oso-oso 0.25.0 → 0.26.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c65ea3a330a9a56b2ac4e58594e379409f6a4617
-  data.tar.gz: 51cbba24a5b9f529df29a059f1cfe0230c50d36a
+  metadata.gz: cf0c10b0c91583c11a50068bb59f33c7c44146c1
+  data.tar.gz: c115ab372e3b70dc4dfa36ad7c2466fe4129aaf7
 SHA512:
-  metadata.gz: 324927c416971e4a1b8baa5eebb19b1c155b0f66607277ca416482d1e2e588ed44efe8a05824cf939fe85bb13b8bbf400769c1f979b0bdf5865b8630123c4d53
-  data.tar.gz: 4437ddc46fbcf28ade62f9537fcdb180cea4b7ceb11c065bb94ed9e3868c61276dbd9e9e107d7d61a4dc25e40d7ef52551bdb493a36b7a27f63e9a2c70dc157f
+  metadata.gz: 3baf118cf112eb427e2b369bbd064eca8e239a4f6c5a864ec13b81615160845d68c7db7d4bb40df4e35e771b4a30022e3fe34681263e6c53972eedebb95a6c7e
+  data.tar.gz: 16ea938c4230e2c6942831d263ebf9b0016fba9265a8a098aec557c2d2ba052aa5133c3eb3bc084d27f3375bc6777ba1cd5e7f0b788f9874bc11c671e3caf6e7

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.25.0)
+    oso-oso (0.26.1)
       ffi (~> 1.0)
 
 GEM

data/lib/oso/oso.rb

@@ -182,16 +182,7 @@ module Oso
     #
     # @return A query for resources accessible to the actor.
     def authorized_query(actor, action, resource_cls)
-      if host.use_new_data_filtering?
-
-        unless host.types[resource_cls].build_query == ::Oso::Polar::Host::DEFAULT_BUILD_QUERY
-          warn 'Warning: redundant data filtering configuration detected'
-        end
-
-        new_authorized_query(actor, action, resource_cls)
-      else
-        old_authorized_query(actor, action, resource_cls)
-      end
+      new_authorized_query(actor, action, resource_cls)
     end
 
     # Determine the resources of type +resource_cls+ that +actor+
@@ -203,25 +194,7 @@ module Oso
     #
     # @return A list of resources accessible to the actor.
     def authorized_resources(actor, action, resource_cls)
-      q = authorized_query(actor, action, resource_cls)
-
-      if host.use_new_data_filtering?
-        host.adapter.execute_query q
-      elsif q.nil?
-        []
-      else
-        host.types[resource_cls].exec_query[q]
-      end
-    end
-
-    # Register default values for data filtering query functions.
-    # These can be overridden by passing specific implementations to
-    # `register_class` or by defining `build_query`, `exec_query` and
-    # `combine_query` methods on the class object.
-    def set_data_filtering_query_defaults(build_query: nil, exec_query: nil, combine_query: nil)
-      host.build_query = build_query if build_query
-      host.exec_query = exec_query if exec_query
-      host.combine_query = combine_query if combine_query
+      host.adapter.execute_query authorized_query(actor, action, resource_cls)
     end
 
     def data_filtering_adapter=(adapter)

