oso-oso 0.20.1.pre.beta → 0.22.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7a6c6bd2d2fb38245a5103c0153f943f51060c90
-  data.tar.gz: 33dcb41c1c6bd0aeeec56d88391e1e80a66b6061
+  metadata.gz: 654992655445b1208dd37d8346e2bc969c75a883
+  data.tar.gz: 67f729e79b4ea0912f23141134e0543b7cca023a
 SHA512:
-  metadata.gz: 5c025329ad3a4eff57b2cf5e7d5ca8430ef825ee287111690f06439a7c6f623068048d27ea70358af8ffb8f9d935b926cdecf54baa848f95da9ebaa23b0c0e39
-  data.tar.gz: 2c4a4114eafb5887805a7b92015f466296ae9eaaa4ffe19f1cc60d4f2ec59b6b580ff80ebe60143e639d7f606d79f343c89e3fdd7e7a52789939af9716b9b2c3
+  metadata.gz: 000e0208a70ac3bcb967a3ee7ad2ecf2d89bcdb03a36abfadf89fbf5ab8da3e5f20b5209d9061d4c0f8a0e8c9cb4eec0723696771824e4866f3e6ac4d07734f8
+  data.tar.gz: a73f3e21418f3a3445bdcff2e81a50a36cc6d57bec0e5467c9ae7d4e77220924f1a96bd818d52dc3bfebc9ffc780c5ab6463c18df0ff55774fd5325966472a5f

data/.gitignore

@@ -7,7 +7,7 @@
 /spec/reports/
 /tmp/
 vendor
-active_record_test.db
+*test.db
 
 # rspec failure tracking
 .rspec_status

data/.rubocop.yml

@@ -5,3 +5,6 @@ AllCops:
     - "bin/oso"
     - "vendor/**/*"
   NewCops: enable
+Naming/FileName:
+  Exclude:
+    - "lib/oso-oso.rb"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.20.1.pre.beta)
+    oso-oso (0.22.1)
       ffi (~> 1.0)
 
 GEM
@@ -116,4 +116,4 @@ DEPENDENCIES
   yard (~> 0.9.25)
 
 BUNDLED WITH
-   2.2.15
+   2.2.4

data/lib/oso/oso.rb

@@ -173,14 +173,14 @@ module Oso
       fields
     end
 
-    # Returns a query for resources of type +cls+ that +actor+  is allowed
-    # to perform +action+ on.
+    # Create a query for resources of type +cls+ that +actor+ is
+    # allowed to perform +action+ on.
     #
     # @param actor The actor whose permissions to check.
     # @param action The action being taken on the resource.
     # @param resource_cls The resource being accessed.
     #
-    # @returns A query for resources accessible to the actor.
+    # @return A query for resources accessible to the actor.
     def authorized_query(actor, action, resource_cls) # rubocop:disable Metrics/MethodLength
       resource = Polar::Variable.new 'resource'
 
@@ -204,19 +204,29 @@ module Oso
         .build_query
     end
 
-    # Returns the resources of type +resource_cls+ that +actor+  is allowed
-    # to perform +action+ on.
+    # Determine the resources of type +resource_cls+ that +actor+
+    # is allowed to perform +action+ on.
     #
     # @param actor The actor whose permissions to check.
     # @param action The action being taken on the resource.
     # @param resource_cls The resource being accessed.
     #
-    # @returns A list of resources accessible to the actor.
+    # @return A list of resources accessible to the actor.
     def authorized_resources(actor, action, resource_cls)
       q = authorized_query actor, action, resource_cls
       return [] if q.nil?
 
       host.types[get_class_name resource_cls].exec_query[q]
     end
+
+    # Register default values for data filtering query functions.
+    # These can be overridden by passing specific implementations to
+    # `register_class` or by defining `build_query`, `exec_query` and
+    # `combine_query` methods on the class object.
+    def set_data_filtering_query_defaults(build_query: nil, exec_query: nil, combine_query: nil)
+      host.build_query = build_query if build_query
+      host.exec_query = exec_query if exec_query
+      host.combine_query = combine_query if combine_query
+    end
   end
 end

data/lib/oso/polar/data_filtering.rb

@@ -4,6 +4,7 @@ module Oso
   module Polar
     # Data filtering interface for Ruby
     module DataFiltering
+      GETATTR = ->(x, attr) { attr.nil? ? x : x.send(attr) }
       # Represents a set of filter sequences that should allow the host
       # to obtain the records satisfying a query.
       class FilterPlan
@@ -29,7 +30,7 @@ module Oso
           result_sets.each_with_object([]) do |rs, qb|
             rs.resolve_order.each_with_object({}) do |i, set_results|
               req = rs.requests[i]
-              cs = req.constraints.each { |c| c.ground set_results }
+              cs = req.ground(set_results)
               typ = @polar.host.types[req.class_tag]
               q = typ.build_query[cs]
               if i != rs.result_id
@@ -68,6 +69,7 @@ module Oso
           attr_reader :constraints, :class_tag
 
           def self.parse(polar, parsed_json)
+            @polar = polar
             constraints = parsed_json['constraints'].map do |con|
               Filter.parse polar, con
             end
@@ -76,6 +78,29 @@ module Oso
             new(constraints: constraints, class_tag: class_tag)
           end
 
+          def ground(results) # rubocop:disable Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/PerceivedComplexity
+            xrefs, rest = constraints.partition do |c|
+              c.value.is_a?(Ref) and !c.value.result_id.nil?
+            end
+
+            yrefs, nrefs = xrefs.partition { |r| %w[In Eq].include? r.kind }
+            [[yrefs, 'In'], [nrefs, 'Nin']].each do |refs, kind|
+              refs.group_by { |f| f.value.result_id }.each do |rid, fils|
+                if fils.length > 1
+                  value = results[rid].map { |r| fils.map { |f| GETATTR[r, f.value.field] } }
+                  field = fils.map(&:field)
+                  rest.push(Filter.new(kind: kind, value: value, field: field))
+                else
+                  fil = fils[0]
+                  field = fil.value.field
+                  value = results[rid].map { |r| field.nil? ? r : r.send(field) }
+                  rest.push(Filter.new(kind: kind, field: fil.field, value: value))
+                end
+              end
+            end
+            rest
+          end
+
           def initialize(constraints:, class_tag:)
             @constraints = constraints
             @class_tag = class_tag
@@ -87,6 +112,11 @@ module Oso
       class Relation
         attr_reader :kind, :other_type, :my_field, :other_field
 
+        # Describe a Relation from one type to another.
+        # @param kind [String] The type of relation, either "one" or "many"
+        # @param other_type The name or class object of the related type
+        # @param my_field The field on this type that matches +other_type+
+        # @param other_field The field on +other_type+ that matches this type
         def initialize(kind:, other_type:, my_field:, other_field:)
           @kind = kind
           @other_type = other_type
@@ -122,15 +152,18 @@ module Oso
           'Eq' => ->(a, b) { a == b },
           'In' => ->(a, b) { b.include? a },
           'Neq' => ->(a, b) { a != b },
+          'Nin' => ->(a, b) { !b.include?(a) },
           'Contains' => ->(a, b) { a.include? b }
         }.freeze
 
+        # Create a new predicate for data filtering.
+        # @param kind [String] Represents a condition. One of "Eq", "Neq", "In", "Contains".
+        # @param field The field the condition applies to.
+        # @param value The value with which to compare the field according to the condition.
         def initialize(kind:, field:, value:)
           @kind = kind
           @field = field
           @value = value
-          @check = CHECKS[kind]
-          raise "Unknown constraint kind `#{kind}`" if @check.nil?
         end
 
         def ground(results)
@@ -141,10 +174,16 @@ module Oso
           @value = value.map { |v| v.send ref.field } unless ref.field.nil?
         end
 
