aserto 0.0.1 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16cd06af827e4a2522cefc9d6d699d4e7d027ca6780a7d70560e2b6bf1abca24
-  data.tar.gz: 0e23e7ccdb687e005b57f80b446dfce4dce244df30c5c7411b4634aa1c2f0e45
+  metadata.gz: 8367f27ac3bf9072b9b1d09015e555ceb0d33057f91269daa4d67f90ff3afff2
+  data.tar.gz: f552b23fc37d957b7e8f8b3b75acdb28761a9853e2accc93cc00b5177f1749c4
 SHA512:
-  metadata.gz: 460cd9aa2f3380aff50a1ca15ebb6f052c8de0f34a98ba8fc84a7bc21c740cc1ab51ee954976010fb27a2d757ca42ef4d3853b544c4447282bedbca4405ae910
-  data.tar.gz: 0c339a31a7c92c0ace5139f0cd7081f06e9ea77ad5afc43d21e62d758ad36187ebbad4d0901207b6b03ed09982a99b93f0535b3bd779fb79b93f1d1f0004f8c0
+  metadata.gz: 496d44c19c75442b90912ed89cc39aa07327570f1dec7eb7941962e0e0ad10e8b3fb82aabae5feb14650141fdbd2d3e2233cbee98c14fc0e513b1fdf18a2bc57
+  data.tar.gz: c8bc793fbd18940f3f433141d9e8b299e9e879ac30fccbce7eb8e0d6785377960d9946b08b8dd2dee7db0d06efd58eca5850b60cdbcddad8a9d55a556dc676ff

data/README.md

@@ -1,5 +1,10 @@
 # Ruby Rack Middleware for Aserto
 
+[![Gem Version](https://badge.fury.io/rb/aserto.svg)](https://badge.fury.io/rb/aserto)
+[![ci](https://github.com/aserto-dev/aserto-ruby/actions/workflows/ci.yaml/badge.svg)](https://github.com/aserto-dev/aserto-ruby/actions/workflows/ci.yaml)
+[![slack](https://img.shields.io/badge/slack-Aserto%20Community-brightgreen)](https://asertocommunity.slack.com
+)
+
 `Aserto::Authorization` is a middleware that allows Ruby applications to use Aserto as the Authorization provider.
 
 ## Prerequisites
@@ -39,14 +44,14 @@ The middleware accepts the following optional parameters:
 | service_url | `"authorizer.prod.aserto.com:8443"` | Sets the URL for the authorizer endpoint. |
 | decision | `"allowed"` | The decision that will be used by the middleware when creating an authorizer request. |
 | logger | `STDOUT` | The logger to be used by the middleware. |
-| identity_mapping | `{ type: :none }` | The strategy for retrieveing the identity, possible values: `:jwt, :sub, :none` |
+| identity_mapping | `{ type: :none }` | The strategy for retrieving the identity, possible values: `:jwt, :sub, :none` |
 | disabled_for | `[{}]` | Which path and actions to skip the authorization for. |
 | on_unauthorized | `-> { return [403, {}, ["Forbidden"]] }`| A lambda that is executed when the authorization fails. |
 
 ## Identity
 To determine the identity of the user, the middleware can be configured to use a JWT token or a claim using the `identity_mapping` config.
 ```ruby
-# configure the middleware to use a JWT token form the `my-auth-header` header.
+# configure the middleware to use a JWT token from the `my-auth-header` header.
 config.identity_mapping = {
   type: :jwt,
   from: "my-auth-header",
@@ -54,7 +59,7 @@ config.identity_mapping = {
 ```
 ```ruby
 # configure the middleware to use a claim from the JWT token.
-# This will decode the JWT token and extract the `sub` field from payload.
+# This will decode the JWT token and extract the `sub` field from the payload.
 config.identity_mapping = {
   type: :sub,
   from: :sub,
@@ -81,7 +86,7 @@ By default, when computing the policy path, the middleware:
 * converts any character that is not alpha, digit, dot or underscore to underscore
 * converts uppercase characters in the URL path to lowercases
 
-This behavior can be overwritten by providing a custom function:
+This behaviour can be overwritten by providing a custom function:
 
 ```ruby
 # config/initializers/aserto.rb
@@ -96,9 +101,9 @@ end
 ```
 
 ## Resource
-A resource can be any structured data that the authorization policy uses to evaluate decisions. By default, middleware do not include a resource in authorization calls.
+A resource can be any structured data that the authorization policy uses to evaluate decisions. By default, middleware does not include a resource in authorization calls.
 
-This behavior can be overwritten by providing a custom function:
+This behaviour can be overwritten by providing a custom function:
 
 ```ruby
 # config/initializers/aserto.rb

data/VERSION

@@ -1 +1 @@
-0.0.1
+0.0.4

data/lib/aserto/auth_client.rb

@@ -2,6 +2,10 @@
 
 require "aserto-grpc-authz"
 
+require_relative "identity_mapper"
+require_relative "policy_path_mapper"
+require_relative "resource_mapper"
+
 module Aserto
   class AuthClient
     attr_reader :client, :config, :request
@@ -25,31 +29,53 @@ module Aserto
     end
 
     def is
-      is_request = Aserto::Authorizer::Authorizer::V1::IsRequest.new(
-        {
-          policy_context: policy_context,
-          identity_context: identity_context,
-          resource_context: resource_context
-        }
-      )
+      exec_is(config.decision)
+    end
+
+    def allowed?
+      exec_is("allowed")
+    end
+
+    def visible?
+      exec_is("visible")
+    end
+
+    def enabled?
+      exec_is("enabled")
+    end
+
+    private
 
