Class AWSVerifiedPermissionsManager

Hierarchy

Constructors

constructor

Properties

_cedarEndpoint? _entityDataEndpoint? _isAuthorizedEndpoint? _policyEndpoint? _policyStoreId _policyStoreRegion _roleEdges? schemaManager

Methods

_buildCedarQuery _buildEntityData _buildPrincipalAttributes _buildPrincipalData _buildPrincipalParents _buildResourceAttributes _buildResourceData _buildResourceParents _getExistingPrincipalAttributes _getExistingResourceAttributes _getGroupHierarchy _getGroups _getNewResourceAttributes _getRoles _runCedarPolicyCheck compareAuthorisationDecision convertEntityData convertValue fetchVertex isAuthorisedToCreateEdge isAuthorisedToCreateVertex isAuthorisedToDeleteEdge isAuthorisedToDeleteVertex isAuthorisedToPerformAction isAuthorisedToUpdateEdge isAuthorisedToUpdateVertex

Constructors

constructor

Properties

Protected Optional _cedarEndpoint

_cedarEndpoint?: string

Protected Optional _entityDataEndpoint

_entityDataEndpoint?: string

Protected Optional _isAuthorizedEndpoint

_isAuthorizedEndpoint?: string

Protected Optional _policyEndpoint

_policyEndpoint?: string

Protected _policyStoreId

_policyStoreId: string

Protected _policyStoreRegion

_policyStoreRegion: string

Protected Optional _roleEdges

_roleEdges?: string

Protected schemaManager

schemaManager: SchemaManager

Methods

_buildCedarQuery

  • _buildCedarQuery(principal: Object, action: String, resource: Object): Object

  • This method builds and returns a Cedar query object.

    Returns

    a Cedar query object.

    Parameters

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • action: String

      The action in the authorisatiton request. This is the verb; what the principal wants to do to the resource.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    Returns Object

_buildEntityData

  • _buildEntityData(context: KosmosUserContext<object> & {
        src?: string;
    }, principal: Object, resource: Object, sourceVertex: undefined | Object, destinationVertex: undefined | Object, requestData: undefined | Object, connectToVertices: undefined | ConnectionToAdd[], dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to build the entity data object which will be sent to Verified Permissions

    Returns

    The complete entity data object formatted for Verified Permissions.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • sourceVertex: undefined | Object
    • destinationVertex: undefined | Object
    • requestData: undefined | Object

      The data included in the original request being handled.

    • connectToVertices: undefined | ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_buildPrincipalAttributes

_buildPrincipalData

_buildPrincipalParents

_buildResourceAttributes

  • _buildResourceAttributes(context: KosmosUserContext<object> & {
        src?: string;
    }, resource: Object, requestData: undefined | Object, connectToVertices: undefined | ConnectionToAdd[], dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to build the resource entity "attributes" object. Attributes can be "existing" (already exist in storage) or "new" (being added by the current request).

    Returns

    An entity attributes object.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • resource: Object

      The resource object.

    • requestData: undefined | Object

      The data included in the original request being handled.

    • connectToVertices: undefined | ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_buildResourceData

  • _buildResourceData(context: KosmosUserContext<object> & {
        src?: string;
    }, resource: Object, sourceVertex: undefined | Object, destinationVertex: undefined | Object, requestData: undefined | Object, connectToVertices: undefined | ConnectionToAdd[], dataSourceWrapper: DataSourceWrapper, useEntityTypeAsCedarId?: boolean): Promise<any>

  • This method is used to build the resource's entity data object which will be sent to cedar

    Returns

    The resource's entity data object.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • sourceVertex: undefined | Object
    • destinationVertex: undefined | Object
    • requestData: undefined | Object

      The data included in the original request being handled.

