oso-cloud 0.7.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69149698f1269f5bd98bf3072671992b364170e0ff5264132fde524f10d997b2
-  data.tar.gz: ccd52aa2087dfadffc11dce6343aaad7abf10ec3cb2099a8b01df8f19f3e88d4
+  metadata.gz: 339079e696596a482f6f1fe6bc875d9f88dc5415b0eaca4b4e7a04304280cc7a
+  data.tar.gz: '099c6b0532405a7fc0cf5933b09ea03991fe43f3e2da6b726d5e33e932706b55'
 SHA512:
-  metadata.gz: 2cc987575b2ef6ff3b7bdff48b575c23f1a6739ba5553a44f00731700e03b89a854d71bac3fd60b41bf76854d9b38fb9b380ee2eb7b4abdc7a0338abcb48b3ed
-  data.tar.gz: afa3922a254311adf4616372c15b3c51c834339d89c5cc3942c86d261e12121d919b8879dd9494e28cb71b7f318f060924e1852cae28e36e7fcf385c70591cb1
+  metadata.gz: 441e11c7fdb4b201cf22d84195d7f0cc5454a64186c0078086ae085138a31a8ee10f667f5723b94b467aa74ee89780e1ccd853c435d044f84616b46f78a44527
+  data.tar.gz: 56c4cb7d88820805bbd9238624f8220253c48aa19fdffe71298af26ff9369e3bf5692d49be70f439a582e4f76ff9d4b7458f45a303fa32c02296c5c2324f9f08

data/Gemfile.lock

@@ -1,13 +1,22 @@
 PATH
   remote: .
   specs:
-    oso-cloud (0.7.0)
+    oso-cloud (1.0.1)
+      faraday (~> 2.5.2)
+      faraday-retry (~> 2.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    faraday (2.5.2)
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (3.0.2)
+    faraday-retry (2.0.0)
+      faraday (~> 2.0)
     minitest (5.15.0)
     rake (12.3.3)
+    ruby2_keywords (0.0.5)
 
 PLATFORMS
   ruby

data/README.md

@@ -1,25 +1,53 @@
-# Oso::Client
+# Oso Cloud Client for Ruby
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/oso/client`. To experiment with that code, run `bin/console` for an interactive prompt.
+[![Slack][badge-slack]][badge-slack-link]
 
-TODO: Delete this and the text above, and describe your gem
+The Oso Cloud client for Ruby provides a convenient wrapper around the Oso
+Cloud HTTP API for applications and services written in Ruby.
 
-## Installation
+## What is Oso Cloud?
+Oso Cloud is authorization-as-a-service. It provides abstractions for building
+and iterating on authorization in your application – based on years of work
+with hundreds of engineering teams.
 
-Add this line to your application's Gemfile:
+- Model: Build your authorization model using primitives for common patterns
+  like multi-tenancy and RBAC. Express custom rules using Polar, a
+  declarative policy language for authorization.
 
-```ruby
-gem 'oso-cloud'
-```
+- Store: Store your authorization data using a best-practices data model and
+  use it for access decisions across all of your services.
 
-And then execute:
+- Enforce & Query: Add enforcement calls to your application to perform
+  yes/no permission checks, filter resources by permissions, list a user's
+  roles, and show/hide pieces of your UI.
 
-    $ bundle install
+- Test & Watch: Write tests over your authorization policies before you push
+  them live. See logs of authorization decisions in real time.
 
-Or install it yourself as:
+For more information on  how Oso Cloud works and how it fits into your
+architecture, check out the
+[introduction](https://www.osohq.com/docs/get-started/what-is-oso-cloud).
 
-    $ gem install oso-cloud
+## Documentation
+- To get up and running with Oso Cloud, try the
+  [Quickstart guide](https://www.osohq.com/docs/get-started/quickstart).
+- For method-level documentation, see the
+  [Ruby Client API documentation](https://www.osohq.com/docs/reference/client-apis/ruby).
+- Full documentation is available at
+  [osohq.com/docs](https://www.osohq.com/docs).
+- To learn about authorization best practices (not specific to Oso), read the
+  [Authorization Academy](https://www.osohq.com/developers/authorization-academy)
+  guides.
 
-## Usage
+## Community & Support
+
+If you have any questions on Oso Cloud or authorization more generally, you can
+join our engineering team & hundreds of other developers using Oso in our
+community Slack:
+
+[![Button][join-slack-link]][badge-slack-link]
+
+[join-slack-link]: https://user-images.githubusercontent.com/282595/128394344-1bd9e5b2-e83d-4666-b446-2e4f431ffcea.png
+[badge-slack]: https://img.shields.io/badge/slack-oso--oss-orange
+[badge-slack-link]: https://join-slack.osohq.com/
 
-TODO: Write usage instructions here

data/lib/oso/api.rb

@@ -0,0 +1,458 @@
+require 'json'
+require 'uri'
+require 'faraday'
+require 'faraday/retry'
+
+require 'oso/helpers'
+
+module OsoCloud
+  # @!visibility private
+  module Core
+    # @!visibility private
+    class ApiResult
+      attr_reader :message
+
+      def initialize(message:)
+        @message = message
+      end
+    end
+
+    # @!visibility private
+    class ApiError < StandardError
+      def initialize(message:)
+        super(message)
+      end
+    end
+
+    # @!visibility private
+    class Policy
+      attr_reader :filename
+      attr_reader :src
+
+      def initialize(filename:, src:)
+        @filename = filename
+        @src = src
+      end
+    end
+
+    # @!visibility private
+    class GetPolicyResult
+      attr_reader :policy
+
+      def initialize(policy:)
+        if policy.is_a? Policy
+          @policy = policy
+        else
+          @policy = Policy.new(**policy)
+        end
+      end
+    end
+
+    # @!visibility private
+    class Fact
+      attr_reader :predicate
+      attr_reader :args
+
+      def initialize(predicate:, args:)
+        @predicate = predicate
+        @args = args.map { |v| if v.is_a? Value then v else Value.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class Value
+      attr_reader :type
+      attr_reader :id
+
+      def initialize(type:, id:)
+        @type = type
+        @id = id
+      end
+    end
+
+    # @!visibility private
+    class Bulk
+      attr_reader :delete
+      attr_reader :tell
+
+      def initialize(delete:, tell:)
+        @delete = delete.map { |v| if v.is_a? Fact then v else Fact.new(**v) end }
+        @tell = tell.map { |v| if v.is_a? Fact then v else Fact.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class AuthorizeResult
+      attr_reader :allowed
+
+      def initialize(allowed:)
+        @allowed = allowed
+      end
+    end
+
+    # @!visibility private
+    class AuthorizeQuery
+      attr_reader :actor_type
+      attr_reader :actor_id
+      attr_reader :action
+      attr_reader :resource_type
+      attr_reader :resource_id
+      attr_reader :context_facts
+
+      def initialize(actor_type:, actor_id:, action:, resource_type:, resource_id:, context_facts:)
+        @actor_type = actor_type
+        @actor_id = actor_id
+        @action = action
+        @resource_type = resource_type
+        @resource_id = resource_id
+        @context_facts = context_facts.map { |v| if v.is_a? Fact then v else Fact.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class AuthorizeResourcesResult
+      attr_reader :results
+
+      def initialize(results:)
+        @results = results.map { |v| if v.is_a? Value then v else Value.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class AuthorizeResourcesQuery
+      attr_reader :actor_type
+      attr_reader :actor_id
+      attr_reader :action
+      attr_reader :resources
+      attr_reader :context_facts
+
+      def initialize(actor_type:, actor_id:, action:, resources:, context_facts:)
+        @actor_type = actor_type
+        @actor_id = actor_id
+        @action = action
+        @resources = resources.map { |v| if v.is_a? Value then v else Value.new(**v) end }
+        @context_facts = context_facts.map { |v| if v.is_a? Fact then v else Fact.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class ListResult
+      attr_reader :results
+
+      def initialize(results:)
+        @results = results
+      end
+    end
+
+    # @!visibility private
+    class ListQuery
+      attr_reader :actor_type
+      attr_reader :actor_id
+      attr_reader :action
+      attr_reader :resource_type
+      attr_reader :context_facts
+
+      def initialize(actor_type:, actor_id:, action:, resource_type:, context_facts:)
+        @actor_type = actor_type
+        @actor_id = actor_id
+        @action = action
+        @resource_type = resource_type
+        @context_facts = context_facts.map { |v| if v.is_a? Fact then v else Fact.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class ActionsResult
+      attr_reader :results
+
+      def initialize(results:)
+        @results = results
+      end
+    end
+
+    # @!visibility private
+    class ActionsQuery
+      attr_reader :actor_type
+      attr_reader :actor_id
+      attr_reader :resource_type
+      attr_reader :resource_id
+      attr_reader :context_facts
+
+      def initialize(actor_type:, actor_id:, resource_type:, resource_id:, context_facts:)
+        @actor_type = actor_type
+        @actor_id = actor_id
+        @resource_type = resource_type
+        @resource_id = resource_id
+        @context_facts = context_facts.map { |v| if v.is_a? Fact then v else Fact.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class QueryResult
+      attr_reader :results
+
+      def initialize(results:)
+        @results = results.map { |v| if v.is_a? Fact then v else Fact.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class Query
+      attr_reader :fact
+      attr_reader :context_facts
+
+      def initialize(fact:, context_facts:)
+        if fact.is_a? Fact
+          @fact = fact
+        else
+          @fact = Fact.new(**fact)
+        end
+        @context_facts = context_facts.map { |v| if v.is_a? Fact then v else Fact.new(**v) end }
+      end
+    end
+
+    # @!visibility private
+    class StatsResult
+      attr_reader :num_roles
+      attr_reader :num_relations
+      attr_reader :num_facts
+
+      def initialize(num_roles:, num_relations:, num_facts:)
+        @num_roles = num_roles
+        @num_relations = num_relations
+        @num_facts = num_facts
+      end
+    end
+
+
+    # @!visibility private
+    class Api
+      def initialize(url: 'https://cloud.osohq.com', api_key: nil, options: nil)
+        @url = url
+        @connection = Faraday.new(url: url) do |faraday|
