oso-cloud 1.5.1 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +32 -2
- data/lib/oso/api.rb +46 -1
- data/lib/oso/oso.rb +73 -21
- data/lib/oso/version.rb +1 -1
- data/oso-cloud.gemspec +2 -0
- metadata +30 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b48ecc6151f39a3d6201a3cf2484cfcf38d434f7d611741bd08a6442d321e707
|
|
4
|
+
data.tar.gz: b7b901e42b41796396ef6e58c2f0772cf9f03c35f7349e411c66b32ed54bfcdc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 562381acc9b486e722b03096a18d588e3971f37f811f33c2286ea7a8655ed6fd462b6b07f7551a10f74c0fc85e2da67b245abfd04854de6aaa975acdea6497c9
|
|
7
|
+
data.tar.gz: c107f84d6290b88fd757221195909d5ba007c89919161fd52f0b169f6a5e51815b272a6b8752e5db078b63111ea6b6755f6c84f0f3fbb07f53ce31cc3785d4ae
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
oso-cloud (1.
|
|
4
|
+
oso-cloud (1.6.0)
|
|
5
5
|
faraday (~> 2.5.2)
|
|
6
6
|
faraday-net_http_persistent (~> 2.0)
|
|
7
7
|
faraday-retry (~> 2.0.0)
|
|
@@ -9,7 +9,28 @@ PATH
|
|
|
9
9
|
GEM
|
|
10
10
|
remote: https://rubygems.org/
|
|
11
11
|
specs:
|
|
12
|
+
activemodel (7.1.3)
|
|
13
|
+
activesupport (= 7.1.3)
|
|
14
|
+
activerecord (7.1.3)
|
|
15
|
+
activemodel (= 7.1.3)
|
|
16
|
+
activesupport (= 7.1.3)
|
|
17
|
+
timeout (>= 0.4.0)
|
|
18
|
+
activesupport (7.1.3)
|
|
19
|
+
base64
|
|
20
|
+
bigdecimal
|
|
21
|
+
concurrent-ruby (~> 1.0, >= 1.0.2)
|
|
22
|
+
connection_pool (>= 2.2.5)
|
|
23
|
+
drb
|
|
24
|
+
i18n (>= 1.6, < 2)
|
|
25
|
+
minitest (>= 5.1)
|
|
26
|
+
mutex_m
|
|
27
|
+
tzinfo (~> 2.0)
|
|
28
|
+
base64 (0.2.0)
|
|
29
|
+
bigdecimal (3.1.6)
|
|
30
|
+
concurrent-ruby (1.2.3)
|
|
12
31
|
connection_pool (2.4.1)
|
|
32
|
+
drb (2.2.0)
|
|
33
|
+
ruby2_keywords
|
|
13
34
|
faraday (2.5.2)
|
|
14
35
|
faraday-net_http (>= 2.0, < 3.1)
|
|
15
36
|
ruby2_keywords (>= 0.0.4)
|
|
@@ -19,19 +40,28 @@ GEM
|
|
|
19
40
|
net-http-persistent (~> 4.0)
|
|
20
41
|
faraday-retry (2.0.0)
|
|
21
42
|
faraday (~> 2.0)
|
|
43
|
+
i18n (1.14.1)
|
|
44
|
+
concurrent-ruby (~> 1.0)
|
|
22
45
|
minitest (5.18.0)
|
|
46
|
+
mutex_m (0.2.0)
|
|
23
47
|
net-http-persistent (4.0.2)
|
|
24
48
|
connection_pool (~> 2.2)
|
|
49
|
+
pg (1.5.4)
|
|
25
50
|
rake (12.3.3)
|
|
26
51
|
ruby2_keywords (0.0.5)
|
|
52
|
+
timeout (0.4.1)
|
|
53
|
+
tzinfo (2.0.6)
|
|
54
|
+
concurrent-ruby (~> 1.0)
|
|
27
55
|
|
|
28
56
|
PLATFORMS
|
|
29
57
|
ruby
|
|
30
58
|
|
|
31
59
|
DEPENDENCIES
|
|
60
|
+
activerecord (~> 7.0)
|
|
32
61
|
minitest (~> 5.15)
|
|
33
62
|
oso-cloud!
|
|
63
|
+
pg (~> 1.0)
|
|
34
64
|
rake (~> 12.0)
|
|
35
65
|
|
|
36
66
|
BUNDLED WITH
|
|
37
|
-
2.
