mikras_utils 0.3.3 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf10f02dfcf24bfe2f518edfda534abbb78047b6876610f6a09adfac5217f73c
-  data.tar.gz: 7801d2245d2cd810b4defcf94b2bace9f8a6587e3fbebccc49240a689b47763e
+  metadata.gz: 74256281ee10bf5186723bfa260cd62dda3057216660aa945c7b591fa1581177
+  data.tar.gz: 882636fab035922c146cc33c33a5af9deaf0da818bec6897e17a84ad8f1f2289
 SHA512:
-  metadata.gz: 565ee40963dc77d9759bd78a55dacddab5296f23c022a07ccce42fd8c890db65eddcb6ce015c909943a34483009233f53d2c75dd0fe05faa1ccca2c1831b5375
-  data.tar.gz: 8d8afe7d2bb415edd5c3a275bca441a0d4bf73299b97e5f2d8578c9efa0b37b62840679ba73eeb60b525dbf0254e1a8a3a893ba11c4ba0add75f89706219bf50
+  metadata.gz: 5ca4be02024c23f2109cc7f3919331c180f6403cb04906d5652446d80241e7b502ed9cfcebfcc5ddf66b098c4b6def8e3f1cd3863942f9e988cb3e5bd1abc501
+  data.tar.gz: 6d82b691b1b68214910dac0acc847a68b928b6e0f45c8a157e272ded5fdc84b2f3fe5e3f23ddbadbee4bd82f1621164eea1d736deb7923787fb9f999926ddf0e

data/exe/mkacl

@@ -3,9 +3,12 @@
 SPEC = %(
   @ Make RLS functions and policies
 
-  -- [DATABASE [USERNAME]] SPEC-FILE
+  -- [DATABASE] SPEC-FILE
 
-  Read SPEC and generate following functions, policies, and triggers
+  Read SPEC and generate following functions, policies, and triggers. The
+  default DATABASE and USERNAME variables are read from the environment and
+  then .prick.state.yml if present; otherwise the current user's database is
+  used
 
   FUNCTIONS
     todo
@@ -36,12 +39,15 @@ SPEC = %(
     implemented in Mikras
 
   OPTIONS
+    -d,dump
+      Dump internal format. Used for debugging
+
     -i,interactive
       Generate code for interactive use by added ON_ERROR_STOP and other variables
 
     -g,generate=LIST
       Generate only the given modules. LIST is a comma-separated list of
-      modules. The following modules are currently available: id_functions,
+      modules. The following modules are currently available: seeds, id_functions,
       insert_triggers, rules, acl_functions, and role_functions
 
     -W,no-warn
@@ -52,14 +58,17 @@ SPEC = %(
 require 'yaml'
 require 'shellopts'
 
+require_relative '../lib/mikras_utils/mikras.rb'
 require_relative '../lib/mikras_utils/mkacl.rb'
 
+PRICK_STATE_FILE = "prick.state.yml"
+
 opts, args = ShellOpts::process(SPEC, ARGV)
 file = args.extract(-1)
-database, username = args.extract(0..2)
-username ||= database || ENV['PRICK_USERNAME']
-database ||= ENV['PRICK_DATABASE']
-conn = PgConn.new database, username
+database = args.extract(0..1)
+
+conn = PgConn.new *Mikras.credentials(database)
+conn.schema.exist?("prick") or ShellOpts.error "Database '#{database}' is not a prick database"
 
 if opts.generate?
   modules = opts.generate.split(',').map(&:to_sym)
@@ -70,8 +79,10 @@ end
 
 spec = MkAcl::Parser.parse(file)
 MkAcl::Analyzer.analyze(spec, conn, warn: !opts.no_warn?)
-#spec.dump
-#exit
+if opts.dump?
+  spec.dump
+  exit
+end
 MkAcl::Generator.generate(spec, conn, modules, interactive: opts.interactive?)
 
 

data/exe/rls

@@ -0,0 +1,30 @@
+#!/usr/bin/env ruby
+
+require 'indented_io'
+require 'shellopts'
+require 'forward_to'
+
+include ForwardTo
+
+require_relative '../lib/mikras_utils/rls/spec.rb'
+require_relative '../lib/mikras_utils/rls/parser.rb'
+require_relative '../lib/mikras_utils/rls/analyzer.rb'
+
+def error(msg) = ShellOpts.error(msg)
+
+SPEC = %(
+  Parse RLS spec file
+
+  -- FILE
+)
+
+opts, args = ShellOpts.process(SPEC, ARGV)
+
+file = args.expect(1)
+spec = Parser.parse(file)
+Analyzer.analyze(spec)
+
+spec.dump
+
+
+

