mikras_utils 0.1.0

data/lib/mikras_utils/mkacl/generators/id_functions.rb

@@ -0,0 +1,262 @@
+
+module MkAcl
+  class Generator
+    class IdFunctions
+      using String::Text
+
+      attr_reader :generator
+      forward_to :generator, :conn, :spec, :app_schema, :acl_schema
+
+      def initialize(generator)
+        @generator = generator
+      end
+
+      def generate
+        generate_per_table_id_functions
+        generate_general_id_functions
+        generate_general_id_of_record_functions
+      end
+
+      def self.generate(generator) self.new(generator).generate end
+
+    private
+      # Generate a case_id_of_RECORD and event_id_of_RECORD, and a
+      # domain_id_of_RECORD function for each table that returns the associated
+      # case_id/event_id for a given record. Some examples:
+      #
+      #   case_id_of_event(id integer)
+      #   event_id_of_noncompliance(id integer)
+      #   domain_id_of_noncompliance(id integer)
+      #
+      # Returns null if not found. Note that the record has to exists because
+      # we access it to read the foreign keys
+      #
+      # The functions are used to find the roles IDs (case or event) when
+      # inserting a record. The role ids are written into the various acl_*
+      # fields by a trigger
+      #
+      # The alternative would be to cascade case and event keys in all records.
+      # Cascading keys are usually dereferred because it only gives a minor
+      # speed-up in most queries but in this case it optimizes away a recursive
+      # join up the hierarchy from the current table to the events or cases
+      # table. It may be a better solution
+      #
+      # IDEA: Make the implementations also take a record type instead of an
+      # id. This is useful in triggers because we already have the first record
+      # in the acl chain
+      def generate_per_table_id_functions
+        for domain in %w(case event)
+          # Create identity functions (makes some stuff easier)
+          table = "#{domain}s"
+          id_field = "#{domain}_id"
+          signature = "#{acl_schema}.#{id_field}_of_#{domain}(_id integer)"
+          puts %(
+            drop function if exists #{signature} cascade;
+            create function #{signature} returns integer as $$
+              select _id;
+            $$ language sql;
+          ).align
+          puts
+
+          # Create remaining funktions
+          functions = conn.tuples %(
+            select
+              start_table as "table_uid",
+              path as "tables",
+              links
+            from
+              acl.paths
+            where 
+              stop_table = '#{app_schema}.#{table}'
+          )
+
+          for table_uid, tables, links in functions
+            table_name = table_uid.split(".").last
+            record_name = Prick::Inflector.singularize(table_name)
+            id_arg = "_#{id_field}"
+            signature = "#{acl_schema}.#{id_field}_of_#{record_name}(#{id_arg} integer)"
+            puts "drop function if exists #{signature} cascade;" 
+            puts "create function #{signature} returns integer as $$"
+            indent {
+              tables.pop
+              end_id_field = links.pop.first
+
+              puts "select #{end_id_field}"
+              puts "from"
+              indent {
+                puts tables.join(",\n")
+              }
+              puts "where #{tables.first}.id = #{id_arg}"
+              indent {
+                puts links.map { |l| "and #{l.first} = #{l.last}" }.join("\n") if !links.empty?
+              }
+              puts ";"
+            }
+            puts "$$ language sql;"
+            puts
+
+          end
+        end
+
+        for table_uid in functions.map(&:first)
+          table_name = table_uid.split(".").last
+          record_name = Prick::Inflector.singularize(table_name)
+          signature = "#{acl_schema}.domain_id_of_#{record_name}(_id integer)"
+          case_function = "#{acl_schema}.case_id_of_#{record_name}"
+          event_function = "#{acl_schema}.event_id_of_#{record_name}"
+          puts %(
+            drop function if exists #{signature} cascade;
+            create function #{signature} returns integer as $$
+              select coalesce(#{event_function}(_id), #{case_function}(_id));
+            $$ language sql;
+          ).align
+          puts
+        end
+      end
+
+      # Generate general case/event id-of functions:
+      #
+      #   case_id_of(table varchar, id integer)
+      #   event_id_of(table varchar, id integer)
+      #   domain_id_of(table varchar, id integer)
+      #
+      # These methods are practically as efficient as using the more
+      # specialized versions above
+      #
+      def generate_general_id_functions
+        for domain in %w(case event)
+          domain_table = "#{domain}s"
+          field = "#{domain}_id"
+          signature = "#{acl_schema}.#{field}_of(_table varchar, _id integer)"
+
+          puts %(
+            drop function if exists #{signature} cascade;
+            create function #{signature} returns integer as $$
+              select 
+          ).align
+          indent(2) {
+            puts "case _table"
+            tables = conn.values %(
+              select start_table 
+              from acl.paths 
+              where stop_table = '#{app_schema}.#{domain}'
+            ).align
+            indent {
+              for table_uid in tables
+                table_name = table_uid.split(".").last
+                record_name = Prick::Inflector.singularize(table_name)
+                function_name = "#{field}_of_#{record_name}"
+                puts "when '#{table_name}' then #{acl_schema}.#{function_name}(_id)"
+              end
+              puts "when 'cases' then _id"
+              puts "when 'events' then _id"
+              puts "else null"
+            }
+            puts "end case;"
+          }
+          puts "$$ language sql;"
+          puts
+        end
+
+        signature = "#{acl_schema}.domain_id_of(_table varchar, _id integer)"
+        puts %(
+          -- FIXME: Ugly implementation
+          drop function if exists #{signature} cascade;
+          create function #{signature} returns integer as $$
+            select coalesce(acl_portal.event_id_of(_table, _id), acl_portal.case_id_of(_table, _id));
+          $$ language sql;
+        ).align
+        puts
+      end
+
+      # General domain-id-of-record functions
+      #
+      #   case_id_of(record)
+      #   event_id_of(record)
+      #   domain_id_of(record)
+      #
+      # Returns the case or event id associated with the given record. The
+      # record should be an ACL table record
+      #
+      # Very useful in before insert triggers because it takes a record (eg.
+      # NEW) instead of an ID
+      #
+      def generate_general_id_of_record_functions
+        links = (conn.structs %(
+          select
+            table_name,
+            column_name,
+            ref_table_name
+          from
+            acl.links
+          where
+            schema_name = '#{app_schema}'
+        )).group_by(&:table_name)
+
+        for domain in %w(case event)
+          domain_id_field = "#{domain}_id"
+          signature = "#{acl_schema}.#{domain_id_field}_of(_r record)"
+          puts %(
+            drop function if exists #{signature} cascade;
+            create function #{signature} returns integer as $$
+          ).align
+          indent {
+            puts %(
+              declare
+                type text;
+              begin
+                select pg_typeof(_r)::text into type;
+                case type
+            ).align
+            indent {
+              indent {
+                for table in spec.tables
+                  next if domain == "event" && table.domain == "case"
+                  link = links[table.name]&.first
+                  if table.name == "cases"
+                    puts "when '#{table.uid}' then return _r.id;"
+                  elsif domain == "event" && table.name == "events"
+                    puts "when '#{table.uid}' then return _r.id;"
+                  elsif link.ref_table_name == "cases"
+                    puts "when '#{table.uid}' then return _r.#{link.column_name};"
+                  elsif link.ref_table_name == "events" && table.domain == "event"
+                    puts "when '#{table.uid}' then return _r.#{link.column_name};"
+                  else
+                    ref_record = spec[link.ref_table_name].record_name
+                    id_of_function = "#{acl_schema}.#{domain_id_field}_of_#{ref_record}"
