Class: Gitlab::Glaz::Engine

Inherits:
Object
  • Object
show all
Defined in:
lib/gitlab/glaz/engine.rb

Overview

Wraps a native Glaz::PermissionCheckEngine instance.

The Cedar schema is fixed for the lifetime of the engine: it is loaded exactly once at construction and cannot be re-loaded; build a new Engine to change it. The policy set can be replaced at any time with #load_policies.

Schemas must declare User and Resource entity types and declare each checkable action with appliesTo { principal: [User], resource: [Resource], ... }, because the engine builds User::"<subject_uuid>" and Resource::"<object_uuid>" entity UIDs for every check. The engine also injects user_permissions (a Set containing the checked action) into the Cedar context, so an action's declared context type must include user_permissions: Set<Action> alongside any custom attributes.

Instance Method Summary collapse

Constructor Details

#initialize(schema:, policies:) ⇒ Engine

Returns a new instance of Engine.

Parameters:

  • schema (String)

    Cedar schema source (.cedarschema DSL).

  • policies (String)

    Cedar policy source, validated against the schema; ArgumentError is raised when either does not parse or the policies do not validate.



26
27
28
29
30
# File 'lib/gitlab/glaz/engine.rb', line 26

def initialize(schema:, policies:)
  @native = ::Glaz::PermissionCheckEngine.new
  @native.load_schema(schema)
  @native.load_policies(policies)
end

Instance Method Details

#check_action(subject_uuid:, object_uuid:, action:, context: {}) ⇒ Hash

Evaluate whether the subject may perform action on the object.

Parameters:

  • context (Hash) (defaults to: {})

    ABAC attributes made available to policies as the Cedar context; must match the context type the schema declares for the checked action.

Returns:

  • (Hash)

    { allowed: Boolean, reason: String }



46
47
48
49
50
51
52
53
54
55
56
57
# File 'lib/gitlab/glaz/engine.rb', line 46

def check_action(subject_uuid:, object_uuid:, action:, context: {})
  request = ::Glaz::CheckRequest.encode(
    ::Glaz::CheckRequest.new(
      subject: ::Relationships::V1::Principal.new(id: subject_uuid),
      action: action,
      object: ::Relationships::V1::Object.new(id: object_uuid),
      context: context.to_json
    )
  )

  @native.check_action(request)
end

#load_policies(source) ⇒ Object

Replace the active policy set with the given Cedar policy source, validated against the engine's schema. Raises ArgumentError when the source does not parse or validate; the previous policies then remain active. The swap is atomic with respect to concurrent checks.



36
37
38
# File 'lib/gitlab/glaz/engine.rb', line 36

def load_policies(source)
  @native.load_policies(source)
end