Class: Cerbos::Output::CheckResources::Result

Inherits:
Object
  • Object
Defined in:
lib/cerbos/output/check_resources.rb

Overview

The outcome of checking a principal's permissions on a single resource.

Defined Under Namespace

Classes: Metadata, Output, Resource

Instance Attribute Summary

Instance Method Summary

Instance Attribute Details

#actions ⇒ Hash{String => :EFFECT_ALLOW, :EFFECT_DENY} (readonly)

The policy decisions for each action.

Returns:

  • (Hash{String => :EFFECT_ALLOW, :EFFECT_DENY})


# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
  # @!attribute [r] resource
  #   The resource the decisions in this result apply to.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The effect returned for each action, keyed by action name.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Schema validation errors reported for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Extra detail on how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @!attribute [r] outputs
  #   User-defined outputs produced while evaluating policy rules.
  #
  #   @return [Array<Output>]

  # Keeps the old nested constant name usable: looking up `ValidationError` on this class
  # prints a deprecation warning that names the caller, then resolves to the
  # `ValidationError` constant visible from this block. Every other missing constant is
  # handed to `super`.
  #
  # @private
  def self.const_missing(const)
    return super unless const == :ValidationError

    warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
    ValidationError
  end

  # Build a result from a protobuf `entry`, reading its `resource`, `actions`,
  # `validation_errors`, `meta` and `outputs` fields in that order.
  #
  # A `nil` `validation_errors` or `outputs` collection is treated as empty.
  def self.from_protobuf(entry)
    checked_resource = CheckResources::Result::Resource.from_protobuf(entry.resource)
    decisions = entry.actions.to_h
    errors = (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) }
    decision_metadata = CheckResources::Result::Metadata.from_protobuf(entry.meta)
    rule_outputs = (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }

    new(
      resource: checked_resource,
      actions: decisions,
      validation_errors: errors,
      metadata: decision_metadata,
      outputs: rule_outputs
    )
  end

  # Tell whether the policy decision for one action on this resource was allow.
  #
  # An action that is missing from {#actions} gives `nil`, not `false`. Both are falsy, so
  # `if result.allow?(...)` treats a missing action like a deny; a comparison such as
  # `== false` does not.
  #
  # @param action [String] the action name to look up.
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    effect = actions[action]
    return nil if effect.nil?

    effect.eql?(:EFFECT_ALLOW)
  end

  # Tell whether every action in the results was allowed for this resource.
  #
  # Only the entries present in {#actions} are inspected. An empty hash yields `true`,
  # because no entry differs from `:EFFECT_ALLOW`; use {#allow?} when a specific action
  # must have been evaluated.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.none? { |effect| effect != :EFFECT_ALLOW }
  end

  # Collect the names of the actions whose decision was allow.
  #
  # @return [Array<String>] empty when nothing was allowed.
  def allowed_actions
    actions.select { |_action, effect| effect == :EFFECT_ALLOW }.keys
  end

  # Look up the user-defined output value produced by a particular policy rule.
  #
  # When several outputs share the same source, the first one in {#outputs} is used.
  #
  # @param source [String] the identifier of the policy rule that produced the output.
  # @return [String, Numeric, Boolean, Array, Hash, nil]
  # @return [nil] if the result does not include an output for the source.
  def output(source)
    match = outputs.find { |candidate| candidate.source == source }
    match&.value
  end
end

#metadata ⇒ Metadata? (readonly)

Additional information about how the policy decisions were reached.

Returns:

  • (Metadata)
  • (nil)

    if include_metadata was false.



# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
  # @!attribute [r] resource
  #   The resource the decisions in this result apply to.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The effect returned for each action, keyed by action name.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Schema validation errors reported for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Extra detail on how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @!attribute [r] outputs
  #   User-defined outputs produced while evaluating policy rules.
  #
  #   @return [Array<Output>]

  # Keeps the old nested constant name usable: looking up `ValidationError` on this class
  # prints a deprecation warning that names the caller, then resolves to the
  # `ValidationError` constant visible from this block. Every other missing constant is
  # handed to `super`.
  #
  # @private
  def self.const_missing(const)
    return super unless const == :ValidationError

    warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
    ValidationError
  end

  # Build a result from a protobuf `entry`, reading its `resource`, `actions`,
  # `validation_errors`, `meta` and `outputs` fields in that order.
  #
  # A `nil` `validation_errors` or `outputs` collection is treated as empty.
  def self.from_protobuf(entry)
    checked_resource = CheckResources::Result::Resource.from_protobuf(entry.resource)
    decisions = entry.actions.to_h
    errors = (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) }
    decision_metadata = CheckResources::Result::Metadata.from_protobuf(entry.meta)
    rule_outputs = (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }

    new(
      resource: checked_resource,
      actions: decisions,
      validation_errors: errors,
      metadata: decision_metadata,
      outputs: rule_outputs
    )
  end

