cerbos 0.7.0 → 0.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -1
- data/lib/cerbos/client.rb +32 -15
- data/lib/cerbos/error.rb +2 -2
- data/lib/cerbos/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c6961d2c4bf6227d115dfa027f8823762bba4725c3d0dbe0c884ba2d69d0a253
|
|
4
|
+
data.tar.gz: 45d8c99f6aaeaa8aea2f30a0b0c4befbed70c6feb97f53f5f6c2288eada4919b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 50f06f8fc92658d6ade88f5ccfc92c899e8584aeb0c043faa1d350493645c49674ca0a1faff8484ba07d53f6243436622fb855fed1cdff47705d1dfde0c8c735
|
|
7
|
+
data.tar.gz: 2d440c072fb8554ed687004ca97ed1717e9735d031f385350da15ddf5bd52fe427837c5a330bbc2cb82bbdc3fcfe733f924bcb9cae1c597bed4eec5b79ebc490
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
No notable changes.
|
|
4
4
|
|
|
5
|
+
## [0.8.0] - 2024-01-12
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
|
|
9
|
+
- `grpc_metadata` option to `Cerbos::Client` constructor and request methods to add gRPC metadata (a.k.a. HTTP headers) to requests to the policy decision point ([#132](https://github.com/cerbos/cerbos-sdk-ruby/pull/132))
|
|
10
|
+
|
|
5
11
|
## [0.7.0] - 2023-06-07
|
|
6
12
|
|
|
7
13
|
### Added
|
|
@@ -68,7 +74,8 @@ No notable changes.
|
|
|
68
74
|
|
|
69
75
|
- Initial implementation of `Cerbos::Client` ([#2](https://github.com/cerbos/cerbos-sdk-ruby/pull/2))
|
|
70
76
|
|
|
71
|
-
[Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.
|
|
77
|
+
[Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.8.0...HEAD
|
|
78
|
+
[0.8.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.7.0...v0.8.0
|
|
72
79
|
[0.7.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...v0.7.0
|
|
73
80
|
[0.6.1]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.0...v0.6.1
|
|
74
81
|
[0.6.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.5.0...v0.6.0
|
data/lib/cerbos/client.rb
CHANGED
|
@@ -4,14 +4,22 @@ module Cerbos
|
|
|
4
4
|
# A client for interacting with the Cerbos policy decision point (PDP) server over gRPC.
|
|
5
5
|
#
|
|
6
6
|
# An instance of the client may be shared between threads.
|
|
7
|
-
#
|
|
8
|
-
#
|
|
7
|
+
#
|
|
8
|
+
# Due to [a limitation in the underlying `grpc` gem](https://github.com/grpc/grpc/issues/8798), creating a client instance before a process fork is [only (experimentally) supported on Linux](https://github.com/grpc/grpc/pull/33430) and requires you to
|
|
9
|
+
# - have at least v1.57.0 of the `grpc` gem installed,
|
|
10
|
+
# - set the `GRPC_ENABLE_FORK_SUPPORT` environment variable to `1`,
|
|
11
|
+
# - call `GRPC.prefork` before forking,
|
|
12
|
+
# - call `GRPC.postfork_parent` in the parent process after forking, and
|
|
13
|
+
# - call `GRPC.postfork_child` in the child processes after forking.
|
|
14
|
+
#
|
|
15
|
+
# Otherwise, if your application runs on a forking webserver (for example, Puma in clustered mode), then you'll need to ensure that you only create client instances in the child (worker) processes.
|
|
9
16
|
class Client
|
|
10
17
|
# Create a client for interacting with the Cerbos PDP server over gRPC.
|
|
11
18
|
#
|
|
12
19
|
# @param target [String] Cerbos PDP server address (`"host"`, `"host:port"`, or `"unix:/path/to/socket"`).
|
|
13
20
|
# @param tls [TLS, MutualTLS, false] gRPC connection encryption settings (`false` for plaintext).
|
|
14
21
|
# @param grpc_channel_args [Hash{String, Symbol => String, Integer}] low-level settings for the gRPC channel (see [available keys in the gRPC documentation](https://grpc.github.io/grpc/core/group__grpc__arg__keys.html)).
|
|
22
|
+
# @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to every request to the PDP.
|
|
15
23
|
# @param on_validation_error [:return, :raise, #call] action to take when input fails schema validation (`:return` to return the validation errors in the response, `:raise` to raise {Error::ValidationFailed}, or a callback to invoke).
|
|
16
24
|
# @param playground_instance [String, nil] identifier of the playground instance to use when prototyping against the hosted demo PDP.
|
|
17
25
|
# @param timeout [Numeric, nil] timeout for gRPC calls, in seconds (`nil` to never time out).
|
|
@@ -30,7 +38,8 @@ module Cerbos
|
|
|
30
38
|
#
|
|
31
39
|
# @example Invoke a callback when input fails schema validation
|
|
32
40
|
# client = Cerbos::Client.new("localhost:3593", tls: false, on_validation_error: ->(validation_errors) { do_something_with validation_errors })
|
|
33
|
-
def initialize(target, tls:, grpc_channel_args: {}, on_validation_error: :return, playground_instance: nil, timeout: nil)
|
|
41
|
+
def initialize(target, tls:, grpc_channel_args: {}, grpc_metadata: {}, on_validation_error: :return, playground_instance: nil, timeout: nil)
|
|
42
|
+
@grpc_metadata = grpc_metadata.transform_keys(&:to_sym)
|
|
34
43
|
@on_validation_error = on_validation_error
|
|
35
44
|
|
|
36
45
|
handle_errors do
|
|
@@ -60,6 +69,7 @@ module Cerbos
|
|
|
60
69
|
# @param action [String] the action to check.
|
|
61
70
|
# @param aux_data [Input::AuxData, Hash, nil] auxiliary data.
|
|
62
71
|
# @param request_id [String] identifier for tracing the request.
|
|
72
|
+
# @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
|
|
63
73
|
#
|
|
64
74
|
# @return [Boolean]
|
|
65
75
|
#
|
|
@@ -69,13 +79,14 @@ module Cerbos
|
|
|
69
79
|
# resource: {kind: "document", id: "1"},
|
|
70
80
|
# action: "view"
|
|
71
81
|
# ) # => true
|
|
72
|
-
def allow?(principal:, resource:, action:, aux_data: nil, request_id: SecureRandom.uuid)
|
|
82
|
+
def allow?(principal:, resource:, action:, aux_data: nil, request_id: SecureRandom.uuid, grpc_metadata: {})
|
|
73
83
|
check_resource(
|
|
74
84
|
principal: principal,
|
|
75
85
|
resource: resource,
|
|
76
86
|
actions: [action],
|
|
77
87
|
aux_data: aux_data,
|
|
78
|
-
request_id: request_id
|
|
88
|
+
request_id: request_id,
|
|
89
|
+
grpc_metadata: grpc_metadata
|
|
79
90
|
).allow?(action)
|
|
80
91
|
end
|
|
81
92
|
|
|
@@ -87,6 +98,7 @@ module Cerbos
|
|
|
87
98
|
# @param aux_data [Input::AuxData, Hash, nil] auxiliary data.
|
|
88
99
|
# @param include_metadata [Boolean] `true` to include additional metadata ({Output::CheckResources::Result::Metadata}) in the results.