data/lib/oso/polar/data_filtering.rb

@@ -4,110 +4,6 @@ module Oso
   module Polar
     # Data filtering interface for Ruby
     module DataFiltering
-      GETATTR = ->(x, attr) { attr.nil? ? x : x.send(attr) }
-      # Represents a set of filter sequences that should allow the host
-      # to obtain the records satisfying a query.
-      class FilterPlan
-        attr_reader :result_sets
-
-        def self.parse(polar, partials, class_name)
-          types = polar.host.serialize_types
-          parsed_json = polar.ffi.build_filter_plan(types, partials, 'resource', class_name)
-          result_sets = parsed_json['result_sets'].map do |rset|
-            ResultSet.parse polar, rset
-          end
-
-          new polar: polar, result_sets: result_sets
-        end
-
-        def initialize(polar:, result_sets:)
-          @polar = polar
-          @result_sets = result_sets
-        end
-
-        def build_query # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
-          combine = nil
-          result_sets.each_with_object([]) do |rs, qb|
-            rs.resolve_order.each_with_object({}) do |i, set_results|
-              req = rs.requests[i]
-              cs = req.ground(set_results)
-              typ = @polar.host.types[req.class_tag]
-              q = typ.build_query[cs]
-              if i != rs.result_id
-                set_results[i] = typ.exec_query[q]
-              else
-                combine = typ.combine_query
-                qb.push q
-              end
-            end
-          end.reduce(&combine)
-        end
-
-        # Represents a sequence of filters for one set of results
-        class ResultSet
-          attr_reader :requests, :resolve_order, :result_id
-
-          def self.parse(polar, parsed_json)
-            resolve_order = parsed_json['resolve_order']
-            result_id = parsed_json['result_id']
-            requests = parsed_json['requests'].each_with_object({}) do |req, reqs|
-              reqs[req[0].to_i] = Request.parse(polar, req[1])
-            end
-
-            new resolve_order: resolve_order, result_id: result_id, requests: requests
-          end
-
-          def initialize(requests:, resolve_order:, result_id:)
-            @resolve_order = resolve_order
-            @requests = requests
-            @result_id = result_id
-          end
-        end
-
-        # Represents a filter for a result set
-        class Request
-          attr_reader :constraints, :class_tag
-
-          def self.parse(polar, parsed_json)
-            @polar = polar
-            constraints = parsed_json['constraints'].map do |con|
-              Filter.parse polar, con
-            end
-            class_tag = parsed_json['class_tag']
-
-            new(constraints: constraints, class_tag: class_tag)
-          end
-
-          def ground(results) # rubocop:disable Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/PerceivedComplexity
-            xrefs, rest = constraints.partition do |c|
-              c.value.is_a?(Ref) and !c.value.result_id.nil?
-            end
-
-            yrefs, nrefs = xrefs.partition { |r| %w[In Eq].include? r.kind }
-            [[yrefs, 'In'], [nrefs, 'Nin']].each do |refs, kind|
-              refs.group_by { |f| f.value.result_id }.each do |rid, fils|
-                if fils.length > 1
-                  value = results[rid].map { |r| fils.map { |f| GETATTR[r, f.value.field] } }
-                  field = fils.map(&:field)
-                  rest.push(Filter.new(kind: kind, value: value, field: field))
-                else
-                  fil = fils[0]
-                  field = fil.value.field
-                  value = results[rid].map { |r| field.nil? ? r : r.send(field) }
-                  rest.push(Filter.new(kind: kind, field: fil.field, value: value))
-                end
-              end
-            end
-            rest
-          end
-
-          def initialize(constraints:, class_tag:)
-            @constraints = constraints
-            @class_tag = class_tag
-          end
-        end
-      end
-
       # Represents relationships between resources, eg. one-one or one-many
       class Relation
         attr_reader :kind, :other_type, :my_field, :other_field
@@ -124,92 +20,6 @@ module Oso
           @other_field = other_field
         end
       end
-
-      # Represents field-field relationships on one resource.
-      class Field
-        attr_reader :field
-
-        def initialize(field:)
-          @field = field
-        end
-      end
-
-      # Represents field-field relationships on different resources.
-      class Ref
-        attr_reader :field, :result_id
-
-        def initialize(field:, result_id:)
-          @field = field
-          @result_id = result_id
-        end
-      end
-
-      # Represents a condition that must hold on a resource.
-      class Filter
-        attr_reader :kind, :field, :value
-
-        CHECKS = {
-          'Eq' => ->(a, b) { a == b },
-          'In' => ->(a, b) { b.include? a },
-          'Neq' => ->(a, b) { a != b },
-          'Nin' => ->(a, b) { !b.include?(a) },
-          'Contains' => ->(a, b) { a.include? b }
-        }.freeze
-
-        # Create a new predicate for data filtering.
-        # @param kind [String] Represents a condition. One of "Eq", "Neq", "In", "Contains".
-        # @param field The field the condition applies to.
-        # @param value The value with which to compare the field according to the condition.
-        def initialize(kind:, field:, value:)
-          @kind = kind
-          @field = field
-          @value = value
-        end
-
-        def ground(results)
-          return unless value.is_a? Ref
-
-          ref = value
-          @value = results[ref.result_id]
-          @value = value.map { |v| v.send ref.field } unless ref.field.nil?
-        end
-
-        def check(item) # rubocop:disable Metrics/AbcSize
-          val = value.is_a?(Field) ? item.send(value.field) : value
-          item = if field.nil?
-                   item
-                 elsif field.is_a? Array
-                   field.map { |f| GETATTR[item, f] }
-                 else
-                   item.send field
-                 end
-          CHECKS[@kind][item, val]
-        end
-
-        def self.parse(polar, constraint) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
-          kind = constraint['kind']
-          field = constraint['field']
-          value = constraint['value']
-
-          value_kind = value.keys.first
-          value = value[value_kind]
-
-          case value_kind
-          when 'Term'
-            value = polar.host.to_ruby value
-          when 'Ref'
-            child_field = value['field']
-            result_id = value['result_id']
-            value = Ref.new field: child_field, result_id: result_id
-          when 'Field'
-            value = Field.new field: value
-          else
-            raise "Unknown value kind `#{value_kind}`"
-          end
-
-          new kind: kind, field: field, value: value
-        end
-      end
     end
   end
 end

data/lib/oso/polar/errors.rb

@@ -96,6 +96,7 @@ module Oso
 
     class ValidationError < Error; end
 
+    # @!visibility private
     UNEXPECTED_EXPRESSION_MESSAGE = <<~MSG
       Received Expression from Polar VM. The Expression type is not yet supported in this language.
 

data/lib/oso/polar/host.rb

@@ -319,17 +319,24 @@ module Oso
                   end
                 else
                   instance_id = nil
-                  instance_id = types[value].id if value.is_a?(Class) && types.key?(value)
-
-                  # only pass class_repr for registered types
+                  class_id = nil
                   class_repr = nil
-                  class_repr = value.class.to_s if types.key?(value.class)
+                  # id=class_id,
+
+                  # pass `class_id` & `class_repr` for registered types
+                  if value.is_a?(Class) && types.key?(value)
+                    instance_id = class_id = types[value].id
+                  elsif types.key?(value.class)
+                    class_id = types[value.class].id
+                    class_repr = types[value.class].name
+                  end
 
                   {
                     'ExternalInstance' => {
                       'instance_id' => cache_instance(value, id: instance_id),
                       'repr' => nil,
-                      'class_repr' => class_repr
+                      'class_repr' => class_repr,
+                      'class_id' => class_id
                     }
                   }
                 end
@@ -407,10 +414,6 @@ module Oso
           get_instance(Regexp.last_match[1].to_i).to_s
         end
       end
-
-      def use_new_data_filtering?
-        !adapter.nil?
-      end
     end
   end
 end

data/lib/oso/polar/polar.rb

@@ -217,6 +217,7 @@ module Oso
           exec_query: exec_query || maybe_mtd(cls, :exec_query)
         )
         register_constant(cls, name: name)
+        host.register_mros
       end
 
       # Register a Ruby object with Polar.
@@ -277,13 +278,6 @@ module Oso
         host.adapter.build_query filter
       end
 
-      def old_authorized_query(actor, action, resource_cls)
-        results = partial_query(actor, action, resource_cls)
-        ::Oso::Polar::DataFiltering::FilterPlan
-          .parse(self, results, class_to_name(resource_cls))
-          .build_query
-      end
-
       # handle Isa constraints in a partial query
       def prefilter_isas(key, val) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
         # this will usually be the case! sometimes not, if it's an instance.
@@ -343,7 +337,6 @@ module Oso
       # Register MROs, load Polar code, and check inline queries.
       # @param sources [Array<Source>] Polar sources to load.
       def load_sources(sources)
-        host.register_mros
         ffi_polar.load(sources)
         check_inline_queries
       end

data/lib/oso/polar/query.rb

@@ -245,31 +245,22 @@ module Oso
       def handle_relationship(call_id, instance, rel) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
         typ = host.types[rel.other_type]
 
-        if host.use_new_data_filtering?
-          cls = typ.klass.get
-
-          condition = ::Oso::Polar::Data::Filter::Condition.new(
-            ::Oso::Polar::Data::Filter::Projection.new(cls, rel.other_field),
-            'Eq',
-            instance.send(rel.my_field)
-          )
-
-          filter = ::Oso::Polar::Data::Filter.new(
-            model: cls,
-            relations: [],
-            conditions: [[condition]],
-            types: host.types
-          )
-
-          res = host.adapter.execute_query host.adapter.build_query(filter)
-        else
-          constraint = ::Oso::Polar::DataFiltering::Filter.new(
-            kind: 'Eq',
-            field: rel.other_field,
-            value: instance.send(rel.my_field)
-          )
-          res = typ.exec_query[typ.build_query[[constraint]]]
-        end
+        cls = typ.klass.get
+
+        condition = ::Oso::Polar::Data::Filter::Condition.new(
+          ::Oso::Polar::Data::Filter::Projection.new(cls, rel.other_field),
+          'Eq',
+          instance.send(rel.my_field)
+        )
+
+        filter = ::Oso::Polar::Data::Filter.new(
+          model: cls,
+          relations: [],
+          conditions: [[condition]],
+          types: host.types
+        )
+
+        res = host.adapter.execute_query host.adapter.build_query(filter)
 
         if rel.kind == 'one'
           raise "multiple parents: #{res}" unless res.length == 1

data/lib/oso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Oso
-  VERSION = '0.25.0'
+  VERSION = '0.26.1'
 end

data/lib/oso.rb

@@ -8,7 +8,6 @@ require 'oso/version'
 # Top-level namespace for Oso authorization library.
 module Oso
   Relation = ::Oso::Polar::DataFiltering::Relation
-  Filter = ::Oso::Polar::DataFiltering::Filter
 
   def self.new(not_found_error: NotFoundError, forbidden_error: ForbiddenError, read_action: 'read')
     ::Oso::Oso.new(not_found_error: not_found_error, forbidden_error: forbidden_error, read_action: read_action)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oso-oso
 version: !ruby/object:Gem::Version
-  version: 0.25.0
+  version: 0.26.1
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-12-21 00:00:00.000000000 Z
+date: 2022-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi