mikras_utils 0.3.2 → 0.4.0

data/lib/mikras_utils/mkacl/generators/role_functions.rb

@@ -1,4 +1,21 @@
 module MkAcl
+  # Generates the functions
+  #
+  #   acl_portal.user_is_role(_user_id integer, _object_id integer, _roles text[])
+  #   acl_portal.user_is_role(_user_id integer, _object_id integer, _roles text)
+  #     Returns true if the user has one of the given roles on the domain
+  #     object
+  #
+  #   public.current_is_role(_object_id integer, _roles text[])
+  #   public.current_is_role(_object_id integer, _roles text)
+  #     Returns true if the current user has one of the given roles on the
+  #     domain object
+  #
+  #   public.current_is_ROLE(_object_id integer)
+  #     ROLE is one of the role kinds. Returns true if the current user has the
+  #     given role
+  #
+
   class Generator
     class RoleFunctions
       using String::Text
@@ -20,54 +37,34 @@ module MkAcl
     private
       def generate_user_role_functions
         # TODO: Test. Then combine with per-table methods
-        signature = "#{acl_schema}.user_is_role(_user_id integer, _domain_id integer, _roles text[])"
+        signature = "#{acl_schema}.user_is_role(_user_id integer, _object_id integer, _roles text[])"
         puts %(
           -- Return true if the user possess one or more of the given roles on the
-          -- domain record (cases, events, visits) with the given ID
+          -- object (cases, events, visits) with the given ID
           --
           drop function if exists #{signature} cascade;
           create function #{signature} returns boolean as $$
             select exists (
               select
-              from #{app_schema}.case_roles cr
-              join #{app_schema}.case_role_users cru on cru.case_role_id = cr.id
-              where cr.case_id = _domain_id
-                and cru.user_id = _user_id
-                and cr.kind = any(_roles)
-
-              union
-
-              select
-              from #{app_schema}.event_roles cr
-              join #{app_schema}.event_role_users cru on cru.event_role_id = cr.id
-              where cr.event_id = _domain_id
-                and cru.user_id = _user_id
-                and cr.kind = any(_roles)
-
-              union
-
-              select
-              from #{app_schema}.visit_roles cr
-              join #{app_schema}.visit_role_users cru on cru.visit_role_id = cr.id
-              where cr.visit_id = _domain_id
-                and cru.user_id = _user_id
-                and cr.kind = any(_roles)
-
-            );
+              from app_portal.domain_users
+              where domain_id = _domain_id
+              and user_id = _user_id
+              and role = any(_roles)
+            )
           $$ language sql
             security definer;
         ).align
         puts
 
-        signature = "#{acl_schema}.user_is_role(_user_id integer, _domain_id integer, role text)"
+        signature = "#{acl_schema}.user_is_role(_user_id integer, _object_id integer, role text)"
         puts %(
-          -- Return true if the user has the given role on the domain record
+          -- Return true if the user has the given role on the object
           -- (cases, events, visits). Note that this function overloads the multi-role
           -- version
           --
           drop function if exists #{signature} cascade;
           create function #{signature} returns boolean as $$
-            select #{acl_schema}.user_is_role(_user_id, _domain_id, array[role]);
+            select #{acl_schema}.user_is_role(_user_id, _object_id, array[role]);
           $$ language sql
             security definer;
         ).align
@@ -75,13 +72,13 @@ module MkAcl
 
         for domain, roles in DOMAINS.zip([CASE_ROLES, EVENT_ROLES, VISIT_ROLES])
           for role in roles
-            signature = "#{acl_schema}.user_is_#{role.downcase}(_user_id integer, _domain_id integer)"
+            signature = "#{acl_schema}.user_is_#{role.downcase}(_user_id integer, _object_id integer)"
             puts %(
               -- Return true if the user possess the '#{role}' role
               --
               drop function if exists #{signature} cascade;
               create function #{signature} returns boolean as $$
-                select #{acl_schema}.user_is_role(_user_id, _domain_id, '#{role}');
+                select #{acl_schema}.user_is_role(_user_id, _object_id, '#{role}');
               $$ language sql
                 security definer;
             ).align
@@ -92,28 +89,28 @@ module MkAcl
 
       def generate_current_role_functions
         # TODO: Test. Then combine with per-table methods
-        signature = "public.current_is_role(_domain_id integer, _roles text[])"
+        signature = "public.current_is_role(_object_id integer, _roles text[])"
         puts %(
           -- Return true if the current user possess one or more of the given roles on the
-          -- domain record (cases, events, visits) with the given ID
+          -- object (cases, events, visits) with the given ID
           --
           drop function if exists #{signature} cascade;
           create function #{signature} returns boolean as $$
-            select #{acl_schema}.user_is_role(public.current_user_id(), _domain_id, _roles);
+            select #{acl_schema}.user_is_role(public.current_user_id(), _object_id, _roles);
           $$ language sql
             security definer;
         ).align
         puts
 
