RubyGems - oso-cloud - Versions diffs - 0.3.0 → 0.5.0 - Mend

oso-cloud 0.3.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 062aa3d76c978722bbc9242d4a7c594eb0feb62146559dcc9a07b3d24f81f5c2
-  data.tar.gz: 8f5afb67fd4e4242c35c7808df00b0bf0bbcd9fcd83257d3a34f218a33625070
+  metadata.gz: 7358c36375c04ca97c57ca8f326b49f1610b3a256aed07550a61a0f8208484aa
+  data.tar.gz: bf8823521cd89afe363c7a1241f7642c8badf49dc57a0a785330d129b963fe68
 SHA512:
-  metadata.gz: bd87423b50e294bbf5ea4761a9287fd9a885b94a803ba8a51f56b428197b1bb37612828e7e58c8124e140ff6a0173d7f5614b6eb86141e6a2aeb4affa705ac83
-  data.tar.gz: b3b1bfd172c4adcd344b2531875d1337cf0a34b3ccd12d0536a1c419a51c1a333ff2363f9d7ca9ab686f468de25bc0696ae2cae60bee2bfcc7ae59e83a956abc
+  metadata.gz: f7a1a6b6167562bb18fa9be85995a7e14384bc551d5ae0da3201f61aa8ece1c77ad7e1eaba9c47107feb2e7f8a92619cf92d386ce82525df601118f3744b47c2
+  data.tar.gz: '09d05422cfd5af07383c358d734e64a52a8508653c4719b6501c393c7ca52a85c68b26a973efbfca7a1ab5c172c1f01bd4418f8eec6906fabc0ee31bb2bde26a'

data/Gemfile.lock CHANGED Viewed

@@ -1,19 +1,21 @@
 PATH
   remote: .
   specs:
-    oso-cloud (0.3.0)
+    oso-cloud (0.5.0)
 GEM
   remote: https://rubygems.org/
   specs:
+    minitest (5.15.0)
     rake (12.3.3)
 PLATFORMS
   ruby
 DEPENDENCIES
+  minitest (~> 5.15)
   oso-cloud!
   rake (~> 12.0)
 BUNDLED WITH
-   2.1.4
+   2.3.13

data/Rakefile CHANGED Viewed

@@ -1,2 +1,9 @@
-require "bundler/gem_tasks"
-task :default => :spec
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+end
+desc "Run tests"
+task :default => :test

data/lib/oso/client.rb CHANGED Viewed

@@ -1,5 +1,4 @@
 require 'json'
-require 'logger'
 require 'net/http'
 require 'uri'
@@ -7,73 +6,120 @@ require 'oso/version'
 module Oso
   class Client
-    def initialize(url: 'https://cloud.osohq.com', api_key: nil, logger: nil)
+    def initialize(url: 'https://cloud.osohq.com', api_key: nil)
       @url = url
       @api_key = api_key
-      @logger = logger || Logger.new(STDOUT)
-      # TODO: why does this need to be configurable?
-      # @to_type_and_id = method(default_to_type_and_id)
+    end
+    def policy(policy)
+      POST('policy', { src: policy })
     end
     def authorize(actor, action, resource)
-      actor_type, actor_id = default_to_type_and_id actor
-      resource_type, resource_id = default_to_type_and_id resource
-      result = post('authorize', {
-                      actor_type: actor_type, actor_id: actor_id,
-                      action: action,
-                      resource_type: resource_type, resource_id: resource_id
-                    })
+      actor_typed_id = extract_typed_id actor
+      resource_typed_id = extract_typed_id resource
+      result = POST('authorize', {
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        action: action,
+        resource_type: resource_typed_id.type, resource_id: resource_typed_id.id
+      })
       allowed = result['allowed']
-      @logger.debug { "AUTHORIZING (#{actor}, #{action}, #{resource}) => ALLOWED? =  #{allowed ? 'true' : 'false'} " }
       allowed
     end
+    def authorize_resources(actor, action, resources)
+      return [] if resources.nil?
+      return [] if resources.empty?
+      key = lambda do |type, id|
+        "#{type}:#{id}"
+      end
+      resources_extracted = resources.map { |r| extract_typed_id(r) }
+      actor_typed_id = extract_typed_id actor
+      result = POST('authorize_resources', {
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        action: action,
+        resources: resources_extracted
+      })
+      return [] if result['results'].empty?
+      results_lookup = Hash.new
+      result['results'].each do |r|
+        k = key.call(r['type'], r['id'])
+        if results_lookup[k] == nil
+          results_lookup[k] = true
+        end
+      end
+      results = resources.select do |r|
+        e = extract_typed_id(r)
+        exists = results_lookup[key.call(e.type, e.id)]
+        exists
+      end
+      results
+    end
     def list(actor, action, resource_type)
-      actor_type, actor_id = default_to_type_and_id actor
-      result = post('list',
-                    {
-                      actor_type: actor_type, actor_id: actor_id,
-                      action: action,
-                      resource_type: resource_type
-                    })
+      actor_typed_id = extract_typed_id actor
+      result = POST('list', {
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        action: action,
+        resource_type: resource_type,
+      })
+      results = result['results']
+      results
+    end
+    def actions(actor, resource)
+      actor_typed_id = extract_typed_id actor
+      resource_typed_id = extract_typed_id resource
+      result = POST('actions', {
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        resource_type: resource_typed_id.type, resource_id: resource_typed_id.id,
+      })
       results = result['results']
-      @logger.debug { "AUTHORIZING (#{actor}, #{action}, #{resource_type}). RESULTS: #{results}" }
       results
     end
-    def add_role(actor, role_name, resource)
-      add_role_or_relation('role', resource, role_name, actor)
+    def tell(predicate, *args)
+      typed_args = args.map { |a| extract_typed_id a}
+      POST('facts', { predicate: predicate, args: typed_args })
     end
-    def delete_role(actor, role_name, resource)
-      delete_role_or_relation('role', resource, role_name, actor)
+    def bulk_tell(facts)
+      params = facts.map { |predicate, *args|
+        typed_args = args.map { |a| extract_typed_id a}
+        { predicate: predicate, args: typed_args }
+      }
+      POST('bulk_load', params)
     end
-    def add_relation(subject, name, object)
-      add_role_or_relation('relation', subject, name, object)
+    def delete(predicate, *args)
+      typed_args = args.map { |a| extract_typed_id a}
+      DELETE('facts', { predicate: predicate, args: typed_args })
     end
-    def delete_relation(subject, name, object)
-      delete_role_or_relation('relation', subject, name, object)
+    def bulk_delete(facts)
+      params = facts.map { |predicate, *args|
+        typed_args = args.map { |a| extract_typed_id a}
+        { predicate: predicate, args: typed_args }
+      }
+      POST('bulk_delete', params)
     end
-    def get_roles(resource: nil, role: nil, actor: nil)
-      params = {}
-      unless actor.nil?
