Package com.osohq.oso

Class Oso

  • public class Oso
extends Polar

    • Constructor Detail

      • Oso

        public Oso()

    • Method Detail

      • setReadAction

        public void setReadAction​(Object readAction)
        Override the "read" action, which is used to differentiate between a `NotFoundException` and a `ForbiddenException` on authorization failures.

      • isAllowed

        public boolean isAllowed​(Object actor,
                         Object action,
                         Object resource)
                  throws Exceptions.OsoException
        Submit an `allow` query to the Polar knowledge base. 
        
 Oso oso = new Oso();
 o.loadStr("allow(\"guest\", \"get\", \"widget\");");
 assert o.isAllowed("guest", "get", "widget");
        Parameters:
        actor - the actor performing the request
        action - the action the actor is attempting to perform
        resource - the resource being accessed
        Returns:
        boolean
        Throws:
        Exceptions.OsoException

      • getAllowedActions

        public HashSet<Object> getAllowedActions​(Object actor,
                                         Object resource)
                                  throws Exceptions.OsoException
        Return the allowed actions for the given actor and resource, if any. 
        
 Oso oso = new Oso();
 o.loadStr("allow(\"guest\", \"get\", \"widget\");");
 HashSet actions = o.getAllowedActions("guest", "widget");
 assert actions.contains("get");
        Parameters:
        actor - the actor performing the request
        resource - the resource being accessed
        Returns:
        HashSet
        Throws:
        Exceptions.OsoException

        • getAllowedActions

          public HashSet<Object> getAllowedActions​(Object actor,
                                         Object resource,
                                         boolean allowWildcard)
                                  throws Exceptions.OsoException
          Deprecated.
          Use `authorizedActions` instead.
          Return the allowed actions for the given actor and resource, if any. Explicitly allow or disallow wildcard actions. If allowed, wildcard actions are represented as "*".
          Parameters:
          actor - the actor performing the request
          resource - the resource being accessed
          allowWildcard - whether or not to allow wildcard actions
          Returns:
          HashSet
          Throws:
          Exceptions.OsoException

          • authorize

            public void authorize​(Object actor,
                      Object action,
                      Object resource,
                      boolean checkRead)
               throws Exceptions.OsoException
            Ensure that `actor` is allowed to perform `action` on `resource`.

            If the action is permitted with an `allow` rule in the policy, then this method returns `None`. If the action is not permitted by the policy, this method will raise an error.

            The error raised by this method depends on whether the actor can perform the `"read"` action on the resource. If they cannot read the resource, then a `NotFoundException` is raised. Otherwise, a `ForbiddenException` is raised.

            Parameters:
            actor - The actor performing the request.
            action - The action the actor is attempting to perform.
            resource - The resource being accessed.
            checkRead - If set to `false`, a `ForbiddenException` is always thrown on authorization failures, regardless of whether the actor can read the resource. Default is `true`.
            Throws:
            Exceptions.OsoException

          • authorizeRequest

            public void authorizeRequest​(Object actor,
                             Object request)
                      throws Exceptions.OsoException
            Ensure that `actor` is allowed to send `request` to the server.

            Checks the `allow_request` rule of a policy.

            If the request is permitted with an `allow_request` rule in the policy, then this method returns nothing. Otherwise, this method raises a `ForbiddenException`.

            Parameters:
            actor - The actor performing the request.
            request - An object representing the request that was sent by the actor.
            Throws:
            Exceptions.OsoException

          • authorizeField

            public void authorizeField​(Object actor,
                           Object action,
                           Object resource,
                           Object field)
                    throws Exceptions.OsoException
            Ensure that `actor` is allowed to perform `action` on a given `resource`'s `field`.

            If the action is permitted by an `allow_field` rule in the policy, then this method returns nothing. If the action is not permitted by the policy, this method will raise a `ForbiddenException`.

            Parameters:
            actor - The actor performing the request.
            action - The action the actor is attempting to perform on the field.
            resource - The resource being accessed.
            field - The name of the field being accessed.
            Throws:
            Exceptions.OsoException

          • authorizedActions

            public HashSet<Object> authorizedActions​(Object actor,
                                         Object resource,
                                         boolean allowWildcard)
                                  throws Exceptions.OsoException
            Determine the actions `actor` is allowed to take on `resource`.

            Collects all actions allowed by allow rules in the Polar policy for the given combination of actor and resource.

            Parameters:
            actor - The actor for whom to collect allowed actions
            resource - The resource being accessed
            allowWildcard - Flag to determine behavior if the policy includes a wildcard action. E.g., a rule allowing any action: `allow(_actor, _action, _resource)`. If `true`, the method will return `["*"]`, if `false`, the method will raise an exception.
            Returns:
            HashSet A list of the unique allowed actions.
            Throws:
            Exceptions.OsoException

            • authorizedFields

              public HashSet<Object> authorizedFields​(Object actor,
                                        Object action,
                                        Object resource,
                                        boolean allowWildcard)
                                 throws Exceptions.OsoException
              Determine the fields of `resource` on which `actor` is allowed to perform `action`.

              Uses `allow_field` rules in the policy to find all allowed fields.

              Parameters:
              actor - The actor for whom to collect allowed fields.
              action - The action being taken on the field.
              resource - The resource being accessed.
              allowWildcard - Flag to determine behavior if the policy \ includes a wildcard field. E.g., a rule allowing any field: \ `allow_field(_actor, _action, _resource, _field)`. If `true`, the \ method will return `["*"]`, if `false`, the method will raise an \ exception.
              Returns:
              HashSet A set of the unique allowed fields.
              Throws:
              Exceptions.OsoException