aserto 0.0.6 → 0.20.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec7d824cf97fc0b087d9f9294e06b82612b74220d2c9960766d83330d56ed1e5
-  data.tar.gz: 334ede61a8065c965dfd26654cb759ff0a9548231cedc057ec97f3647a5f9476
+  metadata.gz: 8cd1fbe04f5ef1cc23eba3a78db1fd4476f9daca53af402611a16f74d69c8d5b
+  data.tar.gz: 40ec68f4f792946a19e18076ebbac3d4f3bbf00c5f876c6044d5875572eda9ec
 SHA512:
-  metadata.gz: da1e51625ff33aecce4324ef811cfc5d65e445fd3062ee80a9f810f697a0ca25468170ffa12dceba8c46a02db7a8b80f3d562041e33de888f3a4d13c8d64abf2
-  data.tar.gz: 9300d6917c93634d4a7059579ea20568bcb2c350306ac37c614d188046be94e4587cf50d133a129376c35c140ee5807c245dac180f0a0445690210348510c94a
+  metadata.gz: facf115849a759091eac8a8f722c26f7f8a90d74a6fa158a6d3d63ef8225e1117d87015e4db7bf940a8d4c9561d198af6a27a1a40a603b95a7978663a9fea40c
+  data.tar.gz: 75d16d943d2fc2589009ea1aac863d45ef1ada1663acca38a5cd96abc73584f4843d958f7c3f2635a9e01223c7404146eb33927247151cbd49d2a425a234e5a5

data/README.md

@@ -29,9 +29,6 @@ gem install aserto
 
 ## Configuration
 The following configuration settings are required for the authorization middleware:
- - policy_id
- - tenant_id
- - authorizer_api_key
  - policy_root
 