  # Tell whether the policy decision for one action on this resource was allow.
  #
  # An action that is missing from {#actions} gives `nil`, not `false`. Both are falsy, so
  # `if result.allow?(...)` treats a missing action like a deny; a comparison such as
  # `== false` does not.
  #
  # @param action [String] the action name to look up.
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    effect = actions[action]
    return nil if effect.nil?

    effect.eql?(:EFFECT_ALLOW)
  end

  # Tell whether every action in the results was allowed for this resource.
  #
  # Only the entries present in {#actions} are inspected. An empty hash yields `true`,
  # because no entry differs from `:EFFECT_ALLOW`; use {#allow?} when a specific action
  # must have been evaluated.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.none? { |effect| effect != :EFFECT_ALLOW }
  end

  # Collect the names of the actions whose decision was allow.
  #
  # @return [Array<String>] empty when nothing was allowed.
  def allowed_actions
    actions.select { |_action, effect| effect == :EFFECT_ALLOW }.keys
  end

  # Look up the user-defined output value produced by a particular policy rule.
  #
  # When several outputs share the same source, the first one in {#outputs} is used.
  #
  # @param source [String] the identifier of the policy rule that produced the output.
  # @return [String, Numeric, Boolean, Array, Hash, nil]
  # @return [nil] if the result does not include an output for the source.
  def output(source)
    match = outputs.find { |candidate| candidate.source == source }
    match&.value
  end
end

#outputs ⇒ Array<Output> (readonly)

User-defined outputs from policy rule evaluations.

Returns:

  • (Array<Output>)


# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
  # @!attribute [r] resource
  #   The resource the decisions in this result apply to.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The effect returned for each action, keyed by action name.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Schema validation errors reported for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Extra detail on how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @!attribute [r] outputs
  #   User-defined outputs produced while evaluating policy rules.
  #
  #   @return [Array<Output>]

  # Keeps the old nested constant name usable: looking up `ValidationError` on this class
  # prints a deprecation warning that names the caller, then resolves to the
  # `ValidationError` constant visible from this block. Every other missing constant is
  # handed to `super`.
  #
  # @private
  def self.const_missing(const)
    return super unless const == :ValidationError

    warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
    ValidationError
  end

  # Build a result from a protobuf `entry`, reading its `resource`, `actions`,
  # `validation_errors`, `meta` and `outputs` fields in that order.
  #
  # A `nil` `validation_errors` or `outputs` collection is treated as empty.
  def self.from_protobuf(entry)
    checked_resource = CheckResources::Result::Resource.from_protobuf(entry.resource)
    decisions = entry.actions.to_h
    errors = (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) }
    decision_metadata = CheckResources::Result::Metadata.from_protobuf(entry.meta)
    rule_outputs = (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }

    new(
      resource: checked_resource,
      actions: decisions,
      validation_errors: errors,
      metadata: decision_metadata,
      outputs: rule_outputs
    )
  end

  # Tell whether the policy decision for one action on this resource was allow.
  #
  # An action that is missing from {#actions} gives `nil`, not `false`. Both are falsy, so
  # `if result.allow?(...)` treats a missing action like a deny; a comparison such as
  # `== false` does not.
  #
  # @param action [String] the action name to look up.
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    effect = actions[action]
    return nil if effect.nil?

    effect.eql?(:EFFECT_ALLOW)
  end

  # Tell whether every action in the results was allowed for this resource.
  #
  # Only the entries present in {#actions} are inspected. An empty hash yields `true`,
  # because no entry differs from `:EFFECT_ALLOW`; use {#allow?} when a specific action
  # must have been evaluated.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.none? { |effect| effect != :EFFECT_ALLOW }
  end

  # Collect the names of the actions whose decision was allow.
  #
  # @return [Array<String>] empty when nothing was allowed.
  def allowed_actions
    actions.select { |_action, effect| effect == :EFFECT_ALLOW }.keys
  end

  # Look up the user-defined output value produced by a particular policy rule.
  #
  # When several outputs share the same source, the first one in {#outputs} is used.
  #
  # @param source [String] the identifier of the policy rule that produced the output.
  # @return [String, Numeric, Boolean, Array, Hash, nil]
  # @return [nil] if the result does not include an output for the source.
  def output(source)
    match = outputs.find { |candidate| candidate.source == source }
    match&.value
  end
end

#resource ⇒ Resource (readonly)

The resource that was checked.

