feat: Add support for get allowed roles

Fix: osohq#1427
kkirsche · Feb 16, 2023 · 022dedd · 022dedd
1 parent a47a78d
commit 022dedd
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/languages/python/oso/oso/oso.py b/languages/python/oso/oso/oso.py
@@ -143,6 +143,25 @@ def authorize_request(self, actor: _Actor, request: _Request) -> None:
         if not self.query_rule_once("allow_request", actor, request):
             raise self.forbidden_error()
 
+    def authorized_roles(
+        self,
+        actor: _Actor,
+        resource: _Resource,
+    ) -> Set[Any]:
+        """Determine the roles ``actor`` has on ``resource``.
+
+        Collects all roles of the actor in the Polar policy for the given
+        combination of actor and resource.
+
+        :param actor: The actor for whom to collect roles.
+
+        :param resource: The resource being accessed.
+
+        :return: A set containing all assigned roles.
+        """
+        results = self.query_rule("has_role", actor, Variable("role"), resource)
+        return {result.get("bindings").get("role") for result in results}
+
     def authorized_actions(
         self, actor: _Actor, resource: _Resource, allow_wildcard: bool = False
     ) -> Set[Any]: