oso-oso 0.15.1 → 0.21.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32e04bc53de8b9a2a8820365219be2b0e345e765
-  data.tar.gz: 911eea4f97fe5aba8cb0f97485e7c9c86c68772e
+  metadata.gz: a9fbbff1209cf44803895d162562cb6d9c8a4c37
+  data.tar.gz: 8196f85296430d4c85a283bfec132c05a86e1433
 SHA512:
-  metadata.gz: 70a6be55d3f0291aa53ff067dfdeea504cd261b40f2aeb4c613887c78fb7cf8d86de91e34f169c2e1198fa0f1c49a999dda8d4d608b9e61ca3011cb72925a8cf
-  data.tar.gz: e23bca87576a43d12e54d4206fbb50595f4bc6d8c0c06eb7a090c2fad5978c3a5f63f851d974ec5ec2469f6b9b20246826c58f29654d34ea5fe5fa8ef197d6cd
+  metadata.gz: 2d49aec9759922b92b874f981709a57b6c04afc1b30762302c6020a37bde144d0b56b0343482f7f18ed96f3c3d298a0e493967fbbf8939fb91cc7dc493417e54
+  data.tar.gz: 867123b379ef0ff554f9c433d317826e6b6e3b84a26008fe97e56f83d588737064ba71b61f4c5848969b7c6f6a0fd2cef9e8a488f238a86a152dcef7b452844e

data/.gitignore

@@ -7,6 +7,7 @@
 /spec/reports/
 /tmp/
 vendor
+active_record_test.db
 
 # rspec failure tracking
 .rspec_status

data/.rubocop.yml

@@ -1,7 +1,10 @@
 AllCops:
   TargetRubyVersion: 2.4
   Exclude:
-    - '**/*~'
-    - 'bin/oso'
-    - 'vendor/**/*'
+    - "**/*~"
+    - "bin/oso"
+    - "vendor/**/*"
   NewCops: enable
+Naming/FileName:
+  Exclude:
+    - "lib/oso-oso.rb"

data/Gemfile.lock

@@ -1,28 +1,44 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.15.1)
+    oso-oso (0.21.0)
       ffi (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    ast (2.4.1)
-    backport (1.1.2)
-    benchmark (0.1.0)
+    activemodel (5.2.6)
+      activesupport (= 5.2.6)
+    activerecord (5.2.6)
+      activemodel (= 5.2.6)
+      activesupport (= 5.2.6)
+      arel (>= 9.0)
+    activesupport (5.2.6)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (9.0.0)
+    ast (2.4.2)
+    backport (1.2.0)
+    benchmark (0.1.1)
     byebug (11.1.3)
     coderay (1.1.3)
+    concurrent-ruby (1.1.9)
     diff-lcs (1.4.4)
     e2mmap (0.1.0)
-    ffi (1.15.1)
+    ffi (1.15.4)
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.4)
     maruku (0.7.3)
     method_source (1.0.0)
     mini_portile2 (2.4.0)
+    minitest (5.14.4)
     nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
-    parallel (1.19.2)
-    parser (2.7.1.4)
+    parallel (1.20.1)
+    parser (2.7.2.0)
       ast (~> 2.4.1)
     pry (0.13.1)
       coderay (~> 1.1)
@@ -32,23 +48,23 @@ GEM
       pry (~> 0.13.0)
     rainbow (3.0.0)
     rake (12.3.3)
-    regexp_parser (1.7.1)
+    regexp_parser (2.1.1)
     reverse_markdown (2.0.0)
       nokogiri
-    rexml (3.2.4)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
+    rexml (3.2.5)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.3)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
     rubocop (0.89.1)
       parallel (~> 1.10)
       parser (>= 2.7.1.1)
@@ -58,10 +74,10 @@ GEM
       rubocop-ast (>= 0.3.0, < 1.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.3.0)
-      parser (>= 2.7.1.4)
-    ruby-progressbar (1.10.1)
-    solargraph (0.39.14)
+    rubocop-ast (0.8.0)
+      parser (>= 2.7.1.5)
+    ruby-progressbar (1.11.0)
+    solargraph (0.39.17)
       backport (~> 1.1)
       benchmark
       bundler (>= 1.17.2)
@@ -75,21 +91,28 @@ GEM
       thor (~> 1.0)
       tilt (~> 2.0)
       yard (~> 0.9, >= 0.9.24)
-    thor (1.0.1)
+    sqlite3 (1.4.2)
+    thor (1.1.0)
+    thread_safe (0.3.6)
     tilt (2.0.10)
+    tzinfo (1.2.9)
+      thread_safe (~> 0.1)
     unicode-display_width (1.7.0)
-    yard (0.9.25)
+    yard (0.9.26)
 
 PLATFORMS
   ruby
+  x86_64-darwin-20
 
 DEPENDENCIES
+  activerecord
   oso-oso!
   pry-byebug (~> 3.9.0)
   rake (~> 12.0)
   rspec (~> 3.0)
   rubocop (~> 0.89.1)
   solargraph (~> 0.39.14)
+  sqlite3
   yard (~> 0.9.25)
 
 BUNDLED WITH

data/README.md

@@ -4,9 +4,7 @@
 
 Add this line to your application's Gemfile:
 
-```ruby
-gem 'oso-oso'
-```
+    gem 'oso-oso'
 
 And then execute:
 

data/lib/oso/errors.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Oso
+  class Error < ::RuntimeError
+  end
+
+  class AuthorizationError < Error
+  end
+
+  # Thrown by the +authorize+, +authorize_field+, and +authorize_request+
+  # methods when the action is not allowed.
+  #
+  # Most of the time, your app should handle this error by returning a 403 HTTP
+  # error to the client.
+  class ForbiddenError < AuthorizationError
+    def initialize
+      super(
+        'Oso ForbiddenError -- The requested action was not allowed for the ' \
+        'given resource. You should handle this error by returning a 403 error ' \
+        'to the client.'
+      )
+    end
+  end
+
+  # Thrown by the +authorize+ method of an +Oso+ instance. This error indicates
+  # that the actor is not only not allowed to perform the given action, but also
+  # is not allowed to +"read"+ the given resource.
+  #
+  # Most of the time, your app should handle this error by returning a 404 HTTP
+  # error to the client.
+  #
+  # To control which action is used for the distinction between
+  # +NotFoundError+ and +ForbiddenError+, you can customize the
+  # +read_action+ on your +Oso+ instance.
+  class NotFoundError < AuthorizationError
+    def initialize
+      super(
+        'Oso NotFoundError -- The current user does not have permission to read ' \
+        'the given resource. You should handle this error by returning a 404 ' \
+        'error to the client.'
+      )
+    end
+  end
+end

data/lib/oso/oso.rb

@@ -1,12 +1,27 @@
 # frozen_string_literal: true
 
+require 'set'
 require_relative 'polar/polar'
 
 module Oso
   # oso authorization API.
   class Oso < Polar::Polar
-    def initialize
-      super
+    # Create an Oso instance, which is used to configure and enforce an Oso
+    # policy in an app.
+    #
+    # @param forbidden_error [Class] Optionally override the "forbidden" error
+    #   class thrown by the `authorize*` methods. Defaults to
+    #   {Oso::ForbiddenError}.
+    # @param not_found_error [Class] Optionally override the "not found" error
+    #   class thrown by {#authorize}. Defaults to {Oso::NotFoundError}.
+    # @param read_action The action used by the {#authorize} method to
+    #   determine whether an authorization failure should
+    #   raise a {Oso::NotFoundError} or a {Oso::ForbiddenError}
+    def initialize(not_found_error: NotFoundError, forbidden_error: ForbiddenError, read_action: 'read')
+      super()
+      @not_found_error = not_found_error
+      @forbidden_error = forbidden_error
+      @read_action = read_action
     end
 
     # Query the knowledge base to determine whether an actor is allowed to
@@ -17,7 +32,191 @@ module Oso
     # @param resource [Object] Object.
     # @return [Boolean] An access control decision.
     def allowed?(actor:, action:, resource:)
-      !query_rule('allow', actor, action, resource).first.nil?
+      query_rule_once('allow', actor, action, resource)
+    end
+
+    # Ensure that +actor+ is allowed to perform +action+ on
+    # +resource+.
+    #
+    # If the action is permitted with an +allow+ rule in the policy, then
+    # this method returns +None+. If the action is not permitted by the
+    # policy, this method will raise an error.
+    #
+    # The error raised by this method depends on whether the actor can perform
+    # the +"read"+ action on the resource. If they cannot read the resource,
+    # then a {Oso::NotFoundError} error is raised. Otherwise, a
+    # {Oso::ForbiddenError} is raised.
+    #
+    # @param actor The actor performing the request.
+    # @param action The action the actor is attempting to perform.
+    # @param resource The resource being accessed.
+    # @param check_read [Boolean] If set to +false+, a {Oso::ForbiddenError} is
+    #   always thrown on authorization failures, regardless of whether the actor
+    #   can read the resource. Default is +true+.
+    #
+    # @raise [Oso::ForbiddenError] Raised if the actor does not have permission
+    #   to perform this action on this resource, but _does_ have +"read"+
+    #   permission on the resource.
+    # @raise [Oso::NotFoundError] Raised if the actor does not have permission
+    #   to perform this action on this resource and additionally does not have
+    #   permission to +"read"+ the resource.
+    def authorize(actor, action, resource, check_read: true)
+      return if query_rule_once('allow', actor, action, resource)
+
+      if check_read && (action == @read_action || !query_rule_once('allow', actor, @read_action, resource))
+        raise @not_found_error
+      end
+
+      raise @forbidden_error
+    end
+
+    # Ensure that +actor+ is allowed to send +request+ to the server.
+    #
+    # Checks the +allow_request+ rule of a policy.
+    #
+    # If the request is permitted with an +allow_request+ rule in the
+    # policy, then this method returns nothing. Otherwise, this method raises
+    # a {Oso::ForbiddenError}.
+    #
+    # @param actor The actor performing the request.
+    # @param request An object representing the request that was sent by the
+    #   actor.
+    #
+    # @raise [Oso::ForbiddenError] Raised if the actor does not have permission
+    #   to send the request.
+    def authorize_request(actor, request)
+      raise @forbidden_error unless query_rule_once('allow_request', actor, request)
+    end
+
+    # Ensure that +actor+ is allowed to perform +action+ on a given
+    # +resource+'s +field+.
+    #
+    # If the action is permitted by an +allow_field+ rule in the policy,
+    # then this method returns nothing. If the action is not permitted by the
+    # policy, this method will raise a {Oso::ForbiddenError}.
+    #
+    # @param actor The actor performing the request.
+    # @param action The action the actor is attempting to perform on the
+    #   field.
+    # @param resource The resource being accessed.
+    # @param field The name of the field being accessed.
+    #
+    # @raise [Oso::ForbiddenError] Raised if the actor does not have permission
+    #   to access this field.
+    def authorize_field(actor, action, resource, field)
+      raise @forbidden_error unless query_rule_once('allow_field', actor, action, resource, field)
+    end
+
+    # Determine the actions +actor+ is allowed to take on +resource+.
+    #
+    # Collects all actions allowed by allow rules in the Polar policy for the
+    # given combination of actor and resource.
+    #
+    # @param actor The actor for whom to collect allowed actions
+    # @param resource The resource being accessed
+    # @param allow_wildcard Flag to determine behavior if the policy
+    #   includes a wildcard action. E.g., a rule allowing any action:
