aserto 0.20.3 → 0.20.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8cd1fbe04f5ef1cc23eba3a78db1fd4476f9daca53af402611a16f74d69c8d5b
-  data.tar.gz: 40ec68f4f792946a19e18076ebbac3d4f3bbf00c5f876c6044d5875572eda9ec
+  metadata.gz: 96e9f934b980519a7f6f2a737ba3f3120a255fdcaff12a9adf4b343e4b74df27
+  data.tar.gz: 775bf4b1af000a1fed33d3dd1a86073cb8d021ca3220b941919d3ba58ce3903d
 SHA512:
-  metadata.gz: facf115849a759091eac8a8f722c26f7f8a90d74a6fa158a6d3d63ef8225e1117d87015e4db7bf940a8d4c9561d198af6a27a1a40a603b95a7978663a9fea40c
-  data.tar.gz: 75d16d943d2fc2589009ea1aac863d45ef1ada1663acca38a5cd96abc73584f4843d958f7c3f2635a9e01223c7404146eb33927247151cbd49d2a425a234e5a5
+  metadata.gz: d25293714c54198bf6ecbfadde8fde7b99e329205a95bd56bd74691d1afafb359f086ee09a68f6c82560f45b4b5107d6405d8b24787a68b93210b1f3bbcd9fef
+  data.tar.gz: 833aa4f4416ca12352a857557c53433e129bf80768c9d3d4df5f7ad948c48c114295d929497f3e1eb64552ba2fd64cb7e20ea229259b6fec6c7cd523a9007da4

data/README.md

@@ -1,16 +1,10 @@
-# Ruby Rack Middleware for Aserto
+# Aserto Ruby SDK
 
 [![Gem Version](https://badge.fury.io/rb/aserto.svg)](https://badge.fury.io/rb/aserto)
 [![ci](https://github.com/aserto-dev/aserto-ruby/actions/workflows/ci.yaml/badge.svg)](https://github.com/aserto-dev/aserto-ruby/actions/workflows/ci.yaml)
 [![slack](https://img.shields.io/badge/slack-Aserto%20Community-brightgreen)](https://asertocommunity.slack.com
 )
 
-`Aserto::Authorization` is a middleware that allows Ruby applications to use Aserto as the Authorization provider.
-
-## Prerequisites
-* [Ruby](https://www.ruby-lang.org/en/downloads/) 2.7 or newer.
-* An [Aserto](https://console.aserto.com) account.
-
 ## Installation
 Add to your application Gemfile:
 
@@ -27,7 +21,117 @@ Or install it yourself as:
 gem install aserto
 ```
 
-## Configuration
+## Directory
+
+The Directory APIs can be used to get or set object instances and relation instances. They can also be used to check whether a user has a permission or relation on an object instance.
+
+### Directory Client
+
+You can initialize a directory client as follows:
+
+```ruby
+require 'aserto/directory/client'
+
+directory_client = Aserto::Directory::Client.new(
+  url: "directory.eng.aserto.com:8443",
+  tenant_id: "aserto-tenant-id",
+  api_key: "basic directory api key",
+)
+```
+
+- `url`: hostname:port of directory service (_required_)
+- `api_key`: API key for directory service (_required_ if using hosted directory)
+- `tenant_id`: Aserto tenant ID (_required_ if using hosted directory)
+- `cert_path`: Path to the grpc service certificate when connecting to local topaz instance.
+
+### Getting objects and relations
+Get an object instance with the type `type-name` and the key `object-key`. For example:
+
+```ruby
+user = directory_client.object(type: 'user', key: 'euang@acmecorp.com')
+```
+
+Get an array of relations of a certain type for an object instance. For example:
+
+```ruby
+identity = 'euang@acmecorp.com';
+relations = directory_client.relation(
+  {
+    subject: {
+      type: 'user',
+    },
+    object: {
+      type: 'identity',
+      key: identity
+    },
+    relation: {
+      name: 'identifier',
+      objectType: 'identity'
+    }
+  }
+)
+```
+
+### Setting objects and relations
+
+Create a new object
+```ruby
+user = directory_client.set_object(object: { type: "user", key: "test-object", display_name: "test object" })
+identity = directory_client.set_object(object: { type: "identity", key: "test-identity" })
+```
+
+Update an existing object
+```ruby
+user = directory_client.set_object(object: { type: "user", key: "test-object", display_name: "test object" })
+user.display_name = 'test object edit'
+updated_user = directory_client.set_object(object: user)
+```
+
+Create a new relation
+```ruby
+directory_client.set_relation(
+  subject: { type: "user", "test-object" },
+  relation: "identifier",
+  object: { type: "identity", key: "test-identity" }
+)
+```
+
+Delete a relation
+```ruby
+pp client.delete_relation(
+  subject: { type: "user", key: "test-object" },
+  relation: { name: "identifier", object_type: "identity" },
+  object: { type: "identity", key: "test-identity" }
+)
+```
+
+### Checking permissions and relations
+Check permission
+```ruby
+directory_client.check_permission(
+  subject: { type: "user", key: "011a88bc-7df9-4d92-ba1f-2ff319e101e1" },
+  permission: { name: "read" },
+  object: { type: "group", key: "executive" }
+)
+```
+
+Check relation
+```ruby
+directory_client.check_relation(
+  subject: { type: "user", key: "dfdadc39-7335-404d-af66-c77cf13a15f8" },
+  relation: { name: "identifier", object_type: "identity" },
+  object: { type: "identity", key: "euang@acmecorp.com" }
+)
+```
+
+## Authorizer
+`Aserto::Authorization` is a middleware that allows Ruby applications to use Aserto as the Authorization provider.
+
+### Prerequisites
+* [Ruby](https://www.ruby-lang.org/en/downloads/) 2.7 or newer.
+* An [Aserto](https://console.aserto.com) account.
+
+### Configuration
 The following configuration settings are required for the authorization middleware:
  - policy_root
 
@@ -50,7 +154,7 @@ The middleware accepts the following optional parameters:
 | disabled_for | `[{}]` | Which path and actions to skip the authorization for. |
 | on_unauthorized | `-> { return [403, {}, ["Forbidden"]] }`| A lambda that is executed when the authorization fails. |
 
-## Identity
+### Identity
 To determine the identity of the user, the middleware can be configured to use a JWT token or a claim using the `identity_mapping` config.
 ```ruby
 # configure the middleware to use a JWT token from the `my-auth-header` header.
@@ -82,7 +186,7 @@ Aserto.with_identity_mapper do |request|
 end
 ```
 
-## URL path to policy mapping
+### URL path to policy mapping
 By default, when computing the policy path, the middleware:
 * converts all slashes to dots
 * converts any character that is not alpha, digit, dot or underscore to underscore
@@ -101,7 +205,7 @@ Aserto.with_policy_path_mapper do |policy_root, request|
 end
 ```
 
-## Resource
+### Resource
 A resource can be any structured data that the authorization policy uses to evaluate decisions. By default, middleware does not include a resource in authorization calls.
 
 This behaviour can be overwritten by providing a custom function:
@@ -115,14 +219,14 @@ Aserto.with_resource_mapper do |request|
 end
 ```
 
-## Disable authorization for specific paths
+### Disable authorization for specific paths
 
 The middleware exposes a `disable_for` configuration option that
 accepts an array of hashes with the following keys:
  - path - the path to disable authorization for
  - actions - an array of actions to disable authorization for
 
-### Rails
+#### Rails
 You can find the paths and actions using `bundle exec rails routes`
 ```bash
 bundle exec rails routes
@@ -142,9 +246,9 @@ config.disabled_for = [
   }
 ]
 ```
-## Examples
+### Examples
 
-### Rails
+#### Rails
 ```ruby
 # config/initializers/aserto.rb
 
@@ -179,7 +283,7 @@ Rails.application.config.middleware.use Aserto::Authorization do |config|
 end
 ```
 
-### Sinatra
+#### Sinatra
 ```ruby
 # server.rb
 

data/VERSION

@@ -1 +1 @@
-0.20.3
+0.20.4

data/lib/aserto/directory/client.rb

@@ -0,0 +1,143 @@
+# frozen_string_literal: true
+
+require "aserto/directory"
+require_relative "interceptors/headers"
+require_relative "requests"
+
+module Aserto
+  module Directory
+    class Client
+      include Requests
+
+      # Creates a new Directory Client
+      #
+      # @param url [String] the gRpc url of the directory server
+      # @param api_key [String] the api key of the directory server(for hosted directory)
+      # @param tenant_id [String] the tenant id of the directory server(for hosted directory)
+      # @param cert_path [String] the path to the certificates folder
+      #
+      # @return [Aserto::Directory::Client] the new Directory Client
+      def initialize(url: "directory.prod.aserto.com:8443", api_key: nil, tenant_id: nil, cert_path: nil)
+        @reader_client = ::Aserto::Directory::Reader::V2::Reader::Stub.new(
+          url,
+          load_creds(cert_path),
+          interceptors: [Interceptors::Headers.new(api_key, tenant_id)]
+        )
+        @writer_client = ::Aserto::Directory::Writer::V2::Writer::Stub.new(
+          url,
+          load_creds(cert_path),
+          interceptors: [Interceptors::Headers.new(api_key, tenant_id)]
+        )
+      end
+
+      # Check permissions
+      #
+      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param permission [String] permission name to be checked
+      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param trace [Boolean] whether to enable tracing
+      #
+      # @return [Boolean]
+      def check_permission(subject:, permission:, object:, trace: false)
+        reader_client.check_permission(check_permission_request(subject, permission, object, trace))
+      end
+
+      # Check relation
+      #
+      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier] relation name to be checked
+      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param trace [Boolean] whether to enable tracing
+      #
+      # @return [Boolean]
+      def check_relation(subject:, relation:, object:, trace: false)
+        reader_client.check_relation(check_relation_request(subject, relation, object, trace))
+      end
+
+      # Get an object by type and key
+      #
+      # @param type [String] the type of object
+      # @param key [String] the key of the object
+      #
+      # @return [::Aserto::Directory::Common::V2::Object]
+      def object(type:, key:)
+        reader_client.get_object(object_request(key, type)).result
+      end
+
+      # Set an object
+      #
+      # @param object [::Aserto::Directory::Common::V2::Object]
+      #
+      # @return [::Aserto::Directory::Common::V2::Object] the created/updated object
+      def set_object(object:)
+        writer_client.set_object(new_object_request(object)).result
+      end
+
+      # Get a list of objects by type
+      #
+      # @param type [String] the type of objects
+      # @param page [::Aserto::Directory::Common::V2::PaginationRequest]
+      #
+      # @return [Array<::Aserto::Directory::Common::V2::Object>]
+      def objects(type:, page: nil)
+        reader_client.get_objects(objects_request(type, page)).results
+      end
+
+      # Get a relation
+      #
+      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
+      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      #
+      # @return [::Aserto::Directory::Common::V2::Relation]
+      def relation(subject: nil, relation: nil, object: nil)
+        reader_client.get_relation(relation_request(subject, relation, object)).results
+      end
+
+      # Get a list of relations
+      #
+      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
+      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      #
+      # @return [Array<::Aserto::Directory::Common::V2::Relation>]
+      def relations(subject: nil, relation: nil, object: nil, page: nil)
+        reader_client.get_relations(relations_request(subject, relation, object, page)).results
+      end
+
+      # Set a relation
+      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param relation [String] name of the relation
+      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param hash [String] hash of the relation(required for updating a relation)
+      #
+      # @return [::Aserto::Directory::Common::V2::Relation] the created/updated relation
+      def set_relation(subject:, relation:, object:, hash: nil)
+        writer_client.set_relation(new_relation_request(subject, relation, object, hash)).result
+      end
+
+      # Delete a relation
+      #
+      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
+      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+      #
+      # @return nil
+      def delete_relation(subject:, relation:, object:)
+        writer_client.delete_relation(delete_relation_request(subject, relation, object))
+      end
+
+      private
+
+      attr_reader :reader_client, :writer_client
+
+      def load_creds(cert_path)
+        if cert_path && File.file?(cert_path)
+          GRPC::Core::ChannelCredentials.new(File.read(cert_path))
+        else
+          GRPC::Core::ChannelCredentials.new
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/interceptors/headers.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module Interceptors
+      class Headers < GRPC::ClientInterceptor
+        def initialize(api_key, tenant_id)
+          @api_key = api_key
+          @tenant_id = tenant_id
+          super()
+        end
+
+        def request_response(method:, request:, call:, metadata:)
+          metadata["aserto-tenant-id"] = @tenant_id
+          metadata["authorization"] = @api_key
+
+          yield(method, request, call, metadata)
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/requests.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module Requests
+      private
+
+      def check_permission_request(subject, permission, object, trace)
+        subject_identifier = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(subject)
+        permission_identifier = ::Aserto::Directory::Common::V2::PermissionIdentifier.new(permission)
+        object_identifier = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(object)
+        ::Aserto::Directory::Reader::V2::CheckPermissionRequest.new(
+          {
+            object: object_identifier,
+            subject: subject_identifier,
+            permission: permission_identifier,
+            trace: trace
+          }
+        )
+      end
+
+      def check_relation_request(subject, relation, object, trace)
+        subject_identifier = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(subject)
+        relation_identifier = ::Aserto::Directory::Common::V2::RelationTypeIdentifier.new(relation)
+        object_identifier = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(object)
+        ::Aserto::Directory::Reader::V2::CheckRelationRequest.new(
+          {
+            object: object_identifier,
+            subject: subject_identifier,
+            relation: relation_identifier,
+            trace: trace
+          }
+        )
+      end
+
+      def object_request(key, type)
+        object_identifier = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(type: type, key: key)
+        ::Aserto::Directory::Reader::V2::GetObjectRequest.new(param: object_identifier)
+      end
+
+      def new_object_request(object)
+        ::Aserto::Directory::Writer::V2::SetObjectRequest.new(object: object)
+      end
+
+      def objects_request(type, page)
+        object_type_identifier = ::Aserto::Directory::Common::V2::ObjectTypeIdentifier.new(
+          { name: type }
+        )
+        ::Aserto::Directory::Reader::V2::GetObjectsRequest.new(param: object_type_identifier, page: page)
+      end
+
+      def relation_request(subject, relation, object)
+        ::Aserto::Directory::Reader::V2::GetRelationRequest.new(
+          param: relation_identifier(subject, relation, object)
+        )
+      end
+
+      def relations_request(subject, relation, object, page)
+        ::Aserto::Directory::Reader::V2::GetRelationsRequest.new(
+          param: relation_identifier(subject, relation, object),
+          page: page
+        )
+      end
+
+      def new_relation_request(subject, relation, object, hash)
+        subject_identifier = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(subject)
+        object_identifier = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(object)
+        ::Aserto::Directory::Writer::V2::SetRelationRequest.new(
+          {
+            relation: {
+              subject: subject_identifier,
+              relation: relation,
+              object: object_identifier,
+              hash: hash
+            }
+          }
+        )
+      end
+
+      def delete_relation_request(subject, relation, object)
+        ::Aserto::Directory::Writer::V2::DeleteRelationRequest.new(
+          param: relation_identifier(subject, relation, object)
+        )
+      end
+
+      def relation_identifier(subject, relation, object)
+        relation_identifier = ::Aserto::Directory::Common::V2::RelationIdentifier.new
+        relation_identifier.subject = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(subject) if subject
+        relation_identifier.relation = ::Aserto::Directory::Common::V2::RelationTypeIdentifier.new(relation) if relation
+        relation_identifier.object = ::Aserto::Directory::Common::V2::ObjectIdentifier.new(object) if object
+        relation_identifier
+      end
+    end
+  end
+end

data/lib/aserto.rb

@@ -11,6 +11,7 @@ require_relative "aserto/identity_mapper"
 require_relative "aserto/resource_mapper"
 require_relative "aserto/auth_client"
 require_relative "aserto/errors"
+require_relative "aserto/directory/client"
 
 module Aserto
   class << self

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aserto
 version: !ruby/object:Gem::Version
-  version: 0.20.3
+  version: 0.20.4
 platform: ruby
 authors:
 - Aserto
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-11-04 00:00:00.000000000 Z
+date: 2023-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aserto-authorizer
@@ -25,123 +25,47 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.0.3
 - !ruby/object:Gem::Dependency
-  name: jwt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.4'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.4'
-- !ruby/object:Gem::Dependency
-  name: rack
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: bundler
+  name: aserto-directory
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.15.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :development
+        version: 0.0.2
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.15.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.0'
+        version: 0.0.2
 - !ruby/object:Gem::Dependency
-  name: codecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.6'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.6'
-- !ruby/object:Gem::Dependency
-  name: grpc_mock
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.4'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.4'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: rubocop-performance
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
-  type: :development
+        version: '2.4'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.4'
 - !ruby/object:Gem::Dependency
-  name: rubocop-rspec
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.11'
-  type: :development
+        version: '2.0'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.11'
+        version: '2.0'
 description: Aserto Middleware
 email:
 - aserto@aserto.com
@@ -156,6 +80,9 @@ files:
 - lib/aserto/auth_client.rb
 - lib/aserto/authorization.rb
 - lib/aserto/config.rb
+- lib/aserto/directory/client.rb
+- lib/aserto/directory/interceptors/headers.rb
+- lib/aserto/directory/requests.rb
 - lib/aserto/errors.rb
 - lib/aserto/identity_mapper.rb
 - lib/aserto/identity_mapper/base.rb
@@ -192,7 +119,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.10
 signing_key: 
 specification_version: 4
 summary: Aserto Middleware