+          faraday.request :json
+
+          # responses are processed in reverse order; this stack implies the
+          # retries are attempted before an error is raised, and the json
+          # parser is only applied if there are no errors
+          faraday.response :json, preserve_raw: true
+          faraday.response :raise_error
+          faraday.request :retry, {
+            max: (options && options[:max_retries]) || 10,
+            interval: 0.01,
+            interval_randomness: 0.005,
+            max_interval: 1,
+            backoff_factor: 2,
+            retry_statuses: [429, 500, 502, 503, 504],
+            # ensure authorize and related check functions are retried because
+            # they are POST requests, which are not retried automatically
+            retry_if: ->(env, _exc) {
+              %w[
+                /api/authorize
+                /api/authorize_resources
+                /api/list
+                /api/actions
+                /api/query
+              ].include? env.url.path
+            },
+          }
+
+          if (options && options[:test_adapter])
+            faraday.adapter :test do |stub|
+              stub.post(options[:test_adapter][:path]) do |env|
+                options[:test_adapter][:func].call
+              end
+              stub.get(options[:test_adapter][:path]) do |env|
+                options[:test_adapter][:func].call
+              end
+              stub.delete(options[:test_adapter][:path]) do |env|
+                options[:test_adapter][:func].call
+              end
+            end
+          else
+            faraday.adapter :net_http
+          end
+        end
+        @api_key = api_key
+      end
+
+      def get_policy()
+        params = {}
+        data = nil
+        url = "/policy"
+        result = GET(url, params, data)
+        GetPolicyResult.new(**result)
+      end
+
+      def post_policy(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/policy"
+        result = POST(url, params, data)
+        ApiResult.new(**result)
+      end
+
+      def post_facts(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/facts"
+        result = POST(url, params, data)
+        Fact.new(**result)
+      end
+
+      def delete_facts(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/facts"
+        result = DELETE(url, params, data)
+        ApiResult.new(**result)
+      end
+
+      def post_bulk_load(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/bulk_load"
+        result = POST(url, params, data)
+        ApiResult.new(**result)
+      end
+
+      def post_bulk_delete(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/bulk_delete"
+        result = POST(url, params, data)
+        ApiResult.new(**result)
+      end
+
+      def post_bulk(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/bulk"
+        result = POST(url, params, data)
+        ApiResult.new(**result)
+      end
+
+      def post_authorize(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/authorize"
+        result = POST(url, params, data)
+        AuthorizeResult.new(**result)
+      end
+
+      def post_authorize_resources(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/authorize_resources"
+        result = POST(url, params, data)
+        AuthorizeResourcesResult.new(**result)
+      end
+
+      def post_list(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/list"
+        result = POST(url, params, data)
+        ListResult.new(**result)
+      end
+
+      def post_actions(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/actions"
+        result = POST(url, params, data)
+        ActionsResult.new(**result)
+      end
+
+      def post_query(data)
+        params = {}
+        data = OsoCloud::Helpers.to_hash(data)
+        url = "/query"
+        result = POST(url, params, data)
+        QueryResult.new(**result)
+      end
+
+      def get_stats()
+        params = {}
+        data = nil
+        url = "/stats"
+        result = GET(url, params, data)
+        StatsResult.new(**result)
+      end
+
+      def clear_data()
+        params = {}
+        data = nil
+        url = "/clear_data"
+        result = POST(url, params, data)
+        ApiResult.new(**result)
+      end
+
+
+      # hard-coded, not generated
+      def get_facts(predicate, args)
+        params = {}
+        params["predicate"] = predicate
+        args.each_with_index do |arg, i|
+          arg_query = OsoCloud::Helpers.extract_arg_query(arg)
+          if arg_query
+            params["args.#{i}.type"] = arg_query.type
+            params["args.#{i}.id"] = arg_query.id
+          end
+        end
+        data = nil
+        url = "/facts"
+        result = GET(url, params, data)
+        result.map { |v| Fact.new(**v) }
+      end
+
+      def headers()
+        {
+          "Authorization" => "Bearer %s" % @api_key,
+          "User-Agent" => "Oso Cloud (ruby)",
+          "Accept": "application/json",
+          "Content-Type": "application/json",
+          "X-OsoApiVersion": "0"
+        }
+      end
+
+      def GET(path, params, body)
+        response = @connection.get("api#{path}", params, headers )
+        handle_faraday_response response
+      rescue Faraday::Error => error
+        handle_faraday_error error
+      end
+
+      def POST(path, params, body)
+        response = @connection.post("api#{path}", body, headers) do |req|
+          req.params = params
+        end
+        handle_faraday_response response
+      rescue Faraday::Error => error
+        handle_faraday_error error
+      end
+
+      def DELETE(path, params, body)
+        response = @connection.delete("api#{path}", params, headers) do |req|
+          req.body = body
+        end
+        handle_faraday_response response
+      rescue Faraday::Error => error
+        handle_faraday_error error
+      end
+
+      def handle_faraday_response(response)
+        # TODO:(@patrickod) refactor duplicative JSON parsing
+        JSON.parse(response.env[:raw_body], symbolize_names: true)
+      end
+
+      def handle_faraday_error(error)
+        err = JSON.parse(error.response[:body], symbolize_names: true)
+        raise ApiError.new(**err)
+      rescue JSON::ParserError => e
+        raise ApiError.new(message: e.message)
+      end
+    end
+
+  end
+end

data/lib/oso/helpers.rb

@@ -0,0 +1,59 @@
+module OsoCloud
+  # @!visibility private
+  module Helpers
+    # @!visibility private
+    def self.extract_value(x)
+      return OsoCloud::Core::Value.new(type: "String", id: x) if x.is_a? String
+
+      return nil if x.nil?
+
+      type = (x.type.nil? ? nil : x.type.to_s)
+      id = (x.id.nil? ? nil : x.id.to_s)
+      OsoCloud::Core::Value.new(type: type, id: id)
+    end
+
+    # @!visibility private
+    def self.extract_arg_query(x)
+      self.extract_value(x)
+    end
+
+    # @!visibility private
+    def self.param_to_fact(predicate, args)
+      OsoCloud::Core::Fact.new(predicate: predicate, args: args.map { |a| self.extract_value(a) })
+    end
+
+    # @!visibility private
+    def self.params_to_facts(facts)
+      facts.map { |predicate, *args| self.param_to_fact(predicate, args) }
+    end
+
+    def self.from_value(value)
+      if value.id.nil?
+        if value.type.nil?
+          nil
+        else
+          { type: value.type }
+        end
+      else
+        if value.type == "String"
+          value.id
+        else
+          { id: value.id, type: value.type }
+        end
+      end
+    end
+
+    # @!visibility private
+    def self.to_hash(o)
+      return o.map { |v| self.to_hash(v) } if o.is_a? Array
+      return o if o.instance_variables.empty?
+      hash = {}
+      o.instance_variables.each { |var|
+        v = var.to_s.delete("@")
+        value = o.send(v)
+        hash[v] = self.to_hash(value)
+      }
+      hash
+    end
+  end
+end

