oso

v0.27.3
Warning

This package is not in the latest version of its module.

Published: Jan 13, 2024 License: Apache-2.0 Imports: 16 Imported by: 12

README

Deprecated

We have deprecated the legacy Oso open source library. We have plans for the next open source release and we’re looking forward to getting feedback from the community leading up to that point (please reach out to us in the Slack #help channel). In the meantime, if you’re happy using the Oso open source library now, nothing needs to change – i.e., we are not end-of-lifing (EOL) the library and we’ll continue to provide support and critical bug fixes. (Link to Docs message) (We released a writeup with more context)

Oso Go library

This is the publish repository for the Oso Go library. It contains prebuilt oso-core libraries so that you can reference this module directly in Go code.

All development happens on https://github.com/osohq/oso.

    go get github.com/osohq/go-oso

    import "github.com/osohq/go-oso"
    ...

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Oso

type Oso struct {
	// contains filtered or unexported fields
}

The central object to manage policy state and verify requests.

func NewOso

func NewOso() (Oso, error)

Construct a new Oso instance.

import oso "github.com/osohq/go-oso"

// Declare o outside the if statement so it stays in scope for later calls.
o, err := oso.NewOso()
if err != nil {
	t.Fatalf("Failed to set up Oso: %v", err)
}

func (Oso) Authorize added in v0.20.1

func (o Oso) Authorize(actor interface{}, action interface{}, resource interface{}) error

Ensure that `actor` is allowed to perform `action` on `resource`.

If the action is permitted with an `allow` rule in the policy, then this method returns `nil`. If the action is not permitted by the policy, this method will return an error.

The error returned by this method depends on whether the actor can perform the `"read"` action on the resource. If they cannot read the resource, then a `NotFoundError` error is returned. Otherwise, a `ForbiddenError` is returned.

You can customize the errors returned by this function using the `SetReadAction`, `SetForbiddenError`, and `SetNotFoundError` configuration functions.
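The decision order described above for `Authorize`, including the role of the read action that `SetReadAction` overrides, modeled as an added example (this is not code from the Oso library). `allowFunc`, `authorize`, `statusFor`, the two sentinel errors and the sample policy are hypothetical stand-ins, and the HTTP status mapping is an assumption about how a caller would use the two errors.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the library's NotFoundError and ForbiddenError (hypothetical names).
var errNotFound, errForbidden = errors.New("not found"), errors.New("forbidden")

// allowFunc is a hypothetical stand-in for evaluating the policy's allow rules.
type allowFunc func(actor, action, resource string) bool

// authorize follows the documented order: nil, else NotFound if unreadable, else Forbidden.
func authorize(allow allowFunc, readAction, actor, action, resource string) error {
	if allow(actor, action, resource) {
		return nil
	}
	if !allow(actor, readAction, resource) {
		return errNotFound // do not confirm that the resource exists
	}
	return errForbidden
}

// statusFor maps the result onto an HTTP status code; unknown errors become 500.
func statusFor(err error) int {
	switch {
	case err == nil:
		return 200
	case errors.Is(err, errNotFound):
		return 404
	case errors.Is(err, errForbidden):
		return 403
	}
	return 500
}

// constructedPolicy is sample data: alice may read and edit doc1, bob may only read it.
func constructedPolicy(actor, action, resource string) bool {
	grants := map[string]bool{"alice/read/doc1": true, "alice/edit/doc1": true, "bob/read/doc1": true}
	return grants[actor+"/"+action+"/"+resource]
}

func main() {
	for _, actor := range []string{"alice", "bob", "carol"} {
		err := authorize(constructedPolicy, "read", actor, "edit", "doc1")
		fmt.Printf("%-6s edit doc1 -> %d\n", actor, statusFor(err))
	}
}
```

If the configured read action does not match any action the policy grants, every denial falls into the not-found branch, so the read action and the policy's action names have to agree.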

func (Oso) AuthorizeField added in v0.20.1

func (o Oso) AuthorizeField(actor interface{}, action interface{}, resource interface{}, field interface{}) error

Ensure that `actor` is allowed to perform `action` on a given `resource`'s `field`.

Checks the `allow_field` rule of a policy.

If the action is permitted by an `allow_field` rule in the policy, then this method returns `nil`. If the action is not permitted by the policy, this method returns a `ForbiddenError`.

func (Oso) AuthorizeRequest added in v0.20.1

func (o Oso) AuthorizeRequest(actor interface{}, request interface{}) error

Ensure that `actor` is allowed to send `request` to the server.

Checks the `allow_request` rule of a policy.

If the request is permitted with an `allow_request` rule in the policy, then this method returns `nil`. Otherwise, this method returns a `ForbiddenError`.

func (Oso) AuthorizedActions added in v0.20.1

func (o Oso) AuthorizedActions(actor interface{}, resource interface{}, allowWildcard bool) (map[interface{}]struct{}, error)

Return the set of actions that the policy allows for the given (actor, resource) combination.

func (Oso) AuthorizedFields added in v0.20.1

func (o Oso) AuthorizedFields(actor interface{}, action interface{}, resource interface{}, allowWildcard bool) (map[interface{}]struct{}, error)

Determine the fields of `resource` on which `actor` is allowed to perform `action`.

Uses `allow_field` rules in the policy to find all allowed fields.

func (Oso) AuthorizedQuery added in v0.25.0

func (o Oso) AuthorizedQuery(actor interface{}, action interface{}, resource_type string) (interface{}, error)

func (Oso) AuthorizedResources added in v0.25.0

func (o Oso) AuthorizedResources(actor interface{}, action interface{}, resource_type string) ([]interface{}, error)

func (Oso) ClearRules

func (o Oso) ClearRules() error

Clear all rules from the Oso knowledge base (i.e., remove all loaded policies).

func (Oso) GetAllowedActions deprecated added in v0.14.0

func (o Oso) GetAllowedActions(actor interface{}, resource interface{}, allowWildcard bool) (map[interface{}]struct{}, error)

Return the set of actions that the policy allows for the given (actor, resource) combination.

Deprecated: Use AuthorizedActions instead.

func (*Oso) GetHost added in v0.26.0

func (o *Oso) GetHost() *host.Host

func (Oso) IsAllowed

func (o Oso) IsAllowed(actor interface{}, action interface{}, resource interface{}) (bool, error)

Check if an (actor, action, resource) combination is allowed by the policy. Returns the result as a bool, or an error.

func (Oso) LoadFile deprecated

func (o Oso) LoadFile(f string) error

Load Polar policy from a ".polar" file, checking that all inline queries succeed.

Deprecated: `Oso.LoadFile` has been deprecated in favor of `Oso.LoadFiles` as of the 0.20 release. Please see changelog for migration instructions: https://docs.osohq.com/project/changelogs/2021-09-15.html

func (Oso) LoadFiles added in v0.20.1

func (o Oso) LoadFiles(files []string) error

Load Polar policy from ".polar" files, checking that all inline queries succeed.

func (Oso) LoadString

func (o Oso) LoadString(s string) error

Load Polar policy from a string, checking that all inline queries succeed.

func (Oso) NewQueryFromRule

func (o Oso) NewQueryFromRule(name string, args ...interface{}) (*Query, error)

Create policy query for a rule. Accepts the name of the rule to query, and a variadic list of rule arguments. Returns a new *Query, on which `Next()` can be called to get the next result, or an error.

func (Oso) NewQueryFromStr

func (o Oso) NewQueryFromStr(q string) (*Query, error)

Create policy query from a query string. Accepts the string to query for. Returns a new *Query, on which `Next()` can be called to get the next result, or an error.

func (Oso) QueryRule

func (o Oso) QueryRule(name string, args ...interface{}) (<-chan map[string]interface{}, <-chan error)

Query the policy for a rule; the query is run in a new goroutine. Accepts the name of the rule to query, and a variadic list of rule arguments. Returns a channel of resulting binding maps, and a channel for errors. As the query is evaluated, all resulting bindings will be written to the results channel, and any errors will be written to the error channel. The results channel must be completely consumed or it will leak memory.

func (Oso) QueryRuleOnce added in v0.20.1

func (o Oso) QueryRuleOnce(name string, args ...interface{}) (bool, error)

Query the policy for a rule, and return true if there are any results. Returns false if there are no results.

func (Oso) QueryStr

func (o Oso) QueryStr(q string) (<-chan map[string]interface{}, <-chan error)

Query the policy using a query string; the query is run in a new goroutine. Accepts the string to query for. Returns a channel of resulting binding maps, and a channel for errors. As the query is evaluated, all resulting bindings will be written to the results channel, and any errors will be written to the error channel. The results channel must be completely consumed or it will leak memory.

func (Oso) RegisterClass added in v0.0.3

func (o Oso) RegisterClass(cls interface{}, ctor interface{}) error

Register a Go type so that it can be referenced within Polar files. Accepts a concrete value of the Go type and a constructor function or nil if no constructor is required.

func (Oso) RegisterClassWithName added in v0.0.3

func (o Oso) RegisterClassWithName(cls interface{}, ctor interface{}, name string) error

Register a Go type under a certain name/alias so that it can be referenced within Polar files by that name. Accepts a concrete value of the Go type and a constructor function or nil if no constructor is required.

func (Oso) RegisterClassWithNameAndFields added in v0.25.0

func (o Oso) RegisterClassWithNameAndFields(cls interface{}, ctor interface{}, name string, fields map[string]interface{}) error

Register a Go type under a certain name/alias so that it can be referenced within Polar files by that name. Accepts a concrete value of the Go type and a constructor function or nil if no constructor is required.

func (Oso) RegisterConstant added in v0.0.3

func (o Oso) RegisterConstant(value interface{}, name string) error

Register a Go value as a Polar constant variable called `name`.

func (Oso) Repl added in v0.11.0

func (o Oso) Repl() error

Start the Oso REPL, where you can make queries and see the results printed out.

func (Oso) SetDataFilteringAdapter added in v0.25.0

func (o Oso) SetDataFilteringAdapter(adapter types.Adapter)

func (*Oso) SetForbiddenError added in v0.20.1

func (o *Oso) SetForbiddenError(forbiddenError func() error)

Override the default ForbiddenError, returned when authorization fails.

o, _ = oso.NewOso()
o.SetForbiddenError(func() error { return &MyCustomError{} })

func (*Oso) SetNotFoundError added in v0.20.1

func (o *Oso) SetNotFoundError(notFoundError func() error)

Override the default NotFoundError, returned by the Authorize method when a user does not have read permission.

o, _ = oso.NewOso()
o.SetNotFoundError(func() error { return &MyCustomError{} })

func (*Oso) SetReadAction added in v0.20.1

func (o *Oso) SetReadAction(readAction interface{})

Override the "read" action, which is used to differentiate between a NotFoundError and a ForbiddenError on authorization failures.

o, _ = oso.NewOso()
o.SetReadAction("READ")

type Polar

type Polar struct {
	// contains filtered or unexported fields
}

type Query

type Query struct {
	// contains filtered or unexported fields
}

Execute a Polar query through the FFI/event interface.

func (*Query) Bind added in v0.25.0

func (q *Query) Bind(name string, value *types.Term) error

func (*Query) Cleanup added in v0.12.4

func (q *Query) Cleanup()

func (*Query) GetAllResults added in v0.0.3

func (q *Query) GetAllResults() ([]map[string]interface{}, error)

Executes the query until all results have been returned, and returns results as a list of binding maps.

func (*Query) Next

func (q *Query) Next() (*map[string]interface{}, error)

Get the next query result. Returns a pointer to a map of result bindings, or a nil pointer if there are no results.

func (*Query) SetAcceptExpression added in v0.24.0

func (q *Query) SetAcceptExpression(acceptExpression bool)

Set whether the Host accepts Expression types from Polar, or raises an error.
