oso-cloud 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 062aa3d76c978722bbc9242d4a7c594eb0feb62146559dcc9a07b3d24f81f5c2
-  data.tar.gz: 8f5afb67fd4e4242c35c7808df00b0bf0bbcd9fcd83257d3a34f218a33625070
+  metadata.gz: 7358c36375c04ca97c57ca8f326b49f1610b3a256aed07550a61a0f8208484aa
+  data.tar.gz: bf8823521cd89afe363c7a1241f7642c8badf49dc57a0a785330d129b963fe68
 SHA512:
-  metadata.gz: bd87423b50e294bbf5ea4761a9287fd9a885b94a803ba8a51f56b428197b1bb37612828e7e58c8124e140ff6a0173d7f5614b6eb86141e6a2aeb4affa705ac83
-  data.tar.gz: b3b1bfd172c4adcd344b2531875d1337cf0a34b3ccd12d0536a1c419a51c1a333ff2363f9d7ca9ab686f468de25bc0696ae2cae60bee2bfcc7ae59e83a956abc
+  metadata.gz: f7a1a6b6167562bb18fa9be85995a7e14384bc551d5ae0da3201f61aa8ece1c77ad7e1eaba9c47107feb2e7f8a92619cf92d386ce82525df601118f3744b47c2
+  data.tar.gz: '09d05422cfd5af07383c358d734e64a52a8508653c4719b6501c393c7ca52a85c68b26a973efbfca7a1ab5c172c1f01bd4418f8eec6906fabc0ee31bb2bde26a'

data/Gemfile.lock

@@ -1,19 +1,21 @@
 PATH
   remote: .
   specs:
-    oso-cloud (0.3.0)
+    oso-cloud (0.5.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    minitest (5.15.0)
     rake (12.3.3)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  minitest (~> 5.15)
   oso-cloud!
   rake (~> 12.0)
 
 BUNDLED WITH
-   2.1.4
+   2.3.13

data/Rakefile

@@ -1,2 +1,9 @@
-require "bundler/gem_tasks"
-task :default => :spec
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+end
+
+desc "Run tests"
+task :default => :test

data/lib/oso/client.rb

@@ -1,5 +1,4 @@
 require 'json'
-require 'logger'
 require 'net/http'
 require 'uri'
 
@@ -7,73 +6,120 @@ require 'oso/version'
 
 module Oso
   class Client
-    def initialize(url: 'https://cloud.osohq.com', api_key: nil, logger: nil)
+    def initialize(url: 'https://cloud.osohq.com', api_key: nil)
       @url = url
       @api_key = api_key
-      @logger = logger || Logger.new(STDOUT)
-      # TODO: why does this need to be configurable?
-      # @to_type_and_id = method(default_to_type_and_id)
+    end
+
+    def policy(policy)
+      POST('policy', { src: policy })
     end
 
     def authorize(actor, action, resource)
-      actor_type, actor_id = default_to_type_and_id actor
-      resource_type, resource_id = default_to_type_and_id resource
-      result = post('authorize', {
-                      actor_type: actor_type, actor_id: actor_id,
-                      action: action,
-                      resource_type: resource_type, resource_id: resource_id
-                    })
+      actor_typed_id = extract_typed_id actor
+      resource_typed_id = extract_typed_id resource
+      result = POST('authorize', {
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        action: action,
+        resource_type: resource_typed_id.type, resource_id: resource_typed_id.id
+      })
       allowed = result['allowed']
-      @logger.debug { "AUTHORIZING (#{actor}, #{action}, #{resource}) => ALLOWED? =  #{allowed ? 'true' : 'false'} " }
-
       allowed
     end
 
