Class: Cerbos::Output::CheckResources

Inherits:
Object
  • Object
Defined in:
lib/cerbos/output/check_resources.rb

Overview

The outcome of checking a principal's permissions on a set of resources.

Defined Under Namespace

Classes: Result


Instance Attribute Details

#request_id ⇒ String (readonly)

The identifier for tracing the request.

Returns:

  • (String)


# File 'lib/cerbos/output/check_resources.rb', line 8

CheckResources = Output.new_class(:request_id, :results) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] results
  #   The outcomes of the permission checks for each resource.
  #
  #   @return [Array<Result>]

  # Build an instance from a protobuf response message.
  #
  # A nil `results` field on the message is treated as an empty list, so
  # {#results} is always an Array.
  #
  # @param check_resources [Object] the message to convert; it must respond to `request_id` and `results`.
  #
  # @return [CheckResources]
  def self.from_protobuf(check_resources)
    request_id = check_resources.request_id
    entries = check_resources.results || []

    new(
      request_id: request_id,
      results: entries.map { |entry| CheckResources::Result.from_protobuf(entry) }
    )
  end

  # Check if the policy decision was that an action should be allowed for a resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
  # @param action [String] the action to check.
  #
  # @return [Boolean]
  # @return [nil] if the resource or action is not present in the results.
  #   nil is falsy, so a plain truthiness check denies by default, but an
  #   `== false` comparison will not see a missing result as a deny.
  def allow?(resource:, action:)
    result = find_result(resource)
    return nil if result.nil?

    result.allow?(action)
  end

  # Check if the policy decision was that all input actions should be allowed for a resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
  #
  # @return [Boolean]
  # @return [nil] if the resource is not present in the results. Treat nil as
  #   "no decision available" rather than as an allow.
  def allow_all?(resource)
    result = find_result(resource)
    return nil if result.nil?

    result.allow_all?
  end

  # Find an item from {#results} by resource.
  #
  # When `policy_version` and `scope` are left nil they are not compared, and
  # the first entry in {#results} with a matching `kind` and `id` is returned.
  # Supply them whenever the same resource was checked under more than one
  # policy version or scope, so the decision read back is the intended one.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria. `kind` and `id` are required; `policy_version` and `scope` may also be provided if needed to distinguish between multiple results for the same `kind` and `id`.
  #
  # @return [Result]
  # @return [nil] if not found.
  def find_result(resource)
    wanted = Input.coerce_required(resource, Input::Resource)

    results.find do |entry|
      matching_resource?(wanted, entry.resource)
    end
  end

  # List unique schema validation errors for the principal or resource attributes.
  #
  # @return [Array<ValidationError>]
  def validation_errors
    collected = results.flat_map { |result| result.validation_errors }
    collected.uniq
  end

  private

  # Decide whether a result's resource satisfies the search criteria.
  #
  # `kind` and `id` must be equal; `policy_version` and `scope` are compared
  # only when the search supplies a non-nil value for them.
  def matching_resource?(search, candidate)
    return false unless search.kind == candidate.kind
    return false unless search.id == candidate.id
    return false unless search.policy_version.nil? || search.policy_version == candidate.policy_version

    search.scope.nil? || search.scope == candidate.scope
  end
end

#results ⇒ Array<Result> (readonly)

The outcomes of the permission checks for each resource.

Returns:

  • (Array<Result>)



# File 'lib/cerbos/output/check_resources.rb', line 8

CheckResources = Output.new_class(:request_id, :results) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] results
  #   The outcomes of the permission checks for each resource.
  #
  #   @return [Array<Result>]

  # Build an instance from a protobuf response message.
  #
  # A nil `results` field on the message is treated as an empty list, so
  # {#results} is always an Array.
  #
  # @param check_resources [Object] the message to convert; it must respond to `request_id` and `results`.
  #
  # @return [CheckResources]
  def self.from_protobuf(check_resources)
    request_id = check_resources.request_id
    entries = check_resources.results || []

    new(
      request_id: request_id,
      results: entries.map { |entry| CheckResources::Result.from_protobuf(entry) }
    )
  end

  # Check if the policy decision was that an action should be allowed for a resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
  # @param action [String] the action to check.
  #
  # @return [Boolean]
  # @return [nil] if the resource or action is not present in the results.
  #   nil is falsy, so a plain truthiness check denies by default, but an
  #   `== false` comparison will not see a missing result as a deny.
  def allow?(resource:, action:)
    result = find_result(resource)
    return nil if result.nil?

    result.allow?(action)
  end

  # Check if the policy decision was that all input actions should be allowed for a resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
  #
  # @return [Boolean]
  # @return [nil] if the resource is not present in the results. Treat nil as
  #   "no decision available" rather than as an allow.
  def allow_all?(resource)
    result = find_result(resource)
    return nil if result.nil?

    result.allow_all?
  end

  # Find an item from {#results} by resource.
  #
  # When `policy_version` and `scope` are left nil they are not compared, and
  # the first entry in {#results} with a matching `kind` and `id` is returned.
  # Supply them whenever the same resource was checked under more than one
  # policy version or scope, so the decision read back is the intended one.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria. `kind` and `id` are required; `policy_version` and `scope` may also be provided if needed to distinguish between multiple results for the same `kind` and `id`.
  #
  # @return [Result]
  # @return [nil] if not found.
  def find_result(resource)
    wanted = Input.coerce_required(resource, Input::Resource)

    results.find do |entry|
      matching_resource?(wanted, entry.resource)
    end
  end

  # List unique schema validation errors for the principal or resource attributes.
  #
  # @return [Array<ValidationError>]
  def validation_errors
    collected = results.flat_map { |result| result.validation_errors }
    collected.uniq
  end

  private

  # Decide whether a result's resource satisfies the search criteria.
  #
  # `kind` and `id` must be equal; `policy_version` and `scope` are compared
  # only when the search supplies a non-nil value for them.
  def matching_resource?(search, candidate)
    return false unless search.kind == candidate.kind
    return false unless search.id == candidate.id
    return false unless search.policy_version.nil? || search.policy_version == candidate.policy_version

    search.scope.nil? || search.scope == candidate.scope
  end
end

Instance Method Details

#allow?(resource:, action:) ⇒ Boolean?

Check if the policy decision was that an action should be allowed for a resource.

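Parameters:

  • resource (Input::Resource, Hash)

    the resource search criteria (see #find_result).

  • action (String)

    the action to check.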

Returns:

  • (Boolean)
  • (nil)

    if the resource or action is not present in the results.



# File 'lib/cerbos/output/check_resources.rb', line 33

# Check if the policy decision was that an action should be allowed for a resource.
#
# @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
# @param action [String] the action to check.
#
# @return [Boolean]
# @return [nil] if the resource or action is not present in the results.
#   nil is falsy, so a plain truthiness check denies by default, but an
#   `== false` comparison will not see a missing result as a deny.
def allow?(resource:, action:)
  result = find_result(resource)
  return nil if result.nil?

  result.allow?(action)
end

#allow_all?(resource) ⇒ Boolean?

Check if the policy decision was that all input actions should be allowed for a resource.

Parameters:

  • resource (Input::Resource, Hash)

    the resource search criteria (see #find_result).

Returns:

  • (Boolean)
  • (nil)

    if the resource is not present in the results.



# File 'lib/cerbos/output/check_resources.rb', line 43

# Check if the policy decision was that all input actions should be allowed for a resource.
#
# @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
#
# @return [Boolean]
# @return [nil] if the resource is not present in the results. Treat nil as
#   "no decision available" rather than as an allow.
def allow_all?(resource)
  result = find_result(resource)
  return nil if result.nil?

  result.allow_all?
end

#find_result(resource) ⇒ Result?

Find an item from #results by resource.

Parameters:

  • resource (Input::Resource, Hash)

    the resource search criteria. kind and id are required; policy_version and scope may also be provided if needed to distinguish between multiple results for the same kind and id.

Returns:

  • (Result)
  • (nil)

    if not found.



# File 'lib/cerbos/output/check_resources.rb', line 53

# Find an item from {#results} by resource.
#
# When `policy_version` and `scope` are left nil, matching_resource? does not
# compare them, and the first entry in {#results} with a matching `kind` and
# `id` is returned. Supply them whenever the same resource was checked under
# more than one policy version or scope, so the decision read back is the
# intended one.
#
# @param resource [Input::Resource, Hash] the resource search criteria. `kind` and `id` are required.
#
# @return [Result]
# @return [nil] if not found.
def find_result(resource)
  wanted = Input.coerce_required(resource, Input::Resource)

  results.find do |entry|
    matching_resource?(wanted, entry.resource)
  end
end

#validation_errors ⇒ Array<ValidationError>

List unique schema validation errors for the principal or resource attributes.

Returns:

  • (Array<ValidationError>)



# File 'lib/cerbos/output/check_resources.rb', line 61

# List unique schema validation errors for the principal or resource attributes.
#
# Errors are gathered from every entry in {#results} and de-duplicated.
#
# @return [Array<ValidationError>]
def validation_errors
  collected = results.flat_map { |result| result.validation_errors }
  collected.uniq
end