oso-oso 0.13.1 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ab6ed22597c52c4a77ff24aa6455492ba9cf7ed7
-  data.tar.gz: 3aaa0186592b86e63d9a2dcb2976f03154e0dcda
+  metadata.gz: e2aee8d8308beb5cb906dff373ef43f8a90c5d3f
+  data.tar.gz: a121f6f4b7534f53934f49aab4e634cbbbe7f0db
 SHA512:
-  metadata.gz: 9e7ce6bbf44da47f40c4cc5b53fab5d17870125dd5eed7443be858d9f8e0adb98fcce7799eb7fb404c867d3e10fdb5522b52d69ebc5ac6ffa280f11ad56a9623
-  data.tar.gz: d032a1742948a1f21f8fd19576aaf99479ef534a2247bac4e7a13e9f2910292a0b74eed56cef67deece467e2ae85ba6dc31df6b3a0d2761618703647895ae19a
+  metadata.gz: 6cb9212a01eaa50005a5d3923632741cfbbfff8c28c42a3c7f30b2cf6bf6aeba58fbe4f4c87ff3ccb43deb21dfd2db6e3f95ce7aded5996fe2eb6cb74d5de162
+  data.tar.gz: ef8ec9735a3aba0c18d9da63ea0fda8b36e1d6c6cd3306611b1b126d6587f1381b2e558680058c4c926ed9d736b7fa21c96f92ae179b0df485d24ea3bd1c1791

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.13.1)
+    oso-oso (0.14.0)
       ffi (~> 1.0)
 
 GEM

data/lib/oso/polar.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
 require 'oso/polar/errors'
+require 'oso/polar/expression'
 require 'oso/polar/ffi'
 require 'oso/polar/host'
+require 'oso/polar/pattern'
 require 'oso/polar/polar'
 require 'oso/polar/predicate'
 require 'oso/polar/query'

data/lib/oso/polar/errors.rb

@@ -100,8 +100,11 @@ module Oso
     class ApiError < Error; end
     class ParameterError < ApiError; end
 
+    class ValidationError < Error; end
+    class RolesValidationError < Error; end
+
     UNEXPECTED_EXPRESSION_MESSAGE = <<~MSG
-      Recieved Expression from Polar VM. The Expression type is not yet supported in this language.
+      Received Expression from Polar VM. The Expression type is not yet supported in this language.
 
       This may mean you performed an operation in your policy over an unbound variable.
     MSG

data/lib/oso/polar/expression.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Polar expression.
+    class Expression
+      attr_reader :operator, :args
+
+      # @param operator [String]
+      # @param args [Array<Object>]
+      def initialize(operator, args)
+        @operator = operator
+        @args = args
+      end
+
+      # @param other [Expression]
+      # @return [Boolean]
+      def ==(other)
+        operator == other.operator && args == other.args
+      end
+
+      # @see #==
+      alias eql? ==
+    end
+  end
+end

data/lib/oso/polar/ffi/error.rb

@@ -24,14 +24,22 @@ module Oso
         #
         # @return [::Oso::Polar::Error] if there's an FFI error.
         # @return [::Oso::Polar::FFIErrorNotFound] if there isn't one.
-        def self.get # rubocop:disable Metrics/MethodLength
+        def self.get # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength
           error = Rust.get
           return ::Oso::Polar::FFIErrorNotFound if error.null?
 
           error = JSON.parse(error.to_s)
           msg = error['formatted']
           kind, body = error['kind'].first
-          subkind, details = body.first
+
+          # Not all errors have subkind and details.
+          # TODO (gj): This bug may exist in other libraries.
+          if body.is_a? Hash
+            subkind, details = body.first
+          else
+            subkind, details = nil
+          end
+
           case kind
           when 'Parse'
             parse_error(subkind, msg: msg, details: details)
@@ -41,6 +49,8 @@ module Oso
             operational_error(subkind, msg: msg, details: details)
           when 'Parameter'
             api_error(subkind, msg: msg, details: details)
+          when 'RolesValidation'
+            validation_error(msg, details: details)
           end
         end
 
@@ -121,6 +131,16 @@ module Oso
             ::Oso::Polar::ApiError.new(msg, details: details)
           end
         end
+
+        # Map FFI Validation errors into Ruby exceptions.
+        #
+        # @param msg [String]
+        # @param details [Hash<String, Object>]
+        # @return [::Oso::Polar::ValidationError] the object converted into the expected format.
+        private_class_method def self.validation_error(msg, details:)
+          # This is currently the only type of validation error.
+          ::Oso::Polar::RolesValidationError.new(msg, details: details)
+        end
       end
     end
   end

data/lib/oso/polar/ffi/polar.rb

@@ -12,6 +12,8 @@ module Oso
           ffi_lib FFI::LIB_PATH
 
           attach_function :new, :polar_new, [], FFI::Polar
+          attach_function :enable_roles, :polar_enable_roles, [FFI::Polar], :int32
+          attach_function :validate_roles_config, :polar_validate_roles_config, [FFI::Polar, :string], :int32
           attach_function :load, :polar_load, [FFI::Polar, :string, :string], :int32
           attach_function :clear_rules, :polar_clear_rules, [FFI::Polar], :int32
           attach_function :next_inline_query, :polar_next_inline_query, [FFI::Polar, :uint32], FFI::Query
@@ -33,6 +35,20 @@ module Oso
           polar
         end
 