data/lib/mikras_utils/mikras.rb

@@ -0,0 +1,24 @@
+
+module Mikras
+  def self.credentials(database_argument)
+    if database_argument
+      database = database_argument
+      username = database
+    else
+      username ||= database || ENV['PRICK_USERNAME']
+      database ||= ENV['PRICK_DATABASE']
+
+      if database.nil? && File.exist?(PRICK_STATE_FILE)
+        prick_state = YAML.load(IO.read PRICK_STATE_FILE)
+        database = prick_state["database"]
+        username = prick_state["username"]
+      else
+        database ||= ENV["USER"]
+        username ||= database
+      end
+    end
+    [database, username]
+  end
+end
+
+

data/lib/mikras_utils/mkacl/analyzer.rb

@@ -15,19 +15,21 @@ module MkAcl
     end
 
     def analyze
+      # Find child-parent relations between linked tables
       links = conn.tuples %(
         select
-          table_name,
-          ref_table_name,
-          schema_name || '.' || table_name,
-          ref_schema_name || '.' || ref_table_name
+          table_name as "child_table_name",
+          schema_name || '.' || table_name as "child_table_uid",
+          ref_table_name as "parent_table_name",
+          ref_schema_name || '.' || ref_table_name as "parent_table_uid",
+          column_name as "parent_link_field"
         from meta.links
-        where schema_name = '#{spec.app_schema}' 
+        where schema_name = '#{spec.app_schema}'
           and ref_schema_name = '#{spec.app_schema}'
       )
 
-      # Link up tables
-      for child_table_name, parent_table_name, child_table_uid, parent_table_uid in links
+      # Assign table references
+      for child_table_name, child_table_uid, parent_table_name, parent_table_uid, parent_link_field in links
         if !spec.key?(child_table_name)
           @uncovered_tables << child_table_name
           next
@@ -35,8 +37,11 @@ module MkAcl
           @uncovered_tables << parent_table_name
           next
         end
-          
-        spec[child_table_name].parents << spec[parent_table_name] if spec[parent_table_name]
+
+        child_table = spec[child_table_name] or raise "Can't find table #{parent_table_name.inspect}"
+        parent_table = spec[parent_table_name] or raise "Can't find referenced table #{parent_table_name.inspect}"
+
+        child_table.references[parent_table.name] = [parent_table, parent_link_field]
       end
 
 #     if warn && !@uncovered_tables.empty?
@@ -44,29 +49,38 @@ module MkAcl
 #       indent { puts uncovered_tables }
 #     end
 
-      # Assign domains
-      spec.tables.each { |table| 
-        resolve_domain(table) 
-      }
-
-      # Check that no table has more than one parent. FIXME
+      # Assign parents
       spec.tables.each { |table|
-        table.parents.size <= 1 or raise ArgumentError, "Table '#{table.name}' has multiple parents"
+        if table.parent_name
+          table.parent = spec[table.parent_name] or raise ArgumentError, "Can't find '#{table.parent_name}'"
+          table.parent_link_field = table.references[table.parent.name].last
+        else
+          table.references.size <= 1 or raise ArgumentError, "Table '#{table.name}' has multiple references"
+          parent, link_field = table.references.values.first
+          if parent&.acl
+            table.parent = parent
+            table.parent_link_field = link_field
+          end
+        end
       }
 
+      # Resolve domains
+      spec.tables.select(&:acl).each { |t| resolve_domain(t) }
+
       spec
     end
 
     def self.analyze(spec, conn, **opts) self.new(spec, conn, **opts).analyze end
 
   private
-    def find_tables
-      
-    end
-
     def resolve_domain(table)
-      table.domain ||= table.parents.first && resolve_domain(table.parents.first)
+      if table.domain.nil?
+        !table.parent.nil? or raise ArgumentError, "Domain table without domain name - '#{table.name}'"
+        resolve_domain(table.parent)
+        table.domain = table.parent.domain
+      end
     end
   end
 end
 
