mikras_utils 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5db4dc4f784bd24e9a739b4de231f2a52c6927e1b5cc4da48256bdfe318b27f3
+  data.tar.gz: 15eb9d1dc3052833d5b8481c0043d3cb32610960ae8b781c63f5ea9f6a827d5a
+SHA512:
+  metadata.gz: db57c96600c9fcd448dfd72a62e3008f59da9d91b14d1aed60c56032b68bec8e78643da77f1c2f42779466ab0a7cc4c69f5aa176b1f2fe8881eadaf990336fdb
+  data.tar.gz: 3c9acdf983bdadeb7891bfa5211107a7a77e7c66001b1c78bdb470712ee7f727dbb98b8061a1cbf9af0516a249aa2767ad72b6f415492bd5bd7e7b8c4f881322

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.ruby-version

@@ -0,0 +1 @@
+ruby-3.1.2

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in mikras_utils.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "rspec", "~> 3.0"

data/README.md

@@ -0,0 +1,31 @@
+# MikrasUtils
+
+TODO: Delete this and the text below, and describe your gem
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/mikras_utils`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+## Installation
+
+TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
+
+Install the gem and add to the application's Gemfile by executing:
+
+    $ bundle add UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+    $ gem install UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/mikras_utils.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/acl-build

@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+. bash.include
+
+cd tests && ./acl-build

data/build

@@ -0,0 +1,11 @@
+#!/usr/bin/bash
+
+. bash.include
+
+cd tests 
+psql -f app.sql
+cd -
+bundle exec exe/mkacl tests/acl.spec | psql
+cd tests
+fox --delete=touched -r reflections.yml clr acl.fox | psql clr
+psql -f fox.sql

data/exe/mikras_utils

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'mikras_utils.rb'
+
+puts MikrasUtils::VERSION

data/exe/mkacl

@@ -0,0 +1,59 @@
+#!/usr/bin/env ruby
+
+SPEC = %(
+  @ Make RLS policies
+
+  -- [DATABASE [USERNAME]] SPEC-FILE
+
+  Read SPEC and generate following functions, policies, and triggers
+
+  SPEC FILE 
+    The format is a YAML file where each root key represents a table. A table
+    consists of insert, select, update, and delete actions that are arrays of
+    ACL entries. An ACL entry list of associated roles and possibly a check SQL
+    condition and a fields list
+
+    Field is a list of field names that can be updated. If the first field is
+    prefixed with a '-', the list is exclusive
+
+    The special 'schemas' root key contains the fields 'app' and 'acl'. The
+    'app' value is the name of the schema used in the spec file. The 'acl'
+    field is the schema where triggers are created (this avoid namespace
+    pollution)
+
+  ROLES
+    The following roles are recognized: LA, TA, KON, AKK.  ADM is excluded
+    because it is now a RBAC fole. PUP and NON is excluded because they are not
+    implemented in Mikras
+
+  OPTIONS
+    -i,interactive
+      Generate code for interactive use by added ON_ERROR_STOP and other variables
+
+    -g,generate=LIST
+      Generate only the given modules. LIST is a comma-separated list of
+      modules. The following modules are currently aavailable: id_functions,
+      insert_triggers, rules, acl_functions, and role_functions
+)
+
+require 'yaml'
+require 'shellopts'
+
+require_relative '../lib/mikras_utils/mkacl.rb'
+
+opts, args = ShellOpts::process(SPEC, ARGV)
+file = args.extract(-1)
+database, username = args.extract(0..2)
+username ||= database || ENV['PRICK_USERNAME']
+database ||= ENV['PRICK_DATABASE']
+conn = PgConn.new database, username
+
+spec = MkAcl::Parser.parse(file)
+MkAcl::Analyzer.analyze(spec, conn)
+#spec.dump
+#puts
+#exit
+
+modules = opts.generate? ? opts.generate.split(',').map(&:to_sym) : MkAcl::Generator::MODULES
+MkAcl::Generator.generate(spec, conn, modules, interactive: opts.interactive?)
+

