Package com.osohq.oso

Class Oso


public class Oso extends Polar
  • Constructor Details

    • Oso

      public Oso()
  • Method Details

    • main

      public static void main(String[] args) throws Exceptions.OsoException, IOException
      Throws:
      Exceptions.OsoException
      IOException
    • setReadAction

      public void setReadAction(Object readAction)
      Override the "read" action, which is used to differentiate between a `NotFoundException` and a `ForbiddenException` on authorization failures.
    • isAllowed

      public boolean isAllowed(Object actor, Object action, Object resource) throws Exceptions.OsoException
      Submit an `allow` query to the Polar knowledge base.
      
       Oso oso = new Oso();
       o.loadStr("allow(\"guest\", \"get\", \"widget\");");
       assert o.isAllowed("guest", "get", "widget");
       
      Parameters:
      actor - the actor performing the request
      action - the action the actor is attempting to perform
      resource - the resource being accessed
      Returns:
      boolean
      Throws:
      Exceptions.OsoException
    • getAllowedActions

      public HashSet<Object> getAllowedActions(Object actor, Object resource) throws Exceptions.OsoException
      Return the allowed actions for the given actor and resource, if any.
      
       Oso oso = new Oso();
       o.loadStr("allow(\"guest\", \"get\", \"widget\");");
       HashSet actions = o.getAllowedActions("guest", "widget");
       assert actions.contains("get");
       
      Parameters:
      actor - the actor performing the request
      resource - the resource being accessed
      Returns:
      HashSet
      Throws:
      Exceptions.OsoException
    • getAllowedActions

      public HashSet<Object> getAllowedActions(Object actor, Object resource, boolean allowWildcard) throws Exceptions.OsoException
      Deprecated.
      Use `authorizedActions` instead.
      Return the allowed actions for the given actor and resource, if any. Explicitly allow or disallow wildcard actions. If allowed, wildcard actions are represented as "*".
      Parameters:
      actor - the actor performing the request
      resource - the resource being accessed
      allowWildcard - whether or not to allow wildcard actions
      Returns:
      HashSet
      Throws:
      Exceptions.OsoException
    • authorize

      public void authorize(Object actor, Object action, Object resource, boolean checkRead) throws Exceptions.OsoException
      Ensure that `actor` is allowed to perform `action` on `resource`.

      If the action is permitted with an `allow` rule in the policy, then this method returns `None`. If the action is not permitted by the policy, this method will raise an error.

      The error raised by this method depends on whether the actor can perform the `"read"` action on the resource. If they cannot read the resource, then a `NotFoundException` is raised. Otherwise, a `ForbiddenException` is raised.

      Parameters:
      actor - The actor performing the request.
      action - The action the actor is attempting to perform.
      resource - The resource being accessed.
      checkRead - If set to `false`, a `ForbiddenException` is always thrown on authorization failures, regardless of whether the actor can read the resource. Default is `true`.
      Throws:
      Exceptions.OsoException
    • authorize

      public void authorize(Object actor, Object action, Object resource) throws Exceptions.OsoException
      Throws:
      Exceptions.OsoException
    • authorizeRequest

      public void authorizeRequest(Object actor, Object request) throws Exceptions.OsoException
      Ensure that `actor` is allowed to send `request` to the server.

      Checks the `allow_request` rule of a policy.

      If the request is permitted with an `allow_request` rule in the policy, then this method returns nothing. Otherwise, this method raises a `ForbiddenException`.

      Parameters:
      actor - The actor performing the request.
      request - An object representing the request that was sent by the actor.
      Throws:
      Exceptions.OsoException
    • authorizeField

      public void authorizeField(Object actor, Object action, Object resource, Object field) throws Exceptions.OsoException
      Ensure that `actor` is allowed to perform `action` on a given `resource`'s `field`.

      If the action is permitted by an `allow_field` rule in the policy, then this method returns nothing. If the action is not permitted by the policy, this method will raise a `ForbiddenException`.

      Parameters:
      actor - The actor performing the request.
      action - The action the actor is attempting to perform on the field.
      resource - The resource being accessed.
      field - The name of the field being accessed.
      Throws:
      Exceptions.OsoException
    • authorizedActions

      public HashSet<Object> authorizedActions(Object actor, Object resource, boolean allowWildcard) throws Exceptions.OsoException
      Determine the actions `actor` is allowed to take on `resource`.

      Collects all actions allowed by allow rules in the Polar policy for the given combination of actor and resource.

      Parameters:
      actor - The actor for whom to collect allowed actions
      resource - The resource being accessed
      allowWildcard - Flag to determine behavior if the policy includes a wildcard action. E.g., a rule allowing any action: `allow(_actor, _action, _resource)`. If `true`, the method will return `["*"]`, if `false`, the method will raise an exception.
      Returns:
      HashSet A list of the unique allowed actions.
      Throws:
      Exceptions.OsoException
    • authorizedActions

      public HashSet<Object> authorizedActions(Object actor, Object resource) throws Exceptions.OsoException
      Throws:
      Exceptions.OsoException
    • authorizedFields

      public HashSet<Object> authorizedFields(Object actor, Object action, Object resource, boolean allowWildcard) throws Exceptions.OsoException
      Determine the fields of `resource` on which `actor` is allowed to perform `action`.

      Uses `allow_field` rules in the policy to find all allowed fields.

      Parameters:
      actor - The actor for whom to collect allowed fields.
      action - The action being taken on the field.
      resource - The resource being accessed.
      allowWildcard - Flag to determine behavior if the policy \ includes a wildcard field. E.g., a rule allowing any field: \ `allow_field(_actor, _action, _resource, _field)`. If `true`, the \ method will return `["*"]`, if `false`, the method will raise an \ exception.
      Returns:
      HashSet A set of the unique allowed fields.
      Throws:
      Exceptions.OsoException
    • authorizedFields

      public HashSet<Object> authorizedFields(Object actor, Object action, Object resource) throws Exceptions.OsoException
      Throws:
      Exceptions.OsoException