Returns:

  • (Resource)


# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
  # @!attribute [r] resource
  #   The resource the decisions in this result apply to.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The effect returned for each action, keyed by action name.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Schema validation errors reported for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Extra detail on how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @!attribute [r] outputs
  #   User-defined outputs produced while evaluating policy rules.
  #
  #   @return [Array<Output>]

  # Keeps the old nested constant name usable: looking up `ValidationError` on this class
  # prints a deprecation warning that names the caller, then resolves to the
  # `ValidationError` constant visible from this block. Every other missing constant is
  # handed to `super`.
  #
  # @private
  def self.const_missing(const)
    return super unless const == :ValidationError

    warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
    ValidationError
  end

  # Build a result from a protobuf `entry`, reading its `resource`, `actions`,
  # `validation_errors`, `meta` and `outputs` fields in that order.
  #
  # A `nil` `validation_errors` or `outputs` collection is treated as empty.
  def self.from_protobuf(entry)
    checked_resource = CheckResources::Result::Resource.from_protobuf(entry.resource)
    decisions = entry.actions.to_h
    errors = (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) }
    decision_metadata = CheckResources::Result::Metadata.from_protobuf(entry.meta)
    rule_outputs = (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }

    new(
      resource: checked_resource,
      actions: decisions,
      validation_errors: errors,
      metadata: decision_metadata,
      outputs: rule_outputs
    )
  end

  # Tell whether the policy decision for one action on this resource was allow.
  #
  # An action that is missing from {#actions} gives `nil`, not `false`. Both are falsy, so
  # `if result.allow?(...)` treats a missing action like a deny; a comparison such as
  # `== false` does not.
  #
  # @param action [String] the action name to look up.
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    effect = actions[action]
    return nil if effect.nil?

    effect.eql?(:EFFECT_ALLOW)
  end

  # Tell whether every action in the results was allowed for this resource.
  #
  # Only the entries present in {#actions} are inspected. An empty hash yields `true`,
  # because no entry differs from `:EFFECT_ALLOW`; use {#allow?} when a specific action
  # must have been evaluated.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.none? { |effect| effect != :EFFECT_ALLOW }
  end

  # Collect the names of the actions whose decision was allow.
  #
  # @return [Array<String>] empty when nothing was allowed.
  def allowed_actions
    actions.select { |_action, effect| effect == :EFFECT_ALLOW }.keys
  end

  # Look up the user-defined output value produced by a particular policy rule.
  #
  # When several outputs share the same source, the first one in {#outputs} is used.
  #
  # @param source [String] the identifier of the policy rule that produced the output.
  # @return [String, Numeric, Boolean, Array, Hash, nil]
  # @return [nil] if the result does not include an output for the source.
  def output(source)
    match = outputs.find { |candidate| candidate.source == source }
    match&.value
  end
end

#validation_errors ⇒ Array<ValidationError> (readonly)

Any schema validation errors for the principal or resource attributes.

Returns:

  • (Array<ValidationError>)


# File 'lib/cerbos/output/check_resources.rb', line 76

CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
  # @!attribute [r] resource
  #   The resource the decisions in this result apply to.
  #
  #   @return [Resource]

  # @!attribute [r] actions
  #   The effect returned for each action, keyed by action name.
  #
  #   @return [Hash{String => :EFFECT_ALLOW, :EFFECT_DENY}]

  # @!attribute [r] validation_errors
  #   Schema validation errors reported for the principal or resource attributes.
  #
  #   @return [Array<ValidationError>]

  # @!attribute [r] metadata
  #   Extra detail on how the policy decisions were reached.
  #
  #   @return [Metadata]
  #   @return [nil] if `include_metadata` was `false`.

  # @!attribute [r] outputs
  #   User-defined outputs produced while evaluating policy rules.
  #
  #   @return [Array<Output>]

  # Keeps the old nested constant name usable: looking up `ValidationError` on this class
  # prints a deprecation warning that names the caller, then resolves to the
  # `ValidationError` constant visible from this block. Every other missing constant is
  # handed to `super`.
  #
  # @private
  def self.const_missing(const)
    return super unless const == :ValidationError

    warn "#{name}::ValidationError is deprecated; use #{ValidationError.name} instead (called from #{caller(1..1).first})"
    ValidationError
  end

