Class: Yes::Core::Authorization::CommandCerbosAuthorizer Abstract

Inherits:

CommandAuthorizer

Object
CommandAuthorizer
Yes::Core::Authorization::CommandCerbosAuthorizer

show all

Extended by:: CerbosClientProvider, OpenTelemetry::Trackable

Defined in:: lib/yes/core/authorization/command_cerbos_authorizer.rb

Overview

This class is abstract.

Cerbos-based command authorizer base class.

Subclasses must define a RESOURCE constant:

RESOURCE = { name: 'apprenticeship', read_model: Apprenticeship, draft_read_model: ApprenticeshipDraft }

Constant Summary collapse

NEW_RESOURCE_ID =

'new'

Constants inherited from CommandAuthorizer

Yes::Core::Authorization::CommandAuthorizer::CommandNotAuthorized

Class Method Summary collapse

.call(command, auth_data) ⇒ Boolean

True if command is authorized.

Class Method Details

.call(command, auth_data) ⇒ `Boolean`

Returns true if command is authorized.

Parameters:

command (Yes::Core::Command) —

command to authorize
auth_data (Hash) —

authorization data

Returns:

(Boolean) —

true if command is authorized

Raises:

(CommandNotAuthorized) —

if command is not authorized

# File 'lib/yes/core/authorization/command_cerbos_authorizer.rb', line 23

def call(command, auth_data)
  singleton_class.current_span&.add_attributes({ 'command' => command.to_json })

  check_principal_id_present(auth_data)
  singleton_class.current_span&.add_event('Principal Id Checked')

  resource = load_resource(command)
  singleton_class.current_span&.add_event('Resource Loaded')

  decision = authorize(command, resource, auth_data)
  singleton_class.current_span&.add_event('Cerbos Decision', attributes: { 'decision' => decision.to_json })

  return true if decision.allow_all?

  raise_command_unauthorized_error!(decision)
end