 These settings can be retrieved from the [Policy Settings](https://console.aserto.com/ui/policies) page of your Aserto account.
@@ -41,7 +38,12 @@ The middleware accepts the following optional parameters:
 | Parameter name | Default value | Description |
 | -------------- | ------------- | ----------- |
 | enabled | true | Enables or disables Aserto Authorization |
-| service_url | `"authorizer.prod.aserto.com:8443"` | Sets the URL for the authorizer endpoint. |
+| policy_name | `""` | The Aserto policy name. |
+| instance_label | `""` | The label of the active policy runtime. |
+| authorizer_api_key | "" | The authorizer API Key |
+| tenant_id | "" | The Aserto Tenant ID |
+| service_url | `"localhost:8282"` | Sets the URL for the authorizer endpoint. |
+| cert_path | `""` | Path to the grpc service certificate when connecting to local topaz instance. |
 | decision | `"allowed"` | The decision that will be used by the middleware when creating an authorizer request. |
 | logger | `STDOUT` | The logger to be used by the middleware. |
 | identity_mapping | `{ type: :none }` | The strategy for retrieving the identity, possible values: `:jwt, :sub, :none` |
@@ -95,7 +97,6 @@ This behaviour can be overwritten by providing a custom function:
 Aserto.with_policy_path_mapper do |policy_root, request|
   method = request.request_method
   path = request.path_info
-
   "custom: #{policy_root}.#{method}.#{path}"
 end
 ```
@@ -149,11 +150,12 @@ config.disabled_for = [
 
 Rails.application.config.middleware.use Aserto::Authorization do |config|
   config.enabled = true
-  config.policy_id = "my-policy-id"
-  config.tenant_id = "my-tenant-id"
+  config.policy_name = "my-policy-name"
+  config.instance_label = "my-instance"
   config.authorizer_api_key = Rails.application.credentials.aserto[:authorizer_api_key]
   config.policy_root = "peoplefinder"
-  config.service_url = "authorizer.prod.aserto.com:8443"
+  config.service_url = "localhost:8282"
+  config.cert_path = "/path/to/topaz/cert.crt"
   config.decision = "allowed"
   config.logger = Rails.logger
   config.identity_mapping = {
@@ -184,11 +186,12 @@ end
 # aserto middleware
 use Aserto::Authorization do |config|
   config.enabled = true
-  config.policy_id = "my-policy-id"
-  config.tenant_id = "my-tenant-id"
+  config.policy_name = "my-policy-name"
   config.authorizer_api_key = ENV['authorizer_api_key']
   config.policy_root = "peoplefinder"
-  config.service_url = "authorizer.prod.aserto.com:8443"
+  config.instance_label = "my-instance"
+  config.service_url = "localhost:8282"
+  config.cert_path = "/path/to/topaz/cert.crt"
   config.decision = "allowed"
   config.disabled_for = [
     {

data/VERSION

@@ -1 +1 @@
-0.0.6
+0.20.3

data/lib/aserto/auth_client.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "aserto-grpc-authz"
+require "aserto/authorizer"
 
 require_relative "identity_mapper"
 require_relative "policy_path_mapper"
@@ -11,10 +11,10 @@ module Aserto
     attr_reader :client, :config, :request
 
     INTERNAL_MAPPING = {
-      unknown: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_UNKNOWN,
-      none: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_NONE,
-      sub: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_SUB,
-      jwt: Aserto::Api::V1::IdentityType::IDENTITY_TYPE_JWT
+      unknown: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_UNKNOWN,
+      none: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_NONE,
+      sub: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_SUB,
+      jwt: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_JWT
     }.freeze
 
     private_constant :INTERNAL_MAPPING
@@ -22,9 +22,9 @@ module Aserto
     def initialize(request)
       @request = request
       @config = Aserto.config
-      @client = Aserto::Authorizer::Authorizer::V1::Authorizer::Stub.new(
+      @client = Aserto::Authorizer::V2::Authorizer::Stub.new(
         config.service_url,
-        GRPC::Core::ChannelCredentials.new
+        load_creds
       )
     end
 
@@ -46,14 +46,18 @@ module Aserto
 
     private
 
+    def load_creds
+      cert_path = config.cert_path
+      if cert_path && File.file?(cert_path)
+        GRPC::Core::ChannelCredentials.new(File.read(cert_path))
+      else
+        GRPC::Core::ChannelCredentials.new
+      end
+    end
+
     def exec_is(decision)
       begin
-        response = client.is(
-          request_is(decision), { metadata: {
-            "aserto-tenant-id": config.tenant_id,
-            authorization: "basic #{config.authorizer_api_key}"
-          } }
-        )
+        response = client.is(request_is(decision), headers)
       rescue GRPC::BadStatus => e
         Aserto.logger.error(e.inspect)
         return false
@@ -65,23 +69,44 @@ module Aserto
       decision.is
     end
 
+    def headers
+      headers = {
+        authorization: "basic #{config.authorizer_api_key}"
+      }
+
+      headers["aserto-tenant-id"] = config.tenant_id if config.tenant_id && config.tenant_id != ""
+
+      { metadata: headers }
+    end
+
     def request_is(decision)
-      Aserto::Authorizer::Authorizer::V1::IsRequest.new(
+      Aserto::Authorizer::V2::IsRequest.new(
         {
           policy_context: policy_context(decision),
+          policy_instance: policy_instance,
           identity_context: identity_context,
           resource_context: resource_context
         }
       )
     end
 
+    def policy_instance
+      return unless config.policy_name && config.instance_label
+
+      Aserto::Authorizer::V2::Api::PolicyInstance.new(
+        {
+          name: config.policy_name,
+          instance_label: config.instance_label
+        }
+      )
+    end
+
     def policy_context(decision)
       path = Aserto::PolicyPathMapper.execute(config.policy_root, request)
       Aserto.logger.debug "aserto authorizing: #{path}"
 
-      Aserto::Api::V1::PolicyContext.new(
+      Aserto::Authorizer::V2::Api::PolicyContext.new(
         {
-          id: config.policy_id,
           path: path,
           decisions: [decision]
         }
@@ -90,7 +115,7 @@ module Aserto
 
     def identity_context
       identity = Aserto::IdentityMapper.execute(request)
-      Aserto::Api::V1::IdentityContext.new(
+      Aserto::Authorizer::V2::Api::IdentityContext.new(
         {
           identity: identity.fetch(:identity, "null"),
           type: INTERNAL_MAPPING[identity.fetch(:type, :unknown)]

data/lib/aserto/config.rb

@@ -25,7 +25,8 @@ module Aserto
 
     DEFAULT_ATTRS = {
       authorizer_api_key: "",
-      service_url: "authorizer.prod.aserto.com:8443",
+      tenant_id: "",
+      service_url: "localhost:8282",
       decision: "allowed",
       disabled_for: [{}],
       enabled: true,
@@ -33,9 +34,10 @@ module Aserto
         type: :none
       },
       logger: Config.default_logger,
-      policy_id: "",
+      policy_name: "",
+      instance_label: "",
       policy_root: "",
-      tenant_id: "",
+      cert_path: "",
       on_unauthorized: lambda do |_env|
         return [403, {}, ["Forbidden"]]
       end

data/lib/aserto.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require "rack"
-require "aserto-grpc-authz"
+require "aserto/authorizer"
 
 require_relative "aserto/version"
 require_relative "aserto/config"

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: aserto
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.20.3
 platform: ruby
 authors:
 - Aserto
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-08-01 00:00:00.000000000 Z
+date: 2022-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: aserto-grpc-authz
+  name: aserto-authorizer
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.6
+        version: 0.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.6
+        version: 0.0.3
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement