mikras_utils 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5db4dc4f784bd24e9a739b4de231f2a52c6927e1b5cc4da48256bdfe318b27f3
-  data.tar.gz: 15eb9d1dc3052833d5b8481c0043d3cb32610960ae8b781c63f5ea9f6a827d5a
+  metadata.gz: 3edb2b02216445f08fca3238457e20448bcb24c1dc27238ba4429dcc6814f25f
+  data.tar.gz: e8265ca5326412c5a793f5f056f7908c8c1e0e08945f8e309cd2cbad5347bc2e
 SHA512:
-  metadata.gz: db57c96600c9fcd448dfd72a62e3008f59da9d91b14d1aed60c56032b68bec8e78643da77f1c2f42779466ab0a7cc4c69f5aa176b1f2fe8881eadaf990336fdb
-  data.tar.gz: 3c9acdf983bdadeb7891bfa5211107a7a77e7c66001b1c78bdb470712ee7f727dbb98b8061a1cbf9af0516a249aa2767ad72b6f415492bd5bd7e7b8c4f881322
+  metadata.gz: 7eb69399a73f5a046b3ebcb9a356246ddf0b4dfbb72b13c141e2021d0f01750df3778a74c529e75e3e412925b4079038cdee7f767708410ee25e6ed14f48b1b4
+  data.tar.gz: 1db226b915c8ac98a5efbcde084e50d7547763489f07dbf4e6ee7291adaa5d4d69bd1ba921233fc3cf51a0a9d8671de61f8cc12f1159a830a5461b01cde45363

data/exe/mkacl

@@ -22,9 +22,12 @@ SPEC = %(
     pollution)
 
   ROLES
-    The following roles are recognized: LA, TA, KON, AKK.  ADM is excluded
-    because it is now a RBAC fole. PUP and NON is excluded because they are not
-    implemented in Mikras
+    The following roles are recognized: RES, LA, TA, KON, AKK, CLA, CTA, ELA,
+    and ETA
+
+    Sagsys also defines the ADM role that is excluded because it is now a RBAC
+    fole, and PUP and NON that are excluded because they are not implemented in
+    Mikras
 
   OPTIONS
     -i,interactive
@@ -34,6 +37,10 @@ SPEC = %(
       Generate only the given modules. LIST is a comma-separated list of
       modules. The following modules are currently aavailable: id_functions,
       insert_triggers, rules, acl_functions, and role_functions
+
+    -W,no-warn
+      Do not emit warnings about tables in the application schema that are not
+      defined in the spec file
 )
 
 require 'yaml'
@@ -48,12 +55,17 @@ username ||= database || ENV['PRICK_USERNAME']
 database ||= ENV['PRICK_DATABASE']
 conn = PgConn.new database, username
 
+if opts.generate?
+  modules = opts.generate.split(',').map(&:to_sym)
+  modules.each { |m| MkAcl::Generator::MODULES.include?(m) or ShellOpts.error("Unknown module - #{m}") }
+else
+  modules = MkAcl::Generator::MODULES
+end
+
 spec = MkAcl::Parser.parse(file)
-MkAcl::Analyzer.analyze(spec, conn)
+MkAcl::Analyzer.analyze(spec, conn, warn: !opts.no_warn?)
 #spec.dump
-#puts
 #exit
-
-modules = opts.generate? ? opts.generate.split(',').map(&:to_sym) : MkAcl::Generator::MODULES
 MkAcl::Generator.generate(spec, conn, modules, interactive: opts.interactive?)
 
+

data/lib/mikras_utils/mkacl/analyzer.rb

@@ -4,9 +4,14 @@ module MkAcl
     attr_reader :spec
     attr_reader :conn
 
-    def initialize(spec, conn)
+    # Tables in the application schema that are not defined in the SPEC file
+    def uncovered_tables = @uncovered_tables.to_a
+
+    def initialize(spec, conn, warn: true)
       @spec = spec
       @conn = conn
+      @warn = warn
+      @uncovered_tables = Set.new
     end
 
     def analyze
@@ -17,15 +22,32 @@ module MkAcl
           schema_name || '.' || table_name,
           ref_schema_name || '.' || ref_table_name
         from meta.links
+        where schema_name = '#{spec.app_schema}' 
+          and ref_schema_name = '#{spec.app_schema}'
       )
 
