aserto 0.0.6 → 0.20.2

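--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
- metadata.gz: ec7d824cf97fc0b087d9f9294e06b82612b74220d2c9960766d83330d56ed1e5
- data.tar.gz: 334ede61a8065c965dfd26654cb759ff0a9548231cedc057ec97f3647a5f9476
+ metadata.gz: e916a9ac3365c314426fc9e8cc2ab563051b7577990e113d80f3770810d0af6d
+ data.tar.gz: 69cf001c50f1e090fc108e10bf6342cefbc80bdb7f357d1b2541081347538ac5
 SHA512:
- metadata.gz: da1e51625ff33aecce4324ef811cfc5d65e445fd3062ee80a9f810f697a0ca25468170ffa12dceba8c46a02db7a8b80f3d562041e33de888f3a4d13c8d64abf2
- data.tar.gz: 9300d6917c93634d4a7059579ea20568bcb2c350306ac37c614d188046be94e4587cf50d133a129376c35c140ee5807c245dac180f0a0445690210348510c94a
+ metadata.gz: 98378b09ed4fceb6ad3baef6b92418fc030e32e218007591adfa6ae6792a77d4be3de685b760831e5d6fcb3381990bf37182519ca4dd607f8b7294e67ea0292b
+ data.tar.gz: b044a93082d419936600ef467388208d2721a8e0c731d2df926db73c3412371abef0cd4f45a68b29fef0649a743f02fc3b06cd2e0845427196c35f808790485e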
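--- a/data/README.md
+++ b/data/README.md
@@ -29,9 +29,6 @@ gem install aserto
 
 ## Configuration
 The following configuration settings are required for the authorization middleware:
- - policy_id
- - tenant_id
- - authorizer_api_key
 - policy_root
 
 These settings can be retrieved from the [Policy Settings](https://console.aserto.com/ui/policies) page of your Aserto account.
@@ -41,7 +38,12 @@ The middleware accepts the following optional parameters:
 | Parameter name | Default value | Description |
 | -------------- | ------------- | ----------- |
 | enabled | true | Enables or disables Aserto Authorization |
-| service_url | `"authorizer.prod.aserto.com:8443"` | Sets the URL for the authorizer endpoint. |
+| policy_name | `""` | The Aserto policy name. |
+| instance_label | `""` | The label of the active policy runtime. |
+| authorizer_api_key | "" | The authorizer API Key |
+| tenant_id | "" | The Aserto Tenant ID |
+| service_url | `"localhost:8282"` | Sets the URL for the authorizer endpoint. |
+| cert_path | `""` | Path to the grpc service certificate when connecting to local topaz instance. |
 | decision | `"allowed"` | The decision that will be used by the middleware when creating an authorizer request. |
 | logger | `STDOUT` | The logger to be used by the middleware. |
 | identity_mapping | `{ type: :none }` | The strategy for retrieving the identity, possible values: `:jwt, :sub, :none` |
@@ -95,7 +97,6 @@ This behaviour can be overwritten by providing a custom function:
 Aserto.with_policy_path_mapper do |policy_root, request|
 method = request.request_method
 path = request.path_info
-
 "custom: #{policy_root}.#{method}.#{path}"
 end
 ```
@@ -149,11 +150,12 @@ config.disabled_for = [
 
 Rails.application.config.middleware.use Aserto::Authorization do |config|
 config.enabled = true
-config.policy_id = "my-policy-id"
-config.tenant_id = "my-tenant-id"
+config.policy_name = "my-policy-name"
+config.instance_label = "my-instance"
 config.authorizer_api_key = Rails.application.credentials.aserto[:authorizer_api_key]
 config.policy_root = "peoplefinder"
-config.service_url = "authorizer.prod.aserto.com:8443"
+config.service_url = "localhost:8282"
+config.cert_path = "/path/to/topaz/cert.crt"
 config.decision = "allowed"
 config.logger = Rails.logger
 config.identity_mapping = {
@@ -184,11 +186,12 @@ end
 # aserto middleware
 use Aserto::Authorization do |config|
 config.enabled = true
-config.policy_id = "my-policy-id"
-config.tenant_id = "my-tenant-id"
+config.policy_name = "my-policy-name"
 config.authorizer_api_key = ENV['authorizer_api_key']
 config.policy_root = "peoplefinder"
-config.service_url = "authorizer.prod.aserto.com:8443"
+config.instance_label = "my-instance"
+config.service_url = "localhost:8282"
+config.cert_path = "/path/to/topaz/cert.crt"
 config.decision = "allowed"
 config.disabled_for = [
 {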
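--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.0.6
+0.20.2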
@@ -1,6 +1,6 @@
1
1
  # frozen_string_literal: true
2
2
 
3
- require "aserto-grpc-authz"
3
+ require "aserto/authorizer"
4
4
 
5
5
  require_relative "identity_mapper"
6
6
  require_relative "policy_path_mapper"
@@ -11,10 +11,10 @@ module Aserto
11
11
  attr_reader :client, :config, :request
12
12
 
13
13
  INTERNAL_MAPPING = {
14
- unknown: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_UNKNOWN,
15
- none: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_NONE,
16
- sub: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_SUB,
17
- jwt: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_JWT
14
+ unknown: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_UNKNOWN,
15
+ none: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_NONE,
16
+ sub: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_SUB,
17
+ jwt: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_JWT
18
18
  }.freeze
19
19
 
20
20
  private_constant :INTERNAL_MAPPING
@@ -22,9 +22,9 @@ module Aserto
22
22
  def initialize(request)
23
23
  @request = request
24
24
  @config = Aserto.config
25
- @client = Aserto::Authorizer::Authorizer::V1::Authorizer::Stub.new(
25
+ @client = Aserto::Authorizer::V2::Authorizer::Stub.new(
26
26
  config.service_url,
27
- GRPC::Core::ChannelCredentials.new
27
+ load_creds
28
28
  )
29
29
  end
30
30
 
@@ -46,14 +46,17 @@ module Aserto
46
46
 
47
47
  private
48
48
 
49
+ def load_creds
50
+ if File.file?(config.cert_path)
51
+ GRPC::Core::ChannelCredentials.new(File.read(config.cert_path))
52
+ else
53
+ GRPC::Core::ChannelCredentials.new
54
+ end
55
+ end
56
+
49
57
  def exec_is(decision)
50
58
  begin
51
- response = client.is(
52
- request_is(decision), { metadata: {
53
- "aserto-tenant-id": config.tenant_id,
54
- authorization: "basic #{config.authorizer_api_key}"
55
- } }
56
- )
59
+ response = client.is(request_is(decision), headers)
57
60
  rescue GRPC::BadStatus => e
58
61
  Aserto.logger.error(e.inspect)
59
62
  return false
@@ -65,23 +68,44 @@ module Aserto
65
68
  decision.is
66
69
  end
67
70
 
71
+ def headers
72
+ headers = {
73
+ authorization: "basic #{config.authorizer_api_key}"
74
+ }
75
+
76
+ headers["aserto-tenant-id"] = config.tenant_id if config.tenant_id && config.tenant_id != ""
77
+
78
+ { metadata: headers }
79
+ end
80
+
68
81
  def request_is(decision)
69
- Aserto::Authorizer::Authorizer::V1::IsRequest.new(
82
+ Aserto::Authorizer::V2::IsRequest.new(
70
83
  {
71
84
  policy_context: policy_context(decision),
85
+ policy_instance: policy_instance,
72
86
  identity_context: identity_context,
73
87
  resource_context: resource_context
74
88
  }
75
89
  )
76
90
  end
77
91
 
92
+ def policy_instance
93
+ return unless config.policy_name && config.instance_label
94
+
95
+ Aserto::Authorizer::V2::Api::PolicyInstance.new(
96
+ {
97
+ name: config.policy_name,
98
+ instance_label: config.instance_label
99
+ }
100
+ )
101
+ end
102
+
78
103
  def policy_context(decision)
79
104
  path = Aserto::PolicyPathMapper.execute(config.policy_root, request)
80
105
  Aserto.logger.debug "aserto authorizing: #{path}"
81
106
 
82
- Aserto::Api::V1::PolicyContext.new(
107
+ Aserto::Authorizer::V2::Api::PolicyContext.new(
83
108
  {
84
- id: config.policy_id,
85
109
  path: path,
86
110
  decisions: [decision]
87
111
  }
@@ -90,7 +114,7 @@ module Aserto
90
114
 
91
115
  def identity_context
92
116
  identity = Aserto::IdentityMapper.execute(request)
93
- Aserto::Api::V1::IdentityContext.new(
117
+ Aserto::Authorizer::V2::Api::IdentityContext.new(
94
118
  {
95
119
  identity: identity.fetch(:identity, "null"),
96
120
  type: INTERNAL_MAPPING[identity.fetch(:type, :unknown)]
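Review bot: `load_creds` silently falls back to the default `GRPC::Core::ChannelCredentials.new` whenever `File.file?(config.cert_path)` is false, so a `cert_path` that is set but mistyped or not mounted turns a pinned-certificate configuration into one that uses the default channel trust with no error or log line. Fall back only when `cert_path` is empty and fail loudly otherwise, e.g. as the first line of the method: `raise ArgumentError, "aserto cert_path is not a readable file: #{config.cert_path}" unless config.cert_path.to_s.empty? || File.file?(config.cert_path)`. The same empty-string-is-truthy issue affects the new `policy_instance`: with the `""` defaults from config.rb, `return unless config.policy_name && config.instance_label` never returns, so a `PolicyInstance` with empty `name` and `instance_label` is always attached to the request; `headers` already guards `tenant_id` with `config.tenant_id != ""`, and `policy_instance` should probably mirror that check. As a point of style, the local variable `headers` inside the `headers` method shadows the method name; `metadata` would read more clearly. The file header for this section is not shown on the page.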
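--- a/data/lib/aserto/config.rb
+++ b/data/lib/aserto/config.rb
@@ -25,7 +25,8 @@ module Aserto
 
 DEFAULT_ATTRS = {
 authorizer_api_key: "",
-service_url: "authorizer.prod.aserto.com:8443",
+tenant_id: "",
+service_url: "localhost:8282",
 decision: "allowed",
 disabled_for: [{}],
 enabled: true,
@@ -33,9 +34,10 @@ module Aserto
 type: :none
 },
 logger: Config.default_logger,
-policy_id: "",
+policy_name: "",
+instance_label: "",
 policy_root: "",
-tenant_id: "",
+cert_path: "",
 on_unauthorized: lambda do |_env|
 return [403, {}, ["Forbidden"]]
 end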
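--- a/data/lib/aserto.rb
+++ b/data/lib/aserto.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require "rack"
-require "aserto-grpc-authz"
+require "aserto/authorizer"
 
 require_relative "aserto/version"
 require_relative "aserto/config"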
metadata CHANGED
@@ -1,29 +1,29 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aserto
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.6
4
+ version: 0.20.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Aserto
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-08-01 00:00:00.000000000 Z
11
+ date: 2022-10-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
- name: aserto-grpc-authz
14
+ name: aserto-authorizer
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - "~>"
17
+ - - ">="
18
18
  - !ruby/object:Gem::Version
19
- version: 0.0.6
19
+ version: 0.0.3
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
- - - "~>"
24
+ - - ">="
25
25
  - !ruby/object:Gem::Version
26
- version: 0.0.6
26
+ version: 0.0.3
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: jwt
29
29
  requirement: !ruby/object:Gem::Requirement
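Review bot: The runtime dependency on `aserto-authorizer` is loosened from `~> 0.0.6` to `>= 0.0.3` with no upper bound, in both `requirement` and `version_requirements`, so any future release of that gem — including one that renames the `Aserto::Authorizer::V2` constants the client code on this page now references — satisfies the spec at install time. A pessimistic constraint keeps the dependency surface bounded while still accepting patch releases: keep `- - "~>"` and set `version: 0.0.3`, or pair `">= 0.0.3"` with an explicit `"< 1.0"`. This file section continues past the end of the page.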