Class: Cerbos::Output::CheckResources::Result

Inherits:
Object
  • Object
show all
Defined in:
lib/cerbos/output/check_resources.rb

Overview

The outcome of checking a principal's permissions on single resource.

Defined Under Namespace

Classes: Metadata, Resource

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#actionsHash{String => :EFFECT_ALLOW, :EFFECT_DENY} (readonly)

The policy decisions for each action.

Returns:

  • (Hash{String => :EFFECT_ALLOW, :EFFECT_DENY})

76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
  # @!attribute [r] resource
  #   The resource that was checked.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The policy decisions for each action.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @private
  def self.const_missing(const)
    if const == :ValidationError
      warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
      return ValidationError
    end

    super
  end

  def self.from_protobuf(entry)
    new(
      resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
      actions: entry.actions.to_h,
      validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
    )
  end

  # Check if the policy decision was that a given action should be allowed for the resource.
  #
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    actions[action]&.eql?(:EFFECT_ALLOW)
  end

  # Check if the policy decision was that all input actions should be allowed for the resource.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
  end

  # List the actions that should be allowed for the resource.
  #
  # @return [Array<String>]
  def allowed_actions
    actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
  end
end

#metadataMetadata? (readonly)

Additional information about how the policy decisions were reached.

Returns:

  • (Metadata)
  • (nil)

    if include_metadata was false.


76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
  # @!attribute [r] resource
  #   The resource that was checked.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The policy decisions for each action.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @private
  def self.const_missing(const)
    if const == :ValidationError
      warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
      return ValidationError
    end

    super
  end

  def self.from_protobuf(entry)
    new(
      resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
      actions: entry.actions.to_h,
      validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
    )
  end

  # Check if the policy decision was that a given action should be allowed for the resource.
  #
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    actions[action]&.eql?(:EFFECT_ALLOW)
  end

  # Check if the policy decision was that all input actions should be allowed for the resource.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
  end

  # List the actions that should be allowed for the resource.
  #
  # @return [Array<String>]
  def allowed_actions
    actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
  end
end

#resourceResource (readonly)

The resource that was checked.

Returns:


76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
  # @!attribute [r] resource
  #   The resource that was checked.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The policy decisions for each action.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @private
  def self.const_missing(const)
    if const == :ValidationError
      warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
      return ValidationError
    end

    super
  end

  def self.from_protobuf(entry)
    new(
      resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
      actions: entry.actions.to_h,
      validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
    )
  end

  # Check if the policy decision was that a given action should be allowed for the resource.
  #
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    actions[action]&.eql?(:EFFECT_ALLOW)
  end

  # Check if the policy decision was that all input actions should be allowed for the resource.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
  end

  # List the actions that should be allowed for the resource.
  #
  # @return [Array<String>]
  def allowed_actions
    actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
  end
end

#validation_errorsArray<ValidationError> (readonly)

Any schema validation errors for the principal or resource attributes.

Returns:


76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
  # @!attribute [r] resource
  #   The resource that was checked.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The policy decisions for each action.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @private
  def self.const_missing(const)
    if const == :ValidationError
      warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
      return ValidationError
    end

    super
  end

  def self.from_protobuf(entry)
    new(
      resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
      actions: entry.actions.to_h,
      validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
    )
  end

  # Check if the policy decision was that a given action should be allowed for the resource.
  #
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    actions[action]&.eql?(:EFFECT_ALLOW)
  end

  # Check if the policy decision was that all input actions should be allowed for the resource.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
  end

  # List the actions that should be allowed for the resource.
  #
  # @return [Array<String>]
  def allowed_actions
    actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
  end
end

Instance Method Details

#allow?(action) ⇒ Boolean?

Check if the policy decision was that a given action should be allowed for the resource.

Returns:

  • (Boolean)
  • (nil)

    if the action is not present in the results.


121
122
123
# File 'lib/cerbos/output/check_resources.rb', line 121

def allow?(action)
  actions[action]&.eql?(:EFFECT_ALLOW)
end

#allow_all?Boolean

Check if the policy decision was that all input actions should be allowed for the resource.

Returns:

  • (Boolean)

128
129
130
# File 'lib/cerbos/output/check_resources.rb', line 128

def allow_all?
  actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
end

#allowed_actionsArray<String>

List the actions that should be allowed for the resource.

Returns:

  • (Array<String>)

135
136
137
# File 'lib/cerbos/output/check_resources.rb', line 135

def allowed_actions
  actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
end