Quickstart

This guide will walk you through your first change to an Oso policy file. There are three steps:

  1. Download a minimal Ruby starter project that’s already integrated with Oso.
  2. Run the server and visit the app in your browser.
  3. Make a small change to the policy to allow a new type of access.

1. Clone the repo and install dependencies

First, clone the Ruby quickstart repo, and install the dependencies:

git clone https://github.com/osohq/oso-ruby-quickstart.git
cd oso-ruby-quickstart
bundle install

2. Run the server

With the dependencies installed, you should be ready to start the server:

bundle exec ruby server.rb

If all is well, the server should be listening on port 5000.

Visit http://localhost:5000/repo/gmail in your browser. You should see a successful response, indicating that you have access to the gmail repo.

To see an unsuccessful response, visit http://localhost:5000/repo/react. You’ll see an error: Repo named react was not found. There actually is a repo named react, but you don’t have access to it. Let’s fix that now.

3. Update the policy

In main.polar, add the following two lines to define a new “rule.” This rule will allow any “actor” (or user) to perform the "read" action on a repository if that repository is marked as is_public.

main.polar
actor User {}

resource Repository {
  permissions = ["read", "push", "delete"];
  roles = ["contributor", "maintainer", "admin"];

  "read" if "contributor";
  "push" if "maintainer";
  "delete" if "admin";

  "maintainer" if "admin";
  "contributor" if "maintainer";
}

# This rule tells Oso how to fetch roles for a repository
has_role(actor: User, role_name: String, repository: Repository) if
  role in actor.roles and
  role_name = role.name and
  repository = role.repository;

has_permission(_actor: User, "read", repository: Repository) if
  repository.is_public;

allow(actor, action, resource) if
  has_permission(actor, action, resource);

Restart the server, and again visit http://localhost:5000/repo/react. Now, you’ll see a successful response:

A
200 response from /repo/react

What just happened?

The quickstart server uses an Oso policy to make sure users are allowed to view repos. The call to OSO.authorize() in server.rb performs this check in the /repo/:name route. If the user does not have access to a repository, an error response is returned to them.

In this case, the repo with the name react is public because of its definition in the models.rb file, so it should be accessible to everyone. By making the change to main.polar, you told Oso to allow users to "read" repositories that have the is_public field set to true.

That way, when you visited the react repo in your browser, Oso determined that the action was permitted!

Check out the full code for the example below:

server.rb
# frozen_string_literal: true

require 'oso'
require 'sinatra'

require_relative 'models'

OSO = Oso.new

OSO.register_class(User)
OSO.register_class(Repository)

OSO.load_files(["main.polar"])

get '/repo/:name' do
  repo = Repository.get_by_name(params['name'])

  begin
    OSO.authorize(User.get_current_user, "read", repo)
    "<h1>A Repo</h1><p>Welcome to repo #{repo.name}</p>"
  rescue Oso::NotFoundError
    status 404
    "<h1>Whoops!</h1><p>Repo named #{params['name']} was not found</p>"
  end
end

set :port, 5000
models.rb
class Repository
  attr_reader :name, :is_public

  def initialize(name, is_public: false)
    @name  = name
    @is_public = is_public
  end

  def self.get_by_name(name)
    REPOS_DB[name]
  end
end

REPOS_DB = {
  "gmail" => Repository.new("gmail"),
  "react" => Repository.new("react", is_public: true),
  "oso" => Repository.new("oso")
}

class Role
  attr_reader :name, :repository

  def initialize(name, repository)
    @name  = name
    @repository = repository
  end
end

class User
  attr_reader :roles

  def initialize(roles)
    @roles = roles
  end

  def self.get_current_user
    puts USERS_DB
    USERS_DB['larry']
  end
end

USERS_DB = {
  "larry" => User.new([Role.new("admin", REPOS_DB["gmail"])]),
  "anne" => User.new([Role.new("maintainer", REPOS_DB["react"])]),
  "graham" => User.new([Role.new("contributor", REPOS_DB["oso"])]),
}

Want to talk it through?

If you have any questions, are getting stuck, or just want to talk something through, jump into Slack and an engineer from the core team (or one of the hundreds of developers in the growing community) will help you out.


Was this page useful?