oso-oso 0.14.2 → 0.20.1.pre.beta

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 73973c0ee45c628fe89e2310f004d6d10312a40f
-  data.tar.gz: f8365839689e9eac4caedaa04c85eda33ed09836
+  metadata.gz: 7a6c6bd2d2fb38245a5103c0153f943f51060c90
+  data.tar.gz: 33dcb41c1c6bd0aeeec56d88391e1e80a66b6061
 SHA512:
-  metadata.gz: edc94997d13562f6e989d07d59edf528223c82733263ab988ab679356c82618de505976731d12050e08dd2a12521b243a913ea7cf89b84f59e327bcf0f89eb70
-  data.tar.gz: 50d4be1eeb6b17490336c372ff7617f756ba83315529c3f060d6e11e543a30b8b79b2d6e4c02ce5a45e8d3130526a661c3f89623ac20251e73aa3cc6c65e6937
+  metadata.gz: 5c025329ad3a4eff57b2cf5e7d5ca8430ef825ee287111690f06439a7c6f623068048d27ea70358af8ffb8f9d935b926cdecf54baa848f95da9ebaa23b0c0e39
+  data.tar.gz: 2c4a4114eafb5887805a7b92015f466296ae9eaaa4ffe19f1cc60d4f2ec59b6b580ff80ebe60143e639d7f606d79f343c89e3fdd7e7a52789939af9716b9b2c3

data/.gitignore

@@ -7,6 +7,7 @@
 /spec/reports/
 /tmp/
 vendor
+active_record_test.db
 
 # rspec failure tracking
 .rspec_status

data/.rubocop.yml

@@ -1,7 +1,7 @@
 AllCops:
   TargetRubyVersion: 2.4
   Exclude:
-    - '**/*~'
-    - 'bin/oso'
-    - 'vendor/**/*'
+    - "**/*~"
+    - "bin/oso"
+    - "vendor/**/*"
   NewCops: enable

data/Gemfile.lock

@@ -1,28 +1,44 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.14.2)
+    oso-oso (0.20.1.pre.beta)
       ffi (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    ast (2.4.1)
-    backport (1.1.2)
-    benchmark (0.1.0)
+    activemodel (5.2.6)
+      activesupport (= 5.2.6)
+    activerecord (5.2.6)
+      activemodel (= 5.2.6)
+      activesupport (= 5.2.6)
+      arel (>= 9.0)
+    activesupport (5.2.6)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (9.0.0)
+    ast (2.4.2)
+    backport (1.2.0)
+    benchmark (0.1.1)
     byebug (11.1.3)
     coderay (1.1.3)
+    concurrent-ruby (1.1.9)
     diff-lcs (1.4.4)
     e2mmap (0.1.0)
-    ffi (1.15.1)
+    ffi (1.15.4)
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.4)
     maruku (0.7.3)
     method_source (1.0.0)
     mini_portile2 (2.4.0)
+    minitest (5.14.4)
     nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
-    parallel (1.19.2)
-    parser (2.7.1.4)
+    parallel (1.20.1)
+    parser (2.7.2.0)
       ast (~> 2.4.1)
     pry (0.13.1)
       coderay (~> 1.1)
@@ -32,23 +48,23 @@ GEM
       pry (~> 0.13.0)
     rainbow (3.0.0)
     rake (12.3.3)
-    regexp_parser (1.7.1)
+    regexp_parser (2.1.1)
     reverse_markdown (2.0.0)
       nokogiri
-    rexml (3.2.4)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
+    rexml (3.2.5)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.3)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
     rubocop (0.89.1)
       parallel (~> 1.10)
       parser (>= 2.7.1.1)
@@ -58,10 +74,10 @@ GEM
       rubocop-ast (>= 0.3.0, < 1.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.3.0)
-      parser (>= 2.7.1.4)
-    ruby-progressbar (1.10.1)
-    solargraph (0.39.14)
+    rubocop-ast (0.8.0)
+      parser (>= 2.7.1.5)
+    ruby-progressbar (1.11.0)
+    solargraph (0.39.17)
       backport (~> 1.1)
       benchmark
       bundler (>= 1.17.2)
@@ -75,22 +91,29 @@ GEM
       thor (~> 1.0)
       tilt (~> 2.0)
       yard (~> 0.9, >= 0.9.24)
-    thor (1.0.1)
+    sqlite3 (1.4.2)
+    thor (1.1.0)
+    thread_safe (0.3.6)
     tilt (2.0.10)
+    tzinfo (1.2.9)
+      thread_safe (~> 0.1)
     unicode-display_width (1.7.0)
-    yard (0.9.25)
+    yard (0.9.26)
 
 PLATFORMS
   ruby
+  x86_64-darwin-20
 
 DEPENDENCIES
+  activerecord
   oso-oso!
   pry-byebug (~> 3.9.0)
   rake (~> 12.0)
   rspec (~> 3.0)
   rubocop (~> 0.89.1)
   solargraph (~> 0.39.14)
+  sqlite3
   yard (~> 0.9.25)
 
 BUNDLED WITH
-   2.2.4
+   2.2.15

data/README.md

@@ -4,9 +4,7 @@
 
 Add this line to your application's Gemfile:
 
-```ruby
-gem 'oso-oso'
-```
+    gem 'oso-oso'
 
 And then execute:
 

data/lib/oso/errors.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Oso
+  class Error < ::RuntimeError
+  end
+
+  class AuthorizationError < Error
+  end
+
+  # Thrown by the +authorize+, +authorize_field+, and +authorize_request+
+  # methods when the action is not allowed.
+  #
+  # Most of the time, your app should handle this error by returning a 403 HTTP
+  # error to the client.
+  class ForbiddenError < AuthorizationError
+    def initialize
+      super(
+        'Oso ForbiddenError -- The requested action was not allowed for the ' \
+        'given resource. You should handle this error by returning a 403 error ' \
+        'to the client.'
+      )
+    end
+  end
+
+  # Thrown by the +authorize+ method of an +Oso+ instance. This error indicates
+  # that the actor is not only not allowed to perform the given action, but also
+  # is not allowed to +"read"+ the given resource.
+  #
+  # Most of the time, your app should handle this error by returning a 404 HTTP
+  # error to the client.
+  #
+  # To control which action is used for the distinction between
+  # +NotFoundError+ and +ForbiddenError+, you can customize the
+  # +read_action+ on your +Oso+ instance.
+  class NotFoundError < AuthorizationError
+    def initialize
+      super(
+        'Oso NotFoundError -- The current user does not have permission to read ' \
+        'the given resource. You should handle this error by returning a 404 ' \
+        'error to the client.'
+      )
+    end
+  end
+end

data/lib/oso/oso.rb

@@ -1,12 +1,27 @@
 # frozen_string_literal: true
 
+require 'set'
 require_relative 'polar/polar'
 
 module Oso
   # oso authorization API.
   class Oso < Polar::Polar
-    def initialize
-      super
+    # Create an Oso instance, which is used to configure and enforce an Oso
+    # policy in an app.
+    #
+    # @param forbidden_error [Class] Optionally override the "forbidden" error
+    #   class thrown by the `authorize*` methods. Defaults to
+    #   {Oso::ForbiddenError}.
+    # @param not_found_error [Class] Optionally override the "not found" error
+    #   class thrown by {#authorize}. Defaults to {Oso::NotFoundError}.
+    # @param read_action The action used by the {#authorize} method to
+    #   determine whether an authorization failure should
+    #   raise a {Oso::NotFoundError} or a {Oso::ForbiddenError}
+    def initialize(not_found_error: NotFoundError, forbidden_error: ForbiddenError, read_action: 'read')
+      super()
+      @not_found_error = not_found_error
+      @forbidden_error = forbidden_error
+      @read_action = read_action
     end
 
     # Query the knowledge base to determine whether an actor is allowed to
@@ -17,7 +32,191 @@ module Oso
     # @param resource [Object] Object.
     # @return [Boolean] An access control decision.
     def allowed?(actor:, action:, resource:)
-      !query_rule('allow', actor, action, resource).first.nil?
+      query_rule_once('allow', actor, action, resource)
+    end
+
+    # Ensure that +actor+ is allowed to perform +action+ on
+    # +resource+.
+    #
+    # If the action is permitted with an +allow+ rule in the policy, then
+    # this method returns +None+. If the action is not permitted by the
+    # policy, this method will raise an error.
+    #
+    # The error raised by this method depends on whether the actor can perform
+    # the +"read"+ action on the resource. If they cannot read the resource,
+    # then a {Oso::NotFoundError} error is raised. Otherwise, a
+    # {Oso::ForbiddenError} is raised.
+    #
+    # @param actor The actor performing the request.
+    # @param action The action the actor is attempting to perform.
+    # @param resource The resource being accessed.
+    # @param check_read [Boolean] If set to +false+, a {Oso::ForbiddenError} is
+    #   always thrown on authorization failures, regardless of whether the actor
+    #   can read the resource. Default is +true+.
+    #
+    # @raise [Oso::ForbiddenError] Raised if the actor does not have permission
+    #   to perform this action on this resource, but _does_ have +"read"+
+    #   permission on the resource.
+    # @raise [Oso::NotFoundError] Raised if the actor does not have permission
+    #   to perform this action on this resource and additionally does not have
+    #   permission to +"read"+ the resource.
+    def authorize(actor, action, resource, check_read: true)
+      return if query_rule_once('allow', actor, action, resource)
+
+      if check_read && (action == @read_action || !query_rule_once('allow', actor, @read_action, resource))
+        raise @not_found_error
+      end
+
+      raise @forbidden_error
+    end
+
+    # Ensure that +actor+ is allowed to send +request+ to the server.
+    #
+    # Checks the +allow_request+ rule of a policy.
+    #
+    # If the request is permitted with an +allow_request+ rule in the
+    # policy, then this method returns nothing. Otherwise, this method raises
+    # a {Oso::ForbiddenError}.
+    #
+    # @param actor The actor performing the request.
+    # @param request An object representing the request that was sent by the
+    #   actor.
+    #
+    # @raise [Oso::ForbiddenError] Raised if the actor does not have permission
+    #   to send the request.
+    def authorize_request(actor, request)
+      raise @forbidden_error unless query_rule_once('allow_request', actor, request)
+    end
+
+    # Ensure that +actor+ is allowed to perform +action+ on a given
+    # +resource+'s +field+.
+    #
+    # If the action is permitted by an +allow_field+ rule in the policy,
+    # then this method returns nothing. If the action is not permitted by the
+    # policy, this method will raise a {Oso::ForbiddenError}.
+    #
+    # @param actor The actor performing the request.
+    # @param action The action the actor is attempting to perform on the
+    #   field.
+    # @param resource The resource being accessed.
+    # @param field The name of the field being accessed.
+    #
+    # @raise [Oso::ForbiddenError] Raised if the actor does not have permission
+    #   to access this field.
+    def authorize_field(actor, action, resource, field)
+      raise @forbidden_error unless query_rule_once('allow_field', actor, action, resource, field)
+    end
+
+    # Determine the actions +actor+ is allowed to take on +resource+.
+    #
+    # Collects all actions allowed by allow rules in the Polar policy for the
+    # given combination of actor and resource.
+    #
+    # @param actor The actor for whom to collect allowed actions
+    # @param resource The resource being accessed
+    # @param allow_wildcard Flag to determine behavior if the policy
+    #   includes a wildcard action. E.g., a rule allowing any action:
