gitlab-glaz 0.0.1-x86_64-linux-musl

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 002f698aa62ff8899092e36252d04133646e69f61733240a05abc63e9d7bfa5d
+  data.tar.gz: 3bf65117caf4a269eb92a4953557930d0ca589fa8771e588d2b437359e2ff754
+SHA512:
+  metadata.gz: 322d043cffbd0373040620518c40b44ce31f23bfdbe4a9631ef324498a76b383960c4cd78924d6ecdb6090e832983265dabf5748b713e7a25052d9a439b246d0
+  data.tar.gz: 6ecdd1a206a5d4ad98e72e386b2fc351b709254e03c0cc8e8f0938612139c5e9259cc285f55bac7f596939851315576fe59fecba646b1dca8536fb5ee58dcb9b

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024-present GitLab B.V.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,71 @@
+# GitLab GLAZ Gem
+
+> [!WARNING]
+> This gem is currently designed entirely for internal use at GitLab.
+
+Ruby bindings for the [Glaz](https://gitlab.com/gitlab-org/auth/glaz) authorization engine. It wraps the Rust-backed `glaz-ruby` crate via [Magnus](https://github.com/matsadler/magnus) FFI, exposing the Glaz `CheckEngine` to Ruby without leaving the Ruby process.
+
+## Requirements
+
+- Ruby >= 3.1
+- Rust toolchain (for building the native extension)
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem 'gitlab-glaz', path: 'gems/gitlab-glaz'
+```
+
+## Building
+
+The gem contains a Rust extension that must be compiled before use:
+
+```shell
+bundle exec rake compile
+```
+
+This compiles the Rust crate in `ext/glaz/` and places the resulting native library under `lib/glaz/`.
+
+## Usage
+
+```ruby
+require 'gitlab-glaz'
+
+# Use the Glaz CheckEngine via the compiled native extension
+```
+
+## Architecture
+
+| Layer | Technology | Purpose |
+| ------- | ----------- | --------- |
+| Ruby API | `lib/gitlab-glaz.rb` | Entry point, loads the native extension |
+| FFI bridge | [Magnus](https://github.com/matsadler/magnus) + [rb-sys](https://github.com/oxidize-rb/rb-sys) | Bridges Ruby ↔ Rust |
+| Rust extension | `ext/glaz/` | Thin `#[magnus::init]` shim that delegates to `glaz-ruby` |
+| Core engine | [`glaz-ruby`](https://gitlab.com/gitlab-org/auth/glaz) | Rust crate implementing the Glaz authorization engine |
+
+## Development
+
+The workspace root [`Cargo.toml`](Cargo.toml) declares all shared Rust dependencies. The extension crate lives in [`ext/glaz/`](ext/glaz/).
+
+To build only the Rust extension:
+
+```shell
+cargo build --release
+```
+
+To run the full compile via Rake (used during gem installation):
+
+```shell
+bundle exec rake
+```
+
+## Releasing a new version
+
+To release a new version, create a merge request and use the `Release` template, following its instructions.
+Once merged, the new version with precompiled, native gems will automatically be published to RubyGems.
+
+## License
+
+Released under the [MIT License](LICENSE).

data/ext/glaz/Cargo.toml

@@ -0,0 +1,12 @@
+[package]
+name = "glaz"
+version.workspace = true
+edition.workspace = true
+
+[lib]
+name = "glaz"
+crate-type = ["cdylib"]
+
+[dependencies]
+glaz-module = { workspace = true }
+magnus = { workspace = true }

data/ext/glaz/extconf.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "mkmf"
+require "rb_sys/mkmf"
+
+create_rust_makefile("gitlab/glaz/glaz") do |r|
+  r.auto_install_rust_toolchain = true
+end

data/ext/glaz/src/lib.rs

@@ -0,0 +1,48 @@
+use magnus::{Error, Ruby, exception, prelude::*};
+
+#[magnus::wrap(class = "Glaz::Engine::CheckPermission")]
+struct CheckPermission {
+    engine: glaz_module::PermissionCheckEngine,
+}
+
+impl CheckPermission {
+    fn initialize() -> Result<Self, Error> {
+        glaz_module::PermissionCheckEngine::new()
+            .map(|engine| Self { engine })
+            .map_err(|e| Error::new(exception::runtime_error(), format!("{e}")))
+    }
+
+    fn check_permission(&self, proto_bytes: magnus::RString) -> Result<magnus::RHash, Error> {
+        let bytes = unsafe { proto_bytes.as_slice() };
+
+        let result = self.engine.check_permission(bytes).map_err(map_error)?;
+
+        let ruby = Ruby::get()
+            .map_err(|_| Error::new(exception::runtime_error(), "Ruby runtime unavailable"))?;
+        let hash = ruby.hash_new();
+        hash.aset(ruby.sym_new("allowed"), result.allowed)?;
+        hash.aset(ruby.sym_new("reason"), result.reason)?;
+        Ok(hash)
+    }
+}
+
+fn map_error(e: glaz_module::GlazError) -> Error {
+    use glaz_module::GlazError::*;
+    match e {
+        InvalidArgument(_) => Error::new(exception::arg_error(), format!("{e}")),
+        Runtime(_) => Error::new(exception::runtime_error(), format!("{e}")),
+    }
+}
+
+#[magnus::init]
+fn init(ruby: &Ruby) -> Result<(), Error> {
+    let glaz = ruby.define_module("Glaz")?;
+    let engine = glaz.define_module("Engine")?;
+    let class = engine.define_class("CheckPermission", ruby.class_object())?;
+    class.define_singleton_method("new", magnus::function!(CheckPermission::initialize, 0))?;
+    class.define_method(
+        "check_permission",
+        magnus::method!(CheckPermission::check_permission, 1),
+    )?;
+    Ok(())
+}

data/lib/gitlab/glaz/loader.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# Native-gem installs ship a per-Ruby-ABI .so under lib/gitlab/glaz/<X.Y>/glaz.so.
+# Source-gem installs (or local `rake compile` output) put it at lib/gitlab/glaz/glaz.{so,bundle}.
+# Try the version-specific path first, fall back to the flat layout.
+def load_rust_extension
+  ruby_version = /(\d+\.\d+)/.match(RUBY_VERSION)
+  require "gitlab/glaz/#{ruby_version}/glaz"
+rescue LoadError
+  require "gitlab/glaz/glaz"
+end

data/lib/gitlab/glaz/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Glaz
+    VERSION = "0.0.1"
+  end
+end

data/lib/gitlab/glaz.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "glaz/version"
+require_relative 'glaz/loader'
+require "proto/service_pb"
+
+load_rust_extension
+
+module Gitlab
+  module Glaz
+    module_function
+
+    def check_permission(subject_uuid:, object_uuid:, permission:, context: {})
+      request = ::Glaz::CheckPermissionRequest.encode(
+        ::Glaz::CheckPermissionRequest.new(
+          subject: subject_uuid,
+          object: object_uuid,
+          permission: permission,
+          context: context.to_json
+        )
+      )
+
+      ::Glaz::Engine::CheckPermission.new.check_permission(request)
+    end
+  end
+end

data/lib/proto/service_pb.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: service.proto
+
+require 'google/protobuf'
+
+descriptor_data = "\n\rservice.proto\x12\x04glaz\"?\n\x0e\x45xplainRequest\x12\x0f\n\x07subject\x18\x01 \x01(\t\x12\x0e\n\x06object\x18\x02 \x01(\t\x12\x0c\n\x04role\x18\x03 \x01(\x05\"2\n\x0f\x45xplainResponse\x12\x0f\n\x07\x61llowed\x18\x01 \x01(\x08\x12\x0e\n\x06reason\x18\x02 \x01(\t\"2\n\x0f\x45valuateRequest\x12\x0f\n\x07subject\x18\x01 \x01(\t\x12\x0e\n\x06object\x18\x02 \x01(\t\"3\n\x10\x45valuateResponse\x12\x0f\n\x07\x61llowed\x18\x01 \x01(\x08\x12\x0e\n\x06reason\x18\x02 \x01(\t\"^\n\x16\x43heckPermissionRequest\x12\x0f\n\x07subject\x18\x01 \x01(\t\x12\x0e\n\x06object\x18\x02 \x01(\t\x12\x12\n\npermission\x18\x03 \x01(\t\x12\x0f\n\x07\x63ontext\x18\x04 \x01(\t\":\n\x17\x43heckPermissionResponse\x12\x0f\n\x07\x61llowed\x18\x01 \x01(\x08\x12\x0e\n\x06reason\x18\x02 \x01(\t2\xd9\x01\n\x14\x41uthorizationService\x12\x36\n\x07\x45xplain\x12\x14.glaz.ExplainRequest\x1a\x15.glaz.ExplainResponse\x12\x39\n\x08\x45valuate\x12\x15.glaz.EvaluateRequest\x1a\x16.glaz.EvaluateResponse\x12N\n\x0f\x43heckPermission\x12\x1c.glaz.CheckPermissionRequest\x1a\x1d.glaz.CheckPermissionResponseb\x06proto3"
+
+pool = ::Google::Protobuf::DescriptorPool.generated_pool
+pool.add_serialized_file(descriptor_data)
+
+module Glaz
+  ExplainRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("glaz.ExplainRequest").msgclass
+  ExplainResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("glaz.ExplainResponse").msgclass
+  EvaluateRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("glaz.EvaluateRequest").msgclass
+  EvaluateResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("glaz.EvaluateResponse").msgclass
+  CheckPermissionRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("glaz.CheckPermissionRequest").msgclass
+  CheckPermissionResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("glaz.CheckPermissionResponse").msgclass
+end

metadata

@@ -0,0 +1,131 @@
+--- !ruby/object:Gem::Specification
+name: gitlab-glaz
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: x86_64-linux-musl
+authors:
+- group::authorization
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2026-05-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: google-protobuf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rb_sys
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.126
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.126
+- !ruby/object:Gem::Dependency
+  name: gitlab-styles
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '14.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '14.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.81'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.81'
+description: Wraps the Rust-backed GitLab Authorization Service (GLAZ) exposed via
+  magnus FFI
+email:
+- engineering@gitlab.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- ext/glaz/Cargo.toml
+- ext/glaz/extconf.rb
+- ext/glaz/src/lib.rs
+- lib/gitlab/glaz.rb
+- lib/gitlab/glaz/3.1/glaz.so
+- lib/gitlab/glaz/3.2/glaz.so
+- lib/gitlab/glaz/3.3/glaz.so
+- lib/gitlab/glaz/3.4/glaz.so
+- lib/gitlab/glaz/4.0/glaz.so
+- lib/gitlab/glaz/loader.rb
+- lib/gitlab/glaz/version.rb
+- lib/proto/service_pb.rb
+homepage: https://gitlab.com/gitlab-org/ruby/gems/gitlab-glaz
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.1'
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: 4.1.dev
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.3.22
+requirements: []
+rubygems_version: 3.5.23
+signing_key: 
+specification_version: 4
+summary: Ruby client for the GLAZ authorization engine
+test_files: []