aserto 0.20.6 → 0.30.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dc8ec9b57f67226df562850ca0188c27b310de08b2ac716d30143c2c603b84fd
-  data.tar.gz: 845f1cdf67e54411d004b2a91b0a37ba02d709c949512110a8158552c67f48a3
+  metadata.gz: ddb26b2da994a8a4f72162f227590060a990a31d16639994b5cd2e4bd9ce538f
+  data.tar.gz: e6969585d13f94a6e410d8763647cbc3dca69402969a194db2674239514adeeb
 SHA512:
-  metadata.gz: dda8391014951485e822508b064667ff3bfd649b412df436fe019fb3c351fc891bed770093bf9a4c8db6e1bf791a14ed3dd6e23f9bcb6def14e5c26b69f49745
-  data.tar.gz: 675b6dbcc2c38a8d094a3baa59de6c786a5ddd07ad0f8ab91975b70645f279df28bcfd856c5ec33a68664afe365d4852fcfc7599c91fbdd881b0ff50be3346c5
+  metadata.gz: c0202011d8ce67f9fc48e361fdbd00b9239e291aa7bc60e5773eed58252dec41fdbac16e28ea25f0ff54d4652a0eee247ec048f59e6df5b1ae1bc5d254638244
+  data.tar.gz: a2c5e23bcb6e18ee1babb1c13d0e39912c32aa70595c5ce8dae69e24e0f10c6c37e7251f6dad0d5059fbe801dc8bf3d5ddde3ba806c071ae96b52afd1ba84f49

data/README.md

@@ -23,7 +23,7 @@ gem install aserto
 
 ## Directory
 
-The Directory APIs can be used to get or set object instances and relation instances. They can also be used to check whether a user has a permission or relation on an object instance.
+The Directory APIs can be used to get or set object instances and relation instances. They can also be used to check whether a user has permission or relation on an object instance.
 
 ### Directory Client
 
@@ -32,7 +32,7 @@ You can initialize a directory client as follows:
 ```ruby
 require 'aserto/directory/client'
 
-directory_client = Aserto::Directory::Client.new(
+directory_client = Aserto::Directory::V3::Client.new(
   url: "directory.eng.aserto.com:8443",
   tenant_id: "aserto-tenant-id",
   api_key: "basic directory api key",
@@ -42,87 +42,9 @@ directory_client = Aserto::Directory::Client.new(
 - `url`: hostname:port of directory service (_required_)
 - `api_key`: API key for directory service (_required_ if using hosted directory)
 - `tenant_id`: Aserto tenant ID (_required_ if using hosted directory)
-- `cert_path`: Path to the grpc service certificate when connecting to local topaz instance.
+- `cert_path`: Path to the grpc service certificate when connecting to the local topaz instance.
 
-### Getting objects and relations
-Get an object instance with the type `type-name` and the key `object-key`. For example:
-
-```ruby
-user = directory_client.object(type: 'user', key: 'euang@acmecorp.com')
-```
-
-Get an array of relations of a certain type for an object instance. For example:
-
-```ruby
-identity = 'euang@acmecorp.com';
-relations = directory_client.relation(
-  {
-    subject: {
-      type: 'user',
-    },
-    object: {
-      type: 'identity',
-      key: identity
-    },
-    relation: {
-      name: 'identifier',
-      objectType: 'identity'
-    }
-  }
-)
-```
-
-### Setting objects and relations
-
-Create a new object
-```ruby
-user = directory_client.set_object(object: { type: "user", key: "test-object", display_name: "test object" })
-identity = directory_client.set_object(object: { type: "identity", key: "test-identity" })
-```
-
-Update an existing object
-```ruby
-user = directory_client.set_object(object: { type: "user", key: "test-object", display_name: "test object" })
-user.display_name = 'test object edit'
-updated_user = directory_client.set_object(object: user)
-```
-
-Create a new relation
-```ruby
-directory_client.set_relation(
-  subject: { type: "user", "test-object" },
-  relation: "identifier",
-  object: { type: "identity", key: "test-identity" }
-)
-```
-
-Delete a relation
-```ruby
-pp client.delete_relation(
-  subject: { type: "user", key: "test-object" },
-  relation: { name: "identifier", object_type: "identity" },
-  object: { type: "identity", key: "test-identity" }
-)
-```
-
-### Checking permissions and relations
-Check permission
-```ruby
-directory_client.check_permission(
-  subject: { type: "user", key: "011a88bc-7df9-4d92-ba1f-2ff319e101e1" },
-  permission: { name: "read" },
-  object: { type: "group", key: "executive" }
-)
-```
-
-Check relation
-```ruby
-directory_client.check_relation(
-  subject: { type: "user", key: "dfdadc39-7335-404d-af66-c77cf13a15f8" },
-  relation: { name: "identifier", object_type: "identity" },
-  object: { type: "identity", key: "euang@acmecorp.com" }
-)
-```
+See [Aserto::Directory::V3::Client](https://rubydoc.info/gems/aserto/Aserto/Directory/V3/Client) for full documentation
 
 ## Authorizer
 `Aserto::Authorization` is a middleware that allows Ruby applications to use Aserto as the Authorization provider.
@@ -150,7 +72,7 @@ The middleware accepts the following optional parameters:
 | cert_path | `""` | Path to the grpc service certificate when connecting to local topaz instance. |
 | decision | `"allowed"` | The decision that will be used by the middleware when creating an authorizer request. |
 | logger | `STDOUT` | The logger to be used by the middleware. |
-| identity_mapping | `{ type: :none }` | The strategy for retrieving the identity, possible values: `:jwt, :sub, :none` |
+| identity_mapping | `{ type: :none }` | The strategy for retrieving the identity, possible values: `:jwt, :sub, :manual, :none` |
 | disabled_for | `[{}]` | Which path and actions to skip the authorization for. |
 | on_unauthorized | `-> { return [403, {}, ["Forbidden"]] }`| A lambda that is executed when the authorization fails. |
 
@@ -172,6 +94,14 @@ config.identity_mapping = {
 }
 ```
 
+```ruby
+# configure the middleware to use a manual identity.
+config.identity_mapping = {
+  type: :manual,
+  value: "my-identity",
+}
+```
+
 The whole identity resolution can be overwritten by providing a custom function.
 ```ruby
 # config/initializers/aserto.rb
@@ -190,7 +120,7 @@ end
 By default, when computing the policy path, the middleware:
 * converts all slashes to dots
 * converts any character that is not alpha, digit, dot or underscore to underscore
-* converts uppercase characters in the URL path to lowercases
+* converts uppercase characters in the URL path to lowercase
 
 This behaviour can be overwritten by providing a custom function:
 
@@ -206,7 +136,7 @@ end
 ```
 
 ### Resource
-A resource can be any structured data that the authorization policy uses to evaluate decisions. By default, middleware does not include a resource in authorization calls.
+A resource can be any structured data the authorization policy uses to evaluate decisions. By default, middleware does not include a resource in authorization calls.
 
 This behaviour can be overwritten by providing a custom function:
 

data/VERSION

@@ -1 +1 @@
-0.20.6
+0.30.1

data/lib/aserto/auth_client.rb

@@ -13,6 +13,7 @@ module Aserto
     INTERNAL_MAPPING = {
       unknown: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_UNKNOWN,
       none: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_NONE,
+      manual: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_MANUAL,
       sub: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_SUB,
       jwt: Aserto::Authorizer::V2::Api::IdentityType::IDENTITY_TYPE_JWT
     }.freeze

data/lib/aserto/directory/client.rb

@@ -1,14 +1,10 @@
 # frozen_string_literal: true
 
-require "aserto/directory"
-require_relative "interceptors/headers"
-require_relative "requests"
+require_relative "v2/client"
 
 module Aserto
   module Directory
     class Client
-      include Requests
-
       # Creates a new Directory Client
       #
       # @param url [String] the gRpc url of the directory server
@@ -17,127 +13,28 @@ module Aserto
       # @param cert_path [String] the path to the certificates folder
       #
       # @return [Aserto::Directory::Client] the new Directory Client
-      def initialize(url: "directory.prod.aserto.com:8443", api_key: nil, tenant_id: nil, cert_path: nil)
-        @reader_client = ::Aserto::Directory::Reader::V2::Reader::Stub.new(
-          url,
-          load_creds(cert_path),
-          interceptors: [Interceptors::Headers.new(api_key, tenant_id)]
-        )
-        @writer_client = ::Aserto::Directory::Writer::V2::Writer::Stub.new(
-          url,
-          load_creds(cert_path),
-          interceptors: [Interceptors::Headers.new(api_key, tenant_id)]
-        )
-      end
-
-      # Check permissions
-      #
-      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param permission [String] permission name to be checked
-      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param trace [Boolean] whether to enable tracing
-      #
-      # @return [Boolean]
-      def check_permission(subject:, permission:, object:, trace: false)
-        reader_client.check_permission(check_permission_request(subject, permission, object, trace))
-      end
-
-      # Check relation
-      #
-      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier] relation name to be checked
-      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param trace [Boolean] whether to enable tracing
-      #
-      # @return [Boolean]
-      def check_relation(subject:, relation:, object:, trace: false)
-        reader_client.check_relation(check_relation_request(subject, relation, object, trace))
-      end
-
-      # Get an object by type and key
-      #
-      # @param type [String] the type of object
-      # @param key [String] the key of the object
-      #
-      # @return [::Aserto::Directory::Common::V2::Object]
-      def object(type:, key:)
-        reader_client.get_object(object_request(key, type)).result
-      end
-
-      # Set an object
-      #
-      # @param object [::Aserto::Directory::Common::V2::Object]
-      #
-      # @return [::Aserto::Directory::Common::V2::Object] the created/updated object
-      def set_object(object:)
-        writer_client.set_object(new_object_request(object)).result
-      end
-
-      # Get a list of objects by type
-      #
-      # @param type [String] the type of objects
-      # @param page [::Aserto::Directory::Common::V2::PaginationRequest]
-      #
-      # @return [Array<::Aserto::Directory::Common::V2::Object>]
-      def objects(type:, page: nil)
-        reader_client.get_objects(objects_request(type, page)).results
-      end
 
-      # Get a relation
-      #
-      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
-      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      #
-      # @return [::Aserto::Directory::Common::V2::Relation]
-      def relation(subject: nil, relation: nil, object: nil)
-        reader_client.get_relation(relation_request(subject, relation, object)).results
-      end
+      def initialize(url: "directory.prod.aserto.com:8443", api_key: nil, tenant_id: nil, cert_path: nil)
+        warn WARN_MESSAGE
 
-      # Get a list of relations
-      #
-      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
-      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      #
-      # @return [Array<::Aserto::Directory::Common::V2::Relation>]
-      def relations(subject: nil, relation: nil, object: nil, page: nil)
-        reader_client.get_relations(relations_request(subject, relation, object, page)).results
+        @v2_client = Aserto::Directory::V2::Client.new(
+          url: url, api_key: api_key, tenant_id: tenant_id, cert_path: cert_path
+        )
       end
 
-      # Set a relation
-      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param relation [String] name of the relation
-      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param hash [String] hash of the relation(required for updating a relation)
-      #
-      # @return [::Aserto::Directory::Common::V2::Relation] the created/updated relation
-      def set_relation(subject:, relation:, object:, hash: nil)
-        writer_client.set_relation(new_relation_request(subject, relation, object, hash)).result
+      def method_missing(method, args)
+        @v2_client.send(method, **args)
       end
 
-      # Delete a relation
-      #
-      # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
-      # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
-      #
-      # @return nil
-      def delete_relation(subject:, relation:, object:)
-        writer_client.delete_relation(delete_relation_request(subject, relation, object))
+      def respond_to_missing?(_name, _include_private)
+        true
       end
 
-      private
-
-      attr_reader :reader_client, :writer_client
-
-      def load_creds(cert_path)
-        if cert_path && File.file?(cert_path)
-          GRPC::Core::ChannelCredentials.new(File.read(cert_path))
-        else
-          GRPC::Core::ChannelCredentials.new
-        end
-      end
+      WARN_MESSAGE = <<~TEXT
+        Aserto::Directory::Client is deprecated and will be removed.
+        Use Aserto::Directory::V3::Client for the latest Directory Client.
+        If you need Directory V2, use Aserto::Directory::V2::Client
+      TEXT
     end
   end
 end

data/lib/aserto/directory/interceptors/headers.rb

@@ -10,11 +10,31 @@ module Aserto
           super()
         end
 
-        def request_response(method:, request:, call:, metadata:)
+        def request_response(request: nil, call: nil, method: nil, metadata: nil)
+          update_metadata(metadata)
+          yield(request, call, method, metadata)
+        end
+
+        def bidi_streamer(requests: nil, call: nil, method: nil, metadata: nil)
+          update_metadata(metadata)
+          yield(requests, call, method, metadata)
+        end
+
+        def client_streamer(requests: nil, call: nil, method: nil, metadata: nil)
+          update_metadata(metadata)
+          yield(requests, call, method, metadata)
+        end
+
+        def server_streamer(request: nil, call: nil, method: nil, metadata: nil)
+          update_metadata(metadata)
+          yield(request, call, method, metadata)
+        end
+
+        private
+
+        def update_metadata(metadata)
           metadata["aserto-tenant-id"] = @tenant_id
           metadata["authorization"] = @api_key
-
-          yield(method, request, call, metadata)
         end
       end
     end

data/lib/aserto/directory/v2/client.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require "aserto/directory"
+require_relative "../interceptors/headers"
+require_relative "requests"
+
+module Aserto
+  module Directory
+    module V2
+      class Client
+        include Requests
+
+        # Creates a new Directory V2 Client
+        #
+        # @param url [String] the gRpc url of the directory server
+        # @param api_key [String] the api key of the directory server(for hosted directory)
+        # @param tenant_id [String] the tenant id of the directory server(for hosted directory)
+        # @param cert_path [String] the path to the certificates folder
+        #
+        # @return [Aserto::Directory::V2::Client] the new Directory Client
+        def initialize(url: "directory.prod.aserto.com:8443", api_key: nil, tenant_id: nil, cert_path: nil)
+          @reader_client = ::Aserto::Directory::Reader::V2::Reader::Stub.new(
+            url,
+            load_creds(cert_path),
+            interceptors: [Interceptors::Headers.new(api_key, tenant_id)]
+          )
+          @writer_client = ::Aserto::Directory::Writer::V2::Writer::Stub.new(
+            url,
+            load_creds(cert_path),
+            interceptors: [Interceptors::Headers.new(api_key, tenant_id)]
+          )
+        end
+
+        # Check permissions
+        #
+        # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param permission [String] permission name to be checked
+        # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param trace [Boolean] whether to enable tracing
+        #
+        # @return [Boolean]
+        def check_permission(subject:, permission:, object:, trace: false)
+          reader_client.check_permission(check_permission_request(subject, permission, object, trace))
+        end
+
+        # Check relation
+        #
+        # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier] relation name to be checked
+        # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param trace [Boolean] whether to enable tracing
+        #
+        # @return [Boolean]
+        def check_relation(subject:, relation:, object:, trace: false)
+          reader_client.check_relation(check_relation_request(subject, relation, object, trace))
+        end
+
+        # Get an object by type and key
+        #
+        # @param type [String] the type of object
+        # @param key [String] the key of the object
+        #
+        # @return [::Aserto::Directory::Common::V2::Object]
+        def object(type:, key:)
+          reader_client.get_object(object_request(key, type)).result
+        end
+
+        # Set an object
+        #
+        # @param object [::Aserto::Directory::Common::V2::Object]
+        #
+        # @return [::Aserto::Directory::Common::V2::Object] the created/updated object
+        def set_object(object:)
+          writer_client.set_object(new_object_request(object)).result
+        end
+
+        # Get a list of objects by type
+        #
+        # @param type [String] the type of objects
+        # @param page [::Aserto::Directory::Common::V2::PaginationRequest]
+        #
+        # @return [Array<::Aserto::Directory::Common::V2::Object>]
+        def objects(type:, page: nil)
+          reader_client.get_objects(objects_request(type, page)).results
+        end
+
+        # Get a relation
+        #
+        # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
+        # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        #
+        # @return [::Aserto::Directory::Common::V2::Relation]
+        def relation(subject: nil, relation: nil, object: nil)
+          reader_client.get_relation(relation_request(subject, relation, object)).results
+        end
+
+        # Get a list of relations
+        #
+        # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
+        # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        #
+        # @return [Array<::Aserto::Directory::Common::V2::Relation>]
+        def relations(subject: nil, relation: nil, object: nil, page: nil)
+          reader_client.get_relations(relations_request(subject, relation, object, page)).results
+        end
+
+        # Set a relation
+        # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param relation [String] name of the relation
+        # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param hash [String] hash of the relation(required for updating a relation)
+        #
+        # @return [::Aserto::Directory::Common::V2::Relation] the created/updated relation
+        def set_relation(subject:, relation:, object:, hash: nil)
+          writer_client.set_relation(new_relation_request(subject, relation, object, hash)).result
+        end
+
+        # Delete a relation
+        #
+        # @param subject [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        # @param relation [::Aserto::Directory::Common::V2::RelationTypeIdentifier]
+        # @param object [::Aserto::Directory::Common::V2::ObjectIdentifier]
+        #
+        # @return nil
+        def delete_relation(subject:, relation:, object:)
+          writer_client.delete_relation(delete_relation_request(subject, relation, object))
+        end
+
+        private
+
+        attr_reader :reader_client, :writer_client
+
+        def load_creds(cert_path)
+          if cert_path && File.file?(cert_path)
+            GRPC::Core::ChannelCredentials.new(File.read(cert_path))
+          else
+            GRPC::Core::ChannelCredentials.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/client.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require "aserto/directory"
+require_relative "../interceptors/headers"
+require_relative "config"
+require_relative "reader"
+require_relative "writer"
+require_relative "model"
+require_relative "importer"
+require_relative "exporter"
+
+module Aserto
+  module Directory
+    module V3
+      class Client
+        extend Forwardable
+        include ::Aserto::Directory::V3::Reader
+        # @!parse include ::Aserto::Directory::V3::Reader
+
+        include ::Aserto::Directory::V3::Writer
+        # @!parse include ::Aserto::Directory::V3::Writer
+
+        include ::Aserto::Directory::V3::Model
+        # @!parse include ::Aserto::Directory::V3::Model
+
+        include ::Aserto::Directory::V3::Importer
+        # @!parse include ::Aserto::Directory::V3::Importer
+
+        include ::Aserto::Directory::V3::Exporter
+        # @!parse include ::Aserto::Directory::V3::Exporter
+
+        # Creates a new Directory V3 Client
+        #
+        # @param config [Aserto::Directory::V3::Config] the service configuration
+        # Base configuration
+        # If non-nil, this configuration is used for any client that doesn't have its own configuration.
+        # If nil, only clients that have their own configuration will be created.
+        #
+        # @example Create a new Directory V3 Client with all the services
+        #   client = Aserto::Directory::V3::Client.new(
+        #     {
+        #       url: "directory.eng.aserto.com:8443",
+        #       tenant_id: "tenant-id",
+        #       api_key: "basic api-key",
+        #     }
+        #   )
+        #
+        # @example Create a new Directory V3 Client with reader only
+        #   client = Aserto::Directory::V3::Client.new(
+        #     {
+        #       reader: {
+        #         url: "directory.eng.aserto.com:8443",
+        #         tenant_id: "tenant-id",
+        #         api_key: "basic api-key",
+        #       }
+        #     }
+        #   )
+        #
+        # @return [Aserto::Directory::V3::Client] the new Directory V3 Client
+        def initialize(config)
+          base_config = ::Aserto::Directory::V3::Config.new(config)
+
+          @reader = create_client(:reader, base_config.reader)
+          @writer = create_client(:writer, base_config.writer)
+          @importer = create_client(:importer, base_config.importer)
+          @exporter = create_client(:exporter, base_config.exporter)
+          @model = create_client(:model, base_config.model)
+        end
+
+        private
+
+        attr_reader :reader, :writer, :model, :importer, :exporter
+
+        class NullClient
+          def initialize(name)
+            @name = name
+          end
+
+          def method_missing(method, *_args)
+            puts "Cannot call '#{method}': '#{@name.to_s.capitalize}' client is not initialized."
+          end
+
+          def respond_to_missing?(_name, _include_private)
+            true
+          end
+        end
+
+        SERVICE_MAP = {
+          reader: ::Aserto::Directory::Reader::V3::Reader::Stub,
+          writer: ::Aserto::Directory::Writer::V3::Writer::Stub,
+          importer: ::Aserto::Directory::Importer::V3::Importer::Stub,
+          exporter: ::Aserto::Directory::Exporter::V3::Exporter::Stub,
+          model: ::Aserto::Directory::Model::V3::Model::Stub
+        }.freeze
+
+        def create_client(type, config)
+          return NullClient.new(type) unless config
+
+          SERVICE_MAP[type].new(
+            config.url,
+            config.credentials,
+            interceptors: config.interceptors
+          )
+        end
+      end
+
+      remove_const(:Reader)
+      remove_const(:Writer)
+      remove_const(:Model)
+      remove_const(:Importer)
+      remove_const(:Exporter)
+    end
+  end
+end

data/lib/aserto/directory/v3/config.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require_relative "../interceptors/headers"
+
+module Aserto
+  module Directory
+    module V3
+      class Config
+        attr_reader :reader, :writer, :importer, :exporter, :model
+
+        def initialize(config)
+          @base = {
+            url: config[:url] || "directory.prod.aserto.com:8443",
+            api_key: config[:api_key],
+            tenant_id: config[:tenant_id],
+            cert_path: config[:cert_path]
+          }
+
+          @reader = build(**(config[:reader] || {}))
+          @writer = build(**(config[:writer] || {}))
+          @importer = build(**(config[:importer] || {}))
+          @exporter = build(**(config[:exporter] || {}))
+          @model = build(**(config[:model] || {}))
+        end
+
+        private
+
+        class BaseConfig
+          attr_reader :url, :credentials, :interceptors
+
+          def initialize(url, credentials, interceptors)
+            @url = url
+            @credentials = credentials
+            @interceptors = interceptors
+          end
+        end
+
+        def build(
+          url: @base[:url],
+          api_key: @base[:api_key],
+          tenant_id: @base[:tenant_id],
+          cert_path: @base[:cert_path]
+        )
+
+          interceptors = []
+          interceptors = [Interceptors::Headers.new(api_key, tenant_id)] if !api_key.nil? && !tenant_id.nil?
+          BaseConfig.new(url, load_creds(cert_path), interceptors)
+        end
+
+        def load_creds(cert_path)
+          if cert_path && File.file?(cert_path)
+            GRPC::Core::ChannelCredentials.new(File.read(cert_path))
+          else
+            GRPC::Core::ChannelCredentials.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/exporter.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Exporter
+        DATA_TYPE = {
+          unknown: ::Aserto::Directory::Exporter::V3::Option::OPTION_UNKNOWN,
+          objects: ::Aserto::Directory::Exporter::V3::Option::OPTION_DATA_OBJECTS,
+          relations: ::Aserto::Directory::Exporter::V3::Option::OPTION_DATA_RELATIONS,
+          all: ::Aserto::Directory::Exporter::V3::Option::OPTION_DATA
+        }.freeze
+
+        #
+        # Exports directory data
+        #
+        # @param [String] data_type one of [:unknown, :objects, :relations, :all]
+        #
+        def export(data_type: :unknown)
+          data = []
+          operation = exporter.export(
+            Aserto::Directory::Exporter::V3::ExportRequest.new(options: DATA_TYPE[data_type]),
+            return_op: true
+          )
+
+          response = operation.execute
+          response.each { |r| data.push(r) }
+          operation.wait
+
+          data
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/importer.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Importer
+        #
+        # Imports objects and relations
+        #
+        # @param Array[Hash] data to be imported
+        #
+        # @example
+        #   directory.import(
+        #     [
+        #       { object: { id: "import-user", type: "user" } },
+        #       { object: { id: "import-group", type: "group" } },
+        #       {
+        #         relation: {
+        #           object_id: "import-user",
+        #           object_type: "user",
+        #           relation: "member",
+        #           subject_id: "import-group",
+        #           subject_type: "group"
+        #         }
+        #       }
+        #     ]
+        #   )
+        def import(data)
+          data.map! do |value|
+            Aserto::Directory::Importer::V3::ImportRequest.new(value)
+          end
+          operation = importer.import(data, return_op: true)
+          response = operation.execute
+          response.each { |r| } # ensures that the server sends trailing data
+          operation.wait
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/model.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Model
+        # rubocop:disable Naming/AccessorMethodName
+
+        # Get the content of a manifest
+        # @return [Hash] { body: String, updated_at: Timestap, etag: String }
+        def get_manifest
+          response = {}
+          manifest_enum = @model.get_manifest(Aserto::Directory::Model::V3::GetManifestRequest.new)
+          manifest_enum.each do |resp|
+            response[:body] = resp.body.data if resp.respond_to?(:body) && !resp.body.nil?
+            if resp.respond_to?(:metadata)
+              response[:updated_at] ||= resp.metadata&.updated_at&.to_time
+              response[:etag] ||= resp.metadata&.etag
+            end
+          end
+
+          response
+        end
+
+        # Set the content of a manifest
+        # @param body [String]
+        # @return [Aserto::Directory::Model::V3::SetManifestResponse]
+        def set_manifest(body)
+          @model.set_manifest([Aserto::Directory::Model::V3::SetManifestRequest.new(body: { data: body })])
+        end
+
+        # rubocop:enable Naming/AccessorMethodName
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/reader.rb

@@ -0,0 +1,266 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Reader
+        #
+        # find an object by id and type
+        #
+        # @param object_id [String]
+        # @param object_type [String]
+        #
+        # @return [Aserto::Directory::Reader::V3::GetObjectResponse]
+        #
+        # @example
+        #   client.get_object(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com"
+        #   )
+        def get_object(object_id:, object_type:)
+          reader.get_object(
+            Aserto::Directory::Reader::V3::GetObjectRequest.new(
+              object_id: object_id,
+              object_type: object_type
+            )
+          )
+        end
+
+        #
+        # list objects by type
+        #
+        # @param object_type [String]
+        # @param page [Hash]
+        # @option page [Integer] :size
+        # @option page [String] :token
+        #
+        # @return [Aserto::Directory::V3::GetObjectsResponse]
+        #
+        # @example
+        #   client.get_objects(
+        #      object_type: "user",
+        #      page: { size: 2 }
+        #   )
+        def get_objects(object_type:, page: { size: 100 })
+          reader.get_objects(
+            Aserto::Directory::Reader::V3::GetObjectsRequest.new(
+              object_type: object_type,
+              page: Aserto::Directory::Common::V3::PaginationRequest.new(page)
+            )
+          )
+        end
+
+        #
+        # find a relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [String] subject_relation
+        # @param [Boolean] with_objects
+        #
+        # @return [Aserto::Directory::Reader::V3::GetRelationResponse]
+        #
+        # @example
+        #   client.get_relation(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def get_relation(object_type:, object_id:, relation:, subject_type:, subject_id:, subject_relation: "",
+                         with_objects: false)
+          reader.get_relation(
+            Aserto::Directory::Reader::V3::GetRelationRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              subject_relation: subject_relation,
+              with_objects: with_objects
+            )
+          )
+        end
+
+        #
+        # List relations between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [String] subject_relation
+        # @param [Boolean] with_objects
+        # @param page [Hash]
+        # @option page [Integer] :size
+        # @option page [String] :token
+        #
+        # @return [Aserto::Directory::Reader::V3::GetRelationsResponse]
+        #
+        # @example
+        #   client.get_relations(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     page: { size: 10 }
+        #   )
+        def get_relations(object_type: "", object_id: "", relation: "", subject_type: "", subject_id: "",
+                          subject_relation: "", with_objects: false, page: { size: 100 })
+          reader.get_relations(
+            Aserto::Directory::Reader::V3::GetRelationsRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              subject_relation: subject_relation,
+              with_objects: with_objects,
+              page: Aserto::Directory::Common::V3::PaginationRequest.new(page)
+            )
+          )
+        end
+
+        #
+        # Check relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [Boolean] trace
+        #
+        # @return [Aserto::Directory::Reader::V3::CheckRelationResponse]
+        #
+        # @example
+        #   client.check_relation(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def check_relation(object_type:, object_id:, relation:, subject_type:, subject_id:, trace: false)
+          reader.check_relation(
+            Aserto::Directory::Reader::V3::CheckRelationRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              trace: trace
+            )
+          )
+        end
+
+        #
+        # Check relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [Boolean] trace
+        #
+        # @return [Aserto::Directory::Reader::V3::CheckResponse]
+        #
+        # @example
+        #   client.check(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def check(object_type:, object_id:, relation:, subject_type:, subject_id:, trace: false)
+          reader.check(
+            Aserto::Directory::Reader::V3::CheckRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              trace: trace
+            )
+          )
+        end
+
+        #
+        # Check permission between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] permission
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [Boolean] trace
+        #
+        # @return [Aserto::Directory::Reader::V3::CheckPermissionResponse]
+        #
+        # @example
+        #   client.check_permission(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     permission: "read",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def check_permission(object_type:, object_id:, permission:, subject_type:, subject_id:, trace: false)
+          reader.check_permission(
+            Aserto::Directory::Reader::V3::CheckPermissionRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              permission: permission,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              trace: trace
+            )
+          )
+        end
+
+        #
+        # Returns object graph from anchor to subject or object.
+        #
+        # @param [String] anchor_type <description>
+        # @param [String] anchor_id <description>
+        # @param [String] object_type <description>
+        # @param [String] object_id <description>
+        # @param [String] relation <description>
+        # @param [String] subject_type <description>
+        # @param [String] <description>
+        #
+        # @return [Aserto::Directory::Reader::V3::GetGraphResponse]
+        #
+        # @example
+        #   directory.get_graph(
+        #     anchor_type: "user",
+        #     anchor_id: "rick@the-citadel.com",
+        #     subject_id: "rick@the-citadel.com",
+        #     subject_type: "user",
+        #     relation: "member"
+        #   )
+        def get_graph(anchor_type:, anchor_id:, object_type: "", object_id: "", relation: "", subject_type: "",
+                      subject_id: "", subject_relation: "")
+          reader.get_graph(
+            Aserto::Directory::Reader::V3::GetGraphRequest.new(
+              anchor_type: anchor_type,
+              anchor_id: anchor_id,
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              subject_relation: subject_relation
+            )
+          )
+        end
+      end
+    end
+  end
+end

data/lib/aserto/directory/v3/writer.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+module Aserto
+  module Directory
+    module V3
+      module Writer
+        require "google/protobuf/well_known_types"
+
+        #
+        # Create a new object
+        #
+        # @param [String] object_id
+        # @param [String] object_type
+        # @param [String] display_name
+        # @param [Hash] properties
+        # @param [String] etag
+        #
+        # @return [Aserto::Directory::Writer::V3::SetObjectResponse]
+        #
+        # @example
+        #   client.set_object(object_id: "1234", object_type: "user", properties: { email: "test" })
+        def set_object(object_id:, object_type:, display_name: "", properties: {}, etag: nil)
+          writer.set_object(
+            Aserto::Directory::Writer::V3::SetObjectRequest.new(
+              object: {
+                id: object_id,
+                type: object_type,
+                display_name: display_name,
+                properties: Google::Protobuf::Struct.from_hash(properties.transform_keys!(&:to_s)),
+                etag: etag
+              }
+            )
+          )
+        end
+
+        #
+        # Delete an object
+        #
+        # @param [String] object_id
+        # @param [String] object_type
+        # @param [Boolean] with_relations
+        #
+        # @return [ Aserto::Directory::Writer::V3::DeleteObjectResponse]
+        #
+        # @example
+        #   client.delete_object(object_id: "1234", object_type: "user")
+        def delete_object(object_id:, object_type:, with_relations: false)
+          writer.delete_object(
+            Aserto::Directory::Writer::V3::DeleteObjectRequest.new(
+              object_id: object_id,
+              object_type: object_type,
+              with_relations: with_relations
+            )
+          )
+        end
+
+        #
+        # Creates a relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        #
+        # @return [Aserto::Directory::Writer::V3::SetRelationResponse]
+        #
+        # @example
+        #   client.set_relation(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def set_relation(object_type:, object_id:, relation:, subject_type:, subject_id:)
+          writer.set_relation(
+            Aserto::Directory::Writer::V3::SetRelationRequest.new(
+              relation: {
+                object_type: object_type,
+                object_id: object_id,
+                relation: relation,
+                subject_type: subject_type,
+                subject_id: subject_id
+              }
+            )
+          )
+        end
+
+        #
+        # Delete a relation between two objects
+        #
+        # @param [String] object_type
+        # @param [String] object_id
+        # @param [String] relation
+        # @param [String] subject_type
+        # @param [String] subject_id
+        # @param [String] subject_relation
+        #
+        # @return [Aserto::Directory::Writer::V3::DeleteRelationRequest]
+        #
+        # @example
+        #   client.get_relation(
+        #     object_type: "user",
+        #     object_id: "rick@the-citadel.com",
+        #     relation: "member",
+        #     object_type: "group",
+        #     object_id: "evil_genius"
+        #   )
+        def delete_relation(object_type:, object_id:, relation:, subject_type:, subject_id:, subject_relation: "")
+          writer.delete_relation(
+            Aserto::Directory::Writer::V3::DeleteRelationRequest.new(
+              object_type: object_type,
+              object_id: object_id,
+              relation: relation,
+              subject_type: subject_type,
+              subject_id: subject_id,
+              subject_relation: subject_relation
+            )
+          )
+        end
+      end
+    end
+  end
+end

data/lib/aserto/errors.rb

@@ -3,6 +3,7 @@
 module Aserto
   class Error < StandardError; end
   class InvalidResourceMapping < Error; end
+  class InvalidIdentityType < Error; end
 
   class AccessDenied < Error
     attr_reader :action, :conditions

data/lib/aserto/identity_mapper/manual.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Aserto
+  module IdentityMapper
+    module Manual
+      class << self
+        def execute(_request)
+          {
+            type: :manual,
+            identity: ::Aserto.config.identity_mapping[:value].to_s
+          }
+        end
+      end
+    end
+  end
+end

data/lib/aserto/identity_mapper.rb

@@ -4,20 +4,23 @@ require_relative "identity_mapper/base"
 require_relative "identity_mapper/none"
 require_relative "identity_mapper/sub"
 require_relative "identity_mapper/jwt"
+require_relative "identity_mapper/manual"
 
 module Aserto
   module IdentityMapper
     STRATEGY = {
       none: Aserto::IdentityMapper::None,
+      manual: Aserto::IdentityMapper::Manual,
       sub: Aserto::IdentityMapper::Sub,
       jwt: Aserto::IdentityMapper::Jwt
     }.freeze
 
     class << self
       def execute(request)
-        STRATEGY[
-          Aserto.config.identity_mapping[:type].to_sym || :none
-        ].execute(request)
+        STRATEGY.fetch(
+          Aserto.config.identity_mapping[:type].to_sym || :none,
+          Aserto::IdentityMapper::None
+        ).execute(request)
       end
     end
   end

data/lib/aserto.rb

@@ -12,6 +12,7 @@ require_relative "aserto/resource_mapper"
 require_relative "aserto/auth_client"
 require_relative "aserto/errors"
 require_relative "aserto/directory/client"
+require_relative "aserto/directory/v3/client"
 
 module Aserto
   class << self

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aserto
 version: !ruby/object:Gem::Version
-  version: 0.20.6
+  version: 0.30.1
 platform: ruby
 authors:
 - Aserto
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-11-24 00:00:00.000000000 Z
+date: 2023-11-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aserto-authorizer
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.30.0
+        version: 0.30.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.30.0
+        version: 0.30.1
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -82,11 +82,20 @@ files:
 - lib/aserto/config.rb
 - lib/aserto/directory/client.rb
 - lib/aserto/directory/interceptors/headers.rb
-- lib/aserto/directory/requests.rb
+- lib/aserto/directory/v2/client.rb
+- lib/aserto/directory/v2/requests.rb
+- lib/aserto/directory/v3/client.rb
+- lib/aserto/directory/v3/config.rb
+- lib/aserto/directory/v3/exporter.rb
+- lib/aserto/directory/v3/importer.rb
+- lib/aserto/directory/v3/model.rb
+- lib/aserto/directory/v3/reader.rb
+- lib/aserto/directory/v3/writer.rb
 - lib/aserto/errors.rb
 - lib/aserto/identity_mapper.rb
 - lib/aserto/identity_mapper/base.rb
 - lib/aserto/identity_mapper/jwt.rb
+- lib/aserto/identity_mapper/manual.rb
 - lib/aserto/identity_mapper/none.rb
 - lib/aserto/identity_mapper/sub.rb
 - lib/aserto/policy_path_mapper.rb