-        signature = "public.current_is_role(_domain_id integer, _role text)"
+        signature = "public.current_is_role(_object_id integer, _role text)"
         puts %(
-          -- Return true if the current user possess the given role on the domain record
+          -- Return true if the current user possess the given role on the object
           -- (cases, events, visits). Note that this function overloads the multi-role
           -- version
           --
           drop function if exists #{signature} cascade;
           create function #{signature} returns boolean as $$
-            select #{acl_schema}.user_is_role(public.current_user_id(), _domain_id, array[_role]);
+            select #{acl_schema}.user_is_role(public.current_user_id(), _object_id, array[_role]);
           $$ language sql
             security definer;
         ).align
@@ -121,13 +118,13 @@ module MkAcl
 
         for domain, roles in DOMAINS.zip([CASE_ROLES, EVENT_ROLES, VISIT_ROLES])
           for role in roles
-            signature = "public.current_is_#{role.downcase}(_domain_id integer)"
+            signature = "public.current_is_#{role.downcase}(_object_id integer)"
             puts %(
               -- Return true if the current user possess the '#{role}' role
               --
               drop function if exists #{signature} cascade;
               create function #{signature} returns boolean as $$
-                select #{acl_schema}.user_is_role(public.current_user_id(), _domain_id, '#{role}');
+                select #{acl_schema}.user_is_role(public.current_user_id(), _object_id, '#{role}');
               $$ language sql
                 security definer;
             ).align

data/lib/mikras_utils/mkacl/generators/rules.rb

@@ -56,13 +56,13 @@ module MkAcl
           for action in %w(select update delete).map { table.actions[_1] }
             rule_expr = action.rules.map { |rule|
               exprs = []
-              exprs << "acl_#{action.name}[#{rule.index}:#{rule.index}][1:] && public.current_role_ids()" \
+              exprs << "acl_#{action.name}[#{rule.ordinal}:#{rule.ordinal}][1:] && public.current_role_ids()" \
                   if !rule.roles.empty?
               exprs << "(#{rule.using})" if rule.using
               "(#{exprs.join(' and ')})"
             }.join(" or ")
             rule_expr = "false" if rule_expr.empty?
-            
+
             puts %(
               drop policy if exists rls_#{action.name} on #{table.uid} cascade;
               create policy rls_#{action.name} on #{table.uid} for #{action.name}

data/lib/mikras_utils/mkacl/generators/seeds.rb

@@ -0,0 +1,80 @@
+
+module MkAcl
+  class Generator
+    class Seeds
+      using String::Text
+
+      attr_reader :generator
+      forward_to :generator, :conn, :spec, :app_schema, :acl_schema
+
+      def initialize(generator)
+        @generator = generator
+      end
+
+      def generate
+        clean_tables
+        generate_seeds
+      end
+
+      def self.generate(generator) self.new(generator).generate end
+
+    private
+      def clean_tables
+        puts %(
+          delete from acl_portal.acl_rules;
+          delete from acl_portal.acl_actions;
+          delete from acl_portal.acl_tables;
+        ).align
+      end
+
+      def generate_seeds
+        for table in spec.tables
+          puts %(
+            insert into acl_portal.acl_tables (
+                schema_name, table_name, domain,
+                parent_schema_name, parent_table_name, parent_link_field,
+                acl)
+              values (
+                '#{app_schema}', '#{table}', #{conn.quote_value(table.domain)},
+                '#{table.parent && table.app_schema}', '#{table.parent}', '#{table.parent_link_field}',
+                #{table.acl || 'false'})
+              returning id as "table_id"
+            \\gset
+          ).align
+          puts
+
+          table.actions.values.each { |action|
+            puts %(
+              insert into acl_portal.acl_actions (acl_table_id, kind)
+                values (:table_id, '#{action.name.upcase}')
+                returning id as "action_id"
+              \\gset
+            ).align
+            puts
+
+            action.rules.each { |rule|
+              fields = %w(roles filter assert fields tables ordinal)
+              values = fields.map { |field| conn.quote_value(rule.send(field.to_sym), elem_type: :text) }
+              puts %(
+                insert into acl_portal.acl_rules (acl_action_id, roles, filter, assert, fields, tables, ordinal)
+                  values (:action_id, #{values.join(', ')});
+              ).align
+              puts
+            }
+          }
+        end
+
+        puts %(
+          update acl_portal.acl_tables sub
+            set parent_id = (
+              select id
+              from acl_portal.acl_tables super
+              where super.schema_name = sub.parent_schema_name
+                and super.table_name = sub.parent_table_name
+            );
+        ).align
+        puts
+      end
+    end
+  end
+end

