oso-oso 0.15.1 → 0.21.0

data/lib/oso/polar/ffi/polar.rb

@@ -14,17 +14,22 @@ module Oso
           ffi_lib FFI::LIB_PATH
 
           attach_function :new, :polar_new, [], FFI::Polar
-          attach_function :enable_roles, :polar_enable_roles, [FFI::Polar], :int32
-          attach_function :validate_roles_config, :polar_validate_roles_config, [FFI::Polar, :string], :int32
-          attach_function :load, :polar_load, [FFI::Polar, :string, :string], :int32
+          attach_function :load, :polar_load, [FFI::Polar, :string], :int32
           attach_function :clear_rules, :polar_clear_rules, [FFI::Polar], :int32
           attach_function :next_inline_query, :polar_next_inline_query, [FFI::Polar, :uint32], FFI::Query
           attach_function :new_id, :polar_get_external_id, [FFI::Polar], :uint64
           attach_function :new_query_from_str, :polar_new_query, [FFI::Polar, :string, :uint32], FFI::Query
           attach_function :new_query_from_term, :polar_new_query_from_term, [FFI::Polar, :string, :uint32], FFI::Query
           attach_function :register_constant, :polar_register_constant, [FFI::Polar, :string, :string], :int32
+          attach_function :register_mro, :polar_register_mro, [FFI::Polar, :string, :string], :int32
           attach_function :next_message, :polar_next_polar_message, [FFI::Polar], FFI::Message
           attach_function :free, :polar_free, [FFI::Polar], :int32
+          attach_function(
+            :build_filter_plan,
+            :polar_build_filter_plan,
+            [FFI::Polar, :string, :string, :string, :string],
+            :string
+          )
         end
         private_constant :Rust
 
@@ -37,25 +42,20 @@ module Oso
           polar
         end
 
-        # @raise [FFI::Error] if the FFI call returns an error.
-        def enable_roles
-          result = Rust.enable_roles(self)
-          process_messages
-          handle_error if result.zero?
-        end
-
-        # @raise [FFI::Error] if the FFI call returns an error.
-        def validate_roles_config(config)
-          result = Rust.validate_roles_config(self, JSON.dump(config))
+        def build_filter_plan(types, partials, variable, class_tag)
+          types = JSON.dump(types)
+          partials = JSON.dump(partials)
+          plan = Rust.build_filter_plan(self, types, partials, variable, class_tag)
           process_messages
-          handle_error if result.zero?
+          handle_error if plan.nil?
+          # TODO(gw) more error checking?
+          JSON.parse plan
         end
 
-        # @param src [String]
-        # @param filename [String]
+        # @param sources [Array<Source>]
         # @raise [FFI::Error] if the FFI call returns an error.
-        def load(src, filename: nil)
-          loaded = Rust.load(self, src, filename)
+        def load(sources)
+          loaded = Rust.load(self, JSON.dump(sources))
           process_messages
           handle_error if loaded.zero?
         end
@@ -117,6 +117,14 @@ module Oso
           handle_error if registered.zero?
         end
 
+        # @param name [String]
+        # @param mro [Array<Integer>]
+        # @raise [FFI::Error] if the FFI call returns an error.
+        def register_mro(name, mro)
+          registered = Rust.register_mro(self, name, JSON.dump(mro))
+          handle_error if registered.zero?
+        end
+
         def next_message
           Rust.next_message(self)
         end

data/lib/oso/polar/ffi/query.rb

@@ -21,6 +21,7 @@ module Oso
           attach_function :next_message, :polar_next_query_message, [FFI::Query], FFI::Message
           attach_function :source, :polar_query_source_info, [FFI::Query], FFI::Source
           attach_function :free, :query_free, [FFI::Query], :int32
+          attach_function :bind, :polar_bind, [FFI::Query, :string, :string], :int32
         end
         private_constant :Rust
 
@@ -49,8 +50,7 @@ module Oso
           handle_error if res.zero?
         end
 
-        # @param result [Boolean]
-        # @param call_id [Integer]
+        # @param message [String]
         # @raise [FFI::Error] if the FFI call returns an error.
         def application_error(message)
           res = Rust.application_error(self, message)
@@ -67,6 +67,11 @@ module Oso
           ::Oso::Polar::QueryEvent.new(JSON.parse(event.to_s))
         end
 