+                    puts "when '#{table.uid}' then return #{id_of_function}(_r.#{link.column_name});"
+                  end
+                end
+                puts "else return null;"
+              }
+              puts "end case;"
+            }
+            puts "end;"
+          }
+          puts %(
+            $$ language plpgsql
+              set search_path to '';
+          ).align
+          puts
+        end
+
+        signature = "#{acl_schema}.domain_id_of(_r record)"
+        puts %(
+          -- Note: Ugly implementation but maybe close to optimal
+          drop function if exists #{signature} cascade;
+          create function #{signature} returns integer as $$
+            declare
+              _id integer;
+            begin
+              select coalesce(acl_portal.event_id_of(_r), acl_portal.case_id_of(_r))
+                into _id;
+
+              return _id;
+            end;
+          $$ language plpgsql;
+        ).align
+        puts
+      end
+    end
+  end
+end

data/lib/mikras_utils/mkacl/generators/insert_triggers.rb

@@ -0,0 +1,267 @@
+module MkAcl
+  class Generator
+    class InsertTriggers
+      using String::Text
+
+      attr_reader :generator
+      forward_to :generator, :conn, :spec, :app_schema, :acl_schema
+
+      def initialize(generator)
+        @generator = generator
+      end
+
+      def generate(table)
+        generate_bi_trigger(table)
+        generate_ai_trigger(table)
+      end
+
+      def self.generate(generator, table) self.new(generator).generate(table) end
+
+    private
+      # Generate a TABLE_rls_bi() trigger function for each table. The trigger
+      # checks the current role against the attach_acls table for each foreign
+      # key
+      #
+      def generate_bi_trigger(table)
+        function_name = "#{table}_rls_bi"
+        trigger_name = "#{function_name}_trg"
+        function_uid = "#{acl_schema}.#{function_name}"
+        signature = "#{function_uid}()"
+
+        puts "drop function if exists #{signature} cascade;"
+        puts "create function #{signature} returns trigger as $$"
+        indent {
+          puts %(
+            declare
+              domain_user_roles varchar[];
+            begin
+          ).align
+          indent {
+            generate_bi_trigger_foreign_key_rls(table)
+            generate_bi_trigger_check_conditions(table)
+            puts "return NEW;"
+          }
+          puts "end;"
+        }
+        puts "$$ language plpgsql;"
+        puts
+
+        puts %(
+          create trigger #{trigger_name} before insert on #{table.uid}
+            for each row execute function #{signature};
+        ).align
+        puts
+      end
+
+      def generate_bi_trigger_foreign_key_rls(table)
+        puts "-- Foreign key RLS check(s)"
+        fields = conn.values %(
+          select
+            column_name as field
+          from
+            acl.links
+          where
+            table_name = '#{table}'
+        )
+
+        for field in fields
+          puts %(
+            perform
+              from acl_portal.attach_acls
+              where child_table = '#{table}'
+              and child_field = '#{field}'
+              and parent_id = NEW.#{field}
+              and acls && public.current_role_ids();
+
+            if not found then
+              raise 'Illegal value in #{table}.#{field} - security violation';
+            end if;
+          ).align
+        end
+        puts
+      end
+
+      def generate_bi_trigger_check_conditions(table)
+        using_actions = table.insert.rules.select(&:using)
+        return if using_actions.empty?
+        domain = table.domain
+
+        puts %(
+          -- Per-role(s) using(s)
+          select 
+            acl_portal.#{domain}_user_roles_of(acl_portal.#{domain}_id_of(NEW), public.current_role_id())
+          into domain_user_roles
+          ;
+        ).align
+        puts
+
+        for action in using_actions
+          role_list = "'" + action.roles.join(', ') + "'"
+          puts %(
+            if array[#{role_list}] && domain_user_roles then
+              if not (#{action.using}) then
+                raise 'Check condition failed - security violation';
+              end if;
+            end
+          ).align
+        end
+      end
+
+      # Generate a TABLE_rls_ai() trigger for each table. The trigger creates
+      # an entry in attach_acls for each table refering the current table
+      #
+      # TODO: Delete trigger to cleanup attach_acls
+      #
+      def generate_ai_trigger(table)
+        function_name = "#{table}_rls_ai"
+        trigger_name = "#{function_name}_trg"
+        function_uid = "#{acl_schema}.#{function_name}"
+        signature = "#{function_uid}()"
+
+        puts "drop function if exists #{signature} cascade;"
+        puts "create function #{signature} returns trigger as $$"
+        indent {
+          puts %(
+            declare
+              _domain_id integer;
+            begin
+          ).align
+          indent {
+            puts "-- Find security domain id"
+            puts "_domain_id := #{acl_schema}.#{table.domain}_id_of(NEW);"
+            puts
+            generate_ai_trigger_insert_domain_roles(table) if %w(cases events).include?(table.name)
+            generate_ai_trigger_create_acls(table)
+#           generate_ai_trigger_set_acl_fields(table)
+#           generate_ai_trigger_attach_acls(table)
+            puts "return NEW;"
+          }
+          puts "end;"
+        }
+        puts "$$ language plpgsql;"
+        puts
+
+        puts %(
+          create trigger #{trigger_name} after insert on #{table.uid}
+            for each row execute function #{signature};
+        ).align
+        puts
+      end
+
+      def generate_ai_trigger_insert_domain_roles(table)
+        domain = table.domain
+        domain_roles_table = "#{app_schema}.#{domain}_roles"
+        domain_role_templates_table = "#{app_schema}.#{domain}_role_templates"
+        domain_id_field = "#{domain}_id"
+        puts %(
+          -- Generate domain roles
+          insert into #{domain_roles_table} (#{domain_id_field}, role) 
+            select NEW.id as #{domain_id_field}, role 
+            from #{domain_role_templates_table};
+        ).align
+        puts
+      end
+
+      def generate_ai_trigger_create_acls(table)
+        puts %(
+          -- Generate ACLs
+          perform #{table}_update_acls(NEW.id);
+        ).align
+        puts
+      end
+
+#     def generate_ai_trigger_set_acl_fields(table)
+#       domain = table.domain
+#       id_field = "#{domain}_id"
+#       domain_roles_table = "#{app_schema}.#{domain}_roles"
+#       domain_id_function = "#{acl_schema}.#{id_field}_of"
+#
+#       for action_name in %w(select update delete)
+#         puts "-- Find #{action_name} ACLs"
+#         acl_field = "NEW.acl_#{action_name}"
+#         puts "#{acl_field} := array[]::integer[][];"
+#         puts
+#
+#         for rule in table.actions[action_name].rules
+#           auth_roles = rule.roles.select { _1 == _1.downcase }
+#           case_roles = rule.roles.select { _1 == _1.upcase }
+#
+#           if !auth_roles.empty?
+#             role_seq = conn.quote_value_seq(auth_roles)
+#             puts %(
+#               select #{acl_field} || array_agg(id)
+#               from auth.roles
+#               where rolename = any(array[#{role_seq}]);
+#             ).align
+#             puts
+#           end
+#
+#           if !case_roles.empty?
+#             role_seq = conn.quote_value_seq(case_roles)
+#             puts  %(
+#               select #{acl_field} || array_agg(id)
+#                 into #{acl_field}
+#                 from #{domain_roles_table}
+#                 where #{id_field} = _domain_id
+#                 and role = any(array[#{role_seq}]);
+#             ).align
+#             puts
+#           end
+#         end
+#       end
+#       puts %(
+#         -- Update ACL fields
+#         update #{table.uid} 
+#           set acl_select = NEW.acl_select,
+#               acl_update = NEW.acl_update,
+#               acl_delete = NEW.acl_delete
+#         where id = NEW.id;
+#       ).align
+#       puts
+#     end
+#
+#     def generate_ai_trigger_attach_acls(table)
+#       record = table.record_name
+#
+#       domain = table.domain
+#       domain_table = "#{domain}s"
+#       domain_roles_table ="#{domain}_roles"
+#
+#       # Insert a attach record per parent table. This snippet handles
+#       # multiple parents of a record but the check algorithm probably does
+#       # not TODO
+#       roles = table.insert.rules.map(&:roles).flatten
+#       role_list = conn.quote_value_seq(roles)
+#       for parent in table.parents
+#         id_fields = conn.values %(select column_name from acl.links where table_name = '#{table}')
+#         for id_field in id_fields
+#           id_of_function = "acl_portal.#{table.domain}_id_of"
+#           
+#           puts %(
+#             -- Generate attach ACLs
+#             insert into acl_portal.attach_acls (parent_table, parent_id, child_table, child_field, acls)
+#               select
+#                 '#{parent.name}' as "parent_table",
+#                 NEW.id as "parent_id",
+#                 l.table_name as "child_table",
+#                 l.column_name as "child_field",
+#                 array_agg(dr.id) as "acls"
+#               from 
+#                 acl.links l,
+#                 #{domain_table} d
+#                 join #{domain_roles_table} dr on dr.event_id = d.id
+#               where l.table_name = '#{table.name}'
+#                 and d.id = _domain_id
+#                 and dr.role = any(array[#{role_list}])
+#               group by
+#                 "parent_table", "parent_id",
+#                 "child_table", "child_field";
+#           ).align
+#           puts
+#         end
+#       end
+#     end
+    end
+  end
+end
+

data/lib/mikras_utils/mkacl/generators/role_functions.rb

@@ -0,0 +1,72 @@
+module MkAcl
+  class Generator
