mikras_utils 0.1.0

data/lib/mikras_utils/mkacl/parser.rb

@@ -0,0 +1,73 @@
+
+module MkAcl
+  class Parser
+    attr_reader :file
+
+    def initialize(file) @file = file end
+    def parse() parse_spec end
+    def self.parse(file) Parser.new(file).parse end
+
+  private
+    def error(*msg) raise ParseError, *msg end
+    def norm_array(value) value.is_a?(Array) ? value : value&.split end
+
+    def parse_spec
+      hash = YAML.load(IO.read(file), symbolize_names: true)
+
+      schema = hash.delete(:schema) or raise ArgumentError, "Can't find 'schema' declaration"
+      app_schema = schema[:app] or raise ArgumentError, "Can't find 'schema.app' attribute"
+      acl_schema = schema[:acl] or raise ArgumentError, "Can't find 'schema.acl' attribute"
+      spec = Spec.new(file, app_schema, acl_schema)
+      parse_tables(spec, hash)
+      spec
+    end
+
+    def parse_tables(spec, tables)
+      for table_name, actions in tables
+        table = Table.new(spec, table_name, actions.delete(:domain))
+        parse_actions(table, actions)
+      end
+    end
+
+    def parse_actions(table, actions)
+      for action_name, rules in actions
+        constrain?(action_name, :insert, :select, :update, :delete) or error "Illegal action '#{action_name}'"
+        constrain?(rules, String, Array, Hash) or error "Illegal value for #{action} action '#{rules}'"
+        action = Action.new(table, action_name)
+
+        # Normalize rules
+        case rules
+          when Hash
+            rules = [rules]
+          when String
+            rules = [{ role: rules }]
+        end
+
+        parse_rules(action, rules)
+      end
+    end
+
+    def parse_rules(action, rules)
+      index = 0
+      for entry in rules
+        rule = Rule.new(action, index += 1)
+
+        for key, value in entry
+          case key
+            when :role; rule.roles = norm_array(value)
+            when :using; rule.using = value
+            when :check; rule.check = value
+            when :include; rule.include = norm_array(value)
+            when :exclude; rule.exclude = norm_array(value)
+          else
+            raise ArgumentError, "Illegal field '#{key}' in #{action.table}.#{action}"
+          end
+        end
+
+        !action.rules.empty? or 
+            error "At least one rule is required in #{action.table}.#{action}"
+      end
+    end
+  end
+end
+

