Oso is an open source policy engine for authorization that’s embedded in your application

Overview

Oso

What is Oso?

Oso is an open source policy engine for authorization that’s embedded in your application. It provides a declarative policy language for expressing authorization logic. You define this logic separately from the rest of your application code, but it executes inside the application and can call directly into it. Oso ships as a library with a built-in debugger and REPL.

Oso is ideal for building permissions into user-facing applications, but you can check out Use Cases to learn about other applications for Oso.

Using Oso consists of two parts:

  1. Writing Oso policies in a declarative policy language called Polar.
  2. Embedding Oso in your application using the appropriate language-specific authorization library.

Oso currently offers libraries for Java, Node.js, Python, Ruby, Rust and Go.

Getting started

To get up and running with Oso, check out the Getting Started guides in the Oso documentation.

Development

Core

Oso's Rust core is developed against Rust's latest stable release.

Language libraries

Oso's language libraries can be developed without touching the Rust core, but you will still need the Rust stable toolchain installed in order to build the core.

To build the WebAssembly core for the Node.js library, you will need to have wasm-pack installed and available on your system PATH.

Language requirements

To work on a language library, you will need to meet the following version requirements:

  • Java: 10+
    • Maven: 3.6+
  • Node.js: 10.14.2+
    • Yarn 1.22+
  • Python: 3.6+
  • Ruby: 2.4+
    • Bundler 2.1.4+
  • Rust: 1.46+
  • Go: 1.12+

Contributing

See: CONTRIBUTING.md.

License

See: LICENSE.

Comments
  • Oso does not support Kotlin data classes

    Hey 👋 Finally getting around to trialing Oso as an auth solution for a Kotlin application that I'm building.

    However, it seems that Oso does not support Kotlin data classes :( Or, as is always possible... I'm just doing something dumb

    I am trying to emulate the Java quickstart example, with a User trying to read from a repository.

    I have the following models

    data class Repo(
      val id: UUID,
      val name: String,
      val isPublic: Boolean
    )
    
    data class User (
      val id: UUID,
      val email: String,
      val repoRoles: List<RepoRole>
    )
    

    I have set up Oso with the following

    private val oso: Oso = Oso()
    
    init {
      // On a tangent... it doesn't seem to even load 
      // unless I explicitly repeat the class name as the second param
      oso.registerClass(Repo::class.java, "Repo")
      oso.registerClass(User::class.java, "User")
      oso.loadStr(
        """
    allow(actor, action, resource) if
    has_permission(actor, action, resource);
    
    actor User {}
    
    resource Repo {
    permissions = ["read", "push", "delete"];
    roles = ["contributor", "maintainer", "admin"];
    
    "read" if "contributor";
    "push" if "maintainer";
    "delete" if "admin";
    
    "maintainer" if "admin";
    "contributor" if "maintainer";
    }
    
    # This rule tells Oso how to fetch roles for a Repo
    has_role(actor: User, role_name: String, Repo: Repo) if
    role in actor.repoRoles and
    role_name = role.name and
    Repo = role.Repo;
    
    has_permission(_actor: User, "read", Repo: Repo) if
    Repo.isPublic;
    
    allow(actor, action, resource) if
    has_permission(actor, action, resource);
    """.trimIndent()
      )
    }
    

    Just as a test, I have created a repo with isPublic=true with name test. However, when I run the following

    fun readByName(name: String): RepoModels.Response {
      val result = Repo(
        id = UUID.randomUUID(),
        name = name,
        isPublic = true
      )
      val user = User(
        id = UUID.randomUUID(),
        email = "[email protected]",
        repoRoles = listOf(RepoRole(role = "admin", repo = result))
      )
      oso.authorize(user, "read", result)
      return RepoModels.Response.fromRepo(result)
    }
    

    I get an authorization error from Oso

    com.osohq.oso.Exceptions$NotFoundException: Oso NotFoundException -- The current user does not have permission to read the given resource. You should handle this error by returning a 404 error to the client.
    	at com.osohq.oso.Oso.authorize(Oso.java:110)
    	at com.osohq.oso.Oso.authorize(Oso.java:118)
    	at io.bkbn.sourdough.api.service.RepoService.readByName(RepoService.kt:81)
            // ...
    

    If it helps, I have pushed all of this code to a repo: https://github.com/bkbnio/oso-poc. Instructions for how to run the app are in the README. If you have any issues with getting it set up just let me know :)

    You can emulate this error by running GET localhost:8080/repo?name=test

    opened by unredundant 0
  • [python] Allow use of other JSON encoder/decoders

    Thanks for oso!

    It would be lovely if there was a simple way for polar to make use of other, more performant JSON encoder/decoder libraries.

    For example, by monkeypatching the rust-based orjson into polar.(cffi|query|errors), I've observed calls to json.loads pretty much disappearing into noise when profiled with pyinstrument, whereas previously it was rather pronounced.

    opened by bollwyvl 2
  • Fix macro namespacing and serialization bugs

    Though polar_core macros are exposed publicly, they are not usable without importing polar_core::* since they expect other polar_core macros to be in scope. Using $crate references as appropriate fixes this. Also, fix a Value::String string injection bug and Operator::Dot bug causing incorrect serialization when the second argument is a Value::String that requires quotes.

    PR checklist:

    • [x] Added changelog entry.
    opened by onalante-msft 3
  • Update django-oso to use automatic AppConfig discovery for Django 3.2+

    Update django-oso to use automatic AppConfig discovery for Django 3.2+ which avoids RemovedInDjango41Warning: 'django_oso' defines default_app_config = 'django_oso.apps.DjangoOsoConfig'. Django now detects this configuration automatically. You can remove default_app_config. warning. See https://docs.djangoproject.com/en/3.2/releases/3.2/#automatic-appconfig-discovery

    opened by devmonkey22 1
Releases(v0.26.4)
Owner
oso
Putting security into the hands of developers