oso-oso 0.12.4 → 0.14.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5adc1e8d113b85c152b3168283dc65faeeeee66c
-  data.tar.gz: a24516694f568ef878f905e918f60ef8b62fcb59
+  metadata.gz: e611289b05e0398183cb6e7f29929b2854b1aaad
+  data.tar.gz: bd8af76c1433c16193b4cf2587cc5ca9f953c5b8
 SHA512:
-  metadata.gz: 6dde362c0e9628faed46026a782aae82bb3d711640409a851823291b7c7ac0c517a107a7a668efed9acb1c370e9416116434564472090f8b99f706ca85483660
-  data.tar.gz: 409b7fb99a4ac4497abbd6da542da7067245e8c1218885f3683c03cbd9a0c507287bc0e03f4449f6dc5c1eff0ae6ef6122b51967bbca194d632f7ad6baa81a72
+  metadata.gz: 6778dedbfe11bb27219ed96712e3e93e79d3187455aad86040764e25b34079a4645ec16de0afed876faa88b290e58fad7e22ccd2ee6aaa61529bd1f9b6231a28
+  data.tar.gz: d21fda13edd7176ecc3dad96258f57f19f51b3114ee02c1fb844277befd0abf9a8cfb035df0593a49977a884aa2bc3fbfd6734cc547be0ef5093d149f866c8d7

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.12.4)
+    oso-oso (0.14.1)
       ffi (~> 1.0)
 
 GEM

data/lib/oso/oso.rb

@@ -17,10 +17,7 @@ module Oso
     # @param resource [Object] Object.
     # @return [Boolean] An access control decision.
     def allowed?(actor:, action:, resource:)
-      query_rule('allow', actor, action, resource).next
-      true
-    rescue StopIteration
-      false
+      !query_rule('allow', actor, action, resource).first.nil?
     end
   end
 end

data/lib/oso/polar.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
 require 'oso/polar/errors'
+require 'oso/polar/expression'
 require 'oso/polar/ffi'
 require 'oso/polar/host'
+require 'oso/polar/pattern'
 require 'oso/polar/polar'
 require 'oso/polar/predicate'
 require 'oso/polar/query'

data/lib/oso/polar/errors.rb

@@ -100,8 +100,11 @@ module Oso
     class ApiError < Error; end
     class ParameterError < ApiError; end
 
+    class ValidationError < Error; end
+    class RolesValidationError < Error; end
+
     UNEXPECTED_EXPRESSION_MESSAGE = <<~MSG
-      Recieved Expression from Polar VM. The Expression type is not yet supported in this language.
+      Received Expression from Polar VM. The Expression type is not yet supported in this language.
 
       This may mean you performed an operation in your policy over an unbound variable.
     MSG

data/lib/oso/polar/expression.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Polar expression.
+    class Expression
+      attr_reader :operator, :args
+
+      # @param operator [String]
+      # @param args [Array<Object>]
+      def initialize(operator, args)
+        @operator = operator
+        @args = args
+      end
+
+      # @param other [Expression]
+      # @return [Boolean]
+      def ==(other)
+        operator == other.operator && args == other.args
+      end
+
+      # @see #==
+      alias eql? ==
+    end
+  end
+end

data/lib/oso/polar/ffi/error.rb

@@ -24,14 +24,22 @@ module Oso
         #
         # @return [::Oso::Polar::Error] if there's an FFI error.
         # @return [::Oso::Polar::FFIErrorNotFound] if there isn't one.
-        def self.get # rubocop:disable Metrics/MethodLength
+        def self.get # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength
           error = Rust.get
           return ::Oso::Polar::FFIErrorNotFound if error.null?
 
           error = JSON.parse(error.to_s)
           msg = error['formatted']
           kind, body = error['kind'].first
-          subkind, details = body.first
+
+          # Not all errors have subkind and details.
+          # TODO (gj): This bug may exist in other libraries.
+          if body.is_a? Hash
+            subkind, details = body.first
+          else
+            subkind, details = nil
+          end
+
           case kind
           when 'Parse'
             parse_error(subkind, msg: msg, details: details)
@@ -41,6 +49,8 @@ module Oso
             operational_error(subkind, msg: msg, details: details)
           when 'Parameter'
             api_error(subkind, msg: msg, details: details)
+          when 'RolesValidation'
+            validation_error(msg, details: details)
           end
         end
 
@@ -121,6 +131,16 @@ module Oso
             ::Oso::Polar::ApiError.new(msg, details: details)
           end
         end
+
+        # Map FFI Validation errors into Ruby exceptions.
+        #
+        # @param msg [String]
+        # @param details [Hash<String, Object>]
+        # @return [::Oso::Polar::ValidationError] the object converted into the expected format.
+        private_class_method def self.validation_error(msg, details:)
+          # This is currently the only type of validation error.
+          ::Oso::Polar::RolesValidationError.new(msg, details: details)
+        end
       end
     end
   end

data/lib/oso/polar/ffi/polar.rb

@@ -12,6 +12,8 @@ module Oso
           ffi_lib FFI::LIB_PATH
 
           attach_function :new, :polar_new, [], FFI::Polar
+          attach_function :enable_roles, :polar_enable_roles, [FFI::Polar], :int32
+          attach_function :validate_roles_config, :polar_validate_roles_config, [FFI::Polar, :string], :int32
           attach_function :load, :polar_load, [FFI::Polar, :string, :string], :int32
           attach_function :clear_rules, :polar_clear_rules, [FFI::Polar], :int32
           attach_function :next_inline_query, :polar_next_inline_query, [FFI::Polar, :uint32], FFI::Query
@@ -33,6 +35,20 @@ module Oso
           polar
         end
 
+        # @raise [FFI::Error] if the FFI call returns an error.
+        def enable_roles
+          result = Rust.enable_roles(self)
+          process_messages
+          raise FFI::Error.get if result.zero?
+        end
+
+        # @raise [FFI::Error] if the FFI call returns an error.
+        def validate_roles_config(config)
+          result = Rust.validate_roles_config(self, JSON.dump(config))
+          process_messages
+          raise FFI::Error.get if result.zero?
+        end
+
         # @param src [String]
         # @param filename [String]
         # @raise [FFI::Error] if the FFI call returns an error.

data/lib/oso/polar/host.rb

@@ -2,6 +2,38 @@
 
 module Oso
   module Polar
+    # Ruby code reloaders (i.e. the one used by rails) swap out the value of
+    # a constant on code changes. Because of this, we can't reliably call
+    # `is_a?` on the constant that was passed to `register_class`.
+    #
+    # Example (where Foo is a class defined in foo.rb):
+    #   > klass = Foo
+    #   > Foo.new.is_a? klass
+    #     => true
+    #   > ... user changes foo.rb ...
+    #   > Foo.new.is_a? klass
+    #     => false
+    #
+    # To solve this, when we need to access the class (e.g. during isa), we
+    # look it up using const_get, which will always return the up-to-date
+    # version of the class.
+    class PolarClass
+      attr_reader :name, :anon_class
+
+      def initialize(klass)
+        @name = klass.name
+        # If the class doesn't have a name, it is anonymous, meaning we should
+        # actually store it directly
+        @anon_class = klass if klass.name.nil?
+      end
+
+      def get
+        return anon_class if anon_class
+
+        Object.const_get(name)
+      end
+    end
+
     # Translate between Polar and the host language (Ruby).
     class Host # rubocop:disable Metrics/ClassLength
       protected
@@ -12,13 +44,18 @@ module Oso
       attr_reader :classes
       # @return [Hash<Integer, Object>]
       attr_reader :instances
+      # @return [Boolean]
+      attr_reader :accept_expression
 
       public
 
+      attr_writer :accept_expression
+
       def initialize(ffi_polar)
         @ffi_polar = ffi_polar
         @classes = {}
         @instances = {}
+        @accept_expression = false
       end
 
       def initialize_copy(other)
@@ -35,7 +72,7 @@ module Oso
       def get_class(name)
         raise UnregisteredClassError, name unless classes.key? name
 
-        classes[name]
+        classes[name].get
       end
 
       # Store a Ruby class in the {#classes} cache.
@@ -48,7 +85,7 @@ module Oso
       def cache_class(cls, name:)
         raise DuplicateClassAliasError.new name: name, old: get_class(name), new: cls if classes.key? name
 
-        classes[name] = cls
+        classes[name] = PolarClass.new(cls)
         name
       end
 
@@ -73,7 +110,10 @@ module Oso
       def get_instance(id)
         raise UnregisteredInstanceError, id unless instance? id
 
-        instances[id]
+        instance = instances[id]
+        return instance.get if instance.is_a? PolarClass
+
+        instance
       end
 
       # Cache a Ruby instance in the {#instances} cache, fetching a new id if
@@ -84,6 +124,8 @@ module Oso
       # @return [Integer] the instance ID.
       def cache_instance(instance, id: nil)
         id = ffi_polar.new_id if id.nil?
+        # Save the instance as a PolarClass if it is a non-anonymous class
+        instance = PolarClass.new(instance) if instance.is_a?(Class)
         instances[id] = instance
         id
       end
@@ -107,6 +149,33 @@ module Oso
         raise PolarRuntimeError, "Error constructing instance of #{cls_name}: #{e}"
       end
 