       # Link up tables
       for child_table_name, parent_table_name, child_table_uid, parent_table_uid in links
+        if !spec.key?(child_table_name)
+          @uncovered_tables << child_table_name
+          next
+        elsif !spec.key?(parent_table_name)
+          @uncovered_tables << parent_table_name
+          next
+        end
+          
         spec[child_table_name].parents << spec[parent_table_name] if spec[parent_table_name]
       end
 
+#     if warn && !@uncovered_tables.empty?
+#       puts "Warning: Uncovered tables"
+#       indent { puts uncovered_tables }
+#     end
+
       # Assign domains
-      spec.tables.each { |table| resolve_domain(table) }
+      spec.tables.each { |table| 
+        resolve_domain(table) 
+      }
 
       # Check that no table has more than one parent. FIXME
       spec.tables.each { |table|
@@ -35,11 +57,15 @@ module MkAcl
       spec
     end
 
-    def self.analyze(spec, conn) self.new(spec, conn).analyze end
+    def self.analyze(spec, conn, **opts) self.new(spec, conn, **opts).analyze end
 
   private
+    def find_tables
+      
+    end
+
     def resolve_domain(table)
-      table.domain ||= resolve_domain(table.parents.first)
+      table.domain ||= table.parents.first && resolve_domain(table.parents.first)
     end
   end
 end

data/lib/mikras_utils/mkacl/generators/id_functions.rb

@@ -7,11 +7,32 @@ module MkAcl
       attr_reader :generator
       forward_to :generator, :conn, :spec, :app_schema, :acl_schema
 
+      # Map from domain table to list of [table, path, links] tuples. The
+      # entries describes the SQL link chain from the table to the given domain
+      # table (cases or events)
+      attr_reader :chains
+
       def initialize(generator)
         @generator = generator
+        @chains = {}
       end
 
+      # TODO: ACL checks so that a user can't get IDs of other users' records
       def generate
+        # Find chains
+        @chains = conn.multimap %(
+          select
+            dst_table_name as "key",
+            src_table_name as "table_name",
+            path as "tables",
+            links
+          from
+            meta.chains
+          where src_schema_name = '#{app_schema}'
+            and dst_schema_name = '#{app_schema}'
+            and dst_table_name in ('cases', 'events')
+        )
+
         generate_per_table_id_functions
         generate_general_id_functions
         generate_general_id_of_record_functions
@@ -20,33 +41,42 @@ module MkAcl
       def self.generate(generator) self.new(generator).generate end
 
     private
-      # Generate a case_id_of_RECORD and event_id_of_RECORD, and a
-      # domain_id_of_RECORD function for each table that returns the associated
-      # case_id/event_id for a given record. Some examples:
+#     # SQL sequence of spec file tables
+#     def table_seq() @table_seq ||= spec.tables.map(&:uid).join(', ') end
+
+      # Generate a set of per-table functions that returns the associated
+      # case_id/event_id for the given record. The Functions are generated for
+      # each table in the spec file
       #
-      #   case_id_of_event(id integer)
-      #   event_id_of_noncompliance(id integer)
-      #   domain_id_of_noncompliance(id integer)
+      # The geneated functions are 
       #
-      # Returns null if not found. Note that the record has to exists because
-      # we access it to read the foreign keys
+      #   case_id_of_RECORD(id integer)
+      #   event_id_of_RECORD(id integer)
+      #   domain_id_of_RECORD(id integer)
+      #
+      # and the record variants
       #
-      # The functions are used to find the roles IDs (case or event) when
-      # inserting a record. The role ids are written into the various acl_*
-      # fields by a trigger
+      #   case_id_of_RECORD(r record)
+      #   event_id_of_RECORD(r record)
+      #   domain_id_of_RECORD(r record)
       #
-      # The alternative would be to cascade case and event keys in all records.
-      # Cascading keys are usually dereferred because it only gives a minor
-      # speed-up in most queries but in this case it optimizes away a recursive
-      # join up the hierarchy from the current table to the events or cases
-      # table. It may be a better solution
+      # 'RECORD' is substituted with the record name of a table. Record names
+      # are the singular name of a table. TODO: Make it plural again
+      #
+      # The domain functions returns event_id if related to an event and
+      # case_id if not. It is meant to return the most specialized domin id for
+      # a record. TODO Is it used?
+      #
+      # Returns null if not found. Note that the record has to exists because
+      # we access it to read the foreign keys
       #
-      # IDEA: Make the implementations also take a record type instead of an
-      # id. This is useful in triggers because we already have the first record
-      # in the acl chain
       def generate_per_table_id_functions
+        # Generate functions by domain
         for domain in %w(case event)
-          # Create identity functions (makes some stuff easier)
+
+          # Create the identity functions first. The identity functions are
+          # case_id_of_case() and event_id_of_event(). This makes some stuff
+          # easier later on
           table = "#{domain}s"
           id_field = "#{domain}_id"
           signature = "#{acl_schema}.#{id_field}_of_#{domain}(_id integer)"
@@ -54,24 +84,14 @@ module MkAcl
             drop function if exists #{signature} cascade;
             create function #{signature} returns integer as $$
               select _id;
-            $$ language sql;
+            $$ language sql
+              set search_path to ''; -- intentionally empty
           ).align
           puts
 