+    def exec_is(decision)
       begin
         response = client.is(
-          is_request, { metadata: {
+          request_is(decision), { metadata: {
             "aserto-tenant-id": config.tenant_id,
             authorization: "basic #{config.authorizer_api_key}"
           } }
         )
       rescue GRPC::BadStatus => e
         Aserto.logger.error(e.inspect)
-        false
+        return false
       end
-      response.to_h.dig(:decisions, 0, :is) || false
+
+      decision = response.decisions.find { |el| el.decision == decision }
+      return false unless decision
+
+      decision.is
     end
 
-    private
+    def request_is(decision)
+      Aserto::Authorizer::Authorizer::V1::IsRequest.new(
+        {
+          policy_context: policy_context(decision),
+          identity_context: identity_context,
+          resource_context: resource_context
+        }
+      )
+    end
 
-    def policy_context
+    def policy_context(decision)
       path = Aserto::PolicyPathMapper.execute(config.policy_root, request)
       Aserto.logger.debug "aserto authorizing: #{path}"
 
@@ -57,7 +83,7 @@ module Aserto
         {
           id: config.policy_id,
           path: path,
-          decisions: [config.decision]
+          decisions: [decision]
         }
       )
     end

data/lib/aserto/authorization.rb

@@ -16,13 +16,14 @@ module Aserto
       allowed = if enabled?(request)
                   Aserto.logger.debug("Aserto authorization enabled")
                   client = Aserto::AuthClient.new(request)
-                  client.is
+                  res = client.is
+                  Aserto.logger.debug("Aserto authorization result -> allowed: #{res}")
+                  res
                 else
                   Aserto.logger.debug("Aserto authorization not enabled")
                   true
                 end
 
-      Aserto.logger.debug("Aserto authorization result -> allowed: #{allowed}")
       return @app.call env if allowed
 
       config.on_unauthorized.call(env)
@@ -32,11 +33,11 @@ module Aserto
 
     def route(request)
       if defined? ::Rails
-        require "aserto/rails/utils"
+        require_relative "rails/utils"
 
         Aserto::Rails::Utils.route(request)
       elsif defined? ::Sinatra
-        require "aserto/sinatra/utils"
+        require_relative "sinatra/utils"
         Aserto::Sinatra::Utils.route(request)
       end
     end

data/lib/aserto/errors.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Aserto
+  class Error < StandardError; end
+
+  class AccessDenied < Error
+    attr_reader :action, :conditions
+    attr_writer :default_message
+
+    def initialize(message = nil, action = nil, conditions = nil)
+      @message = message
+      @action = action
+      @conditions = conditions
+      @default_message = I18n.t(:"unauthorized.default", default: "You are not authorized to access this page.")
+      super()
+    end
+
+    def to_s
+      @message || @default_message
+    end
+
+    def inspect
+      details = %i[action conditions message].filter_map do |attribute|
+        value = instance_variable_get "@#{attribute}"
+        "#{attribute}: #{value.inspect}" if value.present?
+      end.join(", ")
+      "#<#{self.class.name} #{details}>"
+    end
+  end
+end

data/lib/aserto/policy_path_mapper.rb

@@ -8,14 +8,14 @@ module Aserto
         path = request.path_info
 
         if defined? ::Rails
-          require "aserto/rails/utils"
+          require_relative "rails/utils"
 
           route = Aserto::Rails::Utils.route(request)
           path = route[:path] if route
         end
 
         if defined? ::Sinatra
-          require "aserto/sinatra/utils"
+          require_relative "sinatra/utils"
 
           route = Aserto::Sinatra::Utils.route(request)
           path = route[:path] if route

data/lib/aserto.rb

@@ -10,6 +10,7 @@ require_relative "aserto/policy_path_mapper"
 require_relative "aserto/identity_mapper"
 require_relative "aserto/resource_mapper"
 require_relative "aserto/auth_client"
+require_relative "aserto/errors"
 
 module Aserto
   class << self
@@ -61,7 +62,7 @@ module Aserto
     # Aserto.with_identity_mapper do |request|
     #   {
     #     sub: "test",
-    #     type: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_NONE
+    #     type: :none
     #   }
     # end
     def with_identity_mapper

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aserto
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.4
 platform: ruby
 authors:
 - Aserto
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-07-19 00:00:00.000000000 Z
+date: 2022-07-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aserto-grpc-authz
@@ -156,6 +156,7 @@ files:
 - lib/aserto/auth_client.rb
 - lib/aserto/authorization.rb
 - lib/aserto/config.rb
+- lib/aserto/errors.rb
 - lib/aserto/identity_mapper.rb
 - lib/aserto/identity_mapper/base.rb
 - lib/aserto/identity_mapper/jwt.rb
@@ -174,6 +175,7 @@ metadata:
   homepage_uri: https://www.aserto.com
   source_code_uri: https://github.com/aserto-dev/aserto-ruby
   changelog_uri: https://github.com/aserto-dev/aserto-ruby
+  documentation_uri: https://docs.aserto.com/docs/software-development-kits/ruby/middleware
   rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []