aserto 0.20.5 → 0.30.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7247661363785d8bcce7034a816c1d6c0d59ea054190066b599e590b140cf994
-  data.tar.gz: f7cc418cdcf5ee823527a13ad959f4c38a53c470396a13c195eb59a298994dbe
+  metadata.gz: 4471efcec975432356d584d3d480e0ab503e139787c8f96ab88032ab15356175
+  data.tar.gz: aa46126a15fb9f583fd8dc9a1b064889f95ccfa3814bc4c6c7588c0ed7f78175
 SHA512:
-  metadata.gz: d6f02241c7687ad870792af0fccde1ea326c2461a3b8535da94f2b309a4d65e2d478cf36fd7754b7b963388ae87e8bd1f38440fb33577a7ec03708fca8181424
-  data.tar.gz: 80284a19aad72b4064a5626bbbc23aecf5c2ae0ac91066478a09f1643a97543ab5cf6c2d98523c319decd8ad097385aeb54de5705d9061813566f36e2cbd4e75
+  metadata.gz: 61af3804724a6138e21a5233c25712213860b4e2939331f1087e728c36a6cf5fefb31c6e23b77fc219df75d84abf2ecb1675892e60663e787cd6932884be3dec
+  data.tar.gz: f73188bf7eb0a4b58944022c715fdcb65718e3d8debe3215a6a82437781f544ff78cc1012a169ffd8deb2a762650da9d0970030a2e8eeaab461abe1dc4233d3b

data/README.md

@@ -32,7 +32,7 @@ You can initialize a directory client as follows:
 ```ruby
 require 'aserto/directory/client'
 
-directory_client = Aserto::Directory::Client.new(
+directory_client =Aserto::Directory::V3::Client.new(
   url: "directory.eng.aserto.com:8443",
   tenant_id: "aserto-tenant-id",
   api_key: "basic directory api key",
@@ -44,85 +44,7 @@ directory_client = Aserto::Directory::Client.new(
 - `tenant_id`: Aserto tenant ID (_required_ if using hosted directory)
 - `cert_path`: Path to the grpc service certificate when connecting to local topaz instance.
 
-### Getting objects and relations
-Get an object instance with the type `type-name` and the key `object-key`. For example:
-
-```ruby
-user = directory_client.object(type: 'user', key: 'euang@acmecorp.com')
-```
-
-Get an array of relations of a certain type for an object instance. For example:
-
-```ruby
-identity = 'euang@acmecorp.com';
-relations = directory_client.relation(
-  {
-    subject: {
-      type: 'user',
-    },
-    object: {
-      type: 'identity',
-      key: identity
-    },
-    relation: {
-      name: 'identifier',
-      objectType: 'identity'
-    }
-  }
-)
-```
-
-### Setting objects and relations
-
-Create a new object
-```ruby
-user = directory_client.set_object(object: { type: "user", key: "test-object", display_name: "test object" })
-identity = directory_client.set_object(object: { type: "identity", key: "test-identity" })
-```
-
-Update an existing object
-```ruby
-user = directory_client.set_object(object: { type: "user", key: "test-object", display_name: "test object" })
-user.display_name = 'test object edit'
-updated_user = directory_client.set_object(object: user)
-```
-
-Create a new relation
-```ruby
-directory_client.set_relation(
-  subject: { type: "user", "test-object" },
-  relation: "identifier",
-  object: { type: "identity", key: "test-identity" }
-)
-```
-
-Delete a relation
-```ruby
-pp client.delete_relation(
-  subject: { type: "user", key: "test-object" },
-  relation: { name: "identifier", object_type: "identity" },
-  object: { type: "identity", key: "test-identity" }
-)
-```
-
-### Checking permissions and relations
-Check permission
-```ruby
-directory_client.check_permission(
-  subject: { type: "user", key: "011a88bc-7df9-4d92-ba1f-2ff319e101e1" },
-  permission: { name: "read" },
-  object: { type: "group", key: "executive" }
-)
-```
-
-Check relation
-```ruby
-directory_client.check_relation(
-  subject: { type: "user", key: "dfdadc39-7335-404d-af66-c77cf13a15f8" },
-  relation: { name: "identifier", object_type: "identity" },
-  object: { type: "identity", key: "euang@acmecorp.com" }
-)
-```
+See https://rubydoc.info/gems/aserto/docs/Aserto/Directory/V3/Client for full documentation
 
 ## Authorizer
 `Aserto::Authorization` is a middleware that allows Ruby applications to use Aserto as the Authorization provider.
@@ -150,7 +72,7 @@ The middleware accepts the following optional parameters:
 | cert_path | `""` | Path to the grpc service certificate when connecting to local topaz instance. |
 | decision | `"allowed"` | The decision that will be used by the middleware when creating an authorizer request. |
 | logger | `STDOUT` | The logger to be used by the middleware. |
-| identity_mapping | `{ type: :none }` | The strategy for retrieving the identity, possible values: `:jwt, :sub, :none` |
+| identity_mapping | `{ type: :none }` | The strategy for retrieving the identity, possible values: `:jwt, :sub, :manual, :none` |
 | disabled_for | `[{}]` | Which path and actions to skip the authorization for. |
 | on_unauthorized | `-> { return [403, {}, ["Forbidden"]] }`| A lambda that is executed when the authorization fails. |
 
@@ -172,6 +94,14 @@ config.identity_mapping = {
 }
 ```
 
+```ruby
+# configure the middleware to use a manual identity.
+config.identity_mapping = {
+  type: :manual,
+  value: "my-identity",
+}
+```
+
 The whole identity resolution can be overwritten by providing a custom function.
 ```ruby
 # config/initializers/aserto.rb

data/VERSION

@@ -1 +1 @@
-0.20.5
+0.30.0

data/lib/aserto/auth_client.rb

@@ -13,6 +13,7 @@ module Aserto
     INTERNAL_MAPPING = {
       unknown: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_UNKNOWN,
       none: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_NONE,
+      manual: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_MANUAL,
       sub: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_SUB,
       jwt: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_JWT
     }.freeze
@@ -22,26 +23,52 @@ module Aserto
     def initialize(request)
       @request = request
       @config = Aserto.config
-      @client = Aserto::Authorizer::V2::Authorizer::Stub.new(
+      @client = @config.client || Aserto::Authorizer::V2::Authorizer::Stub.new(
         config.service_url,
         load_creds
       )
     end
 
     def is
-      exec_is(config.decision)
+      exec_is(request_is(config.decision))
+    end
+
+    def check(object_id:, object_type:, relation:)
+      resource_context_fields = {
+        object_id: object_id,
+        object_type: object_type,
+        relation: relation
+      }.merge!(resource_context.to_h)
+
+      check_resource_context = Google::Protobuf::Struct
+                               .from_hash(resource_context_fields.transform_keys!(&:to_s))
+
+      request = Aserto::Authorizer::V2::IsRequest.new(
+        {
+          policy_context: Aserto::Authorizer::V2::Api::PolicyContext.new(
+            {
+              path: config.policy_root ? "#{config.policy_root}.check" : "rebac.check",
+              decisions: [config.decision]
+            }
+          ),
+          policy_instance: policy_instance,
+          identity_context: identity_context,
+          resource_context: check_resource_context
+        }
+      )
+      exec_is(request)
     end
 
     def allowed?
-      exec_is("allowed")
+      exec_is(request_is("allowed"))
     end
 
     def visible?
-      exec_is("visible")
+      exec_is(request_is("visible"))
     end
 
     def enabled?
-      exec_is("enabled")
+      exec_is(request_is("enabled"))
     end
 
     private
@@ -55,15 +82,15 @@ module Aserto
       end
     end
 
-    def exec_is(decision)
+    def exec_is(request)
       begin
-        response = client.is(request_is(decision), headers)
+        response = client.is(request, headers)
       rescue GRPC::BadStatus => e
         Aserto.logger.error(e.inspect)
         return false
       end
 
-      decision = response.decisions.find { |el| el.decision == decision }
+      decision = response.decisions.find { |el| el.decision == request.policy_context.decisions[0] }
       return false unless decision
 
       decision.is

data/lib/aserto/config.rb

@@ -26,6 +26,7 @@ module Aserto
     DEFAULT_ATTRS = {
       authorizer_api_key: "",
       tenant_id: "",
+      client: nil,
       service_url: "localhost:8282",
       decision: "allowed",
       disabled_for: [{}],

data/lib/aserto/directory/interceptors/headers.rb

@@ -10,11 +10,31 @@ module Aserto
           super()
         end
 
-        def request_response(method:, request:, call:, metadata:)
+        def request_response(request: nil, call: nil, method: nil, metadata: nil)
+          update_metadata(metadata)
+          yield(request, call, method, metadata)
+        end
+
+        def bidi_streamer(requests: nil, call: nil, method: nil, metadata: nil)
+          update_metadata(metadata)
+          yield(requests, call, method, metadata)
+        end
+
+        def client_streamer(requests: nil, call: nil, method: nil, metadata: nil)
+          update_metadata(metadata)
+          yield(requests, call, method, metadata)
+        end
+
+        def server_streamer(request: nil, call: nil, method: nil, metadata: nil)
+          update_metadata(metadata)
+          yield(request, call, method, metadata)
+        end
+
+        private
+
+        def update_metadata(metadata)
           metadata["aserto-tenant-id"] = @tenant_id
           metadata["authorization"] = @api_key
-
-          yield(method, request, call, metadata)
         end
       end
     end

data/lib/aserto/directory/v3/client.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require "aserto/directory"
+require_relative "../interceptors/headers"
+require_relative "config"
+require_relative "reader"
+require_relative "writer"
+require_relative "model"
+require_relative "importer"
+require_relative "exporter"
+
+module Aserto
+  module Directory
+    module V3
+      class Client
+        extend Forwardable
+        include ::Aserto::Directory::V3::Reader
+        # @!parse include ::Aserto::Directory::V3::Reader
+
+        include ::Aserto::Directory::V3::Writer
+        # @!parse include ::Aserto::Directory::V3::Writer
+
+        include ::Aserto::Directory::V3::Model
+        # @!parse include ::Aserto::Directory::V3::Model
+
+        include ::Aserto::Directory::V3::Importer
+        # @!parse include ::Aserto::Directory::V3::Importer
+
+        include ::Aserto::Directory::V3::Exporter
+        # @!parse include ::Aserto::Directory::V3::Exporter
+
+        # Creates a new Directory V3 Client
+        #
+        # @param config [Aserto::Directory::V3::Config] the service configuration
+        # Base configuration
+        # If non-nil, this configuration is used for any client that doesn't have its own configuration.
+        # If nil, only clients that have their own configuration will be created.
+        #
+        # @example Create a new Directory V3 Client with all the services
+        #   client = Aserto::Directory::V3::Client.new(
+        #     {
+        #       url: "directory.eng.aserto.com:8443",
+        #       tenant_id: "tenant-id",
+        #       api_key: "basic api-key",
+        #     }
+        #   )
+        #
+        # @example Create a new Directory V3 Client with reader only
+        #   client = Aserto::Directory::V3::Client.new(
+        #     {
+        #       reader: {
+        #         url: "directory.eng.aserto.com:8443",
+        #         tenant_id: "tenant-id",
+        #         api_key: "basic api-key",
+        #       }
+        #     }
+        #   )
+        #
+        # @return [Aserto::Directory::V3::Client] the new Directory V3 Client
+        def initialize(config)
+          base_config = ::Aserto::Directory::V3::Config.new(config)
+
+          @reader = create_client(:reader, base_config.reader)
+          @writer = create_client(:writer, base_config.writer)
+          @importer = create_client(:importer, base_config.importer)
+          @exporter = create_client(:exporter, base_config.exporter)
+          @model = create_client(:model, base_config.model)
+        end
+
+        private
+
+        attr_reader :reader, :writer, :model, :importer, :exporter
+
+        class NullClient
+          def initialize(name)
+            @name = name
+          end
+
+          def method_missing(method, *_args)
+            puts "Cannot call '#{method}': '#{@name.to_s.capitalize}' client is not initialized."
+          end
+
+          def respond_to_missing?(_name, _include_private)
+            true
+          end
+        end
+
+        SERVICE_MAP = {
+          reader: ::Aserto::Directory::Reader::V3::Reader::Stub,
+          writer: ::Aserto::Directory::Writer::V3::Writer::Stub,
+          importer: ::Aserto::Directory::Importer::V3::Importer::Stub,
+          exporter: ::Aserto::Directory::Exporter::V3::Exporter::Stub,
+          model: ::Aserto::Directory::Model::V3::Model::Stub
+        }.freeze
+
+        def create_client(type, config)
+          return NullClient.new(type) unless config
+
+          SERVICE_MAP[type].new(
+            config.url,
+            config.credentials,
+            interceptors: config.interceptors
+          )
+        end
+      end
+
+      remove_const(:Reader)
+      remove_const(:Writer)
+      remove_const(:Model)
+      remove_const(:Importer)
+      remove_const(:Exporter)
+    end
+  end
+end

data/lib/aserto/directory/v3/config.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require_relative "../interceptors/headers"
+
+module Aserto
+  module Directory
+    module V3
+      class Config
+        attr_reader :reader, :writer, :importer, :exporter, :model
+
+        def initialize(config)
+          @base = {
+            url: config[:url] || "directory.prod.aserto.com:8443",
+            api_key: config[:api_key],
+            tenant_id: config[:tenant_id],
+            cert_path: config[:cert_path]
+          }
+
+          @reader = build(**(config[:reader] || {}))
+          @writer = build(**(config[:writer] || {}))
+          @importer = build(**(config[:importer] || {}))
+          @exporter = build(**(config[:exporter] || {}))
+          @model = build(**(config[:model] || {}))
+        end
+
+        private
+
+        class BaseConfig
+          attr_reader :url, :credentials, :interceptors
+
+          def initialize(url, credentials, interceptors)
+            @url = url
+            @credentials = credentials
+            @interceptors = interceptors
+          end
+        end
+
+        def build(
+          url: @base[:url],
+          api_key: @base[:api_key],
+          tenant_id: @base[:tenant_id],
+          cert_path: @base[:cert_path]
+        )
+
+          interceptors = []
+          interceptors = [Interceptors::Headers.new(api_key, tenant_id)] if !api_key.nil? && !tenant_id.nil?
+          BaseConfig.new(url, load_creds(cert_path), interceptors)
+        end
+
+        def load_creds(cert_path)
+          if cert_path && File.file?(cert_path)
+            GRPC::Core::ChannelCredentials.new(File.read(cert_path))
+          else
+            GRPC::Core::ChannelCredentials.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/exporter.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Exporter
+        DATA_TYPE = {
+          unknown: ::Aserto::Directory::Exporter::V3::Option::OPTION_UNKNOWN,
+          objects: ::Aserto::Directory::Exporter::V3::Option::OPTION_DATA_OBJECTS,
+          relations: ::Aserto::Directory::Exporter::V3::Option::OPTION_DATA_RELATIONS,
+          all: ::Aserto::Directory::Exporter::V3::Option::OPTION_DATA
+        }.freeze
+
+        #
+        # Exports directory data
+        #
+        # @param [String] data_type one of [:unknown, :objects, :relations, :all]
+        #
+        def export(data_type: :unknown)
+          data = []
+          operation = exporter.export(
+            Aserto::Directory::Exporter::V3::ExportRequest.new(options: DATA_TYPE[data_type]),
+            return_op: true
+          )
+
+          response = operation.execute
+          response.each { |r| data.push(r) }
+          operation.wait
+
+          data
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/importer.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Importer
+        #
+        # Imports objects and relations
+        #
+        # @param Array[Hash] data to be imported
+        #
+        # @example
+        #   directory.import(
+        #     [
+        #       { object: { id: "import-user", type: "user" } },
+        #       { object: { id: "import-group", type: "group" } },
+        #       {
+        #         relation: {
+        #           object_id: "import-user",
+        #           object_type: "user",
+        #           relation: "member",
+        #           subject_id: "import-group",
+        #           subject_type: "group"
+        #         }
+        #       }
+        #     ]
+        #   )
+        def import(data)
+          data.map! do |value|
+            Aserto::Directory::Importer::V3::ImportRequest.new(value)
+          end
+          operation = importer.import(data, return_op: true)
+          response = operation.execute
+          response.each { |r| } # ensures that the server sends trailing data
+          operation.wait
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/model.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Model
+        # rubocop:disable Naming/AccessorMethodName
+
+        # Get the content of a manifest
+        # @return [Hash] { body: String, updated_at: Timestap, etag: String }
+        def get_manifest
+          response = {}
+          manifest_enum = @model.get_manifest(Aserto::Directory::Model::V3::GetManifestRequest.new)
+          manifest_enum.each do |resp|
+            response[:body] = resp.body.data if resp.respond_to?(:body) && !resp.body.nil?
+            if resp.respond_to?(:metadata)
+              response[:updated_at] ||= resp.metadata&.updated_at&.to_time
+              response[:etag] ||= resp.metadata&.etag
+            end
+          end
+
+          response
+        end
+
+        # Set the content of a manifest
+        # @param body [String]
+        # @return [Aserto::Directory::Model::V3::SetManifestResponse]
+        def set_manifest(body)
+          @model.set_manifest([Aserto::Directory::Model::V3::SetManifestRequest.new(body: { data: body })])
+        end
+
+        # rubocop:enable Naming/AccessorMethodName
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/reader.rb

@@ -0,0 +1,266 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Reader
+        #
+        # find an object by id and type
+        #
+        # @param object_id [String]
+        # @param object_type [String]
+        #
+        # @return [Aserto::Directory::Reader::V3::GetObjectResponse]
+        #
+        # @example
+        #   client.get_object(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com"
+        #   )
+        def get_object(object_id:, object_type:)
+          reader.get_object(
+            Aserto::Directory::Reader::V3::GetObjectRequest.new(
+              object_id: object_id,
+              object_type: object_type
+            )
+          )
+        end
+
+        #
+        # list objects by type
+        #
+        # @param object_type [String]
+        # @param page [Hash]
+        # @option page [Integer] :size
+        # @option page [String] :token
+        #
+        # @return [Aserto::Directory::V3::GetObjectsResponse]
+        #
+        # @example
+        #   client.get_objects(
+        #      object_type: "user",
+        #      page: { size: 2 }
+        #   )
+        def get_objects(object_type:, page: { size: 100 })
+          reader.get_objects(
+            Aserto::Directory::Reader::V3::GetObjectsRequest.new(
+              object_type: object_type,
+              page: Aserto::Directory::Common::V3::PaginationRequest.new(page)
+            )
+          )
+        end
+
+        #
+        # find a relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [String] subject_relation
+        # @param [Boolean] with_objects
+        #
+        # @return [Aserto::Directory::Reader::V3::GetRelationResponse]
+        #
+        # @example
+        #   client.get_relation(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def get_relation(object_type:, object_id:, relation:, subject_type:, subject_id:, subject_relation: "",
+                         with_objects: false)
+          reader.get_relation(
+            Aserto::Directory::Reader::V3::GetRelationRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              subject_relation: subject_relation,
+              with_objects: with_objects
+            )
+          )
+        end
+
+        #
+        # List relations between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [String] subject_relation
+        # @param [Boolean] with_objects
+        # @param page [Hash]
+        # @option page [Integer] :size
+        # @option page [String] :token
+        #
+        # @return [Aserto::Directory::Reader::V3::GetRelationsResponse]
+        #
+        # @example
+        #   client.get_relations(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     page: { size: 10 }
+        #   )
+        def get_relations(object_type: "", object_id: "", relation: "", subject_type: "", subject_id: "",
+                          subject_relation: "", with_objects: false, page: { size: 100 })
+          reader.get_relations(
+            Aserto::Directory::Reader::V3::GetRelationsRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              subject_relation: subject_relation,
+              with_objects: with_objects,
+              page: Aserto::Directory::Common::V3::PaginationRequest.new(page)
+            )
+          )
+        end
+
+        #
+        # Check relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [Boolean] trace
+        #
+        # @return [Aserto::Directory::Reader::V3::CheckRelationResponse]
+        #
+        # @example
+        #   client.check_relation(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def check_relation(object_type:, object_id:, relation:, subject_type:, subject_id:, trace: false)
+          reader.check_relation(
+            Aserto::Directory::Reader::V3::CheckRelationRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              trace: trace
+            )
+          )
+        end
+
+        #
+        # Check relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [Boolean] trace
+        #
+        # @return [Aserto::Directory::Reader::V3::CheckResponse]
+        #
+        # @example
+        #   client.check(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def check(object_type:, object_id:, relation:, subject_type:, subject_id:, trace: false)
+          reader.check(
+            Aserto::Directory::Reader::V3::CheckRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              trace: trace
+            )
+          )
+        end
+
+        #
+        # Check permission between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] permission
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [Boolean] trace
+        #
+        # @return [Aserto::Directory::Reader::V3::CheckPermissionResponse]
+        #
+        # @example
+        #   client.check_permission(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     permission: "read",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def check_permission(object_type:, object_id:, permission:, subject_type:, subject_id:, trace: false)
+          reader.check_permission(
+            Aserto::Directory::Reader::V3::CheckPermissionRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              permission: permission,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              trace: trace
+            )
+          )
+        end
+
+        #
+        # Returns object graph from anchor to subject or object.
+        #
+        # @param [String] anchor_type <description>
+        # @param [String] anchor_id <description>
+        # @param [String] object_type <description>
+        # @param [String] object_id <description>
+        # @param [String] relation <description>
+        # @param [String] subject_type <description>
+        # @param [String] <description>
+        #
+        # @return [Aserto::Directory::Reader::V3::GetGraphResponse]
+        #
+        # @example
+        #   directory.get_graph(
+        #     anchor_type: "user",
+        #     anchor_id: "rick@the-citadel.com",
+        #     subject_id: "rick@the-citadel.com",
+        #     subject_type: "user",
+        #     relation: "member"
+        #   )
+        def get_graph(anchor_type:, anchor_id:, object_type: "", object_id: "", relation: "", subject_type: "",
+                      subject_id: "", subject_relation: "")
+          reader.get_graph(
+            Aserto::Directory::Reader::V3::GetGraphRequest.new(
+              anchor_type: anchor_type,
+              anchor_id: anchor_id,
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              subject_relation: subject_relation
+            )
+          )
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/writer.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Writer
+        require "google/protobuf/well_known_types"
+
+        #
+        # Create a new object
+        #
+        # @param [String] object_id
+        # @param [String] object_type
+        # @param [String] display_name
+        # @param [Hash] properties
+        # @param [String] etag
+        #
+        # @return [Aserto::Directory::Writer::V3::SetObjectResponse]
+        #
+        # @example
+        #   client.set_object(object_id: "1234", object_type: "user", properties: { email: "test" })
+        def set_object(object_id:, object_type:, display_name: "", properties: {}, etag: nil)
+          writer.set_object(
+            Aserto::Directory::Writer::V3::SetObjectRequest.new(
+              object: {
+                id: object_id,
+                type: object_type,
+                display_name: display_name,
+                properties: Google::Protobuf::Struct.from_hash(properties.transform_keys!(&:to_s)),
+                etag: etag
+              }
+            )
+          )
+        end
+
+        #
+        # Delete an object
+        #
+        # @param [String] object_id
+        # @param [String] object_type
+        # @param [Boolean] with_relations
+        #
+        # @return [ Aserto::Directory::Writer::V3::DeleteObjectResponse]
+        #
+        # @example
+        #   client.delete_object(object_id: "1234", object_type: "user")
+        def delete_object(object_id:, object_type:, with_relations: false)
+          writer.delete_object(
+            Aserto::Directory::Writer::V3::DeleteObjectRequest.new(
+              object_id: object_id,
+              object_type: object_type,
+              with_relations: with_relations
+            )
+          )
+        end
+
+        #
+        # Creates a relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        #
+        # @return [Aserto::Directory::Writer::V3::SetRelationResponse]
+        #
+        # @example
+        #   client.set_relation(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def set_relation(object_type:, object_id:, relation:, subject_type:, subject_id:)
+          writer.set_relation(
+            Aserto::Directory::Writer::V3::SetRelationRequest.new(
+              relation: {
+                object_type: object_type,
+                object_id: object_id,
+                relation: relation,
+                subject_type: subject_type,
+                subject_id: subject_id
+              }
+            )
+          )
+        end
+
+        #
+        # Delete a relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [String] subject_relation
+        #
+        # @return [Aserto::Directory::Writer::V3::DeleteRelationRequest]
+        #
+        # @example
+        #   client.get_relation(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def delete_relation(object_type:, object_id:, relation:, subject_type:, subject_id:, subject_relation: "")
+          writer.delete_relation(
+            Aserto::Directory::Writer::V3::DeleteRelationRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              subject_relation: subject_relation
+            )
+          )
+        end
+      end
+    end
+  end
+end

data/lib/aserto/errors.rb

@@ -3,6 +3,7 @@
 module Aserto
   class Error < StandardError; end
   class InvalidResourceMapping < Error; end
+  class InvalidIdentityType < Error; end
 
   class AccessDenied < Error
     attr_reader :action, :conditions

data/lib/aserto/identity_mapper/manual.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Aserto
+  module IdentityMapper
+    module Manual
+      class << self
+        def execute(_request)
+          {
+            type: :manual,
+            identity: ::Aserto.config.identity_mapping[:value].to_s
+          }
+        end
+      end
+    end
+  end
+end

data/lib/aserto/identity_mapper.rb

@@ -4,20 +4,23 @@ require_relative "identity_mapper/base"
 require_relative "identity_mapper/none"
 require_relative "identity_mapper/sub"
 require_relative "identity_mapper/jwt"
+require_relative "identity_mapper/manual"
 
 module Aserto
   module IdentityMapper
     STRATEGY = {
       none: Aserto::IdentityMapper::None,
+      manual: Aserto::IdentityMapper::Manual,
       sub: Aserto::IdentityMapper::Sub,
       jwt: Aserto::IdentityMapper::Jwt
     }.freeze
 
     class << self
       def execute(request)
-        STRATEGY[
-          Aserto.config.identity_mapping[:type].to_sym || :none
-        ].execute(request)
+        STRATEGY.fetch(
+          Aserto.config.identity_mapping[:type].to_sym || :none,
+          Aserto::IdentityMapper::None
+        ).execute(request)
       end
     end
   end

data/lib/aserto.rb

@@ -12,6 +12,7 @@ require_relative "aserto/resource_mapper"
 require_relative "aserto/auth_client"
 require_relative "aserto/errors"
 require_relative "aserto/directory/client"
+require_relative "aserto/directory/v3/client"
 
 module Aserto
   class << self
@@ -52,17 +53,17 @@ module Aserto
     def with_resource_mapper
       Aserto::ResourceMapper.class_eval do |klass|
         klass.define_singleton_method(:execute) do |request|
-          if block_given?
-            result = yield(request)
-            unless result.is_a?(Hash)
-              raise Aserto::InvalidResourceMapping, "block must return a hash, got: #{result.class}"
-            end
+          return unless block_given?
 
-            require "google/protobuf/well_known_types"
-
-            result.transform_keys!(&:to_s)
-            Google::Protobuf::Struct.from_hash(result)
+          result = yield(request)
+          unless result.is_a?(Hash)
+            raise Aserto::InvalidResourceMapping, "block must return a hash, got: #{result.class}"
           end
+
+          require "google/protobuf/well_known_types"
+
+          result.transform_keys!(&:to_s)
+          Google::Protobuf::Struct.from_hash(result)
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aserto
 version: !ruby/object:Gem::Version
-  version: 0.20.5
+  version: 0.30.0
 platform: ruby
 authors:
 - Aserto
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-06-23 00:00:00.000000000 Z
+date: 2023-11-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aserto-authorizer
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.5
+        version: 0.20.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.5
+        version: 0.20.1
 - !ruby/object:Gem::Dependency
   name: aserto-directory
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.3
+        version: 0.30.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.3
+        version: 0.30.1
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -83,10 +83,18 @@ files:
 - lib/aserto/directory/client.rb
 - lib/aserto/directory/interceptors/headers.rb
 - lib/aserto/directory/requests.rb
+- lib/aserto/directory/v3/client.rb
+- lib/aserto/directory/v3/config.rb
+- lib/aserto/directory/v3/exporter.rb
+- lib/aserto/directory/v3/importer.rb
+- lib/aserto/directory/v3/model.rb
+- lib/aserto/directory/v3/reader.rb
+- lib/aserto/directory/v3/writer.rb
 - lib/aserto/errors.rb
 - lib/aserto/identity_mapper.rb
 - lib/aserto/identity_mapper/base.rb
 - lib/aserto/identity_mapper/jwt.rb
+- lib/aserto/identity_mapper/manual.rb
 - lib/aserto/identity_mapper/none.rb
 - lib/aserto/identity_mapper/sub.rb
 - lib/aserto/policy_path_mapper.rb