Class: OsoCloud::Oso

Inherits:

Object

• Object
• OsoCloud::Oso

Defined in:

lib/oso/oso.rb

Overview

Oso Cloud client for Ruby

About facts:

Some of these methods accept and return “fact”s. A “fact” is an array with at least one element. The first element must be a string, representing the fact’s name. Any other elements in the array, which together represent the fact’s arguments, can be “OsoCloud::Value” objects or strings.

Instance Method Summary

• #actions(actor, resource, context_facts = []) ⇒ Array<String>

  List authorized actions.

• #actions_local(actor, resource, context_facts = []) ⇒ String

  Fetches a query that can be run against your database to fetch the actions an actor can perform on a resource.

• #authorize(actor, action, resource, context_facts = [], parity_handle: nil) ⇒ Boolean

  Check a permission.

• #authorize_local(actor, action, resource, context_facts = [], parity_handle: nil) ⇒ String

  Check a permission depending on data both in Oso Cloud and stored in a local database.

• #authorize_resources(actor, action, resources, context_facts = []) ⇒ Array<OsoCloud::Value>

  Check authorized resources.

• #bulk(delete: [], insert: []) ⇒ nil

  Transactionally delete and insert fact(s).

• #bulk_actions(actor, queries:) ⇒ Array<Array<String>>

  List authorized actions for a batch of queries.

• #bulk_delete(facts) ⇒ nil

  Delete many facts.

• #bulk_tell(facts) ⇒ nil

  Add many facts.

• #delete(name, *args) ⇒ nil

  Delete fact.

• #get(name, *args) ⇒ Array<fact>

  List facts.

• #get_policy_metadata ⇒ Object

  Returns metadata about the currently active policy.

• #initialize(url: 'https://cloud.osohq.com', api_key: nil, fallback_url: nil, data_bindings: nil) ⇒ Oso constructor

  A new instance of Oso.

• #list(actor, action, resource_type, context_facts = []) ⇒ Array<String>

  List authorized resources.

• #list_local(actor, action, resource_type, column, context_facts = []) ⇒ String

  List authorized resources depending on data both in Oso Cloud and stored in a local database.

• #list_paginated(actor, action, resource_type, page_size, page_token: nil, context_facts: []) ⇒ OsoCloud::Core::ListResult

  List authorized resources with pagination.

• #policy(policy) ⇒ nil

  Update the active policy.

• #query(name, *args, context_facts: []) ⇒ Array<fact>

  List added and derived facts.

• #tell(name, *args) ⇒ nil

  Add a fact.

Constructor Details

#initialize(url: 'https://cloud.osohq.com', api_key: nil, fallback_url: nil, data_bindings: nil) ⇒ Oso

Returns a new instance of Oso.

# File 'lib/oso/oso.rb', line 31

def initialize(url: 'https://cloud.osohq.com', api_key: nil, fallback_url: nil, data_bindings: nil)
  @api = OsoCloud::Core::Api.new(url: url, api_key: api_key, data_bindings: data_bindings,
                                 options: { fallback_url: fallback_url })
end

Instance Method Details

#actions(actor, resource, context_facts = []) ⇒ Array<String>

List authorized actions

Fetches a list of actions which an actor can perform on a particular resource.

Parameters:

• actor (OsoCloud::Value)
• resource (OsoCloud::Value)
• context_facts (Array<fact>) (defaults to: [])

Returns:

• (Array<String>)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 287

def actions(actor, resource, context_facts = [])
  actor_typed_id = actor.to_api_value
  resource_typed_id = resource.to_api_value
  result = @api.post_actions(OsoCloud::Core::ActionsQuery.new(
                               actor_type: actor_typed_id.type,
                               actor_id: actor_typed_id.id,
                               resource_type: resource_typed_id.type,
                               resource_id: resource_typed_id.id,
                               context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
                             ))
  result.results
end

#actions_local(actor, resource, context_facts = []) ⇒ String

Fetches a query that can be run against your database to fetch the actions an actor can perform on a resource.

Returns a SQL query to run against the local database

Parameters:

• actor (OsoCloud::Value)
• resource (OsoCloud::Value)
• context_facts (Array<fact>) (defaults to: [])

Returns:

• (String)

# File 'lib/oso/oso.rb', line 104

def actions_local(actor, resource, context_facts = [])
  actor_typed_id = actor.to_api_value
  resource_typed_id = resource.to_api_value
  result = @api.post_actions_query(
    OsoCloud::Core::ActionsQuery.new(
      actor_type: actor_typed_id.type,
      actor_id: actor_typed_id.id,
      resource_type: resource_typed_id.type,
      resource_id: resource_typed_id.id,
      context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
    )
  )
  result.sql
end

#authorize(actor, action, resource, context_facts = [], parity_handle: nil) ⇒ Boolean

Check a permission

Returns true if the actor can perform the action on the resource; otherwise false.

This method has an optional parameter ‘parity_handle` which is used to compare the result of your Oso authorization check with your legacy authorization system. Learn more about using the parity_handle with Oso Migrate here:

www.osohq.com/docs/app-integration/client-apis/ruby#oso-migrate

Parameters:

• actor (OsoCloud::Value)
• action (String)
• resource (OsoCloud::Value)
• context_facts (Array<fact>) (defaults to: [])
• parity_handle (OsoCloud::ParityHandle, nil) (defaults to: nil) —

  Optional handle for parity checks with Oso Migrate.

Returns:

• (Boolean)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 157

def authorize(actor, action, resource, context_facts = [], parity_handle: nil)
  actor_typed_id = actor.to_api_value
  resource_typed_id = resource.to_api_value
  result = @api.post_authorize(OsoCloud::Core::AuthorizeQuery.new(
                                 actor_type: actor_typed_id.type,
                                 actor_id: actor_typed_id.id,
                                 action: action,
                                 resource_type: resource_typed_id.type,
                                 resource_id: resource_typed_id.id,
                                 context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
                               ),
                               parity_handle
                               )
  result.allowed
end

#authorize_local(actor, action, resource, context_facts = [], parity_handle: nil) ⇒ String

Check a permission depending on data both in Oso Cloud and stored in a local database

Returns a SQL query to run against the local database

This method has an optional parameter ‘parity_handle` which is used to compare the result of your Oso authorization check with your legacy authorization system. Learn more about using the parity_handle with Oso Migrate here:

www.osohq.com/docs/app-integration/client-apis/ruby#oso-migrate

Parameters:

• actor (OsoCloud::Value)
• action (String)
• resource (OsoCloud::Value)
• context_facts (Array<fact>) (defaults to: [])
• parity_handle (OsoCloud::ParityHandle, nil) (defaults to: nil) —

  Optional handle for parity checks with Oso Migrate.

Returns:

• (String)

# File 'lib/oso/oso.rb', line 53

def authorize_local(actor, action, resource, context_facts = [], parity_handle: nil)
  actor_typed_id = actor.to_api_value
  resource_typed_id = resource.to_api_value
  result = @api.post_authorize_query(
    OsoCloud::Core::AuthorizeQuery.new(
      actor_type: actor_typed_id.type,
      actor_id: actor_typed_id.id,
      action: action,
      resource_type: resource_typed_id.type,
      resource_id: resource_typed_id.id,
      context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
    ), parity_handle
  )
  result.sql
end

#authorize_resources(actor, action, resources, context_facts = []) ⇒ Array<OsoCloud::Value>

Check authorized resources

Returns a subset of the resource which an actor can perform a particular action. Ordering and duplicates, if any exist, are preserved.

Parameters:

• actor (OsoCloud::Value)
• action (String)
• resources (Array<OsoCloud::Value>)
• context_facts (Array<fact>) (defaults to: [])

Returns:

• (Array<OsoCloud::Value>)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 185

def authorize_resources(actor, action, resources, context_facts = [])
  return [] if resources.nil?
  return [] if resources.empty?

  key = lambda do |type, id|
    "#{type}:#{id}"
  end

  resources_extracted = resources.map(&:to_api_value)
  actor_typed_id = actor.to_api_value
  data = OsoCloud::Core::AuthorizeResourcesQuery.new(
    actor_type: actor_typed_id.type, actor_id: actor_typed_id.id,
    action: action,
    resources: resources_extracted,
    context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
  )
  result = @api.post_authorize_resources(data)

  return [] if result.results.empty?

  results_lookup = {}
  result.results.each do |r|
    k = key.call(r.type, r.id)
    results_lookup[k] = true if results_lookup[k].nil?
  end

  resources.select do |r|
    e = r.to_api_value
    exists = results_lookup[key.call(e.type, e.id)]
    exists
  end
end

#bulk(delete: [], insert: []) ⇒ nil

Transactionally delete and insert fact(s)

Delete(s) are processed before insertion(s). nil arguments in facts to be deleted act as wildcards. Does not throw an error if facts to be deleted are not found or facts to be inserted already exist.

Throws an OsoCloud::Core::Api exception if error returned from server.

Parameters:

• delete (Array<fact>) (defaults to: [])
• insert (Array<fact>) (defaults to: [])

Returns:

• (nil)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 369

def bulk(delete: [], insert: [])
  @api.post_bulk(OsoCloud::Core::Bulk.new(delete: OsoCloud::Helpers.params_to_facts(delete),
                                          tell: OsoCloud::Helpers.params_to_facts(insert)))
  nil
end

#bulk_actions(actor, queries:) ⇒ Array<Array<String>>

List authorized actions for a batch of queries

Fetches a list of actions which an actor can perform on a particular resource.

Parameters:

• actor (OsoCloud::Value)
• queries (Array<OsoCloud::Value>) —

  | Array<[OsoCloud::Value, Array<fact>]>

Returns:

• (Array<Array<String>>)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 417

def bulk_actions(actor, queries:)
  actor_typed_id = actor.to_api_value
  data = queries.map do |q|
    context_facts = []
    resource = nil
    if q.is_a?(Array)
      resource = q[0]
      context_facts = q[1]
    else
      resource = q
    end
    resource_typed_id = resource.to_api_value
    OsoCloud::Core::ActionsQuery.new(
      actor_type: actor_typed_id.type,
      actor_id: actor_typed_id.id,
      resource_type: resource_typed_id.type,
      resource_id: resource_typed_id.id,
      context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
    )
  end
  @api.post_bulk_actions(data).map(&:results)
end

#bulk_delete(facts) ⇒ nil

Delete many facts

Deletes many facts at once. Does not throw an error when some of the facts are not found.

Parameters:

• facts (Array<fact>)

Returns:

• (nil)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 350

def bulk_delete(facts)
  @api.post_bulk_delete(OsoCloud::Helpers.params_to_facts(facts))
  nil
end

#bulk_tell(facts) ⇒ nil

Add many facts

Adds many facts at once.

Parameters:

• facts (Array<fact>)

Returns:

• (nil)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 322

def bulk_tell(facts)
  @api.post_bulk_load(OsoCloud::Helpers.params_to_facts(facts))
  nil
end

#delete(name, *args) ⇒ nil

Delete fact

Deletes a fact. Does not throw an error if the fact is not found.

Parameters:

• name (String)
• args (*[String, OsoCloud::Value])

Returns:

• (nil)

# File 'lib/oso/oso.rb', line 335

def delete(name, *args)
  typed_args = args.map { |a| OsoCloud::Helpers.extract_value(a) }
  @api.delete_facts(OsoCloud::Core::Fact.new(predicate: name, args: typed_args))
  nil
end

#get(name, *args) ⇒ Array<fact>

List facts

Lists facts that are stored in Oso Cloud. Can be used to check the existence of a particular fact, or used to fetch all facts that have a particular argument. nil arguments operate as wildcards.

Parameters:

• name (String)
• args (*[String, OsoCloud::Value, nil])

Returns:

• (Array<fact>)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 386

def get(name, *args)
  OsoCloud::Helpers.facts_to_params(@api.get_facts(name, args))
end

#get_policy_metadata ⇒ Object

Returns metadata about the currently active policy

# File 'lib/oso/oso.rb', line 134

def get_policy_metadata
  @api.get_policy_metadata.metadata
end

#list(actor, action, resource_type, context_facts = []) ⇒ Array<String>

List authorized resources

Fetches a list of resource ids on which an actor can perform a particular action.

Parameters:

• actor (OsoCloud::Value)
• action (String)
• resource_type (String)
• context_facts (Array<fact>) (defaults to: [])

Returns:

• (Array<String>)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 230

def list(actor, action, resource_type, context_facts = [])
  all_results = []
  page_token = nil
  loop do
    page = list_paginated(actor, action, resource_type, 10000, page_token: page_token, context_facts: context_facts)
    all_results.concat(page.results)
    break if page.next_page_token.nil?
    page_token = page.next_page_token
  end
  all_results
end

#list_local(actor, action, resource_type, column, context_facts = []) ⇒ String

List authorized resources depending on data both in Oso Cloud and stored in a local database

Returns a SQL query to run against the local database

Parameters:

• actor (OsoCloud::Value)
• action (String)
• resource_type (String)
• column (String)
• context_facts (Array<fact>) (defaults to: [])

Returns:

• (String)

# File 'lib/oso/oso.rb', line 80

def list_local(actor, action, resource_type, column, context_facts = [])
  actor_typed_id = actor.to_api_value
  result = @api.post_list_query(
    query: OsoCloud::Core::ListQuery.new(
      actor_type: actor_typed_id.type,
      actor_id: actor_typed_id.id,
      action: action,
      resource_type: resource_type,
      context_facts: OsoCloud::Helpers.params_to_facts(context_facts)
    ),
    column: column
  )
  result.sql
end

#list_paginated(actor, action, resource_type, page_size, page_token: nil, context_facts: []) ⇒ OsoCloud::Core::ListResult

List authorized resources with pagination

Fetches a page of resource ids on which an actor can perform a particular action. Returns a ListResult with ‘results` and `next_page_token`. Pass `next_page_token` to fetch subsequent pages.

Parameters:

• actor (OsoCloud::Value)
• action (String)
• resource_type (String)
• page_size (Integer)
• page_token (String, nil) (defaults to: nil)
• context_facts (Array<fact>) (defaults to: [])

Returns:

• (OsoCloud::Core::ListResult)

Raises:

• (OsoCloud::Core::ApiError)

# File 'lib/oso/oso.rb', line 256

def list_paginated(actor, action, resource_type, page_size, page_token: nil, context_facts: [])
  actor_typed_id = actor.to_api_value
  10.times do |attempt|
    begin
      return @api.post_list(OsoCloud::Core::ListQuery.new(
                              actor_type: actor_typed_id.type,
                              actor_id: actor_typed_id.id,
                              action: action,
                              resource_type: resource_type,
                              context_facts: OsoCloud::Helpers.params_to_facts(context_facts),
                              page_size: page_size,
                              page_token: page_token
                            ))
    rescue OsoCloud::Core::ApiError => e
      raise unless e.status_code == 409 && e.retry_after && attempt < 9
      sleep(e.retry_after)
    end
  end
  raise OsoCloud::Core::ApiError.new(message: 'Page not available after retries', status_code: 409)
end

#policy(policy) ⇒ nil

Update the active policy

Updates the active policy in Oso Cloud, The string passed into this method should be written in Polar.

Parameters:

• policy (String)

Returns:

• (nil)

# File 'lib/oso/oso.rb', line 127

def policy(policy)
  @api.post_policy(OsoCloud::Core::Policy.new(src: policy, filename: ''))
  nil
end

#query(name, *args, context_facts: []) ⇒ Array<fact>

List added and derived facts

Lists facts that are stored in Oso Cloud in addition to derived facts from evaluating the policy. nil arguments operate as wildcards.

Parameters:

• name (String)
• args (Array<[String, OsoCloud::Value, nil]>)
• context_facts (Array<fact>) (defaults to: [])

Returns:

• (Array<fact>)

See Also:

• for more information about facts

# File 'lib/oso/oso.rb', line 401

def query(name, *args, context_facts: [])
  typed_args = args.map { |a| OsoCloud::Helpers.extract_value(a) }
  result = @api.post_query(OsoCloud::Core::Query.new(fact: OsoCloud::Helpers.param_to_fact(name, typed_args),
                                                     context_facts: OsoCloud::Helpers.params_to_facts(context_facts)))
  OsoCloud::Helpers.facts_to_params(result.results)
end

#tell(name, *args) ⇒ nil

Add a fact

Adds a fact with the given name and arguments.

Parameters:

• name (String)
• args (*[String, OsoCloud::Value])

Returns:

• (nil)

# File 'lib/oso/oso.rb', line 308

def tell(name, *args)
  typed_args = args.map { |a| OsoCloud::Helpers.extract_value(a) }
  @api.post_facts(OsoCloud::Core::Fact.new(predicate: name, args: typed_args))
  nil
end