data/lib/mikras_utils/mkacl/analyzer.rb

@@ -0,0 +1,46 @@
+
+module MkAcl
+  class Analyzer
+    attr_reader :spec
+    attr_reader :conn
+
+    def initialize(spec, conn)
+      @spec = spec
+      @conn = conn
+    end
+
+    def analyze
+      links = conn.tuples %(
+        select
+          table_name,
+          ref_table_name,
+          schema_name || '.' || table_name,
+          ref_schema_name || '.' || ref_table_name
+        from meta.links
+      )
+
+      # Link up tables
+      for child_table_name, parent_table_name, child_table_uid, parent_table_uid in links
+        spec[child_table_name].parents << spec[parent_table_name] if spec[parent_table_name]
+      end
+
+      # Assign domains
+      spec.tables.each { |table| resolve_domain(table) }
+
+      # Check that no table has more than one parent. FIXME
+      spec.tables.each { |table|
+        table.parents.size <= 1 or raise ArgumentError, "Table '#{table.name}' has multiple parents"
+      }
+
+      spec
+    end
+
+    def self.analyze(spec, conn) self.new(spec, conn).analyze end
+
+  private
+    def resolve_domain(table)
+      table.domain ||= resolve_domain(table.parents.first)
+    end
+  end
+end
+

data/lib/mikras_utils/mkacl/generator.rb

@@ -0,0 +1,55 @@
+
+require_relative './generators/id_functions.rb'
+require_relative './generators/acl_functions.rb'
+require_relative './generators/insert_triggers.rb'
+require_relative './generators/role_functions.rb'
+require_relative './generators/rules.rb'
+
+module MkAcl
+  class Generator
+    MODULES = [:id_functions, :insert_triggers, :rules, :acl_functions, :role_functions]
+
+    using String::Text
+
+    attr_reader :spec
+    attr_reader :conn
+    forward_to :spec, :app_schema, :acl_schema
+
+    def initialize(spec, conn)
+      @spec = spec
+      @conn = conn
+    end
+
+    def generate(modules = MODULES, interactive: true)
+      if interactive
+        puts "\\set ON_ERROR_STOP on"
+        puts
+      else
+        puts "-- Auto-generated by mkacl(1) - please don't touch"
+        puts "--"
+        puts
+      end
+
+      matches = modules.map { |k| [k, true] }.to_h
+
+      IdFunctions.generate(self) if matches.key?(:id_functions)
+      for table in spec.tables
+        InsertTriggers.generate(self, table) if matches.key?(:insert_triggers)
+      end
+      Rules.generate(self) if matches.key?(:rules)
+      AclFunctions.generate(self) if matches.key?(:acl_functions)
+      RoleFunctions.generate(self) if matches.key?(:role_functions)
+    end
+
+    def self.generate(spec, conn, modules = MODULES, **opts)
+      self.new(spec, conn).generate(modules, **opts) 
+    end
+
+    def inspect() "Generator(#{@database.inspect}, #{@username.inspect}, #{@spec})" end
+
+  private
+    def generate_select_rls_rule(table)
+    end
+  end
+end
+