+

data/lib/mikras_utils/mkacl/generator.rb

@@ -4,10 +4,11 @@ require_relative './generators/acl_functions.rb'
 require_relative './generators/insert_triggers.rb'
 require_relative './generators/role_functions.rb'
 require_relative './generators/rules.rb'
+require_relative './generators/seeds.rb'
 
 module MkAcl
   class Generator
-    MODULES = [:id_functions, :insert_triggers, :rules, :acl_functions, :role_functions]
+    MODULES = [:id_functions, :insert_triggers, :rules, :acl_functions, :role_functions, :seeds]
 
     using String::Text
 
@@ -32,6 +33,7 @@ module MkAcl
 
       matches = modules.map { |k| [k, true] }.to_h
 
+      Seeds.generate(self) if matches.key?(:seeds)
       IdFunctions.generate(self) if matches.key?(:id_functions)
       for table in spec.tables
         InsertTriggers.generate(self, table) if matches.key?(:insert_triggers)
@@ -42,7 +44,7 @@ module MkAcl
     end
 
     def self.generate(spec, conn, modules = MODULES, **opts)
-      self.new(spec, conn).generate(modules, **opts) 
+      self.new(spec, conn).generate(modules, **opts)
     end
 
     def inspect() "Generator(#{@database.inspect}, #{@username.inspect}, #{@spec})" end

data/lib/mikras_utils/mkacl/generators/acl_functions.rb

@@ -21,11 +21,28 @@ module MkAcl
       def self.generate(generator) self.new(generator).generate end
 
     private
+
+#     %(
+#       update TABLE  tbl
+#         set read_acls = (
+#           select array_agg(role_id)
+#           from acl_portal.eff_object_roles eor
+#           where tbl.DOMAIN_ID = eor.object_id
+#         )
+#     )
+
+#     %(
+#       select
+#       from
+#       where
+#         domain_id_of(DOMAIN, TABLE_NAME, id)
+#     )
+
       def generate_acl_update_function
         signature = "#{acl_schema}.update_acls()"
 
-        stmts = spec.tables.map { |table| 
-          "perform #{acl_schema}.#{table}_update_acls(id) from #{app_schema}.#{table};" 
+        stmts = spec.tables.map { |table|
+          "perform #{acl_schema}.#{table}_update_acls(id) from #{app_schema}.#{table};"
         }
 
         puts %(
@@ -56,7 +73,7 @@ module MkAcl
           -- Note: The different table-level variations of this function can be
           -- collapsed into a single function but it requires dynamic execution of
           -- a delete statement with array-of-array arguments :-O
-          -- 
+          --
           -- Note: This function is auto-generated by #{$PROGRAM_NAME} using #{spec.file}
           --
           drop function if exists #{signature} cascade;
@@ -68,7 +85,7 @@ module MkAcl
               _domain_id integer;
               _acls integer[]; -- per-rule ACLs
               _acl_select integer[][]; -- per-action ACLs
-              _acl_update integer[][]; -- 
+              _acl_update integer[][]; --
               _acl_delete integer[][]; --
             begin
           ).align
@@ -132,7 +149,7 @@ module MkAcl
         end
         puts %(
           -- Update ACL fields
-          update #{table.uid} 
+          update #{table.uid}
             set acl_select = _acl_select,
                 acl_update = _acl_update,
                 acl_delete = _acl_delete
@@ -165,7 +182,7 @@ module MkAcl
 
               -- Create attach ACLs
               insert into acl_portal.attach_acls (parent_table, parent_id, child_table, child_field, acls)
-                with 
+                with
                   case_role_acls as (
                     select
                       id
@@ -182,8 +199,8 @@ module MkAcl
                     where rolename = any(array[#{auth_role_list}]::text[])
                   ),
                   role_acls as (
-                    select * from case_role_acls 
-                    union 
+                    select * from case_role_acls
+                    union
                     select * from auth_role_acls
                   )
                 select
@@ -192,7 +209,7 @@ module MkAcl
                   l.table_name as "child_table",
                   l.column_name as "child_field",
                   array_agg(ra.id) as "acls"
-                from 
+                from
                   acl.links l,
                   role_acls ra
                 where l.table_name = '#{table}'

data/lib/mikras_utils/mkacl/generators/rules.rb

@@ -56,13 +56,13 @@ module MkAcl
           for action in %w(select update delete).map { table.actions[_1] }
             rule_expr = action.rules.map { |rule|
               exprs = []
-              exprs << "acl_#{action.name}[#{rule.index}:#{rule.index}][1:] && public.current_role_ids()" \
+              exprs << "acl_#{action.name}[#{rule.ordinal}:#{rule.ordinal}][1:] && public.current_role_ids()" \
                   if !rule.roles.empty?
               exprs << "(#{rule.using})" if rule.using
               "(#{exprs.join(' and ')})"
             }.join(" or ")
             rule_expr = "false" if rule_expr.empty?
-            
+
             puts %(
               drop policy if exists rls_#{action.name} on #{table.uid} cascade;
               create policy rls_#{action.name} on #{table.uid} for #{action.name}

data/lib/mikras_utils/mkacl/generators/seeds.rb

@@ -0,0 +1,80 @@
+
+module MkAcl
+  class Generator
+    class Seeds
+      using String::Text
+
+      attr_reader :generator
+      forward_to :generator, :conn, :spec, :app_schema, :acl_schema
+
+      def initialize(generator)
+        @generator = generator
+      end
+
+      def generate
+        clean_tables
+        generate_seeds
+      end
+
+      def self.generate(generator) self.new(generator).generate end
+
+    private
+      def clean_tables
+        puts %(
+          delete from acl_portal.acl_rules;
+          delete from acl_portal.acl_actions;
+          delete from acl_portal.acl_tables;
+        ).align
+      end
+
+      def generate_seeds
+        for table in spec.tables
+          puts %(
+            insert into acl_portal.acl_tables (
+                schema_name, table_name, domain,
+                parent_schema_name, parent_table_name, parent_link_field,
+                acl)
+              values (
+                '#{app_schema}', '#{table}', #{conn.quote_value(table.domain)},
+                '#{table.parent && table.app_schema}', '#{table.parent}', '#{table.parent_link_field}',
+                #{table.acl || 'false'})
+              returning id as "table_id"
+            \\gset
+          ).align
+          puts
+
+          table.actions.values.each { |action|
+            puts %(
+              insert into acl_portal.acl_actions (acl_table_id, kind)
+                values (:table_id, '#{action.name.upcase}')
+                returning id as "action_id"
+              \\gset
+            ).align
+            puts
+
+            action.rules.each { |rule|
+              fields = %w(roles filter assert fields tables ordinal)
+              values = fields.map { |field| conn.quote_value(rule.send(field.to_sym), elem_type: :text) }
+              puts %(
+                insert into acl_portal.acl_rules (acl_action_id, roles, filter, assert, fields, tables, ordinal)
+                  values (:action_id, #{values.join(', ')});
+              ).align
+              puts
+            }
+          }
+        end
+
+        puts %(
+          update acl_portal.acl_tables sub
+            set parent_id = (
+              select id
+              from acl_portal.acl_tables super
+              where super.schema_name = sub.parent_schema_name
+                and super.table_name = sub.parent_table_name
+            );
+        ).align
+        puts
+      end
+    end
+  end
+end

data/lib/mikras_utils/mkacl/parser.rb

@@ -2,14 +2,29 @@
 module MkAcl
   class Parser
     attr_reader :file
+    attr_reader :symtab
 
-    def initialize(file) @file = file end
+    def initialize(file)
+      @file = file
+      @symtab = SimpleSymtab::SimpleSymtab.new
+    end
     def parse() parse_spec end
     def self.parse(file) Parser.new(file).parse end
 
   private
     def error(*msg) raise ParseError, *msg end
-    def norm_array(value) value.is_a?(Array) ? value : value&.split end
+
+    def norm_value(value)
+      value && symtab.interpolate(value)
+    end
+
+    def norm_array(value)
+      if value.is_a?(Array)
+        value.map { |v| norm_value(v) }
+      else
+        norm_value(value)&.split
+      end
+    end
 
     def parse_spec
       hash = YAML.load(IO.read(file), symbolize_names: true)
@@ -18,21 +33,31 @@ module MkAcl
       app_schema = schema[:app] or raise ArgumentError, "Can't find 'schema.app' attribute"
       acl_schema = schema[:acl] or raise ArgumentError, "Can't find 'schema.acl' attribute"
       spec = Spec.new(file, app_schema, acl_schema)
+      parse_variables(hash)
       parse_tables(spec, hash)
       spec
     end
 
+    def parse_variables(hash)
+      hash.delete_if { |k,v| k.to_s =~ /^(\$[A-Za-z0-9_]+)$/ and symtab[k] = v }
+    end
+
     def parse_tables(spec, tables)
       for table_name, actions in tables
-        table = Table.new(spec, table_name, actions.delete(:domain))
+        acl = actions.key?(:acl) ? actions.delete(:acl) : true
+        parent = actions.delete(:parent)
+        domain = actions.delete(:domain)
+        table = Table.new(spec, table_name, domain, parent, acl)
         parse_actions(table, actions)
       end
     end
 
     def parse_actions(table, actions)
       for action_name, rules in actions
-        constrain?(action_name, :insert, :select, :update, :delete) or error "Illegal action '#{action_name}'"
-        constrain?(rules, String, Array, Hash) or error "Illegal value for #{action} action '#{rules}'"
+        constrain?(action_name, :insert, :select, :update, :delete, :attach) or
+            error "Illegal action '#{action_name}'"
+        constrain?(rules, String, Array, Hash) or
+            error "Illegal value for #{action} action '#{rules}'"
         action = Action.new(table, action_name)
 