data/lib/mikras_utils/mkacl/parser.rb

@@ -2,14 +2,29 @@
 module MkAcl
   class Parser
     attr_reader :file
+    attr_reader :symtab
 
-    def initialize(file) @file = file end
+    def initialize(file)
+      @file = file
+      @symtab = SimpleSymtab::SimpleSymtab.new
+    end
     def parse() parse_spec end
     def self.parse(file) Parser.new(file).parse end
 
   private
     def error(*msg) raise ParseError, *msg end
-    def norm_array(value) value.is_a?(Array) ? value : value&.split end
+
+    def norm_value(value)
+      value && symtab.interpolate(value)
+    end
+
+    def norm_array(value)
+      if value.is_a?(Array)
+        value.map { |v| norm_value(v) }
+      else
+        norm_value(value)&.split
+      end
+    end
 
     def parse_spec
       hash = YAML.load(IO.read(file), symbolize_names: true)
@@ -18,21 +33,31 @@ module MkAcl
       app_schema = schema[:app] or raise ArgumentError, "Can't find 'schema.app' attribute"
       acl_schema = schema[:acl] or raise ArgumentError, "Can't find 'schema.acl' attribute"
       spec = Spec.new(file, app_schema, acl_schema)
+      parse_variables(hash)
       parse_tables(spec, hash)
       spec
     end
 
+    def parse_variables(hash)
+      hash.delete_if { |k,v| k.to_s =~ /^(\$[A-Za-z0-9_]+)$/ and symtab[k] = v }
+    end
+
     def parse_tables(spec, tables)
       for table_name, actions in tables
-        table = Table.new(spec, table_name, actions.delete(:domain))
+        acl = actions.key?(:acl) ? actions.delete(:acl) : true
+        parent = actions.delete(:parent)
+        domain = actions.delete(:domain)
+        table = Table.new(spec, table_name, domain, parent, acl)
         parse_actions(table, actions)
       end
     end
 
     def parse_actions(table, actions)
       for action_name, rules in actions
-        constrain?(action_name, :insert, :select, :update, :delete) or error "Illegal action '#{action_name}'"
-        constrain?(rules, String, Array, Hash) or error "Illegal value for #{action} action '#{rules}'"
+        constrain?(action_name, :insert, :select, :update, :delete, :attach) or
+            error "Illegal action '#{action_name}'"
+        constrain?(rules, String, Array, Hash) or
+            error "Illegal value for #{action} action '#{rules}'"
         action = Action.new(table, action_name)
 
         # Normalize rules
@@ -40,7 +65,7 @@ module MkAcl
           when Hash
             rules = [rules]
           when String
-            rules = [{ role: rules }]
+            rules = [{ roles: rules }]
         end
 
         parse_rules(action, rules)
@@ -48,23 +73,22 @@ module MkAcl
     end
 
     def parse_rules(action, rules)
-      index = 0
+      ordinal = 0
       for entry in rules
-        rule = Rule.new(action, index += 1)
-
+        rule = Rule.new(action, ordinal += 1)
         for key, value in entry
           case key
-            when :role; rule.roles = norm_array(value)
-            when :using; rule.using = value
-            when :check; rule.check = value
-            when :include; rule.include = norm_array(value)
-            when :exclude; rule.exclude = norm_array(value)
+            when :roles; rule.roles = norm_array(value)
+            when :filter; rule.filter = norm_value(value)
+            when :assert; rule.assert = norm_value(value)
+            when :fields; rule.fields = norm_array(value)
+            when :tables; rule.tables = norm_array(value)
           else
             raise ArgumentError, "Illegal field '#{key}' in #{action.table}.#{action}"
           end
         end
 