+      OPS = {
+        'Lt' => :<,
+        'Gt' => :>,
+        'Eq' => :==,
+        'Geq' => :>=,
+        'Leq' => :<=,
+        'Neq' => :!=
+      }.freeze
+
+      # Compare two values
+      #
+      # @param op [String] operation to perform.
+      # @param args [Array<Object>] left and right args to operation.
+      # @raise [PolarRuntimeError] if operation fails or is unsupported.
+      # @return [Boolean]
+      def operator(operation, args)
+        left, right = args
+        op = OPS[operation]
+        raise PolarRuntimeError, "Unsupported external operation '#{left.class} #{operation} #{right.class}'" if op.nil?
+
+        begin
+          left.__send__ op, right
+        rescue StandardError
+          raise PolarRuntimeError, "External operation '#{left.class} #{operation} #{right.class}' failed."
+        end
+      end
+
       # Check if the left class is more specific than the right class
       # with respect to the given instance.
       #
@@ -132,17 +201,6 @@ module Oso
         instance.is_a? cls
       end
 
-      # Check if two instances unify
-      #
-      # @param left_instance_id [Integer]
-      # @param right_instance_id [Integer]
-      # @return [Boolean]
-      def unify?(left_instance_id, right_instance_id)
-        left_instance = get_instance(left_instance_id)
-        right_instance = get_instance(right_instance_id)
-        left_instance == right_instance
-      end
-
       # Turn a Ruby value into a Polar term that's ready to be sent across the
       # FFI boundary.
       #
@@ -173,7 +231,16 @@ module Oso
                   { 'Call' => { 'name' => value.name, 'args' => value.args.map { |el| to_polar(el) } } }
                 when value.instance_of?(Variable)
                   # This is supported so that we can query for unbound variables
-                  { 'Variable' => value }
+                  { 'Variable' => value.name }
+                when value.instance_of?(Expression)
+                  { 'Expression' => { 'operator' => value.operator, 'args' => value.args.map { |el| to_polar(el) } } }
+                when value.instance_of?(Pattern)
+                  dict = to_polar(value.fields)['value']
+                  if value.tag.nil?
+                    { 'Pattern' => dict }
+                  else
+                    { 'Pattern' => { 'Instance' => { 'tag' => value.tag, 'fields' => dict['Dictionary'] } } }
+                  end
                 else
                   { 'ExternalInstance' => { 'instance_id' => cache_instance(value), 'repr' => value.to_s } }
                 end
@@ -219,7 +286,24 @@ module Oso
         when 'Call'
           Predicate.new(value['name'], args: value['args'].map { |a| to_ruby(a) })
         when 'Variable'
-          Variable.new(value['name'])
+          Variable.new(value)
+        when 'Expression'
+          raise UnexpectedPolarTypeError, tag unless accept_expression
+
+          args = value['args'].map { |a| to_ruby(a) }
+          Expression.new(value['operator'], args)
+        when 'Pattern'
+          case value.keys.first
+          when 'Instance'
+            tag = value.values.first['tag']
+            fields = value.values.first['fields']['fields'].transform_values { |v| to_ruby(v) }
+            Pattern.new(tag, fields)
+          when 'Dictionary'
+            fields = value.values.first['fields'].transform_values { |v| to_ruby(v) }
+            Pattern.new(nil, fields)
+          else
+            raise UnexpectedPolarTypeError, "#{value.keys.first} variant of Pattern"
+          end
         else
           raise UnexpectedPolarTypeError, tag
         end

data/lib/oso/polar/pattern.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Polar pattern.
+    class Pattern
+      attr_reader :tag, :fields
+
+      # @param tag [String]
+      # @param fields [Hash<String, Object>]
+      def initialize(tag, fields)
+        @tag = tag
+        @fields = fields
+      end
+
+      # @param other [Pattern]
+      # @return [Boolean]
+      def ==(other)
+        tag == other.tag && fields == other.fields
+      end
+
+      # @see #==
+      alias eql? ==
+    end
+  end
+end

data/lib/oso/polar/polar.rb

@@ -37,6 +37,7 @@ module Oso
       def initialize
         @ffi_polar = FFI::Polar.create
         @host = Host.new(ffi_polar)
+        @polar_roles_enabled = false
 
         # Register global constants.
         register_constant nil, name: 'nil'
@@ -50,11 +51,48 @@ module Oso
         register_class String
       end
 
+      def enable_roles # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        return if polar_roles_enabled
+
+        roles_helper = Class.new do
+          def self.join(separator, left, right)
+            [left, right].join(separator)
+          end
+        end
+        register_constant(roles_helper, name: '__oso_internal_roles_helpers__')
+        ffi_polar.enable_roles
+        self.polar_roles_enabled = true
+
+        # validate config
+        validation_query_results = []
+        loop do
+          query = ffi_polar.next_inline_query
+          break if query.nil?
+
+          new_host = host.dup
+          new_host.accept_expression = true
+          results = Query.new(query, host: new_host).to_a
+          raise InlineQueryFailedError, query.source if results.empty?
+
+          validation_query_results.push results
+        end
+
+        # turn bindings back into polar
+        validation_query_results = validation_query_results.map do |results|
+          results.map do |result|
+            { 'bindings' => result.transform_values { |v| host.to_polar(v) } }
+          end
+        end
+
+        ffi_polar.validate_roles_config(validation_query_results)
+      end
+
       # Clear all rules and rule sources from the current Polar instance
       #
       # @return [self] for chaining.
       def clear_rules
         ffi_polar.clear_rules
+        ffi_polar.enable_roles if polar_roles_enabled
         self
       end
 
@@ -81,7 +119,7 @@ module Oso
       # @raise [InlineQueryFailedError] on the first failed inline query.
       # @raise [Error] if any of the FFI calls raise one.
       # @return [self] for chaining.
-      def load_str(str, filename: nil) # rubocop:disable Metrics/MethodLength
+      def load_str(str, filename: nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
         raise NullByteInPolarFileError if str.chomp("\0").include?("\0")
 
         ffi_polar.load(str, filename: filename)
@@ -89,12 +127,15 @@ module Oso
           next_query = ffi_polar.next_inline_query
           break if next_query.nil?
 
-          begin
-            Query.new(next_query, host: host).results.next
-          rescue StopIteration
-            raise InlineQueryFailedError, next_query.source
-          end
+          raise InlineQueryFailedError, next_query.source if Query.new(next_query, host: host).first.nil?
+        end
+
+        # If roles are enabled, re-validate config when new rules are loaded.
+        if polar_roles_enabled
+          self.polar_roles_enabled = false
+          enable_roles
         end
+
         self
       end
 
@@ -118,7 +159,7 @@ module Oso
         else
           raise InvalidQueryTypeError
         end
-        Query.new(ffi_query, host: new_host).results
+        Query.new(ffi_query, host: new_host)
       end
 
       # Query for a rule.
@@ -174,6 +215,7 @@ module Oso
 
       # @return [FFI::Polar]
       attr_reader :ffi_polar
+      attr_accessor :polar_roles_enabled
 
       # The R and L in REPL for systems where readline is available.
       def repl_readline(prompt)
@@ -214,7 +256,7 @@ module Oso
         end
 
         begin
-          results = Query.new(ffi_query, host: host).results.to_a
+          results = Query.new(ffi_query, host: host).to_a
         rescue PolarRuntimeError => e
           print_error(e)
           return

data/lib/oso/polar/query.rb

@@ -6,8 +6,7 @@ module Oso
   module Polar
     # A single Polar query.
     class Query # rubocop:disable Metrics/ClassLength
-      # @return [Enumerator]
-      attr_reader :results
+      include Enumerable
 
       # @param ffi_query [FFI::Query]
       # @param host [Oso::Polar::Host]
@@ -15,7 +14,6 @@ module Oso
         @calls = {}
         @ffi_query = ffi_query
         @host = host
-        @results = start
       end
 