         # Normalize rules
@@ -40,7 +65,7 @@ module MkAcl
           when Hash
             rules = [rules]
           when String
-            rules = [{ role: rules }]
+            rules = [{ roles: rules }]
         end
 
         parse_rules(action, rules)
@@ -48,23 +73,22 @@ module MkAcl
     end
 
     def parse_rules(action, rules)
-      index = 0
+      ordinal = 0
       for entry in rules
-        rule = Rule.new(action, index += 1)
-
+        rule = Rule.new(action, ordinal += 1)
         for key, value in entry
           case key
-            when :role; rule.roles = norm_array(value)
-            when :using; rule.using = value
-            when :check; rule.check = value
-            when :include; rule.include = norm_array(value)
-            when :exclude; rule.exclude = norm_array(value)
+            when :roles; rule.roles = norm_array(value)
+            when :filter; rule.filter = norm_value(value)
+            when :assert; rule.assert = norm_value(value)
+            when :fields; rule.fields = norm_array(value)
+            when :tables; rule.tables = norm_array(value)
           else
             raise ArgumentError, "Illegal field '#{key}' in #{action.table}.#{action}"
           end
         end
 
-        !action.rules.empty? or 
+        !action.rules.empty? or
             error "At least one rule is required in #{action.table}.#{action}"
       end
     end

data/lib/mikras_utils/mkacl/simple_symtab.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'set'
+require 'forward_to'
+
+include ForwardTo
+
+module SimpleSymtab
+  class Error < StandardError; end
+
+  class SimpleSymtab
+    def [](key)
+      resolve if !resolved?
+      @variables[key]
+    end
+
+    def []=(key, value)
+      !@variables.key?(key) or raise Error, "Redefinition of '#{key}'"
+      @variables[key] = value
+      @unresolved << key
+    end
+
+    forward_to :"@variables", :key?, :size, :empty?
+
+    def initialize(hash = {})
+      @variables = hash.dup
+      @unresolved = @variables.keys
+    end
+
+    def interpolate(s)
+      resolve if !resolved?
+      resolve_string(s)
+    end
+
+  private
+    def resolved?() @unresolved.empty? end
+
+    def resolve_string(val)
+      val.is_a?(String) or raise ArgumentError
+      seen = Set.new
+      while val =~ /(\$[A-Za-z0-9_]+\b)/
+        var = $1
+        seen.add?(var) or raise Error, "Circular definition of '#{var}'"
+        rep = @variables[var.to_sym] or raise Error, "Unknown variable '#{var}'"
+        val.gsub!(var, rep)
+      end
+      val
+    end
+
+    def resolve
+      @unresolved.each { |var|
+        @variables[var] = resolve_string(@variables[var])
+      }
+      @unresolved = []
+    end
+  end
+end
+

data/lib/mikras_utils/mkacl/spec.rb

@@ -2,7 +2,7 @@
 module MkAcl
   class Spec
     # Source SPEC file. Only for informational purposes
-    attr_reader :file 
+    attr_reader :file
 
     # Application schema that contains the ACL controlled tables
     attr_reader :app_schema
@@ -11,7 +11,7 @@ module MkAcl
     # (relatively) clean
     attr_reader :acl_schema
 
-    # List of tables. Initialized by Table::initialize through #attach_table
+    # List of tables. Maintained by #attach_table
     attr_reader :tables
 
     # Spec acts as a hash from table name to Table object. Initialized by
@@ -45,11 +45,35 @@ module MkAcl
 
   class Table
     attr_reader :spec
-    attr_accessor :parents # Parent TableSpec objects. Initialized by the analyzer
-    attr_reader :uid # SCHEMA.TABLE name
+    forward_to :@spec, :app_schema, :acl_schema
+
+    # Hash from referenced table name to a tuple of the table object and the
+    # link field.  Initialized by the analyzer
+    attr_accessor :references
+
+    # Table name and uid
     attr_reader :name
-    attr_reader :record_name # Associated record name. Used in function names
-    attr_accessor :domain # Security domain - either 'case' or 'event'. Initialized by the analyzer
+    attr_reader :uid # SCHEMA.TABLE name
+
+    # Parent domain table. Initialized by the analyzer
+    attr_accessor :parent
+
+    # Name of parent table. May be nil. Initialized by the parser
+    attr_accessor :parent_name
+
+    # Name of link field to parent record. Initialized by the analyzer
+    attr_accessor :parent_link_field
+
+    # Security domain name for this object. Domain object have themselves as
+    # domain, all other portal objects use the parent's domain. Initialized by
+    # the analyzer
+    attr_accessor :domain
+
+    # SQL to create the ACL for a table. No ACL if false, default ACL if nil
+    attr_accessor :acl
+
+    # Associated record name. Used in function names
+    attr_reader :record_name
 
     # Action objects
     def insert = @actions["insert"]
@@ -60,13 +84,15 @@ module MkAcl
     # Hash from action name to action object
     attr_reader :actions
 
-    def initialize(spec, name, domain)
+    def initialize(spec, name, domain, parent_name, acl)
       @spec = spec
-      @parents = []
+      @references = {}
       @name = name.to_s
-      @uid = "#{@spec.app_schema}.#{@name}"
+      @uid = "#{app_schema}.#{@name}"
       @record_name = Prick::Inflector.singularize(@name)
+      @parent_name = parent_name
       @domain = domain
+      @acl = acl
       @actions = {}
       @spec.send :attach_table, self
       for action_name in %w(insert select update delete)
@@ -79,12 +105,19 @@ module MkAcl
 
     def dump
       puts "#{name}:"
-      indent { 
+      indent {
         puts "domain: #{domain}" if domain
-        puts "parents: #{parents.inspect}"
+        puts "parent: #{parent}" if parent
+        puts "references: [#{references.values.map(&:first).map(&:name).join(' ')}]"
         for action_name in %w(insert select update delete)
           actions[action_name]&.dump
         end
+        case acl
+          when false; puts "acl: false"
+          when true;
+            puts "acl:"
+            indent { puts acl }
+        end
       }
     end
 
@@ -106,8 +139,6 @@ module MkAcl
       @table.send :attach_action, self
     end
 
-    def fields() @include + @exclude.map { "-#{_1}" } end
-
     def to_s() name end
 
     def dump
@@ -116,7 +147,7 @@ module MkAcl
       else
         puts name
         indent {
-          for rule in rules
+          for rule in rules.sort_by(&:ordinal)
             print "- "
             indent(bol: false) { rule.dump }
           end
@@ -131,33 +162,40 @@ module MkAcl
   end
 
   class Rule
+    using String::Text
+
     attr_reader :action
     forward_to :action, :table, :name
-    attr_reader :index
     attr_accessor :roles
-    attr_accessor :using # Goes into the postgres policy
-    attr_accessor :check # Goes into the postgres trigger
-    attr_accessor :include
-    attr_accessor :exclude
+    attr_accessor :filter # Goes into the postgres policy
+    attr_accessor :assert # Goes into the postgres trigger
+    attr_accessor :fields # Only used for insert and update
+    attr_accessor :tables # Only used for attach
+    attr_reader :ordinal
 
+    # admin, internal, etc.
     def auth_roles() @auth_roles ||= roles.select { _1 == _1.downcase } end
+
+    # KON, AKK, etc.
     def case_roles() @case_roles ||= roles.select { _1 == _1.upcase } end
 
-    def initialize(action, index)
+    def initialize(action, ordinal)
       @action = action
-      @index = index
-      @roles, @check, @include, @exclude = [], nil, [], []
+      @ordinal = ordinal
+      @roles = []
+      @fields = []
+      @tables = []
+
       action.send :attach_rule, self
     end
 
-    def fields() @include + @exclude.map { "-#{_1}" } end
-
     def dump
-      puts "index: #{index}"
-      puts "roles: #{roles.join(' ')}"
-      puts "check: #{check}" if check
-      puts "include: #{include.join(' ')}" if !include.empty?
-      puts "exclude: #{exclude.join(' ')}" if !exclude.empty?
+      puts "roles: [#{roles.join(' ')}]"
+      puts "filter: #{filter}" if filter
+      puts "assert: #{assert}" if assert
+      puts "fields: [#{fields.join(' ')}]" if !fields.empty?
+      puts "tables: [#{tables.join(' ')}]" if !tables.empty?
+      puts "ordinal: #{ordinal}"
     end
   end
 end

data/lib/mikras_utils/mkacl.rb

@@ -1,7 +1,7 @@
 
 require 'pg_conn'
 require 'indented_io'
-require 'string-text'
+require 'string-text'; using String::Text
 require 'forward_to'; include ForwardTo
 require 'constrain'; include Constrain
 require 'prick-inflector'
@@ -20,6 +20,7 @@ module MkAcl
   ROLES = CASE_ROLES + EVENT_ROLES + VISIT_ROLES
 end
 