+    #   +allow(_actor, _action, _resource)+. If +true+, the method will
+    #   return +Set["*"]+, if +false+, the method will raise an exception.
+    # @return A set of the unique allowed actions.
+    def authorized_actions(actor, resource, allow_wildcard: false) # rubocop:disable Metrics/MethodLength
+      results = query_rule('allow', actor, Polar::Variable.new('action'), resource)
+      actions = Set.new
+      results.each do |result|
+        action = result['action']
+        if action.is_a?(Polar::Variable)
+          return Set['*'] if allow_wildcard
+
+          raise ::Oso::Error,
+                'The result of authorized_actions() contained an '\
+                '"unconstrained" action that could represent any '\
+                'action, but allow_wildcard was set to False. To fix, '\
+                'set allow_wildcard to True and compare with the "*" '\
+                'string.'
+        end
+        actions.add(action)
+      end
+      actions
+    end
+
+    # Determine the fields of +resource+ on which +actor+ is allowed to
+    # perform  +action+.
+    #
+    # Uses +allow_field+ rules in the policy to find all allowed fields.
+    #
+    # @param actor The actor for whom to collect allowed fields.
+    # @param action The action being taken on the field.
+    # @param resource The resource being accessed.
+    # @param allow_wildcard Flag to determine behavior if the policy \
+    #   includes a wildcard field. E.g., a rule allowing any field: \
+    #   +allow_field(_actor, _action, _resource, _field)+. If +true+, the \
+    #   method will return +Set["*"]+, if +false+, the method will raise an \
+    #   exception.
+    # @return A set of the unique allowed fields.
+    def authorized_fields(actor, action, resource, allow_wildcard: false) # rubocop:disable Metrics/MethodLength
+      results = query_rule('allow_field', actor, action, resource, Polar::Variable.new('field'))
+      fields = Set.new
+      results.each do |result|
+        field = result['field']
+        if field.is_a?(Polar::Variable)
+          return Set['*'] if allow_wildcard
+
+          raise ::Oso::Error,
+                'The result of authorized_fields() contained an '\
+                '"unconstrained" field that could represent any '\
+                'field, but allow_wildcard was set to False. To fix, '\
+                'set allow_wildcard to True and compare with the "*" '\
+                'string.'
+        end
+        fields.add(field)
+      end
+      fields
+    end
+
+    # Create a query for resources of type +cls+ that +actor+ is
+    # allowed to perform +action+ on.
+    #
+    # @param actor The actor whose permissions to check.
+    # @param action The action being taken on the resource.
+    # @param resource_cls The resource being accessed.
+    #
+    # @return A query for resources accessible to the actor.
+    def authorized_query(actor, action, resource_cls) # rubocop:disable Metrics/MethodLength
+      resource = Polar::Variable.new 'resource'
+
+      results = query_rule(
+        'allow',
+        actor,
+        action,
+        resource,
+        bindings: { 'resource' => type_constraint(resource, resource_cls) },
+        accept_expression: true
+      )
+
+      results = results.each_with_object([]) do |result, out|
+        result.each do |key, val|
+          out.push({ 'bindings' => { key => host.to_polar(val) } })
+        end
+      end
+
+      ::Oso::Polar::DataFiltering::FilterPlan
+        .parse(self, results, get_class_name(resource_cls))
+        .build_query
+    end
+
+    # Determine the resources of type +resource_cls+ that +actor+
+    # is allowed to perform +action+ on.
+    #
+    # @param actor The actor whose permissions to check.
+    # @param action The action being taken on the resource.
+    # @param resource_cls The resource being accessed.
+    #
+    # @return A list of resources accessible to the actor.
+    def authorized_resources(actor, action, resource_cls)
+      q = authorized_query actor, action, resource_cls
+      return [] if q.nil?
+
+      host.types[get_class_name resource_cls].exec_query[q]
     end
   end
 end

data/lib/oso/polar/data_filtering.rb

@@ -0,0 +1,185 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Data filtering interface for Ruby
+    module DataFiltering
+      # Represents a set of filter sequences that should allow the host
+      # to obtain the records satisfying a query.
+      class FilterPlan
+        attr_reader :result_sets
+
+        def self.parse(polar, partials, class_name)
+          types = polar.host.serialize_types
+          parsed_json = polar.ffi.build_filter_plan(types, partials, 'resource', class_name)
+          result_sets = parsed_json['result_sets'].map do |rset|
+            ResultSet.parse polar, rset
+          end
+
+          new polar: polar, result_sets: result_sets
+        end
+
+        def initialize(polar:, result_sets:)
+          @polar = polar
+          @result_sets = result_sets
+        end
+
+        def build_query # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
+          combine = nil
+          result_sets.each_with_object([]) do |rs, qb|
+            rs.resolve_order.each_with_object({}) do |i, set_results|
+              req = rs.requests[i]
+              cs = req.constraints.each { |c| c.ground set_results }
+              typ = @polar.host.types[req.class_tag]
+              q = typ.build_query[cs]
+              if i != rs.result_id
+                set_results[i] = typ.exec_query[q]
+              else
+                combine = typ.combine_query
+                qb.push q
+              end
+            end
+          end.reduce(&combine)
+        end
+
+        # Represents a sequence of filters for one set of results
+        class ResultSet
+          attr_reader :requests, :resolve_order, :result_id
+
+          def self.parse(polar, parsed_json)
+            resolve_order = parsed_json['resolve_order']
+            result_id = parsed_json['result_id']
+            requests = parsed_json['requests'].each_with_object({}) do |req, reqs|
+              reqs[req[0].to_i] = Request.parse(polar, req[1])
+            end
+
+            new resolve_order: resolve_order, result_id: result_id, requests: requests
+          end
+
+          def initialize(requests:, resolve_order:, result_id:)
+            @resolve_order = resolve_order
+            @requests = requests
+            @result_id = result_id
+          end
+        end
+
+        # Represents a filter for a result set
+        class Request
+          attr_reader :constraints, :class_tag
+
+          def self.parse(polar, parsed_json)
+            constraints = parsed_json['constraints'].map do |con|
+              Filter.parse polar, con
+            end
+            class_tag = parsed_json['class_tag']
+
+            new(constraints: constraints, class_tag: class_tag)
+          end
+
+          def initialize(constraints:, class_tag:)
+            @constraints = constraints
+            @class_tag = class_tag
+          end
+        end
+      end
+
+      # Represents relationships between resources, eg. one-one or one-many
+      class Relation
+        attr_reader :kind, :other_type, :my_field, :other_field
+
+        # Describe a Relation from one type to another.
+        # @param kind [String] The type of relation, either "one" or "many"
+        # @param other_type The name or class object of the related type
+        # @param my_field The field on this type that matches +other_type+
+        # @param other_field The field on +other_type+ that matches this type
+        def initialize(kind:, other_type:, my_field:, other_field:)
+          @kind = kind
+          @other_type = other_type
+          @my_field = my_field
+          @other_field = other_field
+        end
+      end
+
+      # Represents field-field relationships on one resource.
+      class Field
+        attr_reader :field
+
+        def initialize(field:)
+          @field = field
+        end
+      end
+
+      # Represents field-field relationships on different resources.
+      class Ref
+        attr_reader :field, :result_id
+
+        def initialize(field:, result_id:)
+          @field = field
+          @result_id = result_id
+        end
+      end
+
+      # Represents a condition that must hold on a resource.
+      class Filter
+        attr_reader :kind, :field, :value
+
+        CHECKS = {
+          'Eq' => ->(a, b) { a == b },
+          'In' => ->(a, b) { b.include? a },
+          'Neq' => ->(a, b) { a != b },
+          'Contains' => ->(a, b) { a.include? b }
+        }.freeze
+
+        # Create a new predicate for data filtering.
+        # @param kind [String] Represents a condition. One of "Eq", "Neq", "In", "Contains".
+        # @param field The field the condition applies to.
+        # @param value The value with which to compare the field according to the condition.
+        def initialize(kind:, field:, value:)
+          @kind = kind
+          @field = field
+          @value = value
+          @check = CHECKS[kind]
+          raise "Unknown constraint kind `#{kind}`" if @check.nil?
+        end
+
+        def ground(results)
+          return unless value.is_a? Ref
+
+          ref = value
+          @value = results[ref.result_id]
+          @value = value.map { |v| v.send ref.field } unless ref.field.nil?
+        end
+
+        def check(item)
+          val = value.is_a?(Field) ? item.send(value.field) : value
+          item = field.nil? ? item : item.send(field)
+          @check[item, val]
+        end
+
+        def self.parse(polar, constraint) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+          kind = constraint['kind']
+          field = constraint['field']
+          value = constraint['value']
+
+          value_kind = value.keys.first
+          value = value[value_kind]
+
+          case value_kind
+          when 'Term'
+            value = polar.host.to_ruby value
+          when 'Ref'
+            child_field = value['field']
+            result_id = value['result_id']
+            value = Ref.new field: child_field, result_id: result_id
+          when 'Field'
+            value = Field.new field: value
+          else
+            raise "Unknown value kind `#{value_kind}`"
+          end
+
+          new kind: kind, field: field, value: value
+        end
+      end
+    end
+  end
+end

data/lib/oso/polar/errors.rb

@@ -3,7 +3,7 @@
 module Oso
   module Polar
     # Base error type for Oso::Polar.
-    class Error < ::RuntimeError
+    class Error < ::Oso::Error
       attr_reader :stack_trace
 
       # @param message [String]
@@ -68,7 +68,7 @@ module Oso
       end
     end
     class DuplicateClassAliasError < PolarRuntimeError # rubocop:disable Style/Documentation
-      # @param as [String]
+      # @param name [String]
       # @param old [Class]
       # @param new [Class]
       def initialize(name:, old:, new:)
@@ -101,7 +101,6 @@ module Oso
     class ParameterError < ApiError; end
 
     class ValidationError < Error; end
-    class RolesValidationError < Error; end
 
     UNEXPECTED_EXPRESSION_MESSAGE = <<~MSG
       Received Expression from Polar VM. The Expression type is not yet supported in this language.

data/lib/oso/polar/ffi/error.rb

@@ -56,7 +56,7 @@ module Oso
             operational_error(subkind, msg: msg, details: details)
           when 'Parameter'
             api_error(subkind, msg: msg, details: details)
-          when 'RolesValidation'
+          when 'Validation'
             validation_error(msg, details: details)
           end
         end
@@ -146,7 +146,7 @@ module Oso
         # @return [::Oso::Polar::ValidationError] the object converted into the expected format.
         private_class_method def self.validation_error(msg, details:)
           # This is currently the only type of validation error.
-          ::Oso::Polar::RolesValidationError.new(msg, details: details)
+          ::Oso::Polar::ValidationError.new(msg, details: details)
         end
       end
     end