-          # Create remaining funktions
-          functions = conn.tuples %(
-            select
-              start_table as "table_uid",
-              path as "tables",
-              links
-            from
-              acl.paths
-            where 
-              stop_table = '#{app_schema}.#{table}'
-          )
-
-          for table_uid, tables, links in functions
-            table_name = table_uid.split(".").last
+          # Create functions
+          domain_table = Prick::Inflector.pluralize(domain)
+          for table_name, tables, links in chains[domain_table]
             record_name = Prick::Inflector.singularize(table_name)
             id_arg = "_#{id_field}"
             signature = "#{acl_schema}.#{id_field}_of_#{record_name}(#{id_arg} integer)"
@@ -92,25 +112,35 @@ module MkAcl
               }
               puts ";"
             }
-            puts "$$ language sql;"
+            puts %(
+              $$ language sql
+                set search_path to ''; -- intentionally empty
+            ).align
             puts
-
           end
         end
 
-        for table_uid in functions.map(&:first)
-          table_name = table_uid.split(".").last
-          record_name = Prick::Inflector.singularize(table_name)
-          signature = "#{acl_schema}.domain_id_of_#{record_name}(_id integer)"
-          case_function = "#{acl_schema}.case_id_of_#{record_name}"
-          event_function = "#{acl_schema}.event_id_of_#{record_name}"
-          puts %(
-            drop function if exists #{signature} cascade;
-            create function #{signature} returns integer as $$
-              select coalesce(#{event_function}(_id), #{case_function}(_id));
-            $$ language sql;
-          ).align
-          puts
+        # Tables that references events and cases
+        event_tables = chains['events'].map(&:first)
+
+        # Tables that references only cases 
+        case_tables = chains['cases'].map(&:first) - event_tables
+
+        # Create domain functions
+        for domain, tables in { case: case_tables, event: event_tables }
+          for table_name in tables
+            record_name = Prick::Inflector.singularize(table_name)
+            signature = "#{acl_schema}.domain_id_of_#{record_name}(_id integer)"
+            domain_function = "#{acl_schema}.#{domain}_id_of_#{record_name}"
+            puts %(
+              drop function if exists #{signature} cascade;
+              create function #{signature} returns integer as $$
+                select #{domain_function}(_id);
+              $$ language sql
+                set search_path to ''; -- intentionally empty
+            ).align
+            puts
+          end
         end
       end
 
@@ -125,7 +155,7 @@ module MkAcl
       #
       def generate_general_id_functions
         for domain in %w(case event)
-          domain_table = "#{domain}s"
+          domain_table = Prick::Inflector.pluralize(domain)
           field = "#{domain}_id"
           signature = "#{acl_schema}.#{field}_of(_table varchar, _id integer)"
 
@@ -136,14 +166,8 @@ module MkAcl
           ).align
           indent(2) {
             puts "case _table"
-            tables = conn.values %(
-              select start_table 
-              from acl.paths 
-              where stop_table = '#{app_schema}.#{domain}'
-            ).align
             indent {
-              for table_uid in tables
-                table_name = table_uid.split(".").last
+              for table_name in chains[domain_table].map(&:first)
                 record_name = Prick::Inflector.singularize(table_name)
                 function_name = "#{field}_of_#{record_name}"
                 puts "when '#{table_name}' then #{acl_schema}.#{function_name}(_id)"
@@ -171,12 +195,12 @@ module MkAcl
 