+    def authorize_resources(actor, action, resources)
+      return [] if resources.nil?
+      return [] if resources.empty?
+
+      key = lambda do |type, id|
+        "#{type}:#{id}"
+      end
+
+      resources_extracted = resources.map { |r| extract_typed_id(r) }
+      actor_typed_id = extract_typed_id actor
+      result = POST('authorize_resources', {
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        action: action,
+        resources: resources_extracted
+      })
+
+      return [] if result['results'].empty?
+
+      results_lookup = Hash.new
+      result['results'].each do |r|
+        k = key.call(r['type'], r['id'])
+        if results_lookup[k] == nil
+          results_lookup[k] = true
+        end
+      end
+
+      results = resources.select do |r|
+        e = extract_typed_id(r)
+        exists = results_lookup[key.call(e.type, e.id)]
+        exists
+      end
+      results
+    end
+
     def list(actor, action, resource_type)
-      actor_type, actor_id = default_to_type_and_id actor
-      result = post('list',
-                    {
-                      actor_type: actor_type, actor_id: actor_id,
-                      action: action,
-                      resource_type: resource_type
-                    })
+      actor_typed_id = extract_typed_id actor
+      result = POST('list', {
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        action: action,
+        resource_type: resource_type,
+      })
+      results = result['results']
+      results
+    end
+    
+    def actions(actor, resource)
+      actor_typed_id = extract_typed_id actor
+      resource_typed_id = extract_typed_id resource
+      result = POST('actions', {
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        resource_type: resource_typed_id.type, resource_id: resource_typed_id.id,
+      })
       results = result['results']
-      @logger.debug { "AUTHORIZING (#{actor}, #{action}, #{resource_type}). RESULTS: #{results}" }
-
       results
     end
 
-    def add_role(actor, role_name, resource)
-      add_role_or_relation('role', resource, role_name, actor)
+    def tell(predicate, *args)
+      typed_args = args.map { |a| extract_typed_id a}
+      POST('facts', { predicate: predicate, args: typed_args })
     end
 
-    def delete_role(actor, role_name, resource)
-      delete_role_or_relation('role', resource, role_name, actor)
+    def bulk_tell(facts)
+      params = facts.map { |predicate, *args|
+        typed_args = args.map { |a| extract_typed_id a}
+        { predicate: predicate, args: typed_args }
+      }
+      POST('bulk_load', params)
     end
 
-    def add_relation(subject, name, object)
-      add_role_or_relation('relation', subject, name, object)
+    def delete(predicate, *args)
+      typed_args = args.map { |a| extract_typed_id a}
+      DELETE('facts', { predicate: predicate, args: typed_args })
     end
 
-    def delete_relation(subject, name, object)
-      delete_role_or_relation('relation', subject, name, object)
+    def bulk_delete(facts)
+      params = facts.map { |predicate, *args|
+        typed_args = args.map { |a| extract_typed_id a}
+        { predicate: predicate, args: typed_args }
+      }
+      POST('bulk_delete', params)
     end
 
-    def get_roles(resource: nil, role: nil, actor: nil)
-      params = {}
-      unless actor.nil?
-        actor_type, actor_id = default_to_type_and_id actor
-        params[:actor_type] = actor_type
-        params[:actor_id] = actor_id
-      end
-      unless resource.nil?
-        resource_type, resource_id = default_to_type_and_id resource
-        params[:resource_type] = resource_type
-        params[:resource_id] = resource_id
+    def get(predicate, *args)
+      params = {predicate: predicate}
+      args.each_with_index do |arg, i|
+        typed_id = extract_arg_query(arg)
+        if typed_id
+          params["args.#{i}.type"] = typed_id.type
+          params["args.#{i}.id"] = typed_id.id
+        end
       end
-      params[:role] = role unless role.nil?
 
