Pick a language:

oso 0.22.0

Core

Breaking changes

Warning

This release contains breaking changes. Be sure to follow migration steps before upgrading.

Undefined rule validation

Oso will now raise an error if your policy contains calls to rules which are not defined.

For example this policy which relies on an undefined is_admin rule

allow(actor, action, resource) if is_admin(actor)

will produce the following error:

ValidationError: Call to undefined rule "is_admin" at line 1, column 37

To resolve these validation errors you can either update the policy to include a definition for the missing rule or remove the offending call entirely.

New features

Improved policy validation

Oso now provides better errors and guidance in many common error cases:

  • Oso will issue a warning if there is no allow rule in your policy (and also no allow_request or allow_field rules).
  • Oso will propose a suggested fix if you forget to write an actor block when using resource blocks.
  • Oso will issue a warning if there are resource blocks in your policy but no calls to has_permission in any rules.
  • Oso will propose a suggested fix if you define a rule without sufficient parameter type specialization.
  • Oso will produce a more helpful message if a required data filtering callback hasn’t been provided.
New syntax
  • Polar dictionary patterns and literals now support a shorthand syntax similar to JavaScript and Rust: { value: value } can now be written more concisely as { value }.
Build improvements
  • Fixed the way we build our static library on Linux so it doesn’t embed musl and instead links to the system c runtime library. Languages that depend on the static lib Linux build such as python and go should support more platforms now.

Bug fixes & other changes

  • Fixed a bug which led to var matches Type failing when var was unbound.
  • Fixed a bug that caused type constraint checking to incorrectly succeed, resulting in incorrect filters or infinite loops.
  • Same-type relations defined in resource blocks will now work as expected.

Python

Breaking changes

  • The types field to register_class that takes the types of the fields is now called fields.

Other bugs & improvements

  • The Python library for macOS now supports M1/ARM processors.

Node.js

Other bugs & improvements

  • Oso now defaults to using Lodash’s isEqual function when comparing JavaScript values for equality.
  • Fixed a bug preventing dictionaries created in Polar from making the round-trip to JS and back. Many thanks to @rradczewski for raising and reproducing the issue, and confirming the fix!

Rust

Other bugs & improvements

  • Changed an internal debugging flag away from using RUST_LOG so that Rust users won’t be flooded with messages that they probably don’t want.

Go

Other bugs & improvements

  • Fixed a bug that prevented loading multiple files via the LoadFiles API.

Connect with us on Slack

If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.