Class CedarPermissionsManager

Hierarchy

Implements

Constructors

constructor

Properties

_cedarEndpoint? _entityDataEndpoint? _isAuthorizedEndpoint? _policyEndpoint? _roleEdges? schemaManager

Methods

_buildCedarQuery _buildEntityData _buildPrincipalAttributes _buildPrincipalData _buildPrincipalParents _buildResourceAttributes _buildResourceData _buildResourceParents _getExistingPrincipalAttributes _getExistingResourceAttributes _getGroupHierarchy _getGroups _getNewResourceAttributes _getRoles _runCedarPolicyCheck compareAuthorisationDecision fetchVertex isAuthorisedToCreateEdge isAuthorisedToCreateVertex isAuthorisedToDeleteEdge isAuthorisedToDeleteVertex isAuthorisedToPerformAction isAuthorisedToUpdateEdge isAuthorisedToUpdateVertex

Constructors

constructor

Properties

Protected Optional _cedarEndpoint

_cedarEndpoint?: string

Protected Optional _entityDataEndpoint

_entityDataEndpoint?: string

Protected Optional _isAuthorizedEndpoint

_isAuthorizedEndpoint?: string

Protected Optional _policyEndpoint

_policyEndpoint?: string

Protected Optional _roleEdges

_roleEdges?: string

Protected schemaManager

schemaManager: SchemaManager

Methods

_buildCedarQuery

  • _buildCedarQuery(principal: Object, action: String, resource: Object): Object

  • This method builds and returns a Cedar query object.

    Returns

    a Cedar query object.

    Parameters

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • action: String

      The action in the authorisatiton request. This is the verb; what the principal wants to do to the resource.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    Returns Object

_buildEntityData

  • _buildEntityData(context: KosmosUserContext<object> & {
        src?: string;
    }, principal: Object, resource: Object, sourceVertex: undefined | Object, destinationVertex: undefined | Object, requestData: undefined | Object, connectToVertices: undefined | ConnectionToAdd[], dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to build the entity data object which will be sent to cedar

    Returns

    The complete entity data object formatted for Cedar.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • sourceVertex: undefined | Object
    • destinationVertex: undefined | Object
    • requestData: undefined | Object

      The data included in the original request being handled.

    • connectToVertices: undefined | ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_buildPrincipalAttributes

  • _buildPrincipalAttributes(context: KosmosUserContext<object> & {
        src?: string;
    }, principal: Object, dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to build the principal entity "attributes" object. Attributes can be "existing" (already exist in storage) or "new" (being added by the current request).

    Returns

    An entity attributes object.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal object.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_buildPrincipalData

  • _buildPrincipalData(context: KosmosUserContext<object> & {
        src?: string;
    }, principal: Object, dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to build the principal's entity data object which will be sent to cedar

    Returns

    The principal's entity data object.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_buildPrincipalParents

  • _buildPrincipalParents(context: KosmosUserContext<object> & {
        src?: string;
    }, principal: Object, dataSourceWrapper: DataSourceWrapper): Promise<ParentItem[]>

  • This method is used to build the principal entity "parents" object.

    Returns

    An entity parents array.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal object.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<ParentItem[]>

_buildResourceAttributes

  • _buildResourceAttributes(context: KosmosUserContext<object> & {
        src?: string;
    }, resource: Object, requestData: undefined | Object, connectToVertices: undefined | ConnectionToAdd[], dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to build the resource entity "attributes" object. Attributes can be "existing" (already exist in storage) or "new" (being added by the current request).

    Returns

    An entity attributes object.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • resource: Object

      The resource object.

    • requestData: undefined | Object

      The data included in the original request being handled.

    • connectToVertices: undefined | ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_buildResourceData

  • _buildResourceData(context: KosmosUserContext<object> & {
        src?: string;
    }, resource: Object, sourceVertex: undefined | Object, destinationVertex: undefined | Object, requestData: undefined | Object, connectToVertices: undefined | ConnectionToAdd[], dataSourceWrapper: DataSourceWrapper, useEntityTypeAsCedarId?: boolean): Promise<any>

  • This method is used to build the resource's entity data object which will be sent to cedar

    Returns

    The resource's entity data object.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • sourceVertex: undefined | Object
    • destinationVertex: undefined | Object
    • requestData: undefined | Object

      The data included in the original request being handled.

    • connectToVertices: undefined | ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    • useEntityTypeAsCedarId: boolean = true

    Returns Promise<any>

_buildResourceParents

  • _buildResourceParents(): Promise<ParentItem[]>

  • This method is used to build the resource entity "parents" object. Currently if we're handling a resource, we don't need to fetch any parents (this could change in the future).

    Returns

    An empty parents array.

    Returns Promise<ParentItem[]>

_getExistingPrincipalAttributes

  • _getExistingPrincipalAttributes(context: KosmosUserContext<object> & {
        src?: string;
    }, entity: Object, dataSourceWrapper: DataSourceWrapper): Promise<Object>

  • This method is used to get a principal's "existing" attributes from storage. Attributes can be "existing" (already exist in storage) or "new" (being added by the current request).

