCombinerEngine;
The library can be installed using
$ yarn install pauldron-policy
- Move to a workspace within the Pauldron main repository.
- Fix issues with package exports.
- Move away from
TypeScriptand use plain
- Switch to
- Pauldron Simple Policy validation and evaluation.
- A simple policy decision combiner engine with deny-override strategy.