+require_relative 'mkacl/simple_symtab.rb'
 require_relative 'mkacl/spec.rb'
 require_relative 'mkacl/parser.rb'
 require_relative 'mkacl/analyzer.rb'

data/lib/mikras_utils/rls/analyzer.rb

@@ -0,0 +1,108 @@
+
+class Analyzer
+  attr_reader :spec
+  def vars = spec.variables
+
+  def initialize(spec)
+    @spec = spec
+  end
+
+  def analyze
+    interpolate
+    expand_rules
+    merge_rules
+    spec
+  end
+
+  def self.analyze(spec)
+    self.new(spec).analyze
+  end
+
+private
+  #
+  # Interpolate variables
+  #
+  def interpolate
+    interpolate_variables
+    interpolate_spec
+  end
+
+  def interpolate_variables
+    spec.variables.transform_values! { |a|
+      a.map { |e|
+        if e =~ /^\$[A-Za-z0-9_]+$/
+          spec.variables[e] or ShellOpts::error "Unknown variable #{e}"
+        else
+          e
+        end
+      }.flatten
+    }
+  end
+
+  def interpolate_spec
+    spec.rules.each { |r| interpolate_rule(r) }
+  end
+
+  def interpolate_rule(rule)
+    rule.tables = interpolate_array(rule.tables)
+    p rule.opers.map(&:class)
+
+    rule.opers.each { |op| interpolate_oper(op) }
+  end
+
+  def interpolate_oper(oper)
+    oper.accesses.each { |a| interpolate_access(a) }
+  end
+
+  def interpolate_access(access)
+    access.roles = interpolate_array(access.roles)
+    access.tables = interpolate_string(access.tables)
+    access.fields = interpolate_array(access.fields)
+    access.where = interpolate_string(access.where)
+  end
+
+  def interpolate_string(string)
+    return nil if string.nil?
+    for key, value in vars
+      next if !value.is_a?(String)
+      string.gsub!(/#{key}/, value)
+    end
+    string
+  end
+
+  def interpolate_array(array)
+    return nil if array.nil?
+    array.map { |e| vars[e] || e }.flatten
+  end
+
+  #
+  # Expand rules
+  #
+  def expand_rules()
+    rules = []
+    spec.rules.each { |rule|
+      rule.tables.each { |t| r = rule.dup; r.tables = [t]; rules << r }
+    }
+    spec.rules = rules
+  end
+
+  #
+  # Merge rules
+  #
+  def merge_rules()
+    spec.rules = spec.rules.group_by { |rule| rule.tables.first }.map { |table, rules|
+      rule = Rule.new([table])
+      for oper in Spec::OPERS
+        rule[oper] = merge_opers(oper, rules.map { |r| r[oper] }.flatten)
+      end
+      rule
+    }
+  end
+
+  def merge_opers(oper, opers)
+    oper = Oper.new(oper)
+    oper.accesses = opers.map { |op| op.accesses }.flatten
+    oper
+  end
+end
+

data/lib/mikras_utils/rls/parser.rb

@@ -0,0 +1,70 @@
+#!/usr/bin/env ruby
+
+require 'yaml'
+
+include ForwardTo
+
+class Parser
+  def initialize(file)
+    @file = file
+  end
+
+  def parse
+    yaml = YAML.load(IO.read(@file).sub(/^__END__$.*/m, ""), symbolize_names: true)
+    rules = nil
+    variables = {}
+    yaml.each { |key, value|
+      case key
+        when :rules; rules = value.map { |v| parse_rule(v) }
+        when /^\$[A-Z0-9_]+$/; variables[key.to_s] = parse_array(value)
+      else
+        raise "Illegal section: #{key}"
+      end
+    }
+    Spec.new(@file, rules, variables)
+  end
+
+  def self.parse(file) self.new(file).parse end
+
+private
+  def parse_rule(hash)
+    tables = parse_array(hash[:tables]) or error "Can't find 'table' key"
+    rule = Rule.new(tables)
+    for oper in Spec::OPERS
+      value = hash[oper] or next
+      rule.send(:"#{oper}=", parse_oper(oper, value))
+    end
+    rule
+  end
+
+  def parse_oper(oper, value)
+    case value
+      when String; Oper.new(oper, [Access.new(parse_array(value), nil, nil, nil)])
+      when Hash; Oper.new(oper, [parse_access(value)])
+      when Array; Oper.new(oper, value.map { |hash| parse_access(hash) })
+    else
+      error "Illegal argument: #{value.invaluet}"
+    end
+  end
+
+  def parse_access(hash)
+    illegal_keys = hash.keys - Spec::FIELDS
+    illegal_keys.empty? or error "Illegal keys: #{illegal_keys.join(', ')}"
+    roles = parse_array(hash[:roles])
+    tables = parse_array(hash[:tables])
+    fields = parse_array(hash[:fields])
+    where = hash[:where]
+    Access.new(roles, tables, fields, where)
+  end
+
+  def parse_array(value)
+    case value
+      when String; value.split
+      when Array; value
+      when nil; nil
+    else
+      error "Illegal array value: #{value.inspect}"
+    end
+  end
+end
+

