oso-cloud 1.5.1 → 1.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +32 -2
- data/lib/oso/api.rb +46 -1
- data/lib/oso/oso.rb +73 -21
- data/lib/oso/version.rb +1 -1
- data/oso-cloud.gemspec +2 -0
- metadata +30 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b48ecc6151f39a3d6201a3cf2484cfcf38d434f7d611741bd08a6442d321e707
|
|
4
|
+
data.tar.gz: b7b901e42b41796396ef6e58c2f0772cf9f03c35f7349e411c66b32ed54bfcdc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 562381acc9b486e722b03096a18d588e3971f37f811f33c2286ea7a8655ed6fd462b6b07f7551a10f74c0fc85e2da67b245abfd04854de6aaa975acdea6497c9
|
|
7
|
+
data.tar.gz: c107f84d6290b88fd757221195909d5ba007c89919161fd52f0b169f6a5e51815b272a6b8752e5db078b63111ea6b6755f6c84f0f3fbb07f53ce31cc3785d4ae
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
oso-cloud (1.
|
|
4
|
+
oso-cloud (1.6.0)
|
|
5
5
|
faraday (~> 2.5.2)
|
|
6
6
|
faraday-net_http_persistent (~> 2.0)
|
|
7
7
|
faraday-retry (~> 2.0.0)
|
|
@@ -9,7 +9,28 @@ PATH
|
|
|
9
9
|
GEM
|
|
10
10
|
remote: https://rubygems.org/
|
|
11
11
|
specs:
|
|
12
|
+
activemodel (7.1.3)
|
|
13
|
+
activesupport (= 7.1.3)
|
|
14
|
+
activerecord (7.1.3)
|
|
15
|
+
activemodel (= 7.1.3)
|
|
16
|
+
activesupport (= 7.1.3)
|
|
17
|
+
timeout (>= 0.4.0)
|
|
18
|
+
activesupport (7.1.3)
|
|
19
|
+
base64
|
|
20
|
+
bigdecimal
|
|
21
|
+
concurrent-ruby (~> 1.0, >= 1.0.2)
|
|
22
|
+
connection_pool (>= 2.2.5)
|
|
23
|
+
drb
|
|
24
|
+
i18n (>= 1.6, < 2)
|
|
25
|
+
minitest (>= 5.1)
|
|
26
|
+
mutex_m
|
|
27
|
+
tzinfo (~> 2.0)
|
|
28
|
+
base64 (0.2.0)
|
|
29
|
+
bigdecimal (3.1.6)
|
|
30
|
+
concurrent-ruby (1.2.3)
|
|
12
31
|
connection_pool (2.4.1)
|
|
32
|
+
drb (2.2.0)
|
|
33
|
+
ruby2_keywords
|
|
13
34
|
faraday (2.5.2)
|
|
14
35
|
faraday-net_http (>= 2.0, < 3.1)
|
|
15
36
|
ruby2_keywords (>= 0.0.4)
|
|
@@ -19,19 +40,28 @@ GEM
|
|
|
19
40
|
net-http-persistent (~> 4.0)
|
|
20
41
|
faraday-retry (2.0.0)
|
|
21
42
|
faraday (~> 2.0)
|
|
43
|
+
i18n (1.14.1)
|
|
44
|
+
concurrent-ruby (~> 1.0)
|
|
22
45
|
minitest (5.18.0)
|
|
46
|
+
mutex_m (0.2.0)
|
|
23
47
|
net-http-persistent (4.0.2)
|
|
24
48
|
connection_pool (~> 2.2)
|
|
49
|
+
pg (1.5.4)
|
|
25
50
|
rake (12.3.3)
|
|
26
51
|
ruby2_keywords (0.0.5)
|
|
52
|
+
timeout (0.4.1)
|
|
53
|
+
tzinfo (2.0.6)
|
|
54
|
+
concurrent-ruby (~> 1.0)
|
|
27
55
|
|
|
28
56
|
PLATFORMS
|
|
29
57
|
ruby
|
|
30
58
|
|
|
31
59
|
DEPENDENCIES
|
|
60
|
+
activerecord (~> 7.0)
|
|
32
61
|
minitest (~> 5.15)
|
|
33
62
|
oso-cloud!
|
|
63
|
+
pg (~> 1.0)
|
|
34
64
|
rake (~> 12.0)
|
|
35
65
|
|
|
36
66
|
BUNDLED WITH
|
|
37
|
-
2.