    • connectToVertices: undefined | ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    • useEntityTypeAsCedarId: boolean = true

    Returns Promise<any>

_buildResourceParents

_getExistingPrincipalAttributes

_getExistingResourceAttributes

_getGroupHierarchy

_getGroups

_getNewResourceAttributes

  • _getNewResourceAttributes(context: KosmosUserContext<object> & {
        src?: string;
    }, requestData: undefined | Object, connectToVertices: undefined | ConnectionToAdd[], dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to get a resource's "new" attributes. Attributes can be "existing" (already exist in storage) or "new" (being added by the current request).

    Returns

    An entity attributes object containing "new" attributes.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • requestData: undefined | Object

      The data included in the original request being handled.

    • connectToVertices: undefined | ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_getRoles

_runCedarPolicyCheck

  • _runCedarPolicyCheck(principal: Object, action: string, resource: Object, entityData: any): Promise<any>

  • This method is used to run the cedar policy check.

    Preloading entity data is required for cedar-agent. However, for AWS Verified permissions, entity data is included in a single authorisation request.

    Returns

    Cedar's authorisation result: returns true for 'ALLOW' and false for 'DENY'.

    Parameters

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • action: string

      The action that the principal wants to perform on the resource.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • entityData: any

      The entity data object which includes additional info for the request such as principal/resource data.

    Returns Promise<any>

compareAuthorisationDecision

  • This method compares the authorisation results from Cedar & Kosmos and logs a mismatch as an error.

    Returns

    The comparison result: either true for a match or false for a mismatch.

    Parameters

    • cedarAccessDecision: CedarAccessDecision

      The decision from Cedar: true for 'Allow' and false for 'Deny'.

    • kosmosAccessDecision: boolean

      The decision from Kosmos: true for 'Allow' and false for 'Deny'.

    Returns boolean

convertEntityData

  • Verified Permissions requires the entity data to be in a specific format which is different to cedar-agent. This function converts the cedar-agent entity data into the format required by Verified Permissions.

    Parameters

    • cedarEntityData: CedarEntityDataObject[]

    Returns VerifiedPermissionsEntityDataObject[]

convertValue

  • This is a helper function used by convertEntityData() to recursively convert values based on their type and nesting

    Parameters

    • value: any

    Returns ConvertedValue

fetchVertex

isAuthorisedToCreateEdge

  • This method is used to authorise a create edge request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the edge entity being acted on.

    • sourceVertex: Object

      The source vertex involved in the relationship being deleted.

    • destinationVertex: Object

      The destination vertex involved in the relationship being deleted.

    • properties: Object

      The edge property data included in the original request being handled.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    • connectToVertices: never[] = []

    Returns Promise<any>

isAuthorisedToCreateVertex

  • This method is used to authorise a create request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • requestData: Object

      The data included in the original request being handled.

    • connectToVertices: ConnectionToAdd[]
    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

isAuthorisedToDeleteEdge

  • This method is used to authorise a delete edge request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the edge entity being acted on.

    • sourceVertex: Object

      The source vertex involved in the relationship being deleted.

    • destinationVertex: Object

      The destination vertex involved in the relationship being deleted.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    • connectToVertices: never[] = []

      The Kosmos connectToVertices array.

    Returns Promise<any>

isAuthorisedToDeleteVertex

  • This method is used to authorise a delete request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<boolean>

isAuthorisedToPerformAction

  • This method is used to authorise any custom actions outside of the standard CRUD on vertices and edges. E.g. the "UpdateSynonyms" action.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • action: string

      The action that the principal wants to perform on the resource.

    • resource: Object

      The resource in the authorisation request. This is the edge entity being acted on.

    • requestData: Object

      Any additional request data relevant to the authorisation decision.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

isAuthorisedToUpdateEdge

  • This method is used to authorise a an update edge (properties) request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the edge entity being acted on.

    • sourceVertex: Object

      The source vertex involved in the relationship being deleted.

    • destinationVertex: Object

      The destination vertex involved in the relationship being deleted.

    • properties: Object

      The edge property data included in the original request being handled.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

isAuthorisedToUpdateVertex

  • This method is used to authorise an update request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • requestData: Object

      The data included in the original request being handled.

    • connectToVertices: ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<boolean>

Settings

Member Visibility

Theme

Generated using TypeDoc