
Class Oso<Actor, Action, Resource, Field, Request, Query>

The Oso authorization API.

Type parameters

  • Actor = unknown

  • Action = unknown

  • Resource = unknown

  • Field = unknown

  • Request = unknown

  • Query = unknown

Hierarchy

  • Polar<Query, Resource>
    • Oso

Constructors

constructor

  • new Oso<Actor, Action, Resource, Field, Request, Query>(opts?: Options): Oso<Actor, Action, Resource, Field, Request, Query>
  • Type parameters

    • Actor = unknown

    • Action = unknown

    • Resource = unknown

    • Field = unknown

    • Request = unknown

    • Query = unknown

    Parameters

    Returns Oso<Actor, Action, Resource, Field, Request, Query>

Methods

authorize

  • authorize(actor: Actor, action: Action, resource: Resource, options?: { checkRead?: boolean }): Promise<void>
  • Ensure that actor is allowed to perform action on resource.

    If the action is permitted with an allow rule in the policy, then this method returns nothing. If the action is not permitted by the policy, this method will raise an error.

    The error raised by this method depends on whether the actor can perform the "read" action on the resource. If they cannot read the resource, then a NotFound error is raised. Otherwise, a ForbiddenError is raised.

    Parameters

    • actor: Actor

      The actor performing the request.

    • action: Action

      The action the actor is attempting to perform.

    • resource: Resource

      The resource being accessed.

    • options: { checkRead?: boolean } = {}
      • Optional checkRead?: boolean

    Returns Promise<void>
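
The error contract described above, as an added example (not Oso's own code, and not importing the oso package): a stand-alone model of the allow check, the "read" probe, and the mapping of the two denial errors to HTTP statuses. The error classes, `allow`, `authorizeModel`, `statusFor` and the grant table are constructed for illustration, the model is synchronous where the real method returns a Promise, and the `checkRead: false` behaviour (skip the read probe and always answer Forbidden) is an assumption, since the page lists the option without describing it.

```typescript
// Added example: a synchronous, stand-alone model of the authorize() error
// contract. Nothing here is imported from oso; all names are hypothetical.
class NotFoundError extends Error {
  constructor() { super("not found"); this.name = "NotFoundError"; }
}
class ForbiddenError extends Error {
  constructor() { super("forbidden"); this.name = "ForbiddenError"; }
}

// Constructed grants: alice may read and edit doc1, bob may only read it.
const grants: Record<string, boolean> = {
  "alice:read:doc1": true, "alice:edit:doc1": true, "bob:read:doc1": true,
};
function allow(actor: string, action: string, resource: string): boolean {
  return grants[`${actor}:${action}:${resource}`] === true;
}

function authorizeModel(actor: string, action: string, resource: string,
                        options: { checkRead?: boolean } = {}): void {
  if (allow(actor, action, resource)) return; // permitted: no error
  // Assumption: checkRead defaults to true, and false skips the read probe.
  const checkRead = options.checkRead ?? true;
  if (checkRead && !allow(actor, "read", resource)) {
    // The actor cannot read the resource, so do not confirm that it exists.
    throw new NotFoundError();
  }
  throw new ForbiddenError();
}

// Translate the outcome to an HTTP status in one place, so no handler turns
// a NotFound denial into a 403 that would reveal the resource exists.
function statusFor(actor: string, action: string, resource: string,
                   options: { checkRead?: boolean } = {}): number {
  try {
    authorizeModel(actor, action, resource, options);
    return 200;
  } catch (err) {
    // Matching on name also works when classes are compiled down to ES5.
    if (err instanceof Error && err.name === "NotFoundError") return 404;
    if (err instanceof Error && err.name === "ForbiddenError") return 403;
    throw err; // an unexpected failure is not an authorization decision
  }
}
```

Under this model an actor with no grants gets 404 for both "read" and "edit" on `doc1`, while `bob`, who can read it, gets 403 for "edit".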

authorizeField

  • authorizeField(actor: Actor, action: Action, resource: Resource, field: Field): Promise<void>
  • Ensure that actor is allowed to perform action on a given resource's field.

    If the action is permitted by an allow_field rule in the policy, then this method returns nothing. If the action is not permitted by the policy, this method will raise a ForbiddenError.

    Parameters

    • actor: Actor

      The actor performing the request.

    • action: Action

      The action the actor is attempting to perform on the field.

    • resource: Resource

      The resource being accessed.

    • field: Field

      The name of the field being accessed.

    Returns Promise<void>

authorizeRequest

  • authorizeRequest(actor: Actor, request: Request): Promise<void>
  • Ensure that actor is allowed to send request to the server.

    Checks the allow_request rule of a policy.

    If the request is permitted with an allow_request rule in the policy, then this method returns nothing. Otherwise, this method raises a ForbiddenError.

    Parameters

    • actor: Actor

      The actor performing the request.

    • request: Request

      An object representing the request that was sent by the actor.

    Returns Promise<void>

authorizedActions

  • authorizedActions(actor: Actor, resource: Resource, options?: { allowWildcard?: boolean }): Promise<Set<Action | "*">>
  • Determine the actions actor is allowed to take on resource.

    Collects all actions allowed by allow rules in the Polar policy for the given combination of actor and resource.

    Parameters

    • actor: Actor

      The actor for whom to collect allowed actions.

    • resource: Resource

      The resource being accessed.

    • options: { allowWildcard?: boolean } = {}
      • Optional allowWildcard?: boolean

    Returns Promise<Set<Action | "*">>

    A set of the unique allowed actions.

authorizedFields

  • authorizedFields(actor: Actor, action: Action, resource: Resource, options?: { allowWildcard?: boolean }): Promise<Set<Field | "*">>
  • Determine the fields of resource on which actor is allowed to perform action.

    Uses allow_field rules in the policy to find all allowed fields.

    Parameters

    • actor: Actor

      The actor for whom to collect allowed fields.

    • action: Action

      The action being taken on the field.

    • resource: Resource

      The resource being accessed.

    • options: { allowWildcard?: boolean } = {}
      • Optional allowWildcard?: boolean

    Returns Promise<Set<Field | "*">>

    A set of the unique allowed fields.

authorizedQuery

  • authorizedQuery(actor: Actor, action: Action, resourceCls: string | Class<Resource>): Promise<Query>
  • Create a query for all the resources of type resourceCls that actor is allowed to perform action on.

    Parameters

    • actor: Actor

      Subject.

    • action: Action

      Verb.

    • resourceCls: string | Class<Resource>

      Object type.

    Returns Promise<Query>

    A query that selects authorized resources of type resourceCls.

authorizedResources

  • authorizedResources(actor: Actor, action: Action, resourceCls: string | Class<Resource>): Promise<Resource[]>
  • Determine the resources of type resourceCls that actor is allowed to perform action on.

    Parameters

    • actor: Actor

      Subject.

    • action: Action

      Verb.

    • resourceCls: string | Class<Resource>

      Object type or string name of class.

    Returns Promise<Resource[]>

    An array of authorized resources.

clearRules

  • clearRules(): void

free

  • free(): void
  • Free the underlying WASM instance.

    Invariant: ensure that you do not do anything else with an instance after calling free() on it.

    This should not be something you need to do during the course of regular usage. It's generally only useful for scenarios where large numbers of instances are spun up and not cleanly reaped by the GC, such as during a long-running test process in 'watch' mode.

    Returns void

getFfi

  • getFfi(): Polar

getHost

  • getHost(): Host<Query, Resource>

isAllowed

  • isAllowed(actor: Actor, action: Action, resource: Resource): Promise<boolean>
  • Query the knowledge base to determine whether an actor is allowed to perform an action upon a resource.

    Parameters

    • actor: Actor

      Subject.

    • action: Action

      Verb.

    • resource: Resource

      Object.

    Returns Promise<boolean>

    An access control decision.

loadFile

  • loadFile(filename: string): Promise<void>

loadFiles

  • loadFiles(filenames: string[]): Promise<void>

loadStr

  • loadStr(contents: string, filename?: string): Promise<void>
  • Load a Polar policy string.

    Parameters

    • contents: string
    • Optional filename: string

    Returns Promise<void>

query

queryRule

queryRuleOnce

  • queryRuleOnce(name: string, ...args: unknown[]): Promise<boolean>
  • Query for a Polar rule, returning true if there are any results.

    Parameters

    • name: string
    • Rest ...args: unknown[]

    Returns Promise<boolean>

registerClass

  • Register a JavaScript class for use in Polar policies.

    Parameters

    • cls: Class<unknown>

      The class to register.

    • Optional params: ClassParams

      An optional object with extra parameters.

    Returns void

registerConstant

  • registerConstant(value: unknown, name: string): void

repl

  • repl(files?: string[]): Promise<void>
  • Start a REPL session.

    Parameters

    • Optional files: string[]

    Returns Promise<void>

setDataFilteringAdapter

  • setDataFilteringAdapter(adapter: Adapter<Query, Resource>): void
  • Register adapter for data filtering query functions.

    Parameters

    • adapter: Adapter<Query, Resource>

    Returns void