  # Build a result from a protobuf `entry`, reading its `resource`, `actions`,
  # `validation_errors`, `meta` and `outputs` fields in that order.
  #
  # A `nil` `validation_errors` or `outputs` collection is treated as empty.
  def self.from_protobuf(entry)
    checked_resource = CheckResources::Result::Resource.from_protobuf(entry.resource)
    decisions = entry.actions.to_h
    errors = (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) }
    decision_metadata = CheckResources::Result::Metadata.from_protobuf(entry.meta)
    rule_outputs = (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }

    new(
      resource: checked_resource,
      actions: decisions,
      validation_errors: errors,
      metadata: decision_metadata,
      outputs: rule_outputs
    )
  end

  # Tell whether the policy decision for one action on this resource was allow.
  #
  # An action that is missing from {#actions} gives `nil`, not `false`. Both are falsy, so
  # `if result.allow?(...)` treats a missing action like a deny; a comparison such as
  # `== false` does not.
  #
  # @param action [String] the action name to look up.
  # @return [Boolean]
  # @return [nil] if the action is not present in the results.
  def allow?(action)
    effect = actions[action]
    return nil if effect.nil?

    effect.eql?(:EFFECT_ALLOW)
  end

  # Tell whether every action in the results was allowed for this resource.
  #
  # Only the entries present in {#actions} are inspected. An empty hash yields `true`,
  # because no entry differs from `:EFFECT_ALLOW`; use {#allow?} when a specific action
  # must have been evaluated.
  #
  # @return [Boolean]
  def allow_all?
    actions.each_value.none? { |effect| effect != :EFFECT_ALLOW }
  end

  # Collect the names of the actions whose decision was allow.
  #
  # @return [Array<String>] empty when nothing was allowed.
  def allowed_actions
    actions.select { |_action, effect| effect == :EFFECT_ALLOW }.keys
  end

  # Look up the user-defined output value produced by a particular policy rule.
  #
  # When several outputs share the same source, the first one in {#outputs} is used.
  #
  # @param source [String] the identifier of the policy rule that produced the output.
  # @return [String, Numeric, Boolean, Array, Hash, nil]
  # @return [nil] if the result does not include an output for the source.
  def output(source)
    match = outputs.find { |candidate| candidate.source == source }
    match&.value
  end
end

Instance Method Details

#allow?(action) ⇒ Boolean?

Check if the policy decision was that a given action should be allowed for the resource.

Returns:

  • (Boolean)
  • (nil)

    if the action is not present in the results.



# File 'lib/cerbos/output/check_resources.rb', line 127

# Tell whether the policy decision for one action was allow.
#
# An action missing from `actions` gives `nil`, not `false`. Both are falsy, so
# `if result.allow?(...)` treats a missing action like a deny; `== false` does not.
#
# @param action [String] the action name to look up.
# @return [Boolean]
# @return [nil] if the action is not present in the results.
def allow?(action)
  effect = actions[action]
  return nil if effect.nil?

  effect.eql?(:EFFECT_ALLOW)
end

#allow_all? ⇒ Boolean

Check if the policy decision was that all input actions should be allowed for the resource.

Returns:

  • (Boolean)


# File 'lib/cerbos/output/check_resources.rb', line 134

# Tell whether every action in the results was allowed for the resource.
#
# Only the entries present in `actions` are inspected. An empty hash yields `true`,
# because no entry differs from `:EFFECT_ALLOW`; use `allow?` when a specific action
# must have been evaluated.
#
# @return [Boolean]
def allow_all?
  actions.each_value.none? { |effect| effect != :EFFECT_ALLOW }
end

#allowed_actions ⇒ Array<String>

List the actions that should be allowed for the resource.

Returns:

  • (Array<String>)


# File 'lib/cerbos/output/check_resources.rb', line 141

# Collect the names of the actions whose decision was allow.
#
# @return [Array<String>] empty when nothing was allowed.
def allowed_actions
  actions.select { |_action, effect| effect == :EFFECT_ALLOW }.keys
end

#output(source) ⇒ String, ...

Find the value of the user-defined output for a particular policy rule.

Parameters:

  • source (String)

    the identifier of the policy rule that produced the output.

Returns:

  • (String, Numeric, Boolean, Array, Hash, nil)
  • (nil)

    if the result does not include an output for the source.



# File 'lib/cerbos/output/check_resources.rb', line 150

# Look up the user-defined output value produced by a particular policy rule.
#
# When several outputs share the same source, the first one in `outputs` is used.
#
# @param source [String] the identifier of the policy rule that produced the output.
# @return [String, Numeric, Boolean, Array, Hash, nil]
# @return [nil] if the result does not include an output for the source.
def output(source)
  match = outputs.find { |candidate| candidate.source == source }
  match&.value
end