|
|
67
|
+
2.5.6
|
data/lib/oso/api.rb
CHANGED
|
@@ -239,9 +239,39 @@ module OsoCloud
|
|
|
239
239
|
end
|
|
240
240
|
end
|
|
241
241
|
|
|
242
|
+
# @!visibility private
|
|
243
|
+
class LocalAuthQuery
|
|
244
|
+
attr_reader :query, :data_bindings
|
|
245
|
+
|
|
246
|
+
def initialize(query:, data_bindings:)
|
|
247
|
+
@query = query
|
|
248
|
+
@data_bindings = data_bindings
|
|
249
|
+
end
|
|
250
|
+
end
|
|
251
|
+
|
|
252
|
+
# @!visibility private
|
|
253
|
+
class LocalListQuery
|
|
254
|
+
attr_reader :query, :column, :data_bindings
|
|
255
|
+
|
|
256
|
+
def initialize(query:, column:, data_bindings:)
|
|
257
|
+
@query = query
|
|
258
|
+
@column = column
|
|
259
|
+
@data_bindings = data_bindings
|
|
260
|
+
end
|
|
261
|
+
end
|
|
262
|
+
|
|
263
|
+
# @!visibility private
|
|
264
|
+
class LocalQueryResult
|
|
265
|
+
attr_reader :sql
|
|
266
|
+
|
|
267
|
+
def initialize(sql:)
|
|
268
|
+
@sql = sql
|
|
269
|
+
end
|
|
270
|
+
end
|
|
271
|
+
|
|
242
272
|
# @!visibility private
|
|
243
273
|
class Api
|
|
244
|
-
def initialize(url: 'https://api.osohq.com', api_key: nil, options: nil)
|
|
274
|
+
def initialize(url: 'https://api.osohq.com', api_key: nil, data_bindings: nil, options: nil)
|
|
245
275
|
@url = url
|
|
246
276
|
@connection = Faraday.new(url: url) do |faraday|
|
|
247
277
|
faraday.request :json
|
|
@@ -291,6 +321,7 @@ module OsoCloud
|
|
|
291
321
|
@api_key = api_key
|
|
292
322
|
@user_agent = "Oso Cloud (ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}; rv:#{VERSION})"
|
|
293
323
|
@last_offset = nil
|
|
324
|
+
@data_bindings = IO.read(data_bindings) unless data_bindings.nil?
|
|
294
325
|
end
|
|
295
326
|
|
|
296
327
|
def fallback_eligible(path)
|
|
@@ -391,6 +422,20 @@ module OsoCloud
|
|
|
391
422
|
StatsResult.new(**result)
|
|
392
423
|
end
|
|
393
424
|
|
|
425
|
+
def post_authorize_query(query)
|
|
426
|
+
url = '/authorize_query'
|
|
427
|
+
data = LocalAuthQuery.new(query: query, data_bindings: @data_bindings)
|
|
428
|
+
result = POST(url, nil, data, false)
|
|
429
|
+
LocalQueryResult.new(**result)
|
|
430
|
+
end
|
|
431
|
+
|
|
432
|
+
def post_list_query(query:, column:)
|
|
433
|
+
url = '/list_query'
|
|
434
|
+
data = LocalListQuery.new(query: query, column: column, data_bindings: @data_bindings)
|
|
435
|
+
result = POST(url, nil, data, false)
|
|
436
|
+
LocalQueryResult.new(**result)
|
|
437
|
+
end
|
|
438
|
+
|
|
394
439
|
def clear_data
|
|
395
440
|
url = '/clear_data'
|
|
396
441
|
result = POST(url, nil, nil, true)
|
data/lib/oso/oso.rb
CHANGED
|
@@ -28,8 +28,59 @@ module OsoCloud
|
|
|
28
28
|
# Any other elements in the array, which together represent the fact's arguments,
|
|
29
29
|
# can be "OsoCloud::Value" objects or strings.
|
|
30
30
|
class Oso
|
|
31
|
-
def initialize(url: 'https://cloud.osohq.com', api_key: nil, fallback_url: nil)
|
|
32
|
-
@api = OsoCloud::Core::Api.new(url: url, api_key: api_key,
|
|
31
|
+
def initialize(url: 'https://cloud.osohq.com', api_key: nil, fallback_url: nil, data_bindings: nil)
|
|
32
|
+
@api = OsoCloud::Core::Api.new(url: url, api_key: api_key, data_bindings: data_bindings,
|
|
33
|
+
options: { fallback_url: fallback_url })
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
##
|
|
37
|
+
# Check a permission depending on data both in Oso Cloud and stored in a local database
|
|
38
|
+
#
|
|
39
|
+
# Returns a SQL query to run against the local database
|
|
40
|
+
#
|
|
41
|
+
# @param actor [OsoCloud::Value]
|
|
42
|
+
# @param action [String]
|
|
43
|
+
# @param resource [OsoCloud::Value]
|
|
44
|
+
# @return [Array<String>]
|
|
45
|
+
def authorize_local(actor, action, resource)
|
|
46
|
+
actor_typed_id = actor.to_api_value
|
|
47
|
+
resource_typed_id = resource.to_api_value
|
|
48
|
+
result = @api.post_authorize_query(
|
|
49
|
+
OsoCloud::Core::AuthorizeQuery.new(
|
|
50
|
+
actor_type: actor_typed_id.type,
|
|
51
|
+
actor_id: actor_typed_id.id,
|
|
52
|
+
action: action,
|
|
53
|
+
resource_type: resource_typed_id.type,
|
|
54
|
+
resource_id: resource_typed_id.id,
|
|
55
|