+        def bind(name, value)
+          res = Rust.bind(self, name, JSON.dump(value))
+          handle_error if res.zero?
+        end
+
         def next_message
           Rust.next_message(self)
         end

data/lib/oso/polar/host.rb

@@ -34,14 +34,31 @@ module Oso
       end
     end
 
+    # For holding type metadata: name, fields, etc.
+    class UserType
+      attr_reader :name, :klass, :id, :fields, :build_query, :combine_query, :exec_query
+
+      def initialize(name:, klass:, id:, fields:, build_query:, combine_query:, exec_query:) # rubocop:disable Metrics/ParameterLists
+        @name = name
+        @klass = klass
+        @id = id
+        # accept symbol keys
+        @fields = fields.each_with_object({}) { |kv, o| o[kv[0].to_s] = kv[1] }
+        @build_query = build_query
+        @combine_query = combine_query
+        @exec_query = exec_query
+      end
+    end
+
     # Translate between Polar and the host language (Ruby).
     class Host # rubocop:disable Metrics/ClassLength
+      # @return [Hash<String, UserType>]
+      attr_reader :types
+
       protected
 
       # @return [FFI::Polar]
       attr_reader :ffi_polar
-      # @return [Hash<String, Class>]
-      attr_reader :classes
       # @return [Hash<Integer, Object>]
       attr_reader :instances
       # @return [Boolean]
@@ -53,42 +70,60 @@ module Oso
 
       def initialize(ffi_polar)
         @ffi_polar = ffi_polar
-        @classes = {}
+        @types = {}
         @instances = {}
         @accept_expression = false
       end
 
       def initialize_copy(other)
         @ffi_polar = other.ffi_polar
-        @classes = other.classes.dup
+        @types = other.types.dup
         @instances = other.instances.dup
       end
 
-      # Fetch a Ruby class from the {#classes} cache.
+      # Fetch a Ruby class from the {#types} cache.
       #
       # @param name [String]
       # @return [Class]
       # @raise [UnregisteredClassError] if the class has not been registered.
       def get_class(name)
-        raise UnregisteredClassError, name unless classes.key? name
+        raise UnregisteredClassError, name unless types.key? name
 
-        classes[name].get
+        types[name].klass.get
       end
 
-      # Store a Ruby class in the {#classes} cache.
+      # Store a Ruby class in the {#types} cache.
       #
       # @param cls [Class] the class to cache.
       # @param name [String] the name to cache the class as.
       # @return [String] the name the class is cached as.
       # @raise [DuplicateClassAliasError] if attempting to register a class
       # under a previously-registered name.
-      def cache_class(cls, name:)
-        raise DuplicateClassAliasError.new name: name, old: get_class(name), new: cls if classes.key? name
+      def cache_class(cls, name:, fields:, build_query:, combine_query:, exec_query:) # rubocop:disable Metrics/ParameterLists, Metrics/MethodLength
+        raise DuplicateClassAliasError.new name: name, old: get_class(name), new: cls if types.key? name
 
-        classes[name] = PolarClass.new(cls)
+        types[name] = types[cls] = UserType.new(
+          name: name,
+          klass: PolarClass.new(cls),
+          id: cache_instance(cls),
+          fields: fields || {},
+          combine_query: combine_query,
+          exec_query: exec_query,
+          build_query: build_query
+        )
         name
       end
 
+      def register_mros # rubocop:disable Metrics/AbcSize
+        types.values.uniq.each do |typ|
+          mro = []
+          typ.klass.get.ancestors.each do |a|
+            mro.push(types[a].id) if types.key?(a)
+          end
+          ffi_polar.register_mro(typ.name, mro)
+        end
+      end
+
       # Check if an instance exists in the {#instances} cache.
       #
       # @param id [Integer]
@@ -160,7 +195,7 @@ module Oso
 
       # Compare two values
       #
-      # @param op [String] operation to perform.
+      # @param operation [String] operation to perform.
       # @param args [Array<Object>] left and right args to operation.
       # @raise [PolarRuntimeError] if operation fails or is unsupