oso-cloud 0.5.4

Oso Cloud client
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

use serde::{Deserialize, Serialize};

use crate::{Oso, Value};

type Result<T> = core::result::Result<T, crate::Error>;

/// An [`Oso`] wrapper for using [Local Authorization] with decentralized data.
///
/// [Local Authorization]: https://www.osohq.com/docs/app-integration/integrate-authorization/filter-lists#list-filtering-with-local-data
#[derive(Clone, Debug)]
pub struct LocalFilteringHandle<S> {
    oso: Oso,
    data_bindings: S,
}

impl Oso {
    /// Convert into a [`LocalFilteringHandle`].
    pub fn into_local_filtering_handle<S>(self, data_bindings: S) -> LocalFilteringHandle<S> {
        LocalFilteringHandle {
            oso: self,
            data_bindings,
        }
    }
}

impl<S> LocalFilteringHandle<S> {
    /// Get the underlying [`Oso`] client.
    pub fn oso(&self) -> &Oso {
        &self.oso
    }
}

#[derive(Deserialize)]
struct LocalQueryResult {
    sql: String,
}

impl<S: AsRef<str>> LocalFilteringHandle<S> {
    /// Fetches a query that can be run against your database to determine whether
    /// an actor can perform an action on a resource.
    ///
    /// The query will always return a single record with a single boolean column
    /// named `allowed`, indicating whether or not the action is permitted.
    ///
    /// Example output:
    /// | allowed |
    /// |---------|
    /// | true    |
    pub async fn authorize_local(
        &self,
        actor: impl Into<Value<'_>>,
        action: &str,
        resource: impl Into<Value<'_>>,
    ) -> Result<String> {
        #[derive(Debug, Serialize)]
        struct AuthorizeRequest<'a> {
            actor_type: &'a str,
            actor_id: &'a str,
            action: &'a str,
            resource_type: &'a str,
            resource_id: &'a str,
        }
        #[derive(Debug, Serialize)]
        struct LocalAuthQuery<'a> {
            query: AuthorizeRequest<'a>,
            data_bindings: &'a str,
        }

        let actor = actor.into();
        let resource = resource.into();
        let (Some(actor_type), Some(actor_id)) = (actor.type_.as_ref(), actor.id.as_ref()) else {
            return Err(crate::Error::Input(
                "Actor must be a concrete value. Try `oso.query` if you want to get all permitted actors".to_owned(),
            ));
        };
        let (Some(resource_type), Some(resource_id)) = (resource.type_.as_ref(), resource.id.as_ref()) else {
            return Err(crate::Error::Input(
                "Resource must be a concrete value. Try `oso.list` if you want to get all allowed resources".to_owned(),
            ));
        };

        let query = AuthorizeRequest {
            actor_type,
            actor_id,
            action,
            resource_type,
            resource_id,
        };

        let body = LocalAuthQuery {
            query,
            data_bindings: self.data_bindings.as_ref(),
        };

        let resp: LocalQueryResult = self.oso.client.post("authorize_query", &body, false).await?;

        Ok(resp.sql)
    }

    /// Fetches a filter that can be applied to a database query to return just
    /// the resources on which an actor can perform an action.
    pub async fn list_local(
        &self,
        actor: impl Into<Value<'_>>,
        action: &str,
        resource_type: &str,
        column: &str,
    ) -> Result<String> {
        #[derive(Debug, Serialize)]
        struct ListRequest<'a> {
            actor_type: &'a str,
            actor_id: &'a str,
            action: &'a str,
            resource_type: &'a str,
        }
        #[derive(Debug, Serialize)]
        struct LocalListQuery<'a> {
            query: ListRequest<'a>,
            column: &'a str,
            data_bindings: &'a str,
        }

        let actor = actor.into();

        let (Some(actor_type), Some(actor_id)) = (actor.type_.as_ref(), actor.id.as_ref()) else {
            return Err(crate::Error::Input(
                "Actor must be a concrete value. Try `oso.query` if you want to get all permitted actors".to_owned(),
            ));
        };

        let query = ListRequest {
            actor_type,
            actor_id,
            action,
            resource_type,
        };

        let body = LocalListQuery {
            query,
            column,
            data_bindings: self.data_bindings.as_ref(),
        };

        let resp: LocalQueryResult = self.oso.client.post("list_query", &body, false).await?;
        Ok(resp.sql)
    }
}