data/lib/oso/oso.rb

@@ -0,0 +1,255 @@
+require 'json'
+require 'net/http'
+require 'uri'
+
+require 'oso/version'
+require 'oso/api'
+require 'oso/helpers'
+
+##
+# For more detailed documentation, see
+# https://www.osohq.com/docs/reference/client-apis/ruby
+module OsoCloud
+
+  # Represents an object in your application, with a type and id.
+  # Both "type" and "id" should be strings.
+  Value = Struct::new(:type, :id, keyword_init: true) do
+
+    def to_api_value
+      OsoCloud::Helpers.extract_value(self)
+    end
+  end
+
+  # Oso Cloud client for Ruby
+  #
+  # About facts:
+  #
+  # Some of these methods accept and return "fact"s.
+  # A "fact" is an array with at least one element.
+  # The first element must be a string, representing the fact's name.
+  # Any other elements in the array, which together represent the fact's arguments,
+  # can be "OsoCloud::Value" objects or strings.
+  class Oso
+    def initialize(url: 'https://cloud.osohq.com', api_key: nil)
+      @api = OsoCloud::Core::Api.new(url: url, api_key: api_key)
+    end
+
+    ##
+    # Update the active policy
+    #
+    # Updates the active policy in Oso Cloud, The string passed into
+    # this method should be written in Polar.
+    #
+    # @param policy [String]
+    # @return [nil]
+    def policy(policy)
+      @api.post_policy(OsoCloud::Core::Policy.new(src: policy, filename: ""))
+      nil
+    end
+
+    ##
+    # Check a permission
+    #
+    # Returns true if the actor can perform the action on the resource;
+    # otherwise false.
+    #
+    # @param actor [OsoCloud::Value]
+    # @param action [String]
+    # @param resource [OsoCloud::Value]
+    # @param context_facts [Array<fact>]
+    # @return [Boolean]
+    # @see Oso more information about facts
+    def authorize(actor, action, resource, context_facts = [])
+      actor_typed_id = actor.to_api_value
+      resource_typed_id = resource.to_api_value
+      result = @api.post_authorize(OsoCloud::Core::AuthorizeQuery.new(
+        actor_type: actor_typed_id.type,
+        actor_id: actor_typed_id.id,
+        action: action,
+        resource_type: resource_typed_id.type,
+        resource_id: resource_typed_id.id,
+        context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
+      ))
+      result.allowed
+    end
+
+    ##
+    # Check authorized resources
+    #
+    # Returns a subset of the resource which an actor can perform
+    # a particular action. Ordering and duplicates, if any exist, are preserved.
+    #
+    # @param actor [OsoCloud::Value]
+    # @param action [String]
+    # @param resources [Array<OsoCloud::Value>]
+    # @param context_facts [Array<fact>]
+    # @return [Array<OsoCloud::Value>]
+    # @see Oso more information about facts
+    def authorize_resources(actor, action, resources, context_facts = [])
+      return [] if resources.nil?
+      return [] if resources.empty?
+
+      key = lambda do |type, id|
+        "#{type}:#{id}"
+      end
+
+      resources_extracted = resources.map(&:to_api_value)
+      actor_typed_id = actor.to_api_value
+      data = OsoCloud::Core::AuthorizeResourcesQuery.new(
+        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
+        action: action,
+        resources: resources_extracted,
+        context_facts: OsoCloud::Helpers::params_to_facts(context_facts)
+      )
+      result = @api.post_authorize_resources(data)
+
+      return [] if result.results.empty?
+
+      results_lookup = Hash.new
+      result.results.each do |r|
+        k = key.call(r.type, r.id)
+        if results_lookup[k] == nil
+          results_lookup[k] = true
+        end
+      end
+
+      results = resources.select do |r|
+        e = r.to_api_value
+        exists = results_lookup[key.call(e.type, e.id)]
+        exists
+      end
+      results
+    end
+
+    ##
+    # List authorized resources
+    #
+    # Fetches a list of resource ids on which an actor can perform a
+    # particular action.
+    #
+    # @param actor [OsoCloud::Value]
+    # @param action [String]
+    # @param resource_type [String]
+    # @param context_facts [Array<fact>]
+    # @return [Array<String>]
+    # @see Oso more information about facts
+    def list(actor, action, resource_type, context_facts = [])
+      actor_typed_id = actor.to_api_value
+      result = @api.post_list(OsoCloud::Core::ListQuery.new(
+        actor_type: actor_typed_id.type,
+        actor_id: actor_typed_id.id,
+        action: action,
+        resource_type: resource_type,
+        context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
+      ))
+      result.results
+    end
+
+    ##
+    # List authorized actions
+    #
+    # Fetches a list of actions which an actor can perform on a particular resource.
+    #
+    # @param actor [OsoCloud::Value]
+    # @param resource [OsoCloud::Value]
+    # @param context_facts [Array<fact>]
+    # @return [Array<String>]
+    # @see Oso more information about facts
+    def actions(actor, resource, context_facts = [])
+      actor_typed_id = actor.to_api_value
+      resource_typed_id = resource.to_api_value
+      result = @api.post_actions(OsoCloud::Core::ActionsQuery.new(
+        actor_type: actor_typed_id.type,
+        actor_id: actor_typed_id.id,
+        resource_type: resource_typed_id.type,
+        resource_id: resource_typed_id.id,
+        context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
+      ))
+      result.results
+    end
+
+    ##
+    # Add a fact
+    #
+    # Adds a fact with the given name and arguments.
+    #
+    # @param name [String]
+    # @param args [*[String, OsoCloud::Value]]
+    # @return [nil]
+    def tell(name, *args)
+      typed_args = args.map { |a| OsoCloud::Helpers.extract_value(a)}
+      @api.post_facts(OsoCloud::Core::Fact.new(predicate: name, args: typed_args))
+      nil
+    end
+
+    ##
+    # Add many facts
+    #
+    # Adds many facts at once.
+    #
+    # @param facts [Array<fact>]
+    # @return [nil]
+    # @see Oso more information about facts
+    def bulk_tell(facts)
+      @api.post_bulk_load(OsoCloud::Helpers.params_to_facts(facts))
+      nil
+    end
+
+    ##
+    # Delete fact
+    #
+    # Deletes a fact. Does not throw an error if the fact is not found.
+    #
+    # @param name [String]
+    # @param args [*[String, OsoCloud::Value]]
+    # @return [nil]
+    def delete(name, *args)
+      typed_args = args.map { |a| OsoCloud::Helpers.extract_value(a) }
+      @api.delete_facts(OsoCloud::Core::Fact.new(predicate: name, args: typed_args))
+      nil
+    end
+
+    ##
+    # Delete many facts
+    #
+    # Deletes many facts at once. Does not throw an error when some of
+    # the facts are not found.
+    #
+    # @param facts [Array<fact>]
+    # @return [nil]
+    # @see Oso more information about facts
+    def bulk_delete(facts)
+      @api.post_bulk_delete(OsoCloud::Helpers.params_to_facts(facts))
+      nil
+    end
+
+    ##
+    # List facts
+    #
+    # Lists facts that are stored in Oso Cloud. Can be used to check the existence
+    # of a particular fact, or used to fetch all facts that have a particular
+    # argument. nil arguments operate as wildcards.
+    #
+    # @param name [String]
+    # @param args [*[String, OsoCloud::Value, nil]]
+    # @return [Array<fact>]
+    # @see Oso more information about facts
+    def get(name, *args)
+      @api.get_facts(name, args).map do |f|
+        name = f.predicate
+        args = f.args.map do |a|
+          v = OsoCloud::Helpers.from_value(a)
+          if v.is_a? Hash
+            OsoCloud::Value.new(type: v[:type], id: v[:id])
+          else
+            v
+          end
+        end
+        [name, *args]
+      end
+    end
+
+
+    # TODO query, bulk
+  end
+end