       private
@@ -120,61 +118,57 @@ module Oso
       # @yieldparam [Hash<String, Object>]
       # @return [Enumerator]
       # @raise [Error] if any of the FFI calls raise one.
-      def start # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
-        Enumerator.new do |yielder| # rubocop:disable Metrics/BlockLength
-          loop do # rubocop:disable Metrics/BlockLength
-            event = ffi_query.next_event
-            case event.kind
-            when 'Done'
-              break
-            when 'Result'
-              yielder << event.data['bindings'].transform_values { |v| host.to_ruby(v) }
-            when 'MakeExternal'
-              handle_make_external(event.data)
-            when 'ExternalCall'
-              call_id = event.data['call_id']
-              instance = event.data['instance']
-              attribute = event.data['attribute']
-              args = event.data['args'] || []
-              kwargs = event.data['kwargs'] || {}
-              handle_call(attribute, call_id: call_id, instance: instance, args: args, kwargs: kwargs)
-            when 'ExternalIsSubSpecializer'
-              instance_id = event.data['instance_id']
-              left_tag = event.data['left_class_tag']
-              right_tag = event.data['right_class_tag']
-              answer = host.subspecializer?(instance_id, left_tag: left_tag, right_tag: right_tag)
-              question_result(answer, call_id: event.data['call_id'])
-            when 'ExternalIsa'
-              instance = event.data['instance']
-              class_tag = event.data['class_tag']
-              answer = host.isa?(instance, class_tag: class_tag)
-              question_result(answer, call_id: event.data['call_id'])
-            when 'ExternalUnify'
-              left_instance_id = event.data['left_instance_id']
-              right_instance_id = event.data['right_instance_id']
-              answer = host.unify?(left_instance_id, right_instance_id)
-              question_result(answer, call_id: event.data['call_id'])
-            when 'Debug'
-              puts event.data['message'] if event.data['message']
-              print 'debug> '
-              begin
-                input = $stdin.readline.chomp.chomp(';')
-              rescue EOFError
-                next
-              end
-              command = JSON.dump(host.to_polar(input))
-              ffi_query.debug_command(command)
-            when 'ExternalOp'
-              raise UnimplementedOperationError, 'comparison operators'
-            when 'NextExternal'
-              call_id = event.data['call_id']
-              iterable = event.data['iterable']
-              handle_next_external(call_id, iterable)
-            else
-              raise "Unhandled event: #{JSON.dump(event.inspect)}"
+      def each # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+        loop do # rubocop:disable Metrics/BlockLength
+          event = ffi_query.next_event
+          case event.kind
+          when 'Done'
+            break
+          when 'Result'
+            yield event.data['bindings'].transform_values { |v| host.to_ruby(v) }
+          when 'MakeExternal'
+            handle_make_external(event.data)
+          when 'ExternalCall'
+            call_id = event.data['call_id']
+            instance = event.data['instance']
+            attribute = event.data['attribute']
+            args = event.data['args'] || []
+            kwargs = event.data['kwargs'] || {}
+            handle_call(attribute, call_id: call_id, instance: instance, args: args, kwargs: kwargs)
+          when 'ExternalIsSubSpecializer'
+            instance_id = event.data['instance_id']
+            left_tag = event.data['left_class_tag']
+            right_tag = event.data['right_class_tag']
+            answer = host.subspecializer?(instance_id, left_tag: left_tag, right_tag: right_tag)
+            question_result(answer, call_id: event.data['call_id'])
+          when 'ExternalIsa'
+            instance = event.data['instance']
+            class_tag = event.data['class_tag']
+            answer = host.isa?(instance, class_tag: class_tag)
+            question_result(answer, call_id: event.data['call_id'])
+          when 'Debug'
+            puts event.data['message'] if event.data['message']
+            print 'debug> '
+            begin
+              input = $stdin.readline.chomp.chomp(';')
+            rescue EOFError
+              next
             end
+            command = JSON.dump(host.to_polar(input))
+            ffi_query.debug_command(command)
+          when 'ExternalOp'
+            op = event.data['operator']
+            args = event.data['args'].map(&host.method(:to_ruby))
+            answer = host.operator(op, args)
+            question_result(answer, call_id: event.data['call_id'])
+          when 'NextExternal'
+            call_id = event.data['call_id']
+            iterable = event.data['iterable']
+            handle_next_external(call_id, iterable)
+          else
+            raise "Unhandled event: #{JSON.dump(event.inspect)}"
           end
-        end.lazy
+        end
       end
     end
   end

data/lib/oso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Oso
-  VERSION = '0.12.4'
+  VERSION = '0.14.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oso-oso
 version: !ruby/object:Gem::Version
-  version: 0.12.4
+  version: 0.14.1
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-09 00:00:00.000000000 Z
+date: 2021-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -133,6 +133,7 @@ files:
 - lib/oso/oso.rb
 - lib/oso/polar.rb
 - lib/oso/polar/errors.rb
+- lib/oso/polar/expression.rb
 - lib/oso/polar/ffi.rb
 - lib/oso/polar/ffi/error.rb
 - lib/oso/polar/ffi/message.rb
@@ -141,6 +142,7 @@ files:
 - lib/oso/polar/ffi/query_event.rb
 - lib/oso/polar/ffi/source.rb
 - lib/oso/polar/host.rb
+- lib/oso/polar/pattern.rb
 - lib/oso/polar/polar.rb
 - lib/oso/polar/predicate.rb
 - lib/oso/polar/query.rb