data/lib/mikras_utils/mkacl/spec.rb

@@ -0,0 +1,154 @@
+
+module MkAcl
+  class Spec
+    attr_reader :file # Only for informational purposes
+    attr_reader :app_schema
+    attr_reader :acl_schema
+    attr_reader :tables
+
+    forward_to :@table_hash, :[], :key?, :keys, :values
+
+    def initialize(file, app_schema, acl_schema)
+      @file = file
+      @app_schema = app_schema
+      @acl_schema = acl_schema
+      @tables = []
+      @table_hash = {}
+    end
+
+    def dump
+      puts "Schema"
+      indent {
+        puts "app_schema: #{app_schema}"
+        puts "acl_schema: #{acl_schema}"
+        puts
+        tables.map(&:dump)
+      }
+    end
+
+  private
+    def attach_table(table)
+      @tables << table
+      @table_hash[table.name] = table
+    end
+  end
+
+  class Table
+    attr_reader :spec
+    attr_accessor :parents # Parent TableSpec objects. Initialized by the analyzer
+    attr_reader :uid # SCHEMA.TABLE name
+    attr_reader :name
+    attr_reader :record_name # Associated record name. Used in function names
+    attr_accessor :domain # Security domain - either 'case' or 'event'. Initialized by the analyzer
+
+    # Action objects
+    def insert = @actions["insert"]
+    def select = @actions["select"]
+    def update = @actions["update"]
+    def delete = @actions["delete"]
+
+    # Hash from action name to action object
+    attr_reader :actions
+
+    def initialize(spec, name, domain)
+      @spec = spec
+      @parents = []
+      @name = name.to_s
+      @uid = "#{@spec.app_schema}.#{@name}"
+      @record_name = Prick::Inflector.singularize(@name)
+      @domain = domain
+      @actions = {}
+      @spec.send :attach_table, self
+      for action_name in %w(insert select update delete)
+        attach_action(Action.new(self, action_name))
+      end
+    end
+
+    def to_s() = name
+    def inspect() "<<#{name}>>" end
+
+    def dump
+      puts "#{name}:"
+      indent { 
+        puts "domain: #{domain}" if domain
+        puts "parents: #{parents.inspect}"
+        for action_name in %w(insert select update delete)
+          actions[action_name]&.dump
+        end
+      }
+    end
+
+  private
+    def attach_action(action)
+      @actions[action.name] = action
+    end
+  end
+
+  class Action
+    attr_reader :table
+    attr_reader :name
+    attr_reader :rules
+
+    def initialize(table, name)
+      @table = table
+      @name = name.to_s
+      @rules = []
+      @table.send :attach_action, self
+    end
+
+    def fields() @include + @exclude.map { "-#{_1}" } end
+
+    def to_s() name end
+
+    def dump
+      if rules.empty?
+        puts "#{name}: []"
+      else
+        puts name
+        indent {
+          for rule in rules
+            print "- "
+            indent(bol: false) { rule.dump }
+          end
+        }
+      end
+    end
+
+  private
+    def attach_rule(rule)
+      @rules << rule
+    end
+  end
+
+  class Rule
+    attr_reader :action
+    forward_to :action, :table, :name
+    attr_reader :index
+    attr_accessor :roles
+    attr_accessor :using # Goes into the postgres policy
+    attr_accessor :check # Goes into the postgres trigger
+    attr_accessor :include
+    attr_accessor :exclude
+
+    def auth_roles() @auth_roles ||= roles.select { _1 == _1.downcase } end
+    def case_roles() @case_roles ||= roles.select { _1 == _1.upcase } end
+
+    def initialize(action, index)
+      @action = action
+      @index = index
+      @roles, @check, @include, @exclude = [], nil, [], []
+      action.send :attach_rule, self
+    end
+
+    def fields() @include + @exclude.map { "-#{_1}" } end
+
+    def dump
+      puts "index: #{index}"
+      puts "roles: #{roles.join(' ')}"
+      puts "check: #{check}" if check
+      puts "include: #{include.join(' ')}" if !include.empty?
+      puts "exclude: #{exclude.join(' ')}" if !exclude.empty?
+    end
+  end
+end
+

data/lib/mikras_utils/mkacl.rb

@@ -0,0 +1,18 @@
+
+require 'pg_conn'
+require 'indented_io'
+require 'string-text'
+require 'forward_to'; include ForwardTo
+require 'constrain'; include Constrain
+require 'prick-inflector'
+
+module MkAcl
+  class ParseError < RuntimeError; end
+
+  ROLES = %w(LA TA KON AKK)
+end
+
+require_relative 'mkacl/spec.rb'
+require_relative 'mkacl/parser.rb'
+require_relative 'mkacl/analyzer.rb'
+require_relative 'mkacl/generator.rb'

data/lib/mikras_utils/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module MikrasUtils
+  VERSION = "0.1.0"
+end

data/lib/mikras_utils.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require_relative "mikras_utils/version"
+
+module MikrasUtils
+end

data/sig/mikras_utils.rbs

@@ -0,0 +1,4 @@
+module MikrasUtils
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

data/tests/acl.fox

@@ -0,0 +1,312 @@
+
+
+auth.roles
+  - &internal
+    rolename: internal
+  - &hdj
+    rolename: hdj
+  - &bkn
+    rolename: bkn
+  - &hr
+    rolename: hr
+  - &ta
+    rolename: ta
+  - &kon1
+    rolename: kon1
+  - &akk1
+    rolename: akk1
+  - &kon2
+    rolename: kon2
+  - &akk2
+    rolename: akk2
+  - &kon3
+    rolename: kon3
+  - &akk3
+    rolename: akk3
+
+@schema app_portal
+
+cases
+  - &case1
+    name: case1
+  - &case2
+    name: case2
+  - &case3
+    name: case3
+
+role_kinds
+  - kind: RES
+    acl: true
+    ordinal: 1
+  - kind: LA
+    ordinal: 2
+  - kind: TA
+    ordinal: 3
+  - kind: KON
+    acl: true
+    ordinal: 4
+  - kind: AKK
+    acl: true
+    ordinal: 5
+  - kind: ELA
+    acl: true
+    ordinal: 6
+  - kind: CLA
+    acl: true
+    ordinal: 7
+  - kind: ETA
+    acl: true
+    ordinal: 8
+  - kind: CTA
+    acl: true
+    ordinal: 9
+
+case_role_templates
+  - role: RES
+  - role: LA
+  - role: TA
+  - role: CLA
+  - role: CTA
+  - role: KON
+  - role: AKK
+
+case_roles
+  - &case1_res
+    case: *case1
+    role: RES
+  - &case1_la
+    case: *case1
+    role: LA
+  - &case1_ta
+    case: *case1
+    role: TA
+  - &case1_cla
+    case: *case1
+    role: CLA
+  - &case1_cta
+    case: *case1
+    role: CTA
+  - &case1_kon
+    case: *case1
+    role: KON
+  - &case1_akk
+    case: *case1
+    role: AKK
+
+  - &case2_res
+    case: *case2
+    role: RES
+  - &case2_la
+    case: *case2
+    role: LA
+  - &case2_ta
+    case: *case2
+    role: TA
+  - &case2_Cla
+    case: *case2
+    role: CLA
+  - &case2_cta
+    case: *case2
+    role: CTA
+  - &case2_kon
+    case: *case2
+    role: KON
+  - &case2_akk
+    case: *case2
+    role: AKK
+
+  - &case3_res
+    case: *case3
+    role: RES
+  - &case3_la
+    case: *case3
+    role: LA
+  - &case3_ta
+    case: *case3
+    role: TA
+  - &case3_cla
+    case: *case3
+    role: CLA
+  - &case3_cta
+    case: *case3
+    role: CTA
+  - &case3_kon
+    case: *case3
+    role: KON
+  - &case3_akk
+    case: *case3
+    role: AKK
+
+case_users
+  - case_role: *case1_res
+    user: *hdj
+  - case_role: *case1_la
+    user: *hdj
+  - case_role: *case1_ta
+    user: *bkn
+  - case_role: *case1_kon
+    user: *kon1
+  - case_role: *case1_akk
+    user: *akk1
+
+  - case_role: *case2_res
+    user: *hdj
+  - case_role: *case2_la
+    user: *hdj
+  - case_role: *case2_la
+    user: *hr
+  - case_role: *case2_ta
+    user: *ta
+  - case_role: *case2_kon
+    user: *kon2
+  - case_role: *case2_akk
+    user: *akk2
+
+  - case_role: *case3_res
+    user: *hdj
+  - case_role: *case3_la
+    user: *hdj
+  - case_role: *case3_ta
+    user: *bkn
+  - case_role: *case3_ta
+    user: *ta
+  - case_role: *case3_kon
+    user: *kon3
+
+events
+  - &event11
+    case: *case1
+    name: e11
+    closed: true
+  - &event12
+    case: *case1
+    name: e12
+    closed: false
+  - &event13
+    case: *case1
+    name: e13
+    closed: false
+  - &event21
+    case: *case2
+    name: e21
+    closed: false
+
+event_role_templates
+  - role: ELA
+  - role: ETA
+
+event_roles
+  - &event_role11_ela
+    event: *event11
+    role: ELA
+  - &event_role11_eta
+    event: *event11
+    role: ETA
+  - &event_role11_kon
+    event: *event11
+    role: KON
+  - &event_role11_akk
+    event: *event11
+    role: AKK
+
+  - &event_role12_ela
+    event: *event12
+    role: ELA
+  - &event_role12_eta
+    event: *event12
+    role: ETA
+  - &event_role12_kon
+    event: *event12
+    role: KON
+  - &event_role12_akk
+    event: *event12
+    role: AKK
+
+  - &event_role13_ela
+    event: *event13
+    role: ELA
+  - &event_role13_eta
+    event: *event13
+    role: ETA
+  - &event_role13_kon
+    event: *event13
+    role: KON
+  - &event_role13_akk
+    event: *event13
+    role: AKK
+
+  - &event_role21_ela
+    event: *event21
+    role: ELA
+  - &event_role21_eta
+    event: *event21
+    role: ETA
+  - &event_role21_kon
+    event: *event21
+    role: KON
+  - &event_role21_akk
+    event: *event21
+    role: AKK
+
+event_users
+  - event_role: *event_role11_ela
+    user: *hdj
+  - event_role: *event_role12_eta
+    user: *ta # No longer assciated with the case
+  - event_role: *event_role11_kon
+    user: *kon1
+  - event_role: *event_role11_akk
+    user: *akk1
+
+  # No TA on this event
+  - event_role: *event_role12_ela
+    user: *hdj
+  - event_role: *event_role12_kon
+    user: *kon1
+  - event_role: *event_role12_akk
+    user: *akk1
+
+  # Two TAs on this event
+  - event_role: *event_role13_ela
+    user: *hdj
+  - event_role: *event_role13_eta
+    user: *ta
+  - event_role: *event_role13_eta
+    user: *bkn
+  - event_role: *event_role13_kon
+    user: *kon1
+  - event_role: *event_role13_akk
+    user: *akk1
+
+  # Event-specific LA
+  - event_role: *event_role21_ela
+    user: *hr
+  - event_role: *event_role21_eta
+    user: *ta
+  - event_role: *event_role21_kon
+    user: *kon3
+  - event_role: *event_role21_akk
+    user: *akk3
+
+visits
+  - &visit131
+    event: *event13
+    name: "visit 1 of event 3 of case 1"
+  - &visit132
+    event: *event13
+    name: "visit 2 of event 3 of case 1"
+  - &visit211
+    event: *event21
+    name: "visit 1 of event 1 of case 2"
+
+noncompliances
+  - &nc1311
+    visit: *visit131
+    name: "NC 1 of visit 1 of event 3 of case 1"
+  - &nc1312
+    visit: *visit131
+    name: "NC 2 of visit 1 of event 3 of case 1"
+  - &nc2111
+    visit: *visit131
+    name: "NC 1 of visit 1 of event 1 of case 2"
+    