+    #   +allow(_actor, _action, _resource)+. If +true+, the method will
+    #   return +Set["*"]+, if +false+, the method will raise an exception.
+    # @return A set of the unique allowed actions.
+    def authorized_actions(actor, resource, allow_wildcard: false) # rubocop:disable Metrics/MethodLength
+      results = query_rule('allow', actor, Polar::Variable.new('action'), resource)
+      actions = Set.new
+      results.each do |result|
+        action = result['action']
+        if action.is_a?(Polar::Variable)
+          return Set['*'] if allow_wildcard
+
+          raise ::Oso::Error,
+                'The result of authorized_actions() contained an '\
+                '"unconstrained" action that could represent any '\
+                'action, but allow_wildcard was set to False. To fix, '\
+                'set allow_wildcard to True and compare with the "*" '\
+                'string.'
+        end
+        actions.add(action)
+      end
+      actions
+    end
+
+    # Determine the fields of +resource+ on which +actor+ is allowed to
+    # perform  +action+.
+    #
+    # Uses +allow_field+ rules in the policy to find all allowed fields.
+    #
+    # @param actor The actor for whom to collect allowed fields.
+    # @param action The action being taken on the field.
+    # @param resource The resource being accessed.
+    # @param allow_wildcard Flag to determine behavior if the policy \
+    #   includes a wildcard field. E.g., a rule allowing any field: \
+    #   +allow_field(_actor, _action, _resource, _field)+. If +true+, the \
+    #   method will return +Set["*"]+, if +false+, the method will raise an \
+    #   exception.
+    # @return A set of the unique allowed fields.
+    def authorized_fields(actor, action, resource, allow_wildcard: false) # rubocop:disable Metrics/MethodLength
+      results = query_rule('allow_field', actor, action, resource, Polar::Variable.new('field'))
+      fields = Set.new
+      results.each do |result|
+        field = result['field']
+        if field.is_a?(Polar::Variable)
+          return Set['*'] if allow_wildcard
+
+          raise ::Oso::Error,
+                'The result of authorized_fields() contained an '\
+                '"unconstrained" field that could represent any '\
+                'field, but allow_wildcard was set to False. To fix, '\
+                'set allow_wildcard to True and compare with the "*" '\
+                'string.'
+        end
+        fields.add(field)
+      end
+      fields
+    end
+
+    # Returns a query for resources of type +cls+ that +actor+  is allowed
+    # to perform +action+ on.
+    #
+    # @param actor The actor whose permissions to check.
+    # @param action The action being taken on the resource.
+    # @param resource_cls The resource being accessed.
+    #
+    # @returns A query for resources accessible to the actor.
+    def authorized_query(actor, action, resource_cls) # rubocop:disable Metrics/MethodLength
+      resource = Polar::Variable.new 'resource'
+
+      results = query_rule(
+        'allow',
+        actor,
+        action,
+        resource,
+        bindings: { 'resource' => type_constraint(resource, resource_cls) },
+        accept_expression: true
+      )
+
+      results = results.each_with_object([]) do |result, out|
+        result.each do |key, val|
+          out.push({ 'bindings' => { key => host.to_polar(val) } })
+        end
+      end
+
+      ::Oso::Polar::DataFiltering::FilterPlan
+        .parse(self, results, get_class_name(resource_cls))
+        .build_query
+    end
+
+    # Returns the resources of type +resource_cls+ that +actor+  is allowed
+    # to perform +action+ on.
+    #
+    # @param actor The actor whose permissions to check.
+    # @param action The action being taken on the resource.
+    # @param resource_cls The resource being accessed.
+    #
+    # @returns A list of resources accessible to the actor.
+    def authorized_resources(actor, action, resource_cls)
+      q = authorized_query actor, action, resource_cls
+      return [] if q.nil?
+
+      host.types[get_class_name resource_cls].exec_query[q]
     end
   end
 end