+
context_facts: []
|
|
56
|
+
)
|
|
57
|
+
)
|
|
58
|
+
result.sql
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
##
|
|
62
|
+
# List authorized resources depending on data both in Oso Cloud and stored in a local database
|
|
63
|
+
#
|
|
64
|
+
# Returns a SQL query to run against the local database
|
|
65
|
+
#
|
|
66
|
+
# @param actor [OsoCloud::Value]
|
|
67
|
+
# @param action [String]
|
|
68
|
+
# @param resource_type [String]
|
|
69
|
+
# @param column [String]
|
|
70
|
+
# @return [Array<String>]
|
|
71
|
+
def list_local(actor, action, resource_type, column)
|
|
72
|
+
actor_typed_id = actor.to_api_value
|
|
73
|
+
result = @api.post_list_query(
|
|
74
|
+
query: OsoCloud::Core::ListQuery.new(
|
|
75
|
+
actor_type: actor_typed_id.type,
|
|
76
|
+
actor_id: actor_typed_id.id,
|
|
77
|
+
action: action,
|
|
78
|
+
resource_type: resource_type,
|
|
79
|
+
context_facts: []
|
|
80
|
+
),
|
|
81
|
+
column: column
|
|
82
|
+
)
|
|
83
|
+
result.sql
|
|
33
84
|
end
|
|
34
85
|
|
|
35
86
|
##
|
|
@@ -276,6 +327,7 @@ module OsoCloud
|
|
|
276
327
|
context_facts: OsoCloud::Helpers.params_to_facts(context_facts)))
|
|
277
328
|
OsoCloud::Helpers.facts_to_params(result.results)
|
|
278
329
|
end
|
|
330
|
+
|
|
279
331
|
##
|
|
280
332
|
# List authorized actions for a batch of queries
|
|
281
333
|
#
|
|
@@ -286,26 +338,26 @@ module OsoCloud
|
|
|
286
338
|
# @return [Array<Array<String>>]
|
|
287
339
|
# @see Oso for more information about facts
|
|
288
340
|
def bulk_actions(actor, queries:)
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
341
|
+
actor_typed_id = actor.to_api_value
|
|
342
|
+
data = queries.map do |q|
|
|
343
|
+
context_facts = []
|
|
344
|
+
resource = nil
|
|
345
|
+
if q.is_a?(Array)
|
|
346
|
+
resource = q[0]
|
|
347
|
+
context_facts = q[1]
|
|
348
|
+
else
|
|
349
|
+
resource = q
|
|
350
|
+
end
|
|
351
|
+
resource_typed_id = resource.to_api_value
|
|
352
|
+
OsoCloud::Core::ActionsQuery.new(
|
|
353
|
+
actor_type: actor_typed_id.type,
|
|
354
|
+
actor_id: actor_typed_id.id,
|
|
355
|
+
resource_type: resource_typed_id.type,
|
|
356
|
+
resource_id: resource_typed_id.id,
|
|
357
|
+
context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
|
|
358
|
+
)
|
|
307
359
|
end
|
|
308
|
-
@api.post_bulk_actions(data).map
|
|
360
|
+
@api.post_bulk_actions(data).map(&:results)
|
|
309
361
|
end
|
|
310
362
|
end
|
|
311
363
|
end
|
data/lib/oso/version.rb
CHANGED
data/oso-cloud.gemspec
CHANGED
|
@@ -24,4 +24,6 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
spec.add_dependency 'faraday-retry', '~> 2.0.0'
|
|
25
25
|
spec.add_dependency 'faraday-net_http_persistent', '~> 2.0'
|
|
26
26
|
spec.add_development_dependency 'minitest', '~> 5.15'
|
|
27
|
+
spec.add_development_dependency 'pg', '~> 1.0'
|
|
28
|
+
spec.add_development_dependency 'activerecord', '~> 7.0'
|
|
27
29
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: oso-cloud
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Oso Security, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-04-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: faraday
|
|
@@ -66,6 +66,34 @@ dependencies:
|
|
|
66
66
|
- - "~>"
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
68
|
version: '5.15'
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: pg
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - "~>"
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: '1.0'
|
|
76
|
+
type: :development
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - "~>"
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: '1.0'
|
|
83
|
+
- !ruby/object:Gem::Dependency
|
|
84
|
+
name: activerecord
|
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - "~>"
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: '7.0'
|
|
90
|
+
type: :development
|
|
91
|
+
prerelease: false
|
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
93
|
+
requirements:
|
|
94
|
+
- - "~>"
|
|
95
|
+
- !ruby/object:Gem::Version
|
|
96
|
+
version: '7.0'
|
|
69
97
|
description:
|
|
70
98
|
email:
|
|
71
99
|
- support@osohq.com
|