data/lib/oso/version.rb

@@ -1,3 +1,3 @@
-module Oso
-  VERSION = '0.7.0'.freeze
+module OsoCloud
+  VERSION = '1.0.1'.freeze
 end

data/lib/oso-cloud.rb

@@ -0,0 +1 @@
+require 'oso/oso'

data/oso-cloud.gemspec

@@ -2,13 +2,14 @@ require_relative 'lib/oso/version'
 
 Gem::Specification.new do |spec|
   spec.name          = 'oso-cloud'
-  spec.version       = Oso::VERSION
+  spec.version       = OsoCloud::VERSION
   spec.authors       = ['Oso Security, Inc.']
   spec.email         = ['support@osohq.com']
-  spec.summary       = 'Oso authorization library.'
+  spec.summary       = 'Oso Cloud Ruby client'
   spec.homepage      = 'https://www.osohq.com/'
+  spec.license       = 'Apache-2.0'
 
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 3.0.0')
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -19,5 +20,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
+  spec.add_dependency 'faraday', '~> 2.5.2'
+  spec.add_dependency 'faraday-retry', '~> 2.0.0'
   spec.add_development_dependency 'minitest', '~> 5.15'
 end

metadata

@@ -1,15 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: oso-cloud
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-06-24 00:00:00.000000000 Z
+date: 2023-03-29 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.5.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.5.2
+- !ruby/object:Gem::Dependency
+  name: faraday-retry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -38,11 +66,15 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
-- lib/oso/client.rb
+- lib/oso-cloud.rb
+- lib/oso/api.rb
+- lib/oso/helpers.rb
+- lib/oso/oso.rb
 - lib/oso/version.rb
 - oso-cloud.gemspec
 homepage: https://www.osohq.com/
-licenses: []
+licenses:
+- Apache-2.0
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -52,15 +84,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.33
 signing_key: 
 specification_version: 4
-summary: Oso authorization library.
+summary: Oso Cloud Ruby client
 test_files: []