data/lib/mikras_utils/mkacl/generators/acl_functions.rb

@@ -0,0 +1,208 @@
+
+module MkAcl
+  class Generator
+    class AclFunctions
+      using String::Text
+
+      attr_reader :generator
+      forward_to :generator, :conn, :spec, :app_schema, :acl_schema
+
+      def initialize(generator)
+        @generator = generator
+      end
+
+      def generate
+        for table in spec.tables
+          generate_acl_table_update_function(table)
+        end
+        generate_acl_update_function
+      end
+
+      def self.generate(generator) self.new(generator).generate end
+
+    private
+      def generate_acl_update_function
+        signature = "#{acl_schema}.update_acls()"
+
+        stmts = spec.tables.map { |table| 
+          "perform #{acl_schema}.#{table}_update_acls(id) from #{app_schema}.#{table};" 
+        }
+
+        puts %(
+          -- Set the ACL fields and add attach ACLs for all ACL tables
+          --
+          drop function if exists #{signature} cascade;
+          create function #{signature} returns boolean as $$
+            begin
+        ).align
+        indent(2) { puts stmts }
+        puts %(
+              return true;
+            end;
+          $$ language plpgsql;
+        ).align
+        puts
+      end
+
+      def generate_acl_table_update_function(table)
+        function_name = "#{table}_update_acls"
+        function_uid = "#{acl_schema}.#{function_name}"
+        signature = "#{function_uid}(_id integer)"
+
+        puts %(
+          -- Set the ACL fields of the given record and create an attach_acls
+          -- record for insert ACLs. Existing ACLs are ignored/deleted
+          --
+          -- Note: The different table-level variations of this function can be
+          -- collapsed into a single function but it requires dynamic execution of
+          -- a delete statement with array-of-array arguments :-O
+          -- 
+          -- Note: This function is auto-generated by #{$PROGRAM_NAME} using #{spec.file}
+          --
+          drop function if exists #{signature} cascade;
+          create function #{signature} returns integer as $$
+        ).align
+        indent {
+          puts %(
+            declare
+              _domain_id integer;
+              _acls integer[]; -- per-rule ACLs
+              _acl_select integer[][]; -- per-action ACLs
+              _acl_update integer[][];
+              _acl_delete integer[][];
+            begin
+          ).align
+          indent {
+            puts "-- Find security domain id"
+            puts "_domain_id := #{acl_schema}.#{table.domain}_id_of_#{table.record_name}(_id);"
+            puts
+            generate_acl_function_set_acl_fields(table)
+            generate_acl_function_create_attach_acls(table)
+            puts "return _id;"
+          }
+          puts "end;"
+        }
+        puts "$$ language plpgsql;"
+        puts
+      end
+
+      def generate_acl_function_set_acl_fields(table)
+        acls = {} # Map from action name to array of arrays of role IDs
+
+        for action in %w(select update delete).map { |key| table.actions[key] }
+          puts "-- #{action} ACLs"
+          acl_field = "acl_#{action}"
+          acl_var = "_acl_#{action}"
+          puts "#{acl_var} := array[]::integer[][];"
+          puts
+
+          for rule in action.rules
+            auth_roles = rule.roles.select { _1 == _1.downcase }
+            case_roles = rule.roles.select { _1 == _1.upcase }
+
+            if !auth_roles.empty?
+              role_seq = conn.quote_value_seq(auth_roles)
+              puts %(
+                -- Find "#{action}" system role ACLs
+                _acls := array[]::integer[];
+                select _acls || array_agg(id)
+                  into _acls
+                  from auth.roles
+                  where rolename = any(array[#{role_seq}]);
+              ).align
+              puts
+            end
+
+            if !case_roles.empty?
+              role_seq = conn.quote_value_seq(case_roles)
+              puts  %(
+                -- Find "#{action}" case role ACLs
+                select _acls || array_agg(id)
+                  into _acls
+                  from acl_portal.domain_roles
+                  where domain_id = _domain_id
+                  and role = any(array[#{role_seq}]);
+              ).align
+              puts
+            end
+
+            puts "#{acl_var} := #{acl_var} || _acls;"
+            puts
+          end
+        end
+        puts %(
+          -- Update ACL fields
+          update #{table.uid} 
+            set acl_select = _acl_select,
+                acl_update = _acl_update,
+                acl_delete = _acl_delete
+          where id = _id;
+        ).align
+        puts
+      end
+
+      def generate_acl_function_create_attach_acls(table)
+        record = table.record_name
+
+        domain = table.domain
+        domain_table = "#{domain}s"
+        domain_roles_table ="#{domain}_roles"
+
+        # Insert a attach record per parent table. This snippet handles
+        # multiple parents of a record but the check algorithm probably does
+        # not TODO
+        auth_role_list = conn.quote_value_seq table.insert.rules.map(&:auth_roles).flatten
+        case_role_list = conn.quote_value_seq table.insert.rules.map(&:case_roles).flatten
+        for parent in table.parents
+          id_fields = conn.values %(select column_name from acl.links where table_name = '#{table}')
+          for id_field in id_fields
+            puts %(
+              -- Delete attach ACLs
+              delete
+                from acl_portal.attach_acls
+                where parent_table = '#{parent.name}'
+                and parent_id = _id;
+
+              -- Create attach ACLs
+              insert into acl_portal.attach_acls (parent_table, parent_id, child_table, child_field, acls)
+                with 
+                  case_role_acls as (
+                    select
+                      id
+                    from
+                      acl_portal.domain_roles
+                      where domain_id = _id
+                        and role = any(array[#{case_role_list}]::text[])
+                  ),
+                  auth_role_acls as (
+                    select
+                      id
+                    from
+                      auth.roles
+                    where rolename = any(array[#{auth_role_list}]::text[])
+                  ),
+                  role_acls as (
+                    select * from case_role_acls 
+                    union 
+                    select * from auth_role_acls
+                  )
+                select
+                  '#{parent.name}' as "parent_table",
+                  _id as "parent_id",
+                  l.table_name as "child_table",
+                  l.column_name as "child_field",
+                  array_agg(ra.id) as "acls"
+                from 
+                  acl.links l,
+                  role_acls ra
+                where l.table_name = '#{table}'
+                group by
+                  "parent_table", "parent_id",
+                  "child_table", "child_field";
+            ).align
+          end
+        end
+      end
+    end
+  end
+end