+    class RoleFunctions
+      using String::Text
+
+      attr_reader :generator
+      forward_to :generator, :conn, :spec, :app_schema, :acl_schema
+
+      def initialize(generator)
+        @generator = generator
+      end
+
+      def generate
+        generate_role_functions
+      end
+
+      def self.generate(generator) self.new(generator).generate end
+    
+    private
+      def generate_role_functions
+        # TODO: Test. Then combine with per-table methods
+        signature = "public.current_is_role(_case_id integer, _roles text[])"
+        puts %(
+          drop function if exists #{signature} cascade;
+          create function #{signature} returns boolean as $$
+            select exists(
+              select
+              from #{app_schema}.case_roles cr
+              join #{app_schema}.case_role_users cru on cru.case_role_id = cr.id
+              where cr.case_id = _case_id
+                and cru.user_id = public.current_user_id()
+                and cr.kind = any(_roles)
+            );
+          $$ language sql
+            security definer;
+        ).align
+        puts
+
+        signature = "public.current_is_role(_case_id integer, role text)"
+        puts %(
+          drop function if exists #{signature} cascade;
+          create function #{signature} returns boolean as $$
+            select public.current_is_role(_case_id, array[role]);
+          $$ language sql
+            security definer;
+        ).align
+        puts
+
+        for role in MkAcl::ROLES
+          name = role.downcase
+          signature = "public.current_is_#{name}(_case_id integer)"
+          puts %(
+            drop function if exists #{signature} cascade;
+            create function #{signature} returns boolean as $$
+              select exists(
+                select
+                from #{app_schema}.case_roles cr
+                join #{app_schema}.case_role_users cru on cru.case_role_id = cr.id
+                where cr.case_id = _case_id
+                  and cru.user_id = public.current_user_id()
+                  and cr.kind = '#{role}'
+              );
+            $$ language sql
+              security definer;
+          ).align
+          puts
+        end
+      end
+    end
+  end
+end
+

data/lib/mikras_utils/mkacl/generators/rules.rb

@@ -0,0 +1,80 @@
+
+module MkAcl
+  class Generator
+    # Generate a select, update, and delete rule for each table. Create rules
+    # are implemented as triggers and delete should probably also be. The
+    # problem is that a record that fails the rule check is silently ignored
+    # which is probably not what you want
+    #
+    # The roles matches a acl_* array against a role action entry in the spec
+    # file. The acl_* arrays are themselves array of role ids. Each subarray is
+    # indexed using the order in the acl.spec file
+    #
+    # This is not the optimal solution because it makes both data and code more
+    # complex. An alternative would be to unify the roles id of all rules in an
+    # action and then let a trigger take case of 'check' and 'field' checks
+    #
+    class Rules
+      using String::Text
+
+      attr_reader :generator
+      forward_to :generator, :conn, :spec, :app_schema, :acl_schema
+
+      def initialize(generator)
+        @generator = generator
+      end
+
+      def generate
+        generate_rules
+        generate_rule_functions
+      end
+
+    private
+      def generate_rule_functions
+        for action in %w(enable disable)
+          signature = "#{acl_schema}.#{action}_rls()"
+          stmts = spec.tables.map { |table|
+            "alter table #{app_schema}.#{table} #{action} row level security;"
+          }
+          puts %(
+            drop function if exists #{signature} cascade;
+            create function #{signature} returns boolean as $$
+              begin
+          ).align
+          indent(2) { puts stmts }
+          puts %(
+                return true;
+              end;
+            $$ language plpgsql;
+          ).align
+          puts
+        end
+      end
+
+      def generate_rules
+        for table in spec.tables
+          for action in %w(select update delete).map { table.actions[_1] }
+            rule_expr = action.rules.map { |rule|
+              exprs = []
+              exprs << "acl_#{action.name}[#{rule.index}:#{rule.index}][1:] && public.current_role_ids()" \
+                  if !rule.roles.empty?
+              exprs << "(#{rule.using})" if rule.using
+              "(#{exprs.join(' and ')})"
+            }.join(" or ")
+            rule_expr = "false" if rule_expr.empty?
+            
+            puts %(
+              drop policy if exists rls_#{action.name} on #{table.uid} cascade;
+              create policy rls_#{action.name} on #{table.uid} for #{action.name}
+                using (#{rule_expr});
+            ).align
+            puts
+          end
+        end
+      end
+
+      def self.generate(generator) self.new(generator).generate end
+    end
+  end
+end
+