Class: Cerbos::Output::PlanResources

Inherits:
Object
  • Object
show all
Defined in:
lib/cerbos/output/plan_resources.rb

Overview

A query plan that can be used to obtain a list of resources on which a principal is allowed to perform a particular action.

Defined Under Namespace

Classes: Expression, Metadata

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#conditionExpression, ... (readonly)

The root node of the query condition abstract syntax tree.

Returns:

  • (Expression, Expression::Variable)
  • (nil)

    if the specified action is not conditional (is always allowed or denied) for the principal on resources matching the input.

See Also:


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/cerbos/output/plan_resources.rb', line 8

PlanResources = Output.new_class(:request_id, :kind, :condition, :validation_errors, :metadata) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] kind
  #   The type of plan.
  #
  #   @return [:KIND_ALWAYS_ALLOWED, :KIND_ALWAYS_DENIED, :KIND_CONDITIONAL]

  # @!attribute [r] condition
  #   The root node of the query condition abstract syntax tree.
  #
  #   @return [Expression, Expression::Variable]
  #   @return [nil] if the specified action is not conditional (is always allowed or denied) for the principal on resources matching the input.
  #
  #   @see #always_allowed?
  #   @see #always_denied?
  #   @see #conditional?

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about the query plan.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  def self.from_protobuf(plan_resources)
    new(
      request_id: plan_resources.request_id,
      kind: plan_resources.filter.kind,
      condition: PlanResources::Expression::Operand.from_protobuf(plan_resources.filter.condition),
      validation_errors: (plan_resources.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: PlanResources::Metadata.from_protobuf(plan_resources.meta)
    )
  end

  # Check if the specified action is always allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_allowed?
    kind == :KIND_ALWAYS_ALLOWED
  end

  # Check if the specified action is always denied for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_denied?
    kind == :KIND_ALWAYS_DENIED
  end

  # Check if the specified action is conditionally allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def conditional?
    kind == :KIND_CONDITIONAL
  end
end

#kind:KIND_ALWAYS_ALLOWED, ... (readonly)

The type of plan.

Returns:

  • (:KIND_ALWAYS_ALLOWED, :KIND_ALWAYS_DENIED, :KIND_CONDITIONAL)

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/cerbos/output/plan_resources.rb', line 8

PlanResources = Output.new_class(:request_id, :kind, :condition, :validation_errors, :metadata) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] kind
  #   The type of plan.
  #
  #   @return [:KIND_ALWAYS_ALLOWED, :KIND_ALWAYS_DENIED, :KIND_CONDITIONAL]

  # @!attribute [r] condition
  #   The root node of the query condition abstract syntax tree.
  #
  #   @return [Expression, Expression::Variable]
  #   @return [nil] if the specified action is not conditional (is always allowed or denied) for the principal on resources matching the input.
  #
  #   @see #always_allowed?
  #   @see #always_denied?
  #   @see #conditional?

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about the query plan.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  def self.from_protobuf(plan_resources)
    new(
      request_id: plan_resources.request_id,
      kind: plan_resources.filter.kind,
      condition: PlanResources::Expression::Operand.from_protobuf(plan_resources.filter.condition),
      validation_errors: (plan_resources.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: PlanResources::Metadata.from_protobuf(plan_resources.meta)
    )
  end

  # Check if the specified action is always allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_allowed?
    kind == :KIND_ALWAYS_ALLOWED
  end

  # Check if the specified action is always denied for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_denied?
    kind == :KIND_ALWAYS_DENIED
  end

  # Check if the specified action is conditionally allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def conditional?
    kind == :KIND_CONDITIONAL
  end
end

#metadataMetadata? (readonly)

Additional information about the query plan.

Returns:

  • (Metadata)
  • (nil)

    if include_metadata was false.


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/cerbos/output/plan_resources.rb', line 8

PlanResources = Output.new_class(:request_id, :kind, :condition, :validation_errors, :metadata) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] kind
  #   The type of plan.
  #
  #   @return [:KIND_ALWAYS_ALLOWED, :KIND_ALWAYS_DENIED, :KIND_CONDITIONAL]

  # @!attribute [r] condition
  #   The root node of the query condition abstract syntax tree.
  #
  #   @return [Expression, Expression::Variable]
  #   @return [nil] if the specified action is not conditional (is always allowed or denied) for the principal on resources matching the input.
  #
  #   @see #always_allowed?
  #   @see #always_denied?
  #   @see #conditional?

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about the query plan.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  def self.from_protobuf(plan_resources)
    new(
      request_id: plan_resources.request_id,
      kind: plan_resources.filter.kind,
      condition: PlanResources::Expression::Operand.from_protobuf(plan_resources.filter.condition),
      validation_errors: (plan_resources.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: PlanResources::Metadata.from_protobuf(plan_resources.meta)
    )
  end

  # Check if the specified action is always allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_allowed?
    kind == :KIND_ALWAYS_ALLOWED
  end

  # Check if the specified action is always denied for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_denied?
    kind == :KIND_ALWAYS_DENIED
  end

  # Check if the specified action is conditionally allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def conditional?
    kind == :KIND_CONDITIONAL
  end
end

#request_idString (readonly)

The identifier for tracing the request.

Returns:

  • (String)

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/cerbos/output/plan_resources.rb', line 8

PlanResources = Output.new_class(:request_id, :kind, :condition, :validation_errors, :metadata) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] kind
  #   The type of plan.
  #
  #   @return [:KIND_ALWAYS_ALLOWED, :KIND_ALWAYS_DENIED, :KIND_CONDITIONAL]

  # @!attribute [r] condition
  #   The root node of the query condition abstract syntax tree.
  #
  #   @return [Expression, Expression::Variable]
  #   @return [nil] if the specified action is not conditional (is always allowed or denied) for the principal on resources matching the input.
  #
  #   @see #always_allowed?
  #   @see #always_denied?
  #   @see #conditional?

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about the query plan.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  def self.from_protobuf(plan_resources)
    new(
      request_id: plan_resources.request_id,
      kind: plan_resources.filter.kind,
      condition: PlanResources::Expression::Operand.from_protobuf(plan_resources.filter.condition),
      validation_errors: (plan_resources.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: PlanResources::Metadata.from_protobuf(plan_resources.meta)
    )
  end

  # Check if the specified action is always allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_allowed?
    kind == :KIND_ALWAYS_ALLOWED
  end

  # Check if the specified action is always denied for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_denied?
    kind == :KIND_ALWAYS_DENIED
  end

  # Check if the specified action is conditionally allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def conditional?
    kind == :KIND_CONDITIONAL
  end
end

#validation_errorsArray<ValidationError> (readonly)

Any schema validation errors for the principal or resource attributes.

Returns:


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/cerbos/output/plan_resources.rb', line 8

PlanResources = Output.new_class(:request_id, :kind, :condition, :validation_errors, :metadata) do
  # @!attribute [r] request_id
  #   The identifier for tracing the request.
  #
  #   @return [String]

  # @!attribute [r] kind
  #   The type of plan.
  #
  #   @return [:KIND_ALWAYS_ALLOWED, :KIND_ALWAYS_DENIED, :KIND_CONDITIONAL]

  # @!attribute [r] condition
  #   The root node of the query condition abstract syntax tree.
  #
  #   @return [Expression, Expression::Variable]
  #   @return [nil] if the specified action is not conditional (is always allowed or denied) for the principal on resources matching the input.
  #
  #   @see #always_allowed?
  #   @see #always_denied?
  #   @see #conditional?

  # @!attribute [r] validation_errors
  #   Any schema validation errors for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Additional information about the query plan.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  def self.from_protobuf(plan_resources)
    new(
      request_id: plan_resources.request_id,
      kind: plan_resources.filter.kind,
      condition: PlanResources::Expression::Operand.from_protobuf(plan_resources.filter.condition),
      validation_errors: (plan_resources.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
      metadata: PlanResources::Metadata.from_protobuf(plan_resources.meta)
    )
  end

  # Check if the specified action is always allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_allowed?
    kind == :KIND_ALWAYS_ALLOWED
  end

  # Check if the specified action is always denied for the principal on resources matching the input.
  #
  # @return [Boolean]
  def always_denied?
    kind == :KIND_ALWAYS_DENIED
  end

  # Check if the specified action is conditionally allowed for the principal on resources matching the input.
  #
  # @return [Boolean]
  def conditional?
    kind == :KIND_CONDITIONAL
  end
end

Instance Method Details

#always_allowed?Boolean

Check if the specified action is always allowed for the principal on resources matching the input.

Returns:

  • (Boolean)

53
54
55
# File 'lib/cerbos/output/plan_resources.rb', line 53

def always_allowed?
  kind == :KIND_ALWAYS_ALLOWED
end

#always_denied?Boolean

Check if the specified action is always denied for the principal on resources matching the input.

Returns:

  • (Boolean)

60
61
62
# File 'lib/cerbos/output/plan_resources.rb', line 60

def always_denied?
  kind == :KIND_ALWAYS_DENIED
end

#conditional?Boolean

Check if the specified action is conditionally allowed for the principal on resources matching the input.

Returns:

  • (Boolean)

67
68
69
# File 'lib/cerbos/output/plan_resources.rb', line 67

def conditional?
  kind == :KIND_CONDITIONAL
end