|
|
89
100
|
# @param request_id [String] identifier for tracing the request.
|
|
101
|
+
# @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
|
|
90
102
|
#
|
|
91
103
|
# @return [Output::CheckResources::Result]
|
|
92
104
|
#
|
|
@@ -98,14 +110,15 @@ module Cerbos
|
|
|
98
110
|
# )
|
|
99
111
|
#
|
|
100
112
|
# decision.allow?("view") # => true
|
|
101
|
-
def check_resource(principal:, resource:, actions:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid)
|
|
113
|
+
def check_resource(principal:, resource:, actions:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid, grpc_metadata: {})
|
|
102
114
|
handle_errors do
|
|
103
115
|
check_resources(
|
|
104
116
|
principal: principal,
|
|
105
117
|
resources: [Input::ResourceCheck.new(resource: resource, actions: actions)],
|
|
106
118
|
aux_data: aux_data,
|
|
107
119
|
include_metadata: include_metadata,
|
|
108
|
-
request_id: request_id
|
|
120
|
+
request_id: request_id,
|
|
121
|
+
grpc_metadata: grpc_metadata
|
|
109
122
|
).find_result(resource)
|
|
110
123
|
end
|
|
111
124
|
end
|
|
@@ -117,6 +130,7 @@ module Cerbos
|
|
|
117
130
|
# @param aux_data [Input::AuxData, Hash, nil] auxiliary data.
|
|
118
131
|
# @param include_metadata [Boolean] `true` to include additional metadata ({Output::CheckResources::Result::Metadata}) in the results.
|
|
119
132
|
# @param request_id [String] identifier for tracing the request.
|
|
133
|
+
# @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
|
|
120
134
|
#
|
|
121
135
|
# @return [Output::CheckResources]
|
|
122
136
|
#
|
|
@@ -136,7 +150,7 @@ module Cerbos
|
|
|
136
150
|
# )
|
|
137
151
|
#
|
|
138
152
|
# decision.allow?(resource: {kind: "document", id: "1"}, action: "view") # => true
|
|
139
|
-
def check_resources(principal:, resources:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid)
|
|
153
|
+
def check_resources(principal:, resources:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid, grpc_metadata: {})
|
|
140
154
|
handle_errors do
|
|
141
155
|
request = Protobuf::Cerbos::Request::V1::CheckResourcesRequest.new(
|
|
142
156
|
principal: Input.coerce_required(principal, Input::Principal).to_protobuf,
|
|
@@ -146,7 +160,7 @@ module Cerbos
|
|
|
146
160
|
request_id: request_id
|
|
147
161
|
)
|
|
148
162
|
|
|
149
|
-
response = perform_request(@cerbos_service, :check_resources, request)
|
|
163
|
+
response = perform_request(@cerbos_service, :check_resources, request, grpc_metadata)
|
|
150
164
|
|
|
151
165
|
Output::CheckResources.from_protobuf(response).tap do |output|
|
|
152
166
|
handle_validation_errors output
|
|
@@ -162,6 +176,7 @@ module Cerbos
|
|
|
162
176
|
# @param aux_data [Input::AuxData, Hash, nil] auxiliary data.
|
|
163
177
|
# @param include_metadata [Boolean] `true` to include additional metadata ({Output::CheckResources::Result::Metadata}) in the results.
|
|
164
178
|
# @param request_id [String] identifier for tracing the request.
|
|
179
|
+
# @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
|
|
165
180
|
#
|
|
166
181
|
# @return [Output::PlanResources]
|
|
167
182
|
#
|
|
@@ -174,7 +189,7 @@ module Cerbos
|
|
|
174
189
|
#
|
|
175
190
|
# plan.conditional? # => true
|
|
176
191
|
# plan.condition # => #<Cerbos::Output::PlanResources::Expression ...>
|
|
177
|
-
def plan_resources(principal:, resource:, action:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid)
|
|
192
|
+
def plan_resources(principal:, resource:, action:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid, grpc_metadata: {})
|
|
178
193
|
handle_errors do
|
|
179
194
|
request = Protobuf::Cerbos::Request::V1::PlanResourcesRequest.new(
|
|
180
195
|
principal: Input.coerce_required(principal, Input::Principal).to_protobuf,
|
|
@@ -185,7 +200,7 @@ module Cerbos
|
|
|
185
200
|
request_id: request_id
|
|
186
201
|
)
|
|
187
202
|
|
|
188
|
-
response = perform_request(@cerbos_service, :plan_resources, request)
|
|
203
|
+
response = perform_request(@cerbos_service, :plan_resources, request, grpc_metadata)