+        # @raise [FFI::Error] if the FFI call returns an error.
+        def enable_roles
+          result = Rust.enable_roles(self)
+          process_messages
+          raise FFI::Error.get if result.zero?
+        end
+
+        # @raise [FFI::Error] if the FFI call returns an error.
+        def validate_roles_config(config)
+          result = Rust.validate_roles_config(self, JSON.dump(config))
+          process_messages
+          raise FFI::Error.get if result.zero?
+        end
+
         # @param src [String]
         # @param filename [String]
         # @raise [FFI::Error] if the FFI call returns an error.

data/lib/oso/polar/host.rb

@@ -2,6 +2,38 @@
 
 module Oso
   module Polar
+    # Ruby code reloaders (i.e. the one used by rails) swap out the value of
+    # a constant on code changes. Because of this, we can't reliably call
+    # `is_a?` on the constant that was passed to `register_class`.
+    #
+    # Example (where Foo is a class defined in foo.rb):
+    #   > klass = Foo
+    #   > Foo.new.is_a? klass
+    #     => true
+    #   > ... user changes foo.rb ...
+    #   > Foo.new.is_a? klass
+    #     => false
+    #
+    # To solve this, when we need to access the class (e.g. during isa), we
+    # look it up using const_get, which will always return the up-to-date
+    # version of the class.
+    class PolarClass
+      attr_reader :name, :anon_class
+
+      def initialize(klass)
+        @name = klass.name
+        # If the class doesn't have a name, it is anonymous, meaning we should
+        # actually store it directly
+        @anon_class = klass if klass.name.nil?
+      end
+
+      def get
+        return anon_class if anon_class
+
+        Object.const_get(name)
+      end
+    end
+
     # Translate between Polar and the host language (Ruby).
     class Host # rubocop:disable Metrics/ClassLength
       protected
@@ -12,13 +44,18 @@ module Oso
       attr_reader :classes
       # @return [Hash<Integer, Object>]
       attr_reader :instances
+      # @return [Boolean]
+      attr_reader :accept_expression
 
       public
 
+      attr_writer :accept_expression
+
       def initialize(ffi_polar)
         @ffi_polar = ffi_polar
         @classes = {}
         @instances = {}
+        @accept_expression = false
       end
 
       def initialize_copy(other)
@@ -35,7 +72,7 @@ module Oso
       def get_class(name)
         raise UnregisteredClassError, name unless classes.key? name
 
-        classes[name]
+        classes[name].get
       end
 
       # Store a Ruby class in the {#classes} cache.
@@ -48,7 +85,7 @@ module Oso
       def cache_class(cls, name:)
         raise DuplicateClassAliasError.new name: name, old: get_class(name), new: cls if classes.key? name
 
-        classes[name] = cls
+        classes[name] = PolarClass.new(cls)
         name
       end
 
@@ -73,7 +110,10 @@ module Oso
       def get_instance(id)
         raise UnregisteredInstanceError, id unless instance? id
 
-        instances[id]
+        instance = instances[id]
+        return instance.get if instance.is_a? PolarClass
+
+        instance
       end
 
       # Cache a Ruby instance in the {#instances} cache, fetching a new id if
@@ -84,6 +124,8 @@ module Oso
       # @return [Integer] the instance ID.
       def cache_instance(instance, id: nil)
         id = ffi_polar.new_id if id.nil?
+        # Save the instance as a PolarClass if it is a non-anonymous class
+        instance = PolarClass.new(instance) if instance.is_a?(Class)
         instances[id] = instance
         id
       end
@@ -173,7 +215,16 @@ module Oso
                   { 'Call' => { 'name' => value.name, 'args' => value.args.map { |el| to_polar(el) } } }
                 when value.instance_of?(Variable)
                   # This is supported so that we can query for unbound variables
-                  { 'Variable' => value }
+                  { 'Variable' => value.name }
+                when value.instance_of?(Expression)
+                  { 'Expression' => { 'operator' => value.operator, 'args' => value.args.map { |el| to_polar(el) } } }
+                when value.instance_of?(Pattern)
+                  dict = to_polar(value.fields)['value']
+                  if value.tag.nil?
+                    { 'Pattern' => dict }
+                  else
+                    { 'Pattern' => { 'Instance' => { 'tag' => value.tag, 'fields' => dict['Dictionary'] } } }
+                  end
                 else
                   { 'ExternalInstance' => { 'instance_id' => cache_instance(value), 'repr' => value.to_s } }
                 end
@@ -219,7 +270,24 @@ module Oso
         when 'Call'
           Predicate.new(value['name'], args: value['args'].map { |a| to_ruby(a) })
         when 'Variable'
-          Variable.new(value['name'])
+          Variable.new(value)
+        when 'Expression'
+          raise UnexpectedPolarTypeError, tag unless accept_expression
+
+          args = value['args'].map { |a| to_ruby(a) }
+          Expression.new(value['operator'], args)
+        when 'Pattern'
+          case value.keys.first
+          when 'Instance'
+            tag = value.values.first['tag']
+            fields = value.values.first['fields']['fields'].transform_values { |v| to_ruby(v) }
+            Pattern.new(tag, fields)
+          when 'Dictionary'
+            fields = value.values.first['fields'].transform_values { |v| to_ruby(v) }
+            Pattern.new(nil, fields)
+          else
+            raise UnexpectedPolarTypeError, "#{value.keys.first} variant of Pattern"
+          end
         else
           raise UnexpectedPolarTypeError, tag
         end

data/lib/oso/polar/pattern.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Polar pattern.
+    class Pattern
+      attr_reader :tag, :fields
+
+      # @param tag [String]
+      # @param fields [Hash<String, Object>]
+      def initialize(tag, fields)
+        @tag = tag
+        @fields = fields
+      end
+
+      # @param other [Pattern]
+      # @return [Boolean]
+      def ==(other)
+        tag == other.tag && fields == other.fields
+      end
+
+      # @see #==
+      alias eql? ==
+    end
+  end
+end

data/lib/oso/polar/polar.rb

@@ -37,6 +37,7 @@ module Oso
       def initialize
         @ffi_polar = FFI::Polar.create
         @host = Host.new(ffi_polar)
+        @polar_roles_enabled = false
 
         # Register global constants.
         register_constant nil, name: 'nil'
@@ -50,11 +51,48 @@ module Oso
         register_class String
       end
 
+      def enable_roles # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        return if polar_roles_enabled
+
+        roles_helper = Class.new do
+          def self.join(separator, left, right)
+            [left, right].join(separator)
+          end
+        end
+        register_constant(roles_helper, name: '__oso_internal_roles_helpers__')
+        ffi_polar.enable_roles
+        self.polar_roles_enabled = true
+
+        # validate config
+        validation_query_results = []
+        loop do
+          query = ffi_polar.next_inline_query
+          break if query.nil?
+
+          new_host = host.dup
+          new_host.accept_expression = true
+          results = Query.new(query, host: new_host).to_a
+          raise InlineQueryFailedError, query.source if results.empty?
+
+          validation_query_results.push results
+        end
+
+        # turn bindings back into polar
+        validation_query_results = validation_query_results.map do |results|
+          results.map do |result|
+            { 'bindings' => result.transform_values { |v| host.to_polar(v) } }
+          end
+        end
+
+        ffi_polar.validate_roles_config(validation_query_results)
+      end
+
       # Clear all rules and rule sources from the current Polar instance
       #
       # @return [self] for chaining.
       def clear_rules
         ffi_polar.clear_rules
+        ffi_polar.enable_roles if polar_roles_enabled
         self
       end
 
@@ -81,7 +119,7 @@ module Oso
       # @raise [InlineQueryFailedError] on the first failed inline query.
       # @raise [Error] if any of the FFI calls raise one.
       # @return [self] for chaining.
-      def load_str(str, filename: nil)
+      def load_str(str, filename: nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
         raise NullByteInPolarFileError if str.chomp("\0").include?("\0")
 
         ffi_polar.load(str, filename: filename)
@@ -91,6 +129,13 @@ module Oso
 
           raise InlineQueryFailedError, next_query.source if Query.new(next_query, host: host).first.nil?
         end
+
+        # If roles are enabled, re-validate config when new rules are loaded.
+        if polar_roles_enabled
+          self.polar_roles_enabled = false
+          enable_roles
+        end
+
         self
       end
 
@@ -170,6 +215,7 @@ module Oso
 
       # @return [FFI::Polar]
       attr_reader :ffi_polar
+      attr_accessor :polar_roles_enabled
 
       # The R and L in REPL for systems where readline is available.
       def repl_readline(prompt)

data/lib/oso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Oso
-  VERSION = '0.13.1'
+  VERSION = '0.14.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oso-oso
 version: !ruby/object:Gem::Version
-  version: 0.13.1
+  version: 0.14.0
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-30 00:00:00.000000000 Z
+date: 2021-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -133,6 +133,7 @@ files:
 - lib/oso/oso.rb
 - lib/oso/polar.rb
 - lib/oso/polar/errors.rb
+- lib/oso/polar/expression.rb
 - lib/oso/polar/ffi.rb
 - lib/oso/polar/ffi/error.rb
 - lib/oso/polar/ffi/message.rb
@@ -141,6 +142,7 @@ files:
 - lib/oso/polar/ffi/query_event.rb
 - lib/oso/polar/ffi/source.rb
 - lib/oso/polar/host.rb
+- lib/oso/polar/pattern.rb
 - lib/oso/polar/polar.rb
 - lib/oso/polar/predicate.rb
 - lib/oso/polar/query.rb