Class: Cerbos::Output::CheckResources

Inherits:
Object
  • Object
show all
Defined in:
lib/cerbos/output/check_resources.rb

Overview

The outcome of checking a principal's permissions on a set of resources.

Defined Under Namespace

Classes: Result

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#request_idString (readonly)

The identifier for tracing the request.

Returns:

  • (String)

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# File 'lib/cerbos/output/check_resources.rb', line 8

CheckResources = Output.new_class(:request_id, :results) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] results
  #   The outcomes of the permission checks for each resource.
  #
  #   @return [Array<Result>]

  def self.from_protobuf(check_resources)
    new(
      request_id: check_resources.request_id,
      results: (check_resources.results || []).map { |entry| CheckResources::Result.from_protobuf(entry) }
    )
  end

  # Check if the policy decision was that an action should be allowed for a resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
  # @param action [String] the action to check.
  #
  # @return [Boolean]
  # @return [nil] if the resource or action is not present in the results.
  def allow?(resource:, action:)
    find_result(resource)&.allow?(action)
  end

  # Check if the policy decision was that all input actions should be allowed for a resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
  #
  # @return [Boolean]
  # @return [nil] if the resource is not present in the results.
  def allow_all?(resource)
    find_result(resource)&.allow_all?
  end

  # Find an item from {#results} by resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria. `kind` and `id` are required; `policy_version` and `scope` may also be provided if needed to distinguish between multiple results for the same `kind` and `id`.
  #
  # @return [Result]
  # @return [nil] if not found.
  def find_result(resource)
    search = Input.coerce_required(resource, Input::Resource)
    results.find { |result| matching_resource?(search, result.resource) }
  end

  # List unique schema validation errors for the principal or resource attributes.
  #
  # @return [Array<ValidationError>]
  def validation_errors
    results.flat_map(&:validation_errors).uniq
  end

  private

  def matching_resource?(search, candidate)
    search.kind == candidate.kind &&
      search.id == candidate.id &&
      (search.policy_version.nil? || search.policy_version == candidate.policy_version) &&
      (search.scope.nil? || search.scope == candidate.scope)
  end
end

#resultsArray<Result> (readonly)

The outcomes of the permission checks for each resource.

Returns:


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# File 'lib/cerbos/output/check_resources.rb', line 8

CheckResources = Output.new_class(:request_id, :results) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] results
  #   The outcomes of the permission checks for each resource.
  #
  #   @return [Array<Result>]

  def self.from_protobuf(check_resources)
    new(
      request_id: check_resources.request_id,
      results: (check_resources.results || []).map { |entry| CheckResources::Result.from_protobuf(entry) }
    )
  end

  # Check if the policy decision was that an action should be allowed for a resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
  # @param action [String] the action to check.
  #
  # @return [Boolean]
  # @return [nil] if the resource or action is not present in the results.
  def allow?(resource:, action:)
    find_result(resource)&.allow?(action)
  end

  # Check if the policy decision was that all input actions should be allowed for a resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria (see {#find_result}).
  #
  # @return [Boolean]
  # @return [nil] if the resource is not present in the results.
  def allow_all?(resource)
    find_result(resource)&.allow_all?
  end

  # Find an item from {#results} by resource.
  #
  # @param resource [Input::Resource, Hash] the resource search criteria. `kind` and `id` are required; `policy_version` and `scope` may also be provided if needed to distinguish between multiple results for the same `kind` and `id`.
  #
  # @return [Result]
  # @return [nil] if not found.
  def find_result(resource)
    search = Input.coerce_required(resource, Input::Resource)
    results.find { |result| matching_resource?(search, result.resource) }
  end

  # List unique schema validation errors for the principal or resource attributes.
  #
  # @return [Array<ValidationError>]
  def validation_errors
    results.flat_map(&:validation_errors).uniq
  end

  private

  def matching_resource?(search, candidate)
    search.kind == candidate.kind &&
      search.id == candidate.id &&
      (search.policy_version.nil? || search.policy_version == candidate.policy_version) &&
      (search.scope.nil? || search.scope == candidate.scope)
  end
end

Instance Method Details

#allow?(resource:, action:) ⇒ Boolean?

Check if the policy decision was that an action should be allowed for a resource.

Parameters:

Returns:

  • (Boolean)
  • (nil)

    if the resource or action is not present in the results.


33
34
35
# File 'lib/cerbos/output/check_resources.rb', line 33

def allow?(resource:, action:)
  find_result(resource)&.allow?(action)
end

#allow_all?(resource) ⇒ Boolean?

Check if the policy decision was that all input actions should be allowed for a resource.

Parameters:

Returns:

  • (Boolean)
  • (nil)

    if the resource is not present in the results.


43
44
45
# File 'lib/cerbos/output/check_resources.rb', line 43

def allow_all?(resource)
  find_result(resource)&.allow_all?
end

#find_result(resource) ⇒ Result?

Find an item from #results by resource.

Parameters:

  • resource (Input::Resource, Hash)

    the resource search criteria. kind and id are required; policy_version and scope may also be provided if needed to distinguish between multiple results for the same kind and id.

Returns:

  • (Result)
  • (nil)

    if not found.


53
54
55
56
# File 'lib/cerbos/output/check_resources.rb', line 53

def find_result(resource)
  search = Input.coerce_required(resource, Input::Resource)
  results.find { |result| matching_resource?(search, result.resource) }
end

#validation_errorsArray<ValidationError>

List unique schema validation errors for the principal or resource attributes.

Returns:


61
62
63
# File 'lib/cerbos/output/check_resources.rb', line 61

def validation_errors
  results.flat_map(&:validation_errors).uniq
end