data/tests/acl.spec

@@ -0,0 +1,135 @@
+
+schema:
+  app: app_portal
+  acl: acl_portal
+
+#
+# CASES AND ROLES
+#
+# insert, update, and delete are not used for many tables because data are
+# loaded from sagsys databases without policy checks and without triggers
+#
+
+cases:
+  domain: case
+  insert: admin
+  select: internal TA KON AKK
+  update:
+    - role: admin
+    - role: RES CLA
+      exclude: serial ident name
+  delete: admin
+
+case_roles: # TODO: RBAC
+  select: internal KON AKK
+
+case_users:
+  insert: CLA admin
+  select: internal
+  delete: CLA admin
+
+#
+# EVENTS AND VISITS
+#
+
+events:
+  domain: event
+  insert: CLA
+  select: internal ETA KON AKK
+  update: 
+    role: CLA ELA
+    include: kind
+  delete: CLA ELA
+
+event_roles:
+  select: internal ETA KON AKK
+
+event_users:
+  # insert: CLA ELA
+  # insert:
+  #   role: CLA ELA
+  #   call: acl_portal.insert_event_user(NEW.event_id, NEW.role, NEW.user_id) # In instead-of trigger
+  # delete
+  #   role: CLA ELA
+  #   call: acl_portal.delete_event_user(OLD.event_id, OLD.user_id) # In instead-of trigger
+  
+  select: internal ETA KON AKK
+
+visits:
+  insert: CLA ELA
+  select: internal ETA KON AKK
+  update: 
+    role: CLA ELA
+    include: notes closed progress progress_description visit_at mat_received_at reported_at deadline_at
+  delete: CLA ELA
+
+noncompliances:
+  insert:
+    - role: CLA ELA
+    - role: ETA
+      check: true # FIXME Example
+  select: 
+    - role: internal CTA
+    - role: KON AKK
+      using: true # FIXME Example
+  update: CLA ELA ETA KON AKK # FLS managed by trigger
+  delete: CLA ELA ETA KON AKK # FLS managed by trigger
+
+noncompliance_uploads:
+  insert: CLA ELA ETA KON AKK
+  select: internal ETA KON AKK
+  update:
+    - role: CLA ELA
+      include: description visible
+    - role: ETA KON AKK
+      include: description
+  delete: 
+    - role: CLA ELA
+    - role: ETA KON AKK
+      using: uploaded_by_id = current_user_id()
+
+bookings:
+  insert: CLA ELA
+  select: internal ETA KON AKK
+  update: CLA ELA
+  delete: CLA ELA
+
+user_bookings:
+  insert: CLA ELA
+  select: internal KON AKK
+  update:
+    - role: CLA ELA
+    - role: ETA KON AKK
+      using: user_id = current_user_id()
+      include: mask note locked
+  delete: CLA ELA
+
+#
+# METHOD LINES
+#
+
+#method_lines:
+# insert: CLA AKK KON
+# select: CLA CTA KON AKK internal
+# update: CLA KON AKK
+# delete: CLA KON AKK
+#
+#buckets:
+# insert: CLA
+# select: CLA CTA KON AKK internal
+# update: CLA
+# delete: CLA
+#
+#bucket_kinds:
+# select: CLA CTA KON AKK internal
+#
+#bucket_method_lines:
+# insert: CLA
+# select: CLA CTA KON AKK internal
+# update: CLA
+# delete: CLA
+
+
+
+
+