osohq / oso
Oso is a batteries-included framework for building authorization in your application.
Home Page: https://docs.osohq.com
License: Apache License 2.0
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
term is looking for a new maintainer
Details | |
---|---|
Status | unmaintained |
Package | term |
Version | 0.5.2 |
URL | Stebalien/term#93 |
Date | 2018-11-19 |
The author of the `term` crate does not have time to maintain it and is looking for a new maintainer.
Some maintained alternatives you can potentially switch to instead, depending
on your needs:
See advisory page for additional details.
This is an external tracking issue to:
Gauge interest from the community for this feature
Learn about what you'd want to see out of it if we worked on it.
So please:
Upvote the issue if it's important to you, and
Comment with any relevant info on your requirements use cases, etc.
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
Support for exposing custom roles to end users.
It's currently possible to set up a custom role system and dynamically check a user's role(s) in an oso policy.
We've sketched out an example of the above in a Django sample app.
Similar to the built-in roles work available today in the SQLAlchemy integration, we want to provide an out-of-the-box solution for custom roles in all of our language and framework integrations. It will be an extension of the existing roles work in the SQLAlchemy library — likely with a new custom role API for dynamically creating and managing custom roles.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
Include a user group model in the definition of a role, so that roles can be assigned to user groups as well. Build in features for writing role-based policies over groups and relating roles from groups to the users in the group.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
```
$ cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 175 security advisories (from /home/ximon/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (306 crate dependencies)
...
Crate: dirs
Version: 1.0.5
Warning: unmaintained
Title: dirs is unmaintained, use dirs-next instead
Date: 2020-10-16
ID: RUSTSEC-2020-0053
URL: https://rustsec.org/advisories/RUSTSEC-2020-0053
Dependency tree:
dirs 1.0.5
└── term 0.5.2
    ├── lalrpop 0.19.1
    │   ├── polar-core 0.9.0
    │   │   └── oso 0.9.0
...
Crate: term
Version: 0.5.2
Warning: unmaintained
Title: term is looking for a new maintainer
Date: 2018-11-19
ID: RUSTSEC-2018-0015
URL: https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2
├── lalrpop 0.19.1
│   ├── polar-core 0.9.0
│   │   └── oso 0.9.0
```
It could be interesting to have it in Haskell.
For example, to integrate it with an API written using the Yesod framework.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
Tree-sitter is a parser generator tool and an incremental parsing library. It can build a concrete syntax tree for a source file and efficiently update the syntax tree as the source file is edited.
Tree-sitter is currently used by Atom and Neovim (in 0.5).
See https://tree-sitter.github.io/tree-sitter/ for more details
We want to add support for Golang.
It would be great to have an example application for Oso's new Go library. Something similar to https://github.com/osohq/oso-flask-tutorial, which we use for our "Add to your application" guide in Python. We'd like to write a similar guide based on this example Go application.
Hi there
Is OSO a way of handling ABAC (attribute based access control)?
Hi there,
thank you for an interesting library, it's very much appreciated.
I played around with sqlalchemy-oso today and encountered the following bug:
When you create a ResourceRoleModel between a generic "user" model and a resource that is not named "repository", then trying to get all the users for a specific role on a specific resource fails (e.g. `oso_roles.get_resource_users_by_role(db_session, organization, "ADMIN")`):
```
sqlalchemy.exc.InvalidRequestError: Entity '<class 'app.models.organization_role.OrganizationRole'>' has no property 'repository'
```
In this case my resource was named "organization". The expectation was that a list of all users with the role "ADMIN" or an empty list was returned, but an exception was raised.
This is due to the fact that in the function "get_resource_users_by_role" the users query has a "filter_by" with a hardcoded "repository" property.
I can provide a pull request if this is welcome. I verified locally that you can just get the resources name and use that in the filter instead of a hardcoded value.
Let me know what you think.
All the best.
This looks like a great library and I think adding .NET support would be really useful.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
This is an external tracking issue to:
Gauge interest from the community for this feature
Learn about what you'd want to see out of it if we worked on it.
So please:
Upvote the issue if it's important to you, and
Comment with any relevant info on your requirements use cases, etc.
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
When using `?= ...` inline queries to verify that a Polar policy behaves as expected, in the event that a query fails the error message output by Oso doesn't indicate the query that failed but only says "inline query result was false". I encountered this with Oso 0.8.1 for Rust but looking at the code in the `main` branch it seems to be the same:
```rust
fn check_inline_queries(&mut self) -> crate::Result<()> {
    while let Some(q) = self.inner.next_inline_query(false) {
        let query = Query::new(q, self.host.clone());
        match query.collect::<crate::Result<Vec<_>>>() {
            Ok(v) if !v.is_empty() => continue,
            Ok(_) => return lazy_error!("inline query result was false"),
            Err(e) => return lazy_error!("error in inline query: {}", e),
        }
    }
    check_messages!(self.inner);
    Ok(())
}
```
Setting environment variable `POLAR_LOG=1` helps a bit as you can work out the last query that was being executed, but it's not that easy as you have to look at the log statement indentation to try and work out where the start of the query execution was and thus what the root query being executed was.
With `r.rb` as
```ruby
require 'oso'
$polar=<<POLAR
test(b) if
  b = input.foo;
POLAR
input = {"foo" => "baz"}
o = Oso.new
o.load_str($polar)
o.register_constant('input', value: input)
x = Oso::Polar::Variable.new('x')
puts o.query_rule('test', x).force
```
I get the following output when running the script:
```
$ bundle exec ruby ../osoq/r.rb
Singleton variable input is unused or undefined, see <https://docs.oso.dev/using/polar-syntax.html#variables>
002: b = input.foo;
^
{"x"=>"baz"}
```
It seems to work alright, but the warning is wrong?
We want to expose a safe (i.e., sandboxed) way for end users to write custom, dynamic Polar policies.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
oso support for PHP
How can I implement a watcher to detect and update the policy without restarting the server?
`load_str(polar, "role(user, role_name) if user.role = role_name;", "somefile.policy")` does not save to file.
I have background workers updating policies, assigning a role to a user in an organization on user creation.
I need to check newly created users policy.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
When trying to assign a variable in a rule where one list item references an object property, I am running into a syntax parsing error "did not expect to find the token ']' at line X"
```
resource_scope(actor: Person, "read", "Person", filters) if
    filters = ["id", "=", actor.id];
```
The same rule works fine if assigning a dictionary instead of list:
```
resource_scope(actor: Person, "read", "Person", filters) if
    filters = { id: actor.id };
```
As a workaround, the following will parse correctly:
```
resource_scope(actor: Person, "read", "Person", filters) if
    field = actor.id and
    filters = ["id", "=", field];
```
Hi,
Nearly a week ago now v0.11.0 was released according to https://www.osohq.com/post/oso-release-0-11-0 and https://github.com/osohq/oso/releases/tag/v0.11.0, yet the latest release on crates.io is https://crates.io/crates/oso/0.10.1.
Shouldn't 0.11.0 be available via crates.io?
Thanks,
Ximon
Thanks for putting such a compelling library out into the world! As something like this would quickly become part of an application's core infrastructure, the "developer preview" state is slightly concerning as subsequent releases on the way to 1.0 could result in headaches for those using the library.
I was wondering if you could share:
I understand that answers to the above are conjecture, and aren't commitments to a feature-set or timeline. Thanks!
This would address some issues we're having in our Clojurescript / Clojure Apps. Theoretically could wrap the Node/java libraries.
AWS Amplify / AppSync has some really great Authentication / Authorization mechanisms but mostly as primitives. Seems that Oso could level that up quite nicely.
Is there any particular reason why pypi is missing a 32 bit version for windows? I see the 64bit is there and 32 seems to be for all other OS's
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
Cut is pretty meaningless. It's hard for beginning Prolog students to understand. Let's name cut something more meaningful.
I suggest `commit` - "commit to this rule". Alternatives are `found`, `use_rule`, `only`.
The cut-fail pattern is something we can encourage by providing `!, fail` as a primitive.
I suggest `impossible`. Alternatives `give_up`, `abort`, `no`.
A rule like:
```
allow(actor, action, resource: {attr: attr});
```
still matches even if the object passed in as `resource` does not have the `attr` attribute. This has to do with how the library handles `undefined` (it passed it back into Polar instead of treating it as a failed match).
Hi there! It's been fun to play with oso so far. 😃
One observation: the ruby library (probably the other languages as well?) uses JSON to communicate, and running a toy example, I've triggered a case where the trace is responsible for an evaluation that otherwise was successful.
My toy code is `fib`:
```
fib(0, 1) if cut;
fib(1, 1) if cut;
fib(n, a+b) if fib(n-1, a) and fib(n-2, b);
```
running this with `oso fib.polar`, and querying `fib(12, x)`, I get:
```
Traceback (most recent call last):
15: from b/oso:29:in `<main>'
14: from b/oso:29:in `load'
13: from /Users/stephan/Misc/oso/languages/ruby/bin/oso:7:in `<top (required)>'
12: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:96:in `repl'
11: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:96:in `loop'
10: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `block in repl'
9: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `to_a'
8: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `each'
7: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `each'
6: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `each'
5: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/query.rb:115:in `block in start'
4: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/query.rb:115:in `loop'
3: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/query.rb:116:in `block (2 levels) in start'
2: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/ffi/query.rb:60:in `next_event'
1: from /Users/stephan/.rbenv/versions/2.5.3/lib/ruby/2.5.0/json/common.rb:156:in `parse'
/Users/stephan/.rbenv/versions/2.5.3/lib/ruby/2.5.0/json/common.rb:156:in `parse': nesting of 101 is too deep (JSON::NestingError)
```
I've added a `puts event.to_s` in `lib/oso/polar/ffi/query.rb`, and it looks like it's the `trace` that's too deeply nested. (The `Result` bindings are there, so the query was evaluated successfully.)
Skimming the ruby code, I'm not certain that the trace is actually used; however, I've found no way to have `JSON.parse` ignore a certain key.
Related question: have you considered using different formats for this? (Anything well-supported enough across languages, flatbuffers, protobuf, ...) I'd suspect that there's performance wins here... 🤔
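The failure reported above, reproduced without Oso as an added example (not code from the original post or from the Oso project): Ruby's `JSON.parse` enforces `max_nesting` (default 100), so a deep trace fails the whole parse even though the bindings are shallow. The helper names, the event field layout and the 2,000 ceiling are assumptions made for illustration.

```ruby
require 'json'

# Constructed stand-in for a query event: shallow result bindings plus a trace
# nested 3 + 2 * depth levels deep. Field names are assumed, not Oso's format.
def build_event(depth)
  trace = { 'node' => 'leaf' }
  depth.times { trace = { 'node' => 'call', 'children' => [trace] } }
  event = { 'Result' => { 'bindings' => { 'x' => 233 }, 'trace' => trace } }
  # The generator has the same default limit of 100, so lift it to build the sample.
  JSON.generate(event, max_nesting: false)
end

# True when the stock JSON.parse call (max_nesting defaults to 100) rejects the input.
def default_limit_rejects?(raw)
  JSON.parse(raw)
  false
rescue JSON::NestingError
  true
end

# Assumed ceiling. The limit is a guard against pathologically deep input, so it
# is raised to a bounded value here rather than disabled with max_nesting: false.
TRACE_MAX_NESTING = 2_000

# Parse with an explicit limit. Returns [bindings, nil] on success and
# [nil, message] when the limit is exceeded, so an oversized trace becomes a
# handled error instead of an exception escaping the query loop.
def parse_event(raw, max_nesting: TRACE_MAX_NESTING)
  event = JSON.parse(raw, max_nesting: max_nesting)
  [event.fetch('Result').fetch('bindings'), nil]
rescue JSON::NestingError => e
  [nil, e.message]
end

if $PROGRAM_NAME == __FILE__
  deep = build_event(60) # 123 levels, past the default limit
  puts "default parse rejects event: #{default_limit_rejects?(deep)}"
  bindings, err = parse_event(deep)
  puts "bounded parse: bindings=#{bindings.inspect} error=#{err.inspect}"
end
```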
difference is unmaintained
Details | |
---|---|
Status | unmaintained |
Package | difference |
Version | 2.0.0 |
URL | johannhof/difference.rs#45 |
Date | 2020-12-20 |
The author of the `difference` crate is unresponsive.
Maintained alternatives:
See advisory page for additional details.
A TypeORM integration would include support for:
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
`get_allowed_actions()` returns a list of all actions an actor is allowed to take on a resource based on the policy. Currently, this is only implemented in the Python library.
We'd like to add this to the other language libraries:
First reported by @kvokov in bjerkio/nestjs-oso#82.
I believe this is due to setting the `stripInternal` compiler option to `true` as part of #630:
oso/languages/js/tsconfig.build.json
Line 5 in 5d24a1a
Huge thanks to @audiBookning for noticing the difference between the `.d.ts` files included in the `0.9.0` release vs. later releases!
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.
dirs is unmaintained, use dirs-next instead
Details | |
---|---|
Status | unmaintained |
Package | dirs |
Version | 1.0.5 |
URL | https://github.com/dirs-dev/dirs-rs |
Date | 2020-10-16 |
The `dirs` crate is not maintained any more; use `dirs-next` instead.
See advisory page for additional details.
Alice is member at organization-A
Alice is accountant at organization-B
i.e. Alice has multiple roles in multiple domains.
How do I write a policy such that Alice can perform account Action in organization-B but not in organization-A?
I really like how this is well structured. But the backend is written in dotnet core. Are there any examples to add support for c# dotnet core?
Hello there,
I appreciate very much this awesome tool that fits very well with the project I am working on.
I am wondering if there is an integration planned somewhere with the front-end (Angular/TypeScript) side to validate policies.
It could be very powerful to restrict component access based on roles, for example.
Thanks a lot for such an awesome tool and keep going!
I know that it is written in Rust... but the support for Rust is missing? Reading the documentation I can see any Rust type.