oso-oso 0.13.1 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ab6ed22597c52c4a77ff24aa6455492ba9cf7ed7
-  data.tar.gz: 3aaa0186592b86e63d9a2dcb2976f03154e0dcda
+  metadata.gz: 12fca0670b29961bafc90ea1565f5ef2e501a778
+  data.tar.gz: ca3fee786141d350b6d79e67ab042e650a082566
 SHA512:
-  metadata.gz: 9e7ce6bbf44da47f40c4cc5b53fab5d17870125dd5eed7443be858d9f8e0adb98fcce7799eb7fb404c867d3e10fdb5522b52d69ebc5ac6ffa280f11ad56a9623
-  data.tar.gz: d032a1742948a1f21f8fd19576aaf99479ef534a2247bac4e7a13e9f2910292a0b74eed56cef67deece467e2ae85ba6dc31df6b3a0d2761618703647895ae19a
+  metadata.gz: edcc9dd56153cc927d2791dfe398264c538030f44e7a1e36e9157b37bacc05033ad31f24d6d0c0f95b71a8de166633bcd24755e94fcb90683fee70a02711d0c2
+  data.tar.gz: e3155aef370a1d61c388f0342ee5a692afad0a473a362e740e1f8124afc86d3d18ae080e7acac856b081b7fc7e27d50b56b5e273d51e7cc1359092896480e92b

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.13.1)
+    oso-oso (0.15.0)
       ffi (~> 1.0)
 
 GEM

data/lib/oso/polar.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
 require 'oso/polar/errors'
+require 'oso/polar/expression'
 require 'oso/polar/ffi'
 require 'oso/polar/host'
+require 'oso/polar/pattern'
 require 'oso/polar/polar'
 require 'oso/polar/predicate'
 require 'oso/polar/query'

data/lib/oso/polar/errors.rb

@@ -100,8 +100,11 @@ module Oso
     class ApiError < Error; end
     class ParameterError < ApiError; end
 
+    class ValidationError < Error; end
+    class RolesValidationError < Error; end
+
     UNEXPECTED_EXPRESSION_MESSAGE = <<~MSG
-      Recieved Expression from Polar VM. The Expression type is not yet supported in this language.
+      Received Expression from Polar VM. The Expression type is not yet supported in this language.
 
       This may mean you performed an operation in your policy over an unbound variable.
     MSG

data/lib/oso/polar/expression.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Polar expression.
+    class Expression
+      attr_reader :operator, :args
+
+      # @param operator [String]
+      # @param args [Array<Object>]
+      def initialize(operator, args)
+        @operator = operator
+        @args = args
+      end
+
+      # @param other [Expression]
+      # @return [Boolean]
+      def ==(other)
+        operator == other.operator && args == other.args
+      end
+
+      # @see #==
+      alias eql? ==
+    end
+  end
+end

data/lib/oso/polar/ffi/error.rb

@@ -24,14 +24,29 @@ module Oso
         #
         # @return [::Oso::Polar::Error] if there's an FFI error.
         # @return [::Oso::Polar::FFIErrorNotFound] if there isn't one.
-        def self.get # rubocop:disable Metrics/MethodLength
+        def self.get(enrich_message) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
           error = Rust.get
           return ::Oso::Polar::FFIErrorNotFound if error.null?
 
           error = JSON.parse(error.to_s)
           msg = error['formatted']
           kind, body = error['kind'].first
-          subkind, details = body.first
+
+          # Not all errors have subkind and details.
+          # TODO (gj): This bug may exist in other libraries.
+          if body.is_a? Hash
+            subkind, details = body.first
+          else
+            subkind, details = nil
+          end
+
+          # Enrich error message and stack trace
+          msg = enrich_message.call(msg) if msg
+          if details
+            details['stack_trace'] = enrich_message.call(details['stack_trace']) if details['stack_trace']
+            details['msg'] = enrich_message.call(details['msg']) if details['msg']
+          end
+
           case kind
           when 'Parse'
             parse_error(subkind, msg: msg, details: details)
@@ -41,6 +56,8 @@ module Oso
             operational_error(subkind, msg: msg, details: details)
           when 'Parameter'
             api_error(subkind, msg: msg, details: details)
+          when 'RolesValidation'
+            validation_error(msg, details: details)
           end
         end
 
@@ -121,6 +138,16 @@ module Oso
             ::Oso::Polar::ApiError.new(msg, details: details)
           end
         end
+
+        # Map FFI Validation errors into Ruby exceptions.
+        #
+        # @param msg [String]
+        # @param details [Hash<String, Object>]
+        # @return [::Oso::Polar::ValidationError] the object converted into the expected format.
+        private_class_method def self.validation_error(msg, details:)
+          # This is currently the only type of validation error.
+          ::Oso::Polar::RolesValidationError.new(msg, details: details)
+        end
       end
     end
   end

data/lib/oso/polar/ffi/message.rb

@@ -19,10 +19,11 @@ module Oso
           attach_function :free, :string_free, [Message], :int32
         end
 
-        def process
+        def process(enrich_message)
           message = JSON.parse(to_s)
           kind = message['kind']
           msg = message['msg']
+          msg = enrich_message.call(msg)
 
           case kind
           when 'Print'

data/lib/oso/polar/ffi/polar.rb

@@ -7,11 +7,15 @@ module Oso
     module FFI
       # Wrapper class for Polar FFI pointer + operations.
       class Polar < ::FFI::AutoPointer
+        attr_accessor :enrich_message
+
         Rust = Module.new do
           extend ::FFI::Library
           ffi_lib FFI::LIB_PATH
 
           attach_function :new, :polar_new, [], FFI::Polar
+          attach_function :enable_roles, :polar_enable_roles, [FFI::Polar], :int32
+          attach_function :validate_roles_config, :polar_validate_roles_config, [FFI::Polar, :string], :int32
           attach_function :load, :polar_load, [FFI::Polar, :string, :string], :int32
           attach_function :clear_rules, :polar_clear_rules, [FFI::Polar], :int32
           attach_function :next_inline_query, :polar_next_inline_query, [FFI::Polar, :uint32], FFI::Query
@@ -28,25 +32,39 @@ module Oso
         # @raise [FFI::Error] if the FFI call returns an error.
         def self.create
           polar = Rust.new
-          raise FFI::Error.get if polar.null?
+          handle_error if polar.null?
 
           polar
         end
 
+        # @raise [FFI::Error] if the FFI call returns an error.
+        def enable_roles
+          result = Rust.enable_roles(self)
+          process_messages
+          handle_error if result.zero?
+        end
+
+        # @raise [FFI::Error] if the FFI call returns an error.
+        def validate_roles_config(config)
+          result = Rust.validate_roles_config(self, JSON.dump(config))
+          process_messages
+          handle_error if result.zero?
+        end
+
         # @param src [String]
         # @param filename [String]
         # @raise [FFI::Error] if the FFI call returns an error.
         def load(src, filename: nil)
           loaded = Rust.load(self, src, filename)
           process_messages
-          raise FFI::Error.get if loaded.zero?
+          handle_error if loaded.zero?
         end
 
         # @raise [FFI::Error] if the FFI call returns an error.
         def clear_rules
           cleared = Rust.clear_rules(self)
           process_messages
-          raise FFI::Error.get if cleared.zero?
+          handle_error if cleared.zero?
         end
 
         # @return [FFI::Query] if there are remaining inline queries.
@@ -64,7 +82,7 @@ module Oso
           id = Rust.new_id(self)
           # TODO(gj): I don't think this error check is correct. If getting a new ID fails on the
           # Rust side, it'll probably surface as a panic (e.g., the KB lock is poisoned).
-          raise FFI::Error.get if id.zero?
+          handle_error if id.zero?
 
           id
         end
@@ -75,7 +93,7 @@ module Oso
         def new_query_from_str(str)
           query = Rust.new_query_from_str(self, str, 0)
           process_messages
-          raise FFI::Error.get if query.null?
+          handle_error if query.null?
 