    Returns

    An entity attributes object containing "existing" attributes.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • entity: Object
    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<Object>

_getExistingResourceAttributes

  • _getExistingResourceAttributes(context: KosmosUserContext<object> & {
        src?: string;
    }, entity: Object, dataSourceWrapper: DataSourceWrapper): Promise<Object>

  • This method is used to get a resource's "existing" attributes from storage. Attributes can be "existing" (already exist in storage) or "new" (being added by the current request).

    Returns

    An entity attributes object containing "existing" attributes.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • entity: Object
    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<Object>

_getGroupHierarchy

  • _getGroupHierarchy(context: KosmosUserContext<object> & {
        src?: string;
    }, entityId: string, entityType: string, dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to get the full group hierarchy for a given entity.

    Returns

    an object containing a groupHierarcy array.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • entityId: string

      The ID of the entity to get the group hierarchy for.

    • entityType: string
    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_getGroups

  • _getGroups(context: KosmosUserContext<object> & {
        src?: string;
    }, entityId: string, dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to get group memberships (including membership roles) for an entity.

    Returns

    an object containing group membership

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • entityId: string

      The ID of the entity to get group membership for.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_getNewResourceAttributes

  • _getNewResourceAttributes(context: KosmosUserContext<object> & {
        src?: string;
    }, requestData: undefined | Object, connectToVertices: undefined | ConnectionToAdd[], dataSourceWrapper: DataSourceWrapper): Promise<any>

  • This method is used to get a resource's "new" attributes. Attributes can be "existing" (already exist in storage) or "new" (being added by the current request).

    Returns

    An entity attributes object containing "new" attributes.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • requestData: undefined | Object

      The data included in the original request being handled.

    • connectToVertices: undefined | ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

_getRoles

_runCedarPolicyCheck

  • _runCedarPolicyCheck(principal: Object, action: string, resource: Object, entityData: any, cedarQuery: any): Promise<boolean>

  • This method is used to run the cedar policy check. The entity data is preloaded in cedar as the initial step. Then we check to see if the principal is authorised to perform the action on the resource.

    Preloading entity data is required for cedar-agent. However, for AWS Verified permissions, entity data is included in a single authorisation request.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • action: string

      The action that the principal wants to perform on the resource.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • entityData: any

      The entity data object which includes additional info for the request such as principal/resource data.

    • cedarQuery: any

      The formatted query (principal, action, resource) for Cedar to authorise.

    Returns Promise<boolean>

compareAuthorisationDecision

  • This method compares the authorisation results from Cedar & Kosmos and logs a mismatch as an error.

    Returns

    The comparison result: either true for a match or false for a mismatch.

    Parameters

    • cedarAccessDecision: CedarAccessDecision

      The decision from Cedar: true for 'Allow' and false for 'Deny'.

    • kosmosAccessDecision: boolean

      The decision from Kosmos: true for 'Allow' and false for 'Deny'.

    Returns boolean

fetchVertex

isAuthorisedToCreateEdge

  • This method is used to authorise a create edge request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the edge entity being acted on.

    • sourceVertex: Object

      The source vertex involved in the relationship being deleted.

    • destinationVertex: Object

      The destination vertex involved in the relationship being deleted.

    • properties: Object

      The edge property data included in the original request being handled.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    • connectToVertices: never[] = []

    Returns Promise<any>

isAuthorisedToCreateVertex

  • This method is used to authorise a create request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • requestData: Object

      The data included in the original request being handled.

    • connectToVertices: ConnectionToAdd[]
    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

isAuthorisedToDeleteEdge

  • This method is used to authorise a delete edge request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the edge entity being acted on.

    • sourceVertex: Object

      The source vertex involved in the relationship being deleted.

    • destinationVertex: Object

      The destination vertex involved in the relationship being deleted.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    • connectToVertices: never[] = []

      The Kosmos connectToVertices array.

    Returns Promise<any>

isAuthorisedToDeleteVertex

  • This method is used to authorise a delete request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<boolean>

isAuthorisedToPerformAction

  • This method is used to authorise any custom actions outside of the standard CRUD on vertices and edges. E.g. the "UpdateSynonyms" action.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • action: string

      The action that the principal wants to perform on the resource.

    • resource: Object

      The resource in the authorisation request. This is the edge entity being acted on.

    • requestData: Object

      Any additional request data relevant to the authorisation decision.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

isAuthorisedToUpdateEdge

  • This method is used to authorise a an update edge (properties) request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the edge entity being acted on.

    • sourceVertex: Object

      The source vertex involved in the relationship being deleted.

    • destinationVertex: Object

      The destination vertex involved in the relationship being deleted.

    • properties: Object

      The edge property data included in the original request being handled.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<any>

isAuthorisedToUpdateVertex

  • This method is used to authorise an update request using Cedar policies.

    Returns

    Cedar's authorisation result: returns true for 'Allow' and false for 'Deny'.

    Parameters

    • context: KosmosUserContext<object> & {
          src?: string;
      }

      The Kosmos context.

    • principal: Object

      The principal in the authorisation request. This is the actor and is typically a User.

    • resource: Object

      The resource in the authorisation request. This is the entity being acted on.

    • requestData: Object

      The data included in the original request being handled.

    • connectToVertices: ConnectionToAdd[]

      The Kosmos connectToVertices object, which contains vertices that will be connected to.

    • dataSourceWrapper: DataSourceWrapper

      The Kosmos DataSourceWrapper object.

    Returns Promise<boolean>

Settings

Member Visibility

Theme

Generated using TypeDoc