-        !action.rules.empty? or 
+        !action.rules.empty? or
             error "At least one rule is required in #{action.table}.#{action}"
       end
     end

data/lib/mikras_utils/mkacl/simple_symtab.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'set'
+require 'forward_to'
+
+include ForwardTo
+
+module SimpleSymtab
+  class Error < StandardError; end
+
+  class SimpleSymtab
+    def [](key)
+      resolve if !resolved?
+      @variables[key]
+    end
+
+    def []=(key, value)
+      !@variables.key?(key) or raise Error, "Redefinition of '#{key}'"
+      @variables[key] = value
+      @unresolved << key
+    end
+
+    forward_to :"@variables", :key?, :size, :empty?
+
+    def initialize(hash = {})
+      @variables = hash.dup
+      @unresolved = @variables.keys
+    end
+
+    def interpolate(s)
+      resolve if !resolved?
+      resolve_string(s)
+    end
+
+  private
+    def resolved?() @unresolved.empty? end
+
+    def resolve_string(val)
+      val.is_a?(String) or raise ArgumentError
+      seen = Set.new
+      while val =~ /(\$[A-Za-z0-9_]+\b)/
+        var = $1
+        seen.add?(var) or raise Error, "Circular definition of '#{var}'"
+        rep = @variables[var.to_sym] or raise Error, "Unknown variable '#{var}'"
+        val.gsub!(var, rep)
+      end
+      val
+    end
+
+    def resolve
+      @unresolved.each { |var|
+        @variables[var] = resolve_string(@variables[var])
+      }
+      @unresolved = []
+    end
+  end
+end
+

data/lib/mikras_utils/mkacl/spec.rb

@@ -2,7 +2,7 @@
 module MkAcl
   class Spec
     # Source SPEC file. Only for informational purposes
-    attr_reader :file 
+    attr_reader :file
 
     # Application schema that contains the ACL controlled tables
     attr_reader :app_schema
@@ -11,7 +11,7 @@ module MkAcl
     # (relatively) clean
     attr_reader :acl_schema
 
-    # List of tables. Initialized by Table::initialize through #attach_table
+    # List of tables. Maintained by #attach_table
     attr_reader :tables
 
     # Spec acts as a hash from table name to Table object. Initialized by
@@ -45,11 +45,35 @@ module MkAcl
 
   class Table
     attr_reader :spec
-    attr_accessor :parents # Parent TableSpec objects. Initialized by the analyzer
-    attr_reader :uid # SCHEMA.TABLE name
+    forward_to :@spec, :app_schema, :acl_schema
+
+    # Hash from referenced table name to a tuple of the table object and the
+    # link field.  Initialized by the analyzer
+    attr_accessor :references
+
+    # Table name and uid
     attr_reader :name
-    attr_reader :record_name # Associated record name. Used in function names
-    attr_accessor :domain # Security domain - either 'case' or 'event'. Initialized by the analyzer
+    attr_reader :uid # SCHEMA.TABLE name
+
+    # Parent domain table. Initialized by the analyzer
+    attr_accessor :parent
+
+    # Name of parent table. May be nil. Initialized by the parser
+    attr_accessor :parent_name
+
+    # Name of link field to parent record. Initialized by the analyzer
+    attr_accessor :parent_link_field
+
+    # Security domain name for this object. Domain object have themselves as
+    # domain, all other portal objects use the parent's domain. Initialized by
+    # the analyzer
+    attr_accessor :domain
+
+    # SQL to create the ACL for a table. No ACL if false, default ACL if nil
+    attr_accessor :acl
+
+    # Associated record name. Used in function names
+    attr_reader :record_name
 
     # Action objects
     def insert = @actions["insert"]
@@ -60,13 +84,15 @@ module MkAcl
     # Hash from action name to action object
     attr_reader :actions
 
-    def initialize(spec, name, domain)
+    def initialize(spec, name, domain, parent_name, acl)
       @spec = spec
-      @parents = []
+      @references = {}
       @name = name.to_s
-      @uid = "#{@spec.app_schema}.#{@name}"
+      @uid = "#{app_schema}.#{@name}"
       @record_name = Prick::Inflector.singularize(@name)
+      @parent_name = parent_name
       @domain = domain
+      @acl = acl
       @actions = {}
       @spec.send :attach_table, self
       for action_name in %w(insert select update delete)
@@ -79,12 +105,19 @@ module MkAcl
 
     def dump
       puts "#{name}:"
-      indent { 
+      indent {
         puts "domain: #{domain}" if domain
-        puts "parents: #{parents.inspect}"
+        puts "parent: #{parent}" if parent
+        puts "references: [#{references.values.map(&:first).map(&:name).join(' ')}]"
         for action_name in %w(insert select update delete)
           actions[action_name]&.dump
         end
+        case acl
+          when false; puts "acl: false"
+          when true;
+            puts "acl:"
+            indent { puts acl }
+        end
       }
     end
 
@@ -106,8 +139,6 @@ module MkAcl
       @table.send :attach_action, self
     end
 
-    def fields() @include + @exclude.map { "-#{_1}" } end
-
     def to_s() name end
 
     def dump
@@ -116,7 +147,7 @@ module MkAcl
       else
         puts name
         indent {
-          for rule in rules
+          for rule in rules.sort_by(&:ordinal)
             print "- "
             indent(bol: false) { rule.dump }
           end
@@ -131,33 +162,40 @@ module MkAcl
   end
 
   class Rule
+    using String::Text
+
     attr_reader :action
     forward_to :action, :table, :name
-    attr_reader :index
     attr_accessor :roles
-    attr_accessor :using # Goes into the postgres policy
-    attr_accessor :check # Goes into the postgres trigger
-    attr_accessor :include
-    attr_accessor :exclude
+    attr_accessor :filter # Goes into the postgres policy
+    attr_accessor :assert # Goes into the postgres trigger
+    attr_accessor :fields # Only used for insert and update
+    attr_accessor :tables # Only used for attach
+    attr_reader :ordinal
 
+    # admin, internal, etc.
     def auth_roles() @auth_roles ||= roles.select { _1 == _1.downcase } end
+
+    # KON, AKK, etc.
     def case_roles() @case_roles ||= roles.select { _1 == _1.upcase } end
 
-    def initialize(action, index)
+    def initialize(action, ordinal)
       @action = action
-      @index = index
-      @roles, @check, @include, @exclude = [], nil, [], []
+      @ordinal = ordinal
+      @roles = []
+      @fields = []
+      @tables = []
+
       action.send :attach_rule, self
     end
 
-    def fields() @include + @exclude.map { "-#{_1}" } end
-
     def dump
-      puts "index: #{index}"
-      puts "roles: #{roles.join(' ')}"
-      puts "check: #{check}" if check
-      puts "include: #{include.join(' ')}" if !include.empty?
-      puts "exclude: #{exclude.join(' ')}" if !exclude.empty?
+      puts "roles: [#{roles.join(' ')}]"
+      puts "filter: #{filter}" if filter
+      puts "assert: #{assert}" if assert
+      puts "fields: [#{fields.join(' ')}]" if !fields.empty?
+      puts "tables: [#{tables.join(' ')}]" if !tables.empty?
+      puts "ordinal: #{ordinal}"
     end
   end
 end

data/lib/mikras_utils/mkacl.rb

@@ -1,7 +1,7 @@
 
 require 'pg_conn'
 require 'indented_io'
-require 'string-text'
+require 'string-text'; using String::Text
 require 'forward_to'; include ForwardTo
 require 'constrain'; include Constrain
 require 'prick-inflector'
@@ -12,6 +12,7 @@ module MkAcl
   DOMAINS = %w(case event visit)
   DOMAIN_TABLES = DOMAINS.map { "#{_1}s" }
 
+  # TODO Read from database (or maybe not)
   CASE_ROLES = %w(LA TA KON AKK RLA CLA CTA)
   EVENT_ROLES = %w(ELA ETA)
   VISIT_ROLES = %w(VLA VTA)
@@ -19,6 +20,7 @@ module MkAcl
   ROLES = CASE_ROLES + EVENT_ROLES + VISIT_ROLES
 end
 
+require_relative 'mkacl/simple_symtab.rb'
 require_relative 'mkacl/spec.rb'
 require_relative 'mkacl/parser.rb'
 require_relative 'mkacl/analyzer.rb'