           query
         end
@@ -86,7 +104,7 @@ module Oso
         def new_query_from_term(term)
           query = Rust.new_query_from_term(self, JSON.dump(term), 0)
           process_messages
-          raise FFI::Error.get if query.null?
+          handle_error if query.null?
 
           query
         end
@@ -96,7 +114,7 @@ module Oso
         # @raise [FFI::Error] if the FFI call returns an error.
         def register_constant(value, name:)
           registered = Rust.register_constant(self, name, JSON.dump(value))
-          raise FFI::Error.get if registered.zero?
+          handle_error if registered.zero?
         end
 
         def next_message
@@ -108,9 +126,13 @@ module Oso
             message = next_message
             break if message.null?
 
-            message.process
+            message.process(enrich_message)
           end
         end
+
+        def handle_error
+          raise FFI::Error.get(enrich_message)
+        end
       end
     end
   end

data/lib/oso/polar/ffi/query.rb

@@ -7,6 +7,8 @@ module Oso
     module FFI
       # Wrapper class for Query FFI pointer + operations.
       class Query < ::FFI::AutoPointer
+        attr_accessor :enrich_message
+
         Rust = Module.new do
           extend ::FFI::Library
           ffi_lib FFI::LIB_PATH
@@ -27,7 +29,7 @@ module Oso
         def debug_command(cmd)
           res = Rust.debug_command(self, cmd)
           process_messages
-          raise FFI::Error.get if res.zero?
+          handle_error if res.zero?
         end
 
         # @param result [String]
@@ -35,7 +37,7 @@ module Oso
         # @raise [FFI::Error] if the FFI call returns an error.
         def call_result(result, call_id:)
           res = Rust.call_result(self, call_id, result)
-          raise FFI::Error.get if res.zero?
+          handle_error if res.zero?
         end
 
         # @param result [Boolean]
@@ -44,7 +46,7 @@ module Oso
         def question_result(result, call_id:)
           result = result ? 1 : 0
           res = Rust.question_result(self, call_id, result)
-          raise FFI::Error.get if res.zero?
+          handle_error if res.zero?
         end
 
         # @param result [Boolean]
@@ -52,7 +54,7 @@ module Oso
         # @raise [FFI::Error] if the FFI call returns an error.
         def application_error(message)
           res = Rust.application_error(self, message)
-          raise FFI::Error.get if res.zero?
+          handle_error if res.zero?
         end
 
         # @return [::Oso::Polar::QueryEvent]
@@ -60,7 +62,7 @@ module Oso
         def next_event
           event = Rust.next_event(self)
           process_messages
-          raise FFI::Error.get if event.null?
+          handle_error if event.null?
 
           ::Oso::Polar::QueryEvent.new(JSON.parse(event.to_s))
         end
@@ -74,7 +76,7 @@ module Oso
             message = next_message
             break if message.null?
 
-            message.process
+            message.process(enrich_message)
           end
         end
 
@@ -82,10 +84,14 @@ module Oso
         # @raise [FFI::Error] if the FFI call returns an error.
         def source
           res = Rust.source(self)
-          raise FFI::Error.get if res.null?
+          handle_error if res.null?
 
           res.to_s
         end
+
+        def handle_error
+          raise FFI::Error.get(enrich_message)
+        end
       end
     end
   end

data/lib/oso/polar/host.rb

@@ -2,6 +2,38 @@
 
 module Oso
   module Polar
+    # Ruby code reloaders (i.e. the one used by rails) swap out the value of
+    # a constant on code changes. Because of this, we can't reliably call
+    # `is_a?` on the constant that was passed to `register_class`.
+    #
+    # Example (where Foo is a class defined in foo.rb):
+    #   > klass = Foo
+    #   > Foo.new.is_a? klass
+    #     => true
+    #   > ... user changes foo.rb ...
+    #   > Foo.new.is_a? klass
+    #     => false
+    #
+    # To solve this, when we need to access the class (e.g. during isa), we
+    # look it up using const_get, which will always return the up-to-date
+    # version of the class.
+    class PolarClass
+      attr_reader :name, :anon_class
+
+      def initialize(klass)
+        @name = klass.name
+        # If the class doesn't have a name, it is anonymous, meaning we should
+        # actually store it directly
+        @anon_class = klass if klass.name.nil?
+      end
+
+      def get
+        return anon_class if anon_class
+
+        Object.const_get(name)
+      end
+    end
+
     # Translate between Polar and the host language (Ruby).
     class Host # rubocop:disable Metrics/ClassLength
       protected
@@ -12,13 +44,18 @@ module Oso
       attr_reader :classes
       # @return [Hash<Integer, Object>]
       attr_reader :instances
+      # @return [Boolean]
+      attr_reader :accept_expression
 