-        def check(item)
+        def check(item) # rubocop:disable Metrics/AbcSize
           val = value.is_a?(Field) ? item.send(value.field) : value
-          item = field.nil? ? item : item.send(field)
-          @check[item, val]
+          item = if field.nil?
+                   item
+                 elsif field.is_a? Array
+                   field.map { |f| GETATTR[item, f] }
+                 else
+                   item.send field
+                 end
+          CHECKS[@kind][item, val]
         end
 
         def self.parse(polar, constraint) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength

data/lib/oso/polar/host.rb

@@ -67,12 +67,20 @@ module Oso
       public
 
       attr_writer :accept_expression
+      attr_accessor :build_query, :combine_query, :exec_query
+
+      DEFAULT_COMBINE_QUERY = proc { raise 'implement combine_query to use data filtering' }
+      DEFAULT_BUILD_QUERY = proc { raise 'implement build_query to use data filtering' }
+      DEFAULT_EXEC_QUERY = proc { raise 'implement exec_query to use data filtering' }
 
       def initialize(ffi_polar)
         @ffi_polar = ffi_polar
         @types = {}
         @instances = {}
         @accept_expression = false
+        @combine_query = DEFAULT_COMBINE_QUERY
+        @build_query = DEFAULT_BUILD_QUERY
+        @exec_query = DEFAULT_EXEC_QUERY
       end
 
       def initialize_copy(other)
@@ -107,9 +115,9 @@ module Oso
           klass: PolarClass.new(cls),
           id: cache_instance(cls),
           fields: fields || {},
-          combine_query: combine_query,
-          exec_query: exec_query,
-          build_query: build_query
+          combine_query: combine_query || self.combine_query,
+          exec_query: exec_query || self.exec_query,
+          build_query: build_query || self.build_query
         )
         name
       end

data/lib/oso/polar/polar.rb

@@ -136,12 +136,12 @@ module Oso
       # @return [self] for chaining.
       #
       # @deprecated {#load_file} has been deprecated in favor of {#load_files}
-      #   as of the 0.20.0 release. Please see changelog for migration
+      #   as of the 0.20 release. Please see changelog for migration
       #   instructions:
       #   https://docs.osohq.com/project/changelogs/2021-09-15.html
       def load_file(filename)
         warn <<~WARNING
-          `Oso#load_file` has been deprecated in favor of `Oso#load_files` as of the 0.20.0 release.
+          `Oso#load_file` has been deprecated in favor of `Oso#load_files` as of the 0.20 release.
 
           Please see changelog for migration instructions: https://docs.osohq.com/project/changelogs/2021-09-15.html
         WARNING
@@ -211,6 +211,10 @@ module Oso
       #
       # @param cls [Class] the class to register.
       # @param name [String] the name to register the class as. Defaults to the name of the class.
+      # @param fields [Hash] a map from field names on instances of +cls+ to types, or Relation objects.
+      # @param build_query [Proc] a method to produce a query for +cls+ objects, given a list of Filters.
+      # @param exec_query [Proc] a method to execute a query produced by +build_query+
+      # @param combine_query [Proc] a method to merge two queries produced by +build_query+
       # @raise [DuplicateClassAliasError] if attempting to register a class
       # under a previously-registered name.
       # @raise [FFI::Error] if the FFI call returns an error.

data/lib/oso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Oso
-  VERSION = '0.20.1-beta'
+  VERSION = '0.22.1'
 end

data/lib/oso-oso.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative './oso'

data/lib/oso.rb

@@ -7,6 +7,9 @@ require 'oso/version'
 
 # Top-level namespace for Oso authorization library.
 module Oso
+  Relation = ::Oso::Polar::DataFiltering::Relation
+  Filter = ::Oso::Polar::DataFiltering::Filter
+
   def self.new(not_found_error: NotFoundError, forbidden_error: ForbiddenError, read_action: 'read')
     ::Oso::Oso.new(not_found_error: not_found_error, forbidden_error: forbidden_error, read_action: read_action)
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oso-oso
 version: !ruby/object:Gem::Version
-  version: 0.20.1.pre.beta
+  version: 0.22.1
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-09-10 00:00:00.000000000 Z
+date: 2021-11-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -157,6 +157,7 @@ files:
 - ext/oso-oso/lib/libpolar.dylib
 - ext/oso-oso/lib/libpolar.so
 - ext/oso-oso/lib/polar.dll
+- lib/oso-oso.rb
 - lib/oso.rb
 - lib/oso/errors.rb
 - lib/oso/oso.rb
@@ -197,9 +198,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.6.14.4