|
|
67
|
+
2.5.6
|
data/lib/oso/api.rb
CHANGED
|
@@ -239,9 +239,39 @@ module OsoCloud
|
|
|
239
239
|
end
|
|
240
240
|
end
|
|
241
241
|
|
|
242
|
+
# @!visibility private
|
|
243
|
+
class LocalAuthQuery
|
|
244
|
+
attr_reader :query, :data_bindings
|
|
245
|
+
|
|
246
|
+
def initialize(query:, data_bindings:)
|
|
247
|
+
@query = query
|
|
248
|
+
@data_bindings = data_bindings
|
|
249
|
+
end
|
|
250
|
+
end
|
|
251
|
+
|
|
252
|
+
# @!visibility private
|
|
253
|
+
class LocalListQuery
|
|
254
|
+
attr_reader :query, :column, :data_bindings
|
|
255
|
+
|
|
256
|
+
def initialize(query:, column:, data_bindings:)
|
|
257
|
+
@query = query
|
|
258
|
+
@column = column
|
|
259
|
+
@data_bindings = data_bindings
|
|
260
|
+
end
|
|
261
|
+
end
|
|
262
|
+
|
|
263
|
+
# @!visibility private
|
|
264
|
+
class LocalQueryResult
|
|
265
|
+
attr_reader :sql
|
|
266
|
+
|
|
267
|
+
def initialize(sql:)
|
|
268
|
+
@sql = sql
|
|
269
|
+
end
|
|
270
|
+
end
|
|
271
|
+
|
|
242
272
|
# @!visibility private
|
|
243
273
|
class Api
|
|
244
|
-
def initialize(url: 'https://api.osohq.com', api_key: nil, options: nil)
|
|
274
|
+
def initialize(url: 'https://api.osohq.com', api_key: nil, data_bindings: nil, options: nil)
|
|
245
275
|
@url = url
|
|
246
276
|
@connection = Faraday.new(url: url) do |faraday|
|
|
247
277
|
faraday.request :json
|
|
@@ -291,6 +321,7 @@ module OsoCloud
|
|
|
291
321
|
@api_key = api_key
|
|
292
322
|
@user_agent = "Oso Cloud (ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}; rv:#{VERSION})"
|
|
293
323
|
@last_offset = nil
|
|
324
|
+
@data_bindings = IO.read(data_bindings) unless data_bindings.nil?
|
|
294
325
|
end
|
|
295
326
|
|
|
296
327
|
def fallback_eligible(path)
|
|
@@ -391,6 +422,20 @@ module OsoCloud
|
|
|
391
422
|
StatsResult.new(**result)
|
|
392
423
|
end
|
|
393
424
|
|
|
425
|
+
def post_authorize_query(query)
|
|
426
|
+
url = '/authorize_query'
|
|
427
|
+
data = LocalAuthQuery.new(query: query, data_bindings: @data_bindings)
|
|
428
|
+
result = POST(url, nil, data, false)
|
|
429
|
+
LocalQueryResult.new(**result)
|
|
430
|
+
end
|
|
431
|
+
|
|
432
|
+
def post_list_query(query:, column:)
|
|
433
|
+
url = '/list_query'
|
|
434
|
+
data = LocalListQuery.new(query: query, column: column, data_bindings: @data_bindings)
|
|
435
|
+
result = POST(url, nil, data, false)
|
|
436
|
+
LocalQueryResult.new(**result)
|
|
437
|
+
end
|
|
438
|
+
|
|
394
439
|
def clear_data
|
|
395
440
|
url = '/clear_data'
|
|
396
441
|
result = POST(url, nil, nil, true)
|
data/lib/oso/oso.rb
CHANGED
|
@@ -28,8 +28,59 @@ module OsoCloud
|
|
|
28
28
|
# Any other elements in the array, which together represent the fact's arguments,
|
|
29
29
|
# can be "OsoCloud::Value" objects or strings.
|
|
30
30
|
class Oso
|
|
31
|
-
def initialize(url: 'https://cloud.osohq.com', api_key: nil, fallback_url: nil)
|
|
32
|
-
@api = OsoCloud::Core::Api.new(url: url, api_key: api_key,
|
|
31
|
+
def initialize(url: 'https://cloud.osohq.com', api_key: nil, fallback_url: nil, data_bindings: nil)
|
|
32
|
+
@api = OsoCloud::Core::Api.new(url: url, api_key: api_key, data_bindings: data_bindings,
|
|
33
|
+
options: { fallback_url: fallback_url })
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
##
|
|
37
|
+
# Check a permission depending on data both in Oso Cloud and stored in a local database
|
|
38
|
+
#
|
|
39
|
+
# Returns a SQL query to run against the local database
|
|
40
|
+
#
|
|
41
|
+
# @param actor [OsoCloud::Value]
|
|
42
|
+
# @param action [String]
|
|
43
|
+
# @param resource [OsoCloud::Value]
|
|
44
|
+
# @return [Array<String>]
|
|
45
|
+
def authorize_local(actor, action, resource)
|
|
46
|
+
actor_typed_id = actor.to_api_value
|
|
47
|
+
resource_typed_id = resource.to_api_value
|
|
48
|
+
result = @api.post_authorize_query(
|
|
49
|
+
OsoCloud::Core::AuthorizeQuery.new(
|
|
50
|
+
actor_type: actor_typed_id.type,
|
|
51
|
+
actor_id: actor_typed_id.id,
|
|
52
|
+
action: action,
|
|
53
|
+
resource_type: resource_typed_id.type,
|
|
54
|
+
resource_id: resource_typed_id.id,
|
|
55
|
+
context_facts: []
|
|
56
|
+
)
|
|
57
|
+
)
|
|
58
|
+
result.sql
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
##
|
|
62
|
+
# List authorized resources depending on data both in Oso Cloud and stored in a local database
|
|
63
|
+
#
|
|
64
|
+
# Returns a SQL query to run against the local database
|
|
65
|
+
#
|
|
66
|
+
# @param actor [OsoCloud::Value]
|
|
67
|
+
# @param action [String]
|
|
68
|
+
# @param resource_type [String]
|
|
69
|
+
# @param column [String]
|
|
70
|
+
# @return [Array<String>]
|
|
71
|
+
def list_local(actor, action, resource_type, column)
|
|
72
|
+
actor_typed_id = actor.to_api_value
|
|
73
|
+
result = @api.post_list_query(
|
|
74
|
+
query: OsoCloud::Core::ListQuery.new(
|
|
75
|
+
actor_type: actor_typed_id.type,
|
|
76
|
+
actor_id: actor_typed_id.id,
|
|
77
|
+
action: action,
|
|
78
|
+
resource_type: resource_type,
|
|
79
|
+
context_facts: []
|
|
80
|
+
),
|
|
81
|
+
column: column
|
|
82
|
+
)
|
|
83
|
+
result.sql
|
|
33
84
|
end
|
|
34
85
|
|
|
35
86
|
##
|
|
@@ -276,6 +327,7 @@ module OsoCloud
|
|
|
276
327
|
context_facts: OsoCloud::Helpers.params_to_facts(context_facts)))
|
|
277
328
|
OsoCloud::Helpers.facts_to_params(result.results)
|
|
278
329
|
end
|
|
330
|
+
|
|
279
331
|
##
|
|
280
332
|
# List authorized actions for a batch of queries
|
|
281
333
|
#
|
|
@@ -286,26 +338,26 @@ module OsoCloud
|
|
|
286
338
|
# @return [Array<Array<String>>]
|
|
287
339
|
# @see Oso for more information about facts
|
|
288
340
|
def bulk_actions(actor, queries:)
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
341
|
+
actor_typed_id = actor.to_api_value
|
|
342
|
+
data = queries.map do |q|
|
|
343
|
+
context_facts = []
|
|
344
|
+
resource = nil
|
|
345
|
+
if q.is_a?(Array)
|
|
346
|
+
resource = q[0]
|
|
347
|
+
context_facts = q[1]
|
|
348
|
+
else
|
|
349
|
+
resource = q
|
|
350
|
+
end
|
|
351
|
+
resource_typed_id = resource.to_api_value
|
|
352
|
+
OsoCloud::Core::ActionsQuery.new(
|
|
353
|
+
actor_type: actor_typed_id.type,
|
|
354
|
+
actor_id: actor_typed_id.id,
|
|
355
|
+
resource_type: resource_typed_id.type,
|
|
356
|
+
resource_id: resource_typed_id.id,
|
|
357
|
+
context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
|
|
358
|
+
)
|
|
307
359
|
end
|
|
308
|
-
@api.post_bulk_actions(data).map
|
|
360
|
+
@api.post_bulk_actions(data).map(&:results)
|
|
309
361
|
end
|
|
310
362
|
end
|
|
311
363
|
end
|
data/lib/oso/version.rb
CHANGED
data/oso-cloud.gemspec
CHANGED
|
@@ -24,4 +24,6 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
spec.add_dependency 'faraday-retry', '~> 2.0.0'
|
|
25
25
|
spec.add_dependency 'faraday-net_http_persistent', '~> 2.0'
|
|
26
26
|
spec.add_development_dependency 'minitest', '~> 5.15'
|
|
27
|
+
spec.add_development_dependency 'pg', '~> 1.0'
|
|
28
|
+
spec.add_development_dependency 'activerecord', '~> 7.0'
|
|
27
29
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: oso-cloud
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Oso Security, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-04-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: faraday
|
|
@@ -66,6 +66,34 @@ dependencies:
|
|
|
66
66
|
- - "~>"
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
68
|
version: '5.15'
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: pg
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - "~>"
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: '1.0'
|
|
76
|
+
type: :development
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - "~>"
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: '1.0'
|
|
83
|
+
- !ruby/object:Gem::Dependency
|
|
84
|
+
name: activerecord
|
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - "~>"
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: '7.0'
|
|
90
|
+
type: :development
|
|
91
|
+
prerelease: false
|
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
93
|
+
requirements:
|
|
94
|
+
- - "~>"
|
|
95
|
+
- !ruby/object:Gem::Version
|
|
96
|
+
version: '7.0'
|
|
69
97
|
description:
|
|
70
98
|
email:
|
|
71
99
|
- support@osohq.com
|