data/lib/mikras_utils/rls/spec.rb

@@ -0,0 +1,86 @@
+
+class Spec
+  OPERS = [:select, :insert, :update, :delete, :attach]
+  FIELDS = [:roles, :tables, :fields, :where]
+
+  attr_reader :file
+  attr_accessor :rules
+  attr_accessor :variables
+
+  forward_to :variables, :[], :[]=
+
+  def initialize(file, rules, variables)
+    @file, @rules, @variables = file, rules, variables
+  end
+
+  def dump
+    puts "File: #{file}"
+    puts "Variables"
+    indent { variables.each { |k,v| puts "#{k} = #{v.inspect}" } }
+    puts "Rules"
+    indent { rules.sort_by { |rule| rule.tables.first }.each(&:dump) }
+  end
+end
+
+class Rule
+  attr_accessor :tables
+  attr_accessor *Spec::OPERS
+
+  def initialize(tables)
+    @tables = tables
+    Spec::OPERS.each { |op| self[op] = Oper.new(op) }
+  end
+
+  def opers() = Spec::OPERS.map { |op| self.send(op) }.compact
+  def [](key) = self.send(key)
+  def []=(key, value) self.send(:"#{key}=", value) end
+
+  def to_s() = "Rule, tables: #{tables.join(', ')}"
+
+  def dump
+    puts "Rule"
+    indent {
+      puts "tables: #{tables}"
+      opers.each { |op| op.dump }
+    }
+  end
+end
+
+class Oper
+  attr_reader :name
+  attr_accessor :accesses
+
+  def self.symbol = self.to_s.sub(/Decl/, "").downcase.to_sym
+
+  def initialize(name, accesses = [])
+    @name = name
+    @accesses = accesses
+  end
+
+  def dump
+    puts "#{name}"
+    indent { accesses.each(&:dump) }
+  end
+end
+
+class Access
+  attr_accessor *Spec::FIELDS
+
+  def initialize(roles, table, fields, where)
+    @roles = roles
+    @table = table
+    @fields = fields
+    @where = where
+  end
+
+  def dump
+    puts "access:"
+    indent {
+      Spec::FIELDS.each { |f|
+        value = self.send(f) or next
+        puts "#{f}: #{value}"
+      }
+    }
+  end
+end
+

data/lib/mikras_utils/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MikrasUtils
-  VERSION = "0.3.3"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mikras_utils
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.4.0
 platform: ruby
 authors:
 - Claus Rasmussen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-08-13 00:00:00.000000000 Z
+date: 2025-01-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pg_conn
@@ -72,6 +72,7 @@ email:
 executables:
 - mikras_utils
 - mkacl
+- rls
 extensions: []
 extra_rdoc_files: []
 files:
@@ -84,7 +85,9 @@ files:
 - build
 - exe/mikras_utils
 - exe/mkacl
+- exe/rls
 - lib/mikras_utils.rb
+- lib/mikras_utils/mikras.rb
 - lib/mikras_utils/mkacl.rb
 - lib/mikras_utils/mkacl/analyzer.rb
 - lib/mikras_utils/mkacl/generator.rb
@@ -93,8 +96,13 @@ files:
 - lib/mikras_utils/mkacl/generators/insert_triggers.rb
 - lib/mikras_utils/mkacl/generators/role_functions.rb
 - lib/mikras_utils/mkacl/generators/rules.rb
+- lib/mikras_utils/mkacl/generators/seeds.rb
 - lib/mikras_utils/mkacl/parser.rb
+- lib/mikras_utils/mkacl/simple_symtab.rb
 - lib/mikras_utils/mkacl/spec.rb
+- lib/mikras_utils/rls/analyzer.rb
+- lib/mikras_utils/rls/parser.rb
+- lib/mikras_utils/rls/spec.rb
 - lib/mikras_utils/version.rb
 - sig/mikras_utils.rbs
 - tests/acl.fox