       public
 
+      attr_writer :accept_expression
+
       def initialize(ffi_polar)
         @ffi_polar = ffi_polar
         @classes = {}
         @instances = {}
+        @accept_expression = false
       end
 
       def initialize_copy(other)
@@ -35,7 +72,7 @@ module Oso
       def get_class(name)
         raise UnregisteredClassError, name unless classes.key? name
 
-        classes[name]
+        classes[name].get
       end
 
       # Store a Ruby class in the {#classes} cache.
@@ -48,7 +85,7 @@ module Oso
       def cache_class(cls, name:)
         raise DuplicateClassAliasError.new name: name, old: get_class(name), new: cls if classes.key? name
 
-        classes[name] = cls
+        classes[name] = PolarClass.new(cls)
         name
       end
 
@@ -73,7 +110,10 @@ module Oso
       def get_instance(id)
         raise UnregisteredInstanceError, id unless instance? id
 
-        instances[id]
+        instance = instances[id]
+        return instance.get if instance.is_a? PolarClass
+
+        instance
       end
 
       # Cache a Ruby instance in the {#instances} cache, fetching a new id if
@@ -84,6 +124,8 @@ module Oso
       # @return [Integer] the instance ID.
       def cache_instance(instance, id: nil)
         id = ffi_polar.new_id if id.nil?
+        # Save the instance as a PolarClass if it is a non-anonymous class
+        instance = PolarClass.new(instance) if instance.is_a?(Class)
         instances[id] = instance
         id
       end
@@ -107,6 +149,33 @@ module Oso
         raise PolarRuntimeError, "Error constructing instance of #{cls_name}: #{e}"
       end
 
+      OPS = {
+        'Lt' => :<,
+        'Gt' => :>,
+        'Eq' => :==,
+        'Geq' => :>=,
+        'Leq' => :<=,
+        'Neq' => :!=
+      }.freeze
+
+      # Compare two values
+      #
+      # @param op [String] operation to perform.
+      # @param args [Array<Object>] left and right args to operation.
+      # @raise [PolarRuntimeError] if operation fails or is unsupported.
+      # @return [Boolean]
+      def operator(operation, args)
+        left, right = args
+        op = OPS[operation]
+        raise PolarRuntimeError, "Unsupported external operation '#{left.class} #{operation} #{right.class}'" if op.nil?
+
+        begin
+          left.__send__ op, right
+        rescue StandardError
+          raise PolarRuntimeError, "External operation '#{left.class} #{operation} #{right.class}' failed."
+        end
+      end
+
       # Check if the left class is more specific than the right class
       # with respect to the given instance.
       #
@@ -132,17 +201,6 @@ module Oso
         instance.is_a? cls
       end
 
-      # Check if two instances unify
-      #
-      # @param left_instance_id [Integer]
-      # @param right_instance_id [Integer]
-      # @return [Boolean]
-      def unify?(left_instance_id, right_instance_id)
-        left_instance = get_instance(left_instance_id)
-        right_instance = get_instance(right_instance_id)
-        left_instance == right_instance
-      end
-
       # Turn a Ruby value into a Polar term that's ready to be sent across the
       # FFI boundary.
       #
@@ -173,9 +231,18 @@ module Oso
                   { 'Call' => { 'name' => value.name, 'args' => value.args.map { |el| to_polar(el) } } }
                 when value.instance_of?(Variable)
                   # This is supported so that we can query for unbound variables
-                  { 'Variable' => value }
+                  { 'Variable' => value.name }
+                when value.instance_of?(Expression)
+                  { 'Expression' => { 'operator' => value.operator, 'args' => value.args.map { |el| to_polar(el) } } }
+                when value.instance_of?(Pattern)
+                  dict = to_polar(value.fields)['value']
+                  if value.tag.nil?
+                    { 'Pattern' => dict }
+                  else
+                    { 'Pattern' => { 'Instance' => { 'tag' => value.tag, 'fields' => dict['Dictionary'] } } }
+                  end
                 else
-                  { 'ExternalInstance' => { 'instance_id' => cache_instance(value), 'repr' => value.to_s } }
+                  { 'ExternalInstance' => { 'instance_id' => cache_instance(value), 'repr' => nil } }
                 end
         { 'value' => value }
       end
@@ -219,11 +286,34 @@ module Oso
         when 'Call'
           Predicate.new(value['name'], args: value['args'].map { |a| to_ruby(a) })
         when 'Variable'
-          Variable.new(value['name'])
+          Variable.new(value)
+        when 'Expression'
+          raise UnexpectedPolarTypeError, tag unless accept_expression
+
+          args = value['args'].map { |a| to_ruby(a) }
+          Expression.new(value['operator'], args)
+        when 'Pattern'
+          case value.keys.first
+          when 'Instance'
+            tag = value.values.first['tag']
+            fields = value.values.first['fields']['fields'].transform_values { |v| to_ruby(v) }
+            Pattern.new(tag, fields)
+          when 'Dictionary'
+            fields = value.values.first['fields'].transform_values { |v| to_ruby(v) }
+            Pattern.new(nil, fields)
+          else
+            raise UnexpectedPolarTypeError, "#{value.keys.first} variant of Pattern"
+          end
         else
           raise UnexpectedPolarTypeError, tag
         end
       end
+
+      def enrich_message(msg)
+        msg.gsub(/\^\{id: ([0-9]+)\}/) do
+          get_instance(Regexp.last_match[1].to_i).to_s
+        end
+      end
     end
   end
 end

data/lib/oso/polar/pattern.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Polar pattern.
+    class Pattern
+      attr_reader :tag, :fields
+
+      # @param tag [String]
+      # @param fields [Hash<String, Object>]
+      def initialize(tag, fields)
+        @tag = tag
+        @fields = fields
+      end
+
+      # @param other [Pattern]
+      # @return [Boolean]
+      def ==(other)
+        tag == other.tag && fields == other.fields
+      end
+
+      # @see #==
+      alias eql? ==
+    end
+  end
+end

data/lib/oso/polar/polar.rb

@@ -34,9 +34,11 @@ module Oso
       # @return [Host]
       attr_reader :host
 
-      def initialize
+      def initialize # rubocop:disable Metrics/MethodLength
         @ffi_polar = FFI::Polar.create
         @host = Host.new(ffi_polar)
+        @ffi_polar.enrich_message = @host.method(:enrich_message)
+        @polar_roles_enabled = false
 
         # Register global constants.
         register_constant nil, name: 'nil'
@@ -50,11 +52,48 @@ module Oso
         register_class String
       end
 
+      def enable_roles # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        return if polar_roles_enabled
+
+        roles_helper = Class.new do
+          def self.join(separator, left, right)
+            [left, right].join(separator)
+          end
+        end
+        register_constant(roles_helper, name: '__oso_internal_roles_helpers__')
+        ffi_polar.enable_roles
+        self.polar_roles_enabled = true
+
+        # validate config
+        validation_query_results = []
+        loop do
+          query = ffi_polar.next_inline_query
+          break if query.nil?
+
+          new_host = host.dup
+          new_host.accept_expression = true
+          results = Query.new(query, host: new_host).to_a
+          raise InlineQueryFailedError, query.source if results.empty?
+
+          validation_query_results.push results
+        end
+
+        # turn bindings back into polar
+        validation_query_results = validation_query_results.map do |results|
+          results.map do |result|
+            { 'bindings' => result.transform_values { |v| host.to_polar(v) } }
+          end
+        end
+
+        ffi_polar.validate_roles_config(validation_query_results)
+      end
+
       # Clear all rules and rule sources from the current Polar instance
       #
       # @return [self] for chaining.
       def clear_rules
         ffi_polar.clear_rules
+        ffi_polar.enable_roles if polar_roles_enabled
         self
       end
 