data/lib/oso/client.rb

@@ -1,198 +0,0 @@
-require 'json'
-require 'net/http'
-require 'uri'
-
-require 'oso/version'
-
-module Oso
-  class Client
-    def initialize(url: 'https://cloud.osohq.com', api_key: nil)
-      @url = url
-      @api_key = api_key
-    end
-
-    def policy(policy)
-      POST('policy', { src: policy })
-    end
-
-    def authorize(actor, action, resource, context_facts = [])
-      actor_typed_id = extract_typed_id actor
-      resource_typed_id = extract_typed_id resource
-      result = POST('authorize', {
-        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
-        action: action,
-        resource_type: resource_typed_id.type, resource_id: resource_typed_id.id,
-        context_facts: facts_to_params(context_facts)
-      })
-      allowed = result['allowed']
-      allowed
-    end
-
-    def authorize_resources(actor, action, resources, context_facts = [])
-      return [] if resources.nil?
-      return [] if resources.empty?
-
-      key = lambda do |type, id|
-        "#{type}:#{id}"
-      end
-
-      resources_extracted = resources.map { |r| extract_typed_id(r) }
-      actor_typed_id = extract_typed_id actor
-      result = POST('authorize_resources', {
-        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
-        action: action,
-        resources: resources_extracted,
-        context_facts: facts_to_params(context_facts)
-      })
-
-      return [] if result['results'].empty?
-
-      results_lookup = Hash.new
-      result['results'].each do |r|
-        k = key.call(r['type'], r['id'])
-        if results_lookup[k] == nil
-          results_lookup[k] = true
-        end
-      end
-
-      results = resources.select do |r|
-        e = extract_typed_id(r)
-        exists = results_lookup[key.call(e.type, e.id)]
-        exists
-      end
-      results
-    end
-
-    def list(actor, action, resource_type, context_facts = [])
-      actor_typed_id = extract_typed_id actor
-      result = POST('list', {
-        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
-        action: action,
-        resource_type: resource_type,
-        context_facts: facts_to_params(context_facts)
-      })
-      results = result['results']
-      results
-    end
-
-    def actions(actor, resource, context_facts = [])
-      actor_typed_id = extract_typed_id actor
-      resource_typed_id = extract_typed_id resource
-      result = POST('actions', {
-        actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
-        resource_type: resource_typed_id.type, resource_id: resource_typed_id.id,
-        context_facts: facts_to_params(context_facts)
-      })
-      results = result['results']
-      results
-    end
-
-    def tell(predicate, *args)
-      typed_args = args.map { |a| extract_typed_id a}
-      POST('facts', { predicate: predicate, args: typed_args })
-    end
-
-    def bulk_tell(facts)
-      POST('bulk_load', facts_to_params(facts))
-    end
-
-    def delete(predicate, *args)
-      typed_args = args.map { |a| extract_typed_id a}
-      DELETE('facts', { predicate: predicate, args: typed_args })
-    end
-
-    def bulk_delete(facts)
-      POST('bulk_delete', facts_to_params(facts))
-    end
-
-    def get(predicate, *args)
-      params = {predicate: predicate}
-      args.each_with_index do |arg, i|
-        typed_id = extract_arg_query(arg)
-        if typed_id
-          params["args.#{i}.type"] = typed_id.type
-          params["args.#{i}.id"] = typed_id.id
-        end
-      end
-
-      GET('facts', params)
-    end
-
-    private
-
-    def headers()
-      {
-        "Authorization" => "Basic %s" % @api_key,
-        "User-Agent" => "Oso Cloud (ruby)",
-        "Accept": "application/json",
-        "Content-Type": "application/json"
-      }
-    end
-
-
-    def GET(path, params)
-      uri = URI("#{@url}/api/#{path}")
-      uri.query = URI::encode_www_form(params)
-      use_ssl = (uri.scheme == 'https')
-
-      result = Net::HTTP.start(uri.hostname, uri.port, use_ssl: use_ssl ) { |http|
-        http.request(Net::HTTP::Get.new(uri, headers)) {|r|
-          r.read_body
-        }
-      }
-      handle_result result
-
-    end
-
-    def POST(path, params)
-      result = Net::HTTP.post(URI("#{@url}/api/#{path}"), params.to_json, headers)
-      handle_result result
-    end
-
-    def DELETE(path, params)
-      uri = URI("#{@url}/api/#{path}")
-      use_ssl = (uri.scheme == 'https')
-      result = Net::HTTP.start(uri.hostname, uri.port, use_ssl: use_ssl ) { |http|
-        http.request(Net::HTTP::Delete.new(uri, headers), params.to_json) {|r|
-          r.read_body
-        }
-      }
-      handle_result result
-    end
-
-    def handle_result(result)
-      unless result.is_a?(Net::HTTPSuccess)
-        raise "Got an unexpected error from Oso Service: #{result.code}\n#{result.body}"
-      end
-
-      JSON.parse(result.body)
-    end
-
-    def extract_typed_id(x)
-      return TypedId.new(type: "String", id: x) if x.is_a? String
-
-      raise "#{x} does not have an 'id' field" unless x.respond_to? :id
-      raise "Invalid 'id' field on #{x}: #{x.id}" if x.id.nil?
-
-      TypedId.new(type: x.class.name, id: x.id.to_s)
-    end
-
-    def extract_arg_query(x)
-      return nil if x.nil?
-      extract_typed_id(x)
-    end
-
-    def facts_to_params(facts)
-      facts.map { |predicate, *args|
-        typed_args = args.map { |a| extract_typed_id a}
-        { predicate: predicate, args: typed_args }
-      }
-    end
-
-    TypedId = Struct.new(:type, :id, keyword_init: true) do
-      def to_json(*args)
-        to_h.to_json(*args)
-      end
-    end
-  end
-end