       # General domain-id-of-record functions
       #
-      #   case_id_of(record)
-      #   event_id_of(record)
-      #   domain_id_of(record)
+      #   case_id_of(r record)
+      #   event_id_of(r record)
+      #   domain_id_of(r record)
       #
       # Returns the case or event id associated with the given record. The
-      # record should be an ACL table record
+      # record should be an ACL table record type
       #
       # Very useful in before insert triggers because it takes a record (eg.
       # NEW) instead of an ID
@@ -188,9 +212,8 @@ module MkAcl
             column_name,
             ref_table_name
           from
-            acl.links
-          where
-            schema_name = '#{app_schema}'
+            meta.links
+          where schema_name = '#{app_schema}'
         )).group_by(&:table_name)
 
         for domain in %w(case event)
@@ -210,9 +233,14 @@ module MkAcl
             ).align
             indent {
               indent {
+                
+                
                 for table in spec.tables
                   next if domain == "event" && table.domain == "case"
-                  link = links[table.name]&.first
+#                 puts "------------------------"
+#                 p table.name
+#                 p links.keys
+                  link = links[table.name]&.first or next
                   if table.name == "cases"
                     puts "when '#{table.uid}' then return _r.id;"
                   elsif domain == "event" && table.name == "events"
@@ -222,7 +250,7 @@ module MkAcl
                   elsif link.ref_table_name == "events" && table.domain == "event"
                     puts "when '#{table.uid}' then return _r.#{link.column_name};"
                   else
-                    ref_record = spec[link.ref_table_name].record_name
+                    ref_record = spec[link.ref_table_name]&.record_name or next
                     id_of_function = "#{acl_schema}.#{domain_id_field}_of_#{ref_record}"
                     puts "when '#{table.uid}' then return #{id_of_function}(_r.#{link.column_name});"
                   end
@@ -235,7 +263,7 @@ module MkAcl
           }
           puts %(
             $$ language plpgsql
-              set search_path to '';
+              set search_path to ''; -- intentionally ''
           ).align
           puts
         end
@@ -253,7 +281,8 @@ module MkAcl
 
               return _id;
             end;
-          $$ language plpgsql;
+          $$ language plpgsql
+            set search_path to ''; -- intentionally ''
         ).align
         puts
       end

data/lib/mikras_utils/mkacl/spec.rb

@@ -1,11 +1,21 @@
 
 module MkAcl
   class Spec
-    attr_reader :file # Only for informational purposes
+    # Source SPEC file. Only for informational purposes
+    attr_reader :file 
+
+    # Application schema that contains the ACL controlled tables
     attr_reader :app_schema
+
+    # Schema for generated functions to keep the application schema
+    # (relatively) clean
     attr_reader :acl_schema
+
+    # List of tables. Initialized by Table::initialize through #attach_table
     attr_reader :tables
 
+    # Spec acts as a hash from table name to Table object. Initialized by
+    # Table::initialize through #attach_table
     forward_to :@table_hash, :[], :key?, :keys, :values
 
     def initialize(file, app_schema, acl_schema)
@@ -65,7 +75,7 @@ module MkAcl
     end
 
     def to_s() = name
-    def inspect() "<<#{name}>>" end
+    def inspect() "<#{self.class}#name #{name.inspect}>" end
 
     def dump
       puts "#{name}:"

data/lib/mikras_utils/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MikrasUtils
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

data/tests/acl.fox

@@ -137,7 +137,7 @@ case_roles
     case: *case3
     role: AKK
 
-case_users
+case_role_users
   - case_role: *case1_res
     user: *hdj
   - case_role: *case1_la

data/tests/acl.spec

@@ -23,7 +23,7 @@ cases:
 case_roles: # TODO: RBAC
   select: internal KON AKK
 
-case_users:
+case_role_users:
   insert: CLA admin
   select: internal
   delete: CLA admin

data/tests/acl.sql

@@ -77,7 +77,7 @@ create view closures as
 
 \echo ACL_CLOSURES
 --select * from closures;
-
+/*
 drop view if exists paths cascade;
 create view paths as
   with 
@@ -129,4 +129,4 @@ create view paths as
 
 \echo ACL_PATHS
 --select * from paths;
-
+*/

data/tests/acl_portal-tables.sql

@@ -12,7 +12,7 @@ create table acl_portal.attach_acls (
   unique (child_table, child_field, parent_table, parent_id, acls)
 );
 
--- Acts as a materialized view. A user's record is updated whenever case_users
+-- Acts as a materialized view. A user's record is updated whenever case_role_users
 -- or event_users are changed
 drop table if exists acl_portal.user_acls cascade;
 create table acl_portal.user_acls (

data/tests/acl_portal-views.sql

@@ -44,7 +44,7 @@ create view acl_portal.domain_users as
         cr.id as "domain_role_id", 
         cu.user_id,
         cr.role
-      from app_portal.case_users cu
+      from app_portal.case_role_users cu
       join app_portal.case_roles cr on cr.id = cu.case_role_id
       join app_portal.cases c on c.id = cr.case_id
       where (not c.closed or cr.role in ('CLA', 'ELA'))

data/tests/app_portal-tables.sql

@@ -45,7 +45,7 @@ create table case_roles (
   unique (case_id, "role")
 );
 