-      get('roles')
+      GET('facts', params)
     end
 
     private
@@ -82,65 +128,68 @@ module Oso
       {
         "Authorization" => "Basic %s" % @api_key,
         "User-Agent" => "Oso Cloud (ruby)",
-        "Accept": "application/json"
+        "Accept": "application/json",
+        "Content-Type": "application/json"
       }
     end
 
-    def get(path)
-      result = Net::HTTP.get(URI("#{@url}/api/#{path}"), headers)
+
+    def GET(path, params)
+      uri = URI("#{@url}/api/#{path}")
+      uri.query = URI::encode_www_form(params)
+      use_ssl = (uri.scheme == 'https')
+
+      result = Net::HTTP.start(uri.hostname, uri.port, use_ssl: use_ssl ) { |http|
+        http.request(Net::HTTP::Get.new(uri, headers)) {|r|
+          r.read_body
+        }
+      }
       handle_result result
+
     end
 
-    def post(path, params)
+    def POST(path, params)
       result = Net::HTTP.post(URI("#{@url}/api/#{path}"), params.to_json, headers)
       handle_result result
     end
 
-    def delete(path, params)
-      result = Net::HTTP.delete(URI("#{@url}/api/#{path}"), params.to_json, headers)
+    def DELETE(path, params)
+      uri = URI("#{@url}/api/#{path}")
+      use_ssl = (uri.scheme == 'https')
+      result = Net::HTTP.start(uri.hostname, uri.port, use_ssl: use_ssl ) { |http|
+        http.request(Net::HTTP::Delete.new(uri, headers), params.to_json) {|r|
+          r.read_body
+        }
+      }
       handle_result result
     end
 
-    # TODO: why does this need to be configurable?
-    def default_to_type_and_id(obj)
-      if obj.nil?
-        %w[null null]
-      else
-        [obj.class.to_s, obj.id.to_s]
-      end
-    end
-
     def handle_result(result)
       unless result.is_a?(Net::HTTPSuccess)
         raise "Got an unexpected error from Oso Service: #{result.code}\n#{result.body}"
       end
 
-      # TODO: Always JSON?
       JSON.parse(result.body)
     end
 
-    def to_params(role_or_relation, from, name, to)
-      from_type, from_id = default_to_type_and_id from
-      to_type, to_id = default_to_type_and_id to
+    def extract_typed_id(x)
+      return TypedId.new(type: "String", id: x) if x.is_a? String
 
-      from_name = role_or_relation == 'role' ? 'resource' : 'from'
-      to_name = role_or_relation == 'role' ? 'actor' : 'to'
+      raise "#{x} does not have an 'id' field" unless x.respond_to? :id
+      raise "Invalid 'id' field on #{x}: #{x.id}" if x.id.nil?
 
-      {
-        "#{from_name}_id" => from_id,
-        "#{from_name}_type" => from_type,
-        role_or_relation.to_s => name,
-        "#{to_name}_id" => to_id,
-        "#{to_name}_type" => to_type
-      }
+      TypedId.new(type: x.class.name, id: x.id.to_s)
     end
 
-    def add_role_or_relation(role_or_relation, from, name, to)
-      post("#{role_or_relation}s", to_params(role_or_relation, from, name, to))
+    def extract_arg_query(x)
+      return nil if x.nil?
+      extract_typed_id(x)
     end
 
-    def delete_role_or_relation(role_or_relation, from, name, to)
-      delete("#{role_or_relation}s", to_params(role_or_relation, from, name, to))
+    TypedId = Struct.new(:type, :id, keyword_init: true) do
+      def to_json(*args)
+        to_h.to_json(*args)
+      end
     end
   end
 end

data/lib/oso/version.rb

@@ -1,3 +1,3 @@
 module Oso
-  VERSION = '0.3.0'.freeze
+  VERSION = '0.5.0'.freeze
 end

data/oso-cloud.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.summary       = 'Oso authorization library.'
   spec.homepage      = 'https://www.osohq.com/'
 
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -18,4 +18,6 @@ Gem::Specification.new do |spec|
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'minitest', '~> 5.15'
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: oso-cloud
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-05-13 00:00:00.000000000 Z
-dependencies: []
+date: 2022-05-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.15'
 description: 
 email:
 - support@osohq.com
@@ -38,7 +52,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="