@@ -81,7 +120,7 @@ module Oso
       # @raise [InlineQueryFailedError] on the first failed inline query.
       # @raise [Error] if any of the FFI calls raise one.
       # @return [self] for chaining.
-      def load_str(str, filename: nil)
+      def load_str(str, filename: nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
         raise NullByteInPolarFileError if str.chomp("\0").include?("\0")
 
         ffi_polar.load(str, filename: filename)
@@ -91,6 +130,13 @@ module Oso
 
           raise InlineQueryFailedError, next_query.source if Query.new(next_query, host: host).first.nil?
         end
+
+        # If roles are enabled, re-validate config when new rules are loaded.
+        if polar_roles_enabled
+          self.polar_roles_enabled = false
+          enable_roles
+        end
+
         self
       end
 
@@ -170,6 +216,7 @@ module Oso
 
       # @return [FFI::Polar]
       attr_reader :ffi_polar
+      attr_accessor :polar_roles_enabled
 
       # The R and L in REPL for systems where readline is available.
       def repl_readline(prompt)

data/lib/oso/polar/query.rb

@@ -13,6 +13,7 @@ module Oso
       def initialize(ffi_query, host:)
         @calls = {}
         @ffi_query = ffi_query
+        ffi_query.enrich_message = host.method(:enrich_message)
         @host = host
       end
 
@@ -146,13 +147,12 @@ module Oso
             class_tag = event.data['class_tag']
             answer = host.isa?(instance, class_tag: class_tag)
             question_result(answer, call_id: event.data['call_id'])
-          when 'ExternalUnify'
-            left_instance_id = event.data['left_instance_id']
-            right_instance_id = event.data['right_instance_id']
-            answer = host.unify?(left_instance_id, right_instance_id)
-            question_result(answer, call_id: event.data['call_id'])
           when 'Debug'
-            puts event.data['message'] if event.data['message']
+            msg = event.data['message']
+            if msg
+              msg = host.enrich_message(msg) if msg
+              puts msg
+            end
             print 'debug> '
             begin
               input = $stdin.readline.chomp.chomp(';')
@@ -162,7 +162,10 @@ module Oso
             command = JSON.dump(host.to_polar(input))
             ffi_query.debug_command(command)
           when 'ExternalOp'
-            raise UnimplementedOperationError, 'comparison operators'
+            op = event.data['operator']
+            args = event.data['args'].map(&host.method(:to_ruby))
+            answer = host.operator(op, args)
+            question_result(answer, call_id: event.data['call_id'])
           when 'NextExternal'
             call_id = event.data['call_id']
             iterable = event.data['iterable']

data/lib/oso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Oso
-  VERSION = '0.13.1'
+  VERSION = '0.15.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oso-oso
 version: !ruby/object:Gem::Version
-  version: 0.13.1
+  version: 0.15.0
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-30 00:00:00.000000000 Z
+date: 2021-08-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -133,6 +133,7 @@ files:
 - lib/oso/oso.rb
 - lib/oso/polar.rb
 - lib/oso/polar/errors.rb
+- lib/oso/polar/expression.rb
 - lib/oso/polar/ffi.rb
 - lib/oso/polar/ffi/error.rb
 - lib/oso/polar/ffi/message.rb
@@ -141,6 +142,7 @@ files:
 - lib/oso/polar/ffi/query_event.rb
 - lib/oso/polar/ffi/source.rb
 - lib/oso/polar/host.rb
+- lib/oso/polar/pattern.rb
 - lib/oso/polar/polar.rb
 - lib/oso/polar/predicate.rb
 - lib/oso/polar/query.rb