|
|
189
204
|
|
|
190
205
|
Output::PlanResources.from_protobuf(response).tap do |output|
|
|
191
206
|
handle_validation_errors output
|
|
@@ -195,12 +210,14 @@ module Cerbos
|
|
|
195
210
|
|
|
196
211
|
# Retrieve information about the Cerbos PDP server.
|
|
197
212
|
#
|
|
213
|
+
# @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
|
|
214
|
+
#
|
|
198
215
|
# @return [Output::ServerInfo]
|
|
199
|
-
def server_info
|
|
216
|
+
def server_info(grpc_metadata: {})
|
|
200
217
|
handle_errors do
|
|
201
218
|
request = Protobuf::Cerbos::Request::V1::ServerInfoRequest.new
|
|
202
219
|
|
|
203
|
-
response = perform_request(@cerbos_service, :server_info, request)
|
|
220
|
+
response = perform_request(@cerbos_service, :server_info, request, grpc_metadata)
|
|
204
221
|
|
|
205
222
|
Output::ServerInfo.from_protobuf(response)
|
|
206
223
|
end
|
|
@@ -231,8 +248,8 @@ module Cerbos
|
|
|
231
248
|
@on_validation_error.call validation_errors
|
|
232
249
|
end
|
|
233
250
|
|
|
234
|
-
def perform_request(service, rpc, request)
|
|
235
|
-
service.public_send(rpc, request)
|
|
251
|
+
def perform_request(service, rpc, request, metadata)
|
|
252
|
+
service.public_send(rpc, request, metadata: @grpc_metadata.merge(metadata.transform_keys(&:to_sym)))
|
|
236
253
|
end
|
|
237
254
|
end
|
|
238
255
|
end
|
data/lib/cerbos/error.rb
CHANGED
|
@@ -12,7 +12,7 @@ module Cerbos
|
|
|
12
12
|
|
|
13
13
|
# @private
|
|
14
14
|
def initialize(validation_errors)
|
|
15
|
-
super
|
|
15
|
+
super("Input failed schema validation")
|
|
16
16
|
|
|
17
17
|
@validation_errors = validation_errors
|
|
18
18
|
end
|
|
@@ -48,7 +48,7 @@ module Cerbos
|
|
|
48
48
|
|
|
49
49
|
# @private
|
|
50
50
|
def initialize(code:, details:, metadata: {})
|
|
51
|
-
super
|
|
51
|
+
super("gRPC error #{code}: #{details}")
|
|
52
52
|
|
|
53
53
|
@code = code
|
|
54
54
|
@details = details
|
data/lib/cerbos/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cerbos
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Cerbos
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-01-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: grpc
|
|
@@ -77,7 +77,7 @@ licenses:
|
|
|
77
77
|
metadata:
|
|
78
78
|
bug_tracker_uri: https://github.com/cerbos/cerbos-sdk-ruby/issues
|
|
79
79
|
changelog_uri: https://github.com/cerbos/cerbos-sdk-ruby/blob/main/CHANGELOG.md
|
|
80
|
-
documentation_uri: https://www.rubydoc.info/gems/cerbos/0.
|
|
80
|
+
documentation_uri: https://www.rubydoc.info/gems/cerbos/0.8.0
|
|
81
81
|
homepage_uri: https://github.com/cerbos/cerbos-sdk-ruby
|
|
82
82
|
source_code_uri: https://github.com/cerbos/cerbos-sdk-ruby
|
|
83
83
|
rubygems_mfa_required: 'true'
|
|
@@ -96,7 +96,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
96
96
|
- !ruby/object:Gem::Version
|
|
97
97
|
version: '0'
|
|
98
98
|
requirements: []
|
|
99
|
-
rubygems_version: 3.4
|
|
99
|
+
rubygems_version: 3.5.4
|
|
100
100
|
signing_key:
|
|
101
101
|
specification_version: 4
|
|
102
102
|
summary: Client library for authorization via Cerbos
|