-create table case_users (
+create table case_role_users (
   id integer generated by default as identity primary key,
   case_role_id integer not null references case_roles(id),
   user_id integer not null references auth.roles(id),

data/tests/app_portal-triggers.sql

@@ -3,7 +3,7 @@
 -- Triggers that maintains acl_portal.user_acls.
 -- 
 
--- Call acl_portal.update_user_acl on any change to either case_users or
+-- Call acl_portal.update_user_acl on any change to either case_role_users or
 -- event_users. Note that this function is both cross-table and cross
 -- insert/delete
 create function domain_users_aiud() returns trigger as $$
@@ -13,7 +13,7 @@ create function domain_users_aiud() returns trigger as $$
   end;
 $$ language plpgsql;
 
-create trigger case_users_aiud_trg after insert or update or delete on app_portal.case_users
+create trigger case_role_users_aiud_trg after insert or update or delete on app_portal.case_role_users
   for each row execute function domain_users_aiud()
 ;
 

data/tests/app_portal-views.sql

@@ -2,6 +2,8 @@
 
 set search_path to app_portal;
 
+/*
+
 -- Union of case_roles and event_roles
 drop view if exists acl_portal.domain_roles cascade;
 create view acl_portal.domain_roles as
@@ -22,14 +24,14 @@ create view acl_portal.domain_roles as
     app_portal.event_roles
 ;
 
--- Union of case_users and event_users
+-- Union of case_role_users and event_users
 drop view if exists acl_portal.domain_users cascade;
 create view acl_portal.domain_users as 
   select
     case_role_id as "domain_role_id",
     user_id
   from
-    app_portal.case_users
+    app_portal.case_role_users
 
   union all
     
@@ -39,8 +41,10 @@ create view acl_portal.domain_users as
   from
     app_portal.event_users
 ;
+*/
 
--- Combines cases, case_roles, and case_users and also computes the virtual CLA
+/*
+-- Combines cases, case_roles, and case_role_users and also computes the virtual CLA
 -- and CTA roles from the event ELA and ETA roles and assigns the CLA role to
 -- RES users. Only ACL roles are included
 drop view if exists case_role_users cascade;
@@ -55,7 +59,7 @@ create view case_role_users as
         cr.role
       from app_portal.role_kinds rk
       join app_portal.case_roles cr on cr.role = rk.kind
-      join app_portal.case_users cu on cu.case_role_id = cr.id
+      join app_portal.case_role_users cu on cu.case_role_id = cr.id
       where rk.acl
     ),
     -- RES user is also CLA
@@ -95,7 +99,8 @@ create view case_role_users as
   select * from eta_ela_roles
   order by case_id, user_id -- FIXME: Yt
 ;
-
+*/
+/*
 -- Combines case_role_users with event_roles and event_users. It is the set of
 -- roles (case or event) that is associated with an event. Users that are no
 -- longer associated with the case are excluded
@@ -200,4 +205,4 @@ create view agg_name.domain_role_users as
     username
 order by domain_id, username
 ;
-    
+*/

data/tests/fox.sql

@@ -15,7 +15,7 @@ insert into acl_portal.attach_acls (parent_table, parent_id, child_table, child_
   select 
     'case_roles' as "parent_table",
     id as "parent_id",
-    'case_users' as "child_table",
+    'case_role_users' as "child_table",
     'case_role_id' as "child_id",
     array[2] -- hdj
   from
@@ -28,7 +28,7 @@ insert into acl_portal.attach_acls (parent_table, parent_id, child_table, child_
 delete from auth.users;
 insert into auth.users select * from auth.roles;
 
-select acl_portal.update_acls();
+--select acl_portal.update_acls();
 select acl_portal.update_user_acls();
 
 /*

data/tests/sys_portal.sql

@@ -60,7 +60,7 @@ create view acl_users as
         cr.id as "role_id"
       from
         auth.roles u
-        join app_portal.case_users cu on cu.user_id = u.id
+        join app_portal.case_role_users cu on cu.user_id = u.id
         join app_portal.case_roles cr on cr.id = cu.case_role_id
         join app_portal.cases c on c.id = cr.case_id
       where

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mikras_utils
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Claus Rasmussen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-07-05 00:00:00.000000000 Z
+date: 2024-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pg_conn