-        actor_type, actor_id = default_to_type_and_id actor
-        params[:actor_type] = actor_type
-        params[:actor_id] = actor_id
-      end
-      unless resource.nil?
-        resource_type, resource_id = default_to_type_and_id resource
-        params[:resource_type] = resource_type
-        params[:resource_id] = resource_id
+    def get(predicate, *args)
+      params = {predicate: predicate}
+      args.each_with_index do |arg, i|
+        typed_id = extract_arg_query(arg)
+        if typed_id
+          params["args.#{i}.type"] = typed_id.type
+          params["args.#{i}.id"] = typed_id.id
+        end
       end
-      params[:role] = role unless role.nil?
-      get('roles')
+      GET('facts', params)
     end
     private
@@ -82,65 +128,68 @@ module Oso
       {
         "Authorization" => "Basic %s" % @api_key,
         "User-Agent" => "Oso Cloud (ruby)",
-        "Accept": "application/json"
+        "Accept": "application/json",
+        "Content-Type": "application/json"
       }
     end
-    def get(path)
-      result = Net::HTTP.get(URI("#{@url}/api/#{path}"), headers)
+    def GET(path, params)
+      uri = URI("#{@url}/api/#{path}")
+      uri.query = URI::encode_www_form(params)
+      use_ssl = (uri.scheme == 'https')
+      result = Net::HTTP.start(uri.hostname, uri.port, use_ssl: use_ssl ) { |http|
+        http.request(Net::HTTP::Get.new(uri, headers)) {|r|
+          r.read_body
+        }
+      }
       handle_result result
     end
-    def post(path, params)
+    def POST(path, params)
       result = Net::HTTP.post(URI("#{@url}/api/#{path}"), params.to_json, headers)
       handle_result result
     end
-    def delete(path, params)
-      result = Net::HTTP.delete(URI("#{@url}/api/#{path}"), params.to_json, headers)
+    def DELETE(path, params)
+      uri = URI("#{@url}/api/#{path}")
+      use_ssl = (uri.scheme == 'https')
+      result = Net::HTTP.start(uri.hostname, uri.port, use_ssl: use_ssl ) { |http|
+        http.request(Net::HTTP::Delete.new(uri, headers), params.to_json) {|r|
+          r.read_body
+        }
+      }
       handle_result result
     end
-    # TODO: why does this need to be configurable?
-    def default_to_type_and_id(obj)
-      if obj.nil?
-        %w[null null]
-      else
-        [obj.class.to_s, obj.id.to_s]
-      end
-    end
     def handle_result(result)
       unless result.is_a?(Net::HTTPSuccess)
         raise "Got an unexpected error from Oso Service: #{result.code}\n#{result.body}"
       end
-      # TODO: Always JSON?
       JSON.parse(result.body)
     end
-    def to_params(role_or_relation, from, name, to)
-      from_type, from_id = default_to_type_and_id from
-      to_type, to_id = default_to_type_and_id to
+    def extract_typed_id(x)
+      return TypedId.new(type: "String", id: x) if x.is_a? String
-      from_name = role_or_relation == 'role' ? 'resource' : 'from'
-      to_name = role_or_relation == 'role' ? 'actor' : 'to'
+      raise "#{x} does not have an 'id' field" unless x.respond_to? :id
+      raise "Invalid 'id' field on #{x}: #{x.id}" if x.id.nil?
-      {
-        "#{from_name}_id" => from_id,
-        "#{from_name}_type" => from_type,
-        role_or_relation.to_s => name,
-        "#{to_name}_id" => to_id,
-        "#{to_name}_type" => to_type
-      }
+      TypedId.new(type: x.class.name, id: x.id.to_s)
     end
-    def add_role_or_relation(role_or_relation, from, name, to)
-      post("#{role_or_relation}s", to_params(role_or_relation, from, name, to))
+    def extract_arg_query(x)
+      return nil if x.nil?
+      extract_typed_id(x)
     end
-    def delete_role_or_relation(role_or_relation, from, name, to)
-      delete("#{role_or_relation}s", to_params(role_or_relation, from, name, to))
+    TypedId = Struct.new(:type, :id, keyword_init: true) do
+      def to_json(*args)
+        to_h.to_json(*args)
+      end
     end
   end
 end

data/lib/oso/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Oso
-  VERSION = '0.3.0'.freeze
+  VERSION = '0.5.0'.freeze
 end

data/oso-cloud.gemspec CHANGED Viewed

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.summary       = 'Oso authorization library.'
   spec.homepage      = 'https://www.osohq.com/'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -18,4 +18,6 @@ Gem::Specification.new do |spec|
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
+  spec.add_development_dependency 'minitest', '~> 5.15'
 end

metadata CHANGED Viewed

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: oso-cloud
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-05-13 00:00:00.000000000 Z
-dependencies: []
+date: 2022-05-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.15'
 description:
 email:
 - support@osohq.com
@@ -38,7 +52,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="