Set Up Your Local Development Environment
Because Oso Cloud lets you define you authorization policy as code, you can do the same sorts of local validation and testing for your authorization code that you do with your application code. This will let you catch many errors early - often before they even make it to version control. Here's how you can set up an effective local development environment.
There are 4 steps to configuring a local development environment for Oso Cloud:
- Install the VS Code extension
- Install the Oso Cloud CLI
- Set up a pre-commit hook to validate polar syntax
- Run policy tests against the Oso Dev Server
Install the VS Code extension.
If you aren't using VS Code, you can skip this section. The other steps will still work.
If you use Visual Studio Code, the first thing you'll want to do is install the Oso Extension and configure it to use the Oso Cloud Polar dialect. This will give you syntax highlighting for your polar code.
Install the Oso Cloud CLI
The Oso Cloud CLI can validate polar syntax and run your policy tests from your local system. You can run policy tests locally or against one of your Oso Cloud environments.
Install the CLI.
$ curl -L https://cloud.osohq.com/install.sh | bash
Validate your policy syntax by running oso-cloud validate /PATH/TO/YOUR/authorization.polar
, for example:
$ oso-cloud validate policy/authorization.polarPolicy validated successfully.
Set up a pre-commit hook to validate polar syntax
Being able to manually validate your polar syntax is great, but it's even better to automatically validate the syntax when you try to commit a change to your policy. This will let you prevent invalid policy code from ever getting into your repository. To do this, you'll create a pre-commit hook.
Copy the script below and save it to .git/hooks/pre-commit
in the repository that contains your policy code:
Change the value of "POLAR_FILES" to the locations of your .polar files.
#!/bin/sh## An example hook script to verify that polar code that# is about to be committed is syntactically valid.# Change this to the paths to your polar filesdeclare -a POLAR_FILES=( "policy/authorization.polar" "policy/authorization2.polar")POLAR_FILES_CHANGED=false# See whether any of the polar files changed in this commitfor POLAR_FILE in "${POLAR_FILES[@]}" ; do if git --no-pager diff --cached --name-status | grep -v "^D" | grep "${POLAR_FILE}" >> /dev/null ; then POLAR_FILES_CHANGED=true break fidone# If at least one polar file has changed, then validate the syntax of all polar files.## NOTE: This is necessary because polar files may reference objects in other polar files.! $POLAR_FILES_CHANGED || oso-cloud validate "${POLAR_FILES[@]}"
If you have multiple polar files, then if any of the files change,
you need to revalidate all of them by calling oso-cloud validate
on the full list of files.
This is because polar files can reference objects in other polar files, so a change to one polar file could break something in a different polar file.
Make the hook executable.
$ chmod 0755 .git/hooks/pre-commit
Now, whenever you commit code that updates your polar files, git will run the oso-cloud validate
command. If the command fails, the commit will be blocked. For example, if you have two syntax errors in two files:
$ git commit -m "Try to commit multiple invalid policies"Policy failed validation:Policy failed validation due to parser error: did not expect to find the token 'not' at line 1, column 1 of file policy/authorization.polar: 001: not-an-actor User { } ^Policy failed validation:Policy failed validation due to parser error: Expected 'actor' or 'resource' but found 'resorce'. at line 25, column 1 of file policy/authorization2.polar: 025: resorce Repository { ^
If you fix the errors and try the commit again, it succeeds:
$ git commit -m "Try to commit multiple valid policies"Policy validated successfully.[add-policy-tests 76d4809] Try to commit multiple valid policies 2 files changed, 147 insertions(+), 1 deletion(-)
This ensures that your polar code is always syntactically valid before you commit it to version control.
Run policy tests against the Oso Dev Server
Now you know that your polar syntax is correct, but that doesn't guarantee that it actually does what you want it to do. You can confirm that by running your policy tests against the Oso Dev Server.
Install the Oso Dev Server using the instructions in the documentation. Once it's installed, start it by running the Oso Dev Server from a command prompt (the extracted file is called standalone
).
$ /path/to/standaloneServer is in test mode, use token 'e_0123456789_12345_osotesttoken01xiIn'🚀 Rocket has launched from http://[::]:8080
By default, the Oso Dev Server runs in the foreground until you stop it (e.g.
by pressing Ctrl+C
).
In another terminal window, set the OSO_AUTH
and OSO_URL
environment variables to point to the Oso Dev Server, then use the oso-cloud test
CLI command to run the policy tests against it.
$ OSO_AUTH="e_0123456789_12345_osotesttoken01xiIn" OSO_URL="http://localhost:8080" oso-cloud test policy/authorization.polarRan 1 test:organization members can read repos and issues: 3/3 PASSPASS
We don't recommend calling these policy tests from a pre-commit hook like we did with syntax validation. That would make your pre-commit hook dependent on the Oso Dev Server - it would be like connecting to a local database in a pre-commit hook.
Automatic policy testing is better suited for later steps in your CI pipeline, such as pre-merge checks
Wrap-up
With these elements in place, you have a robust local development environment for authorization code. You can ensure that your polar syntax is always valid before you commit it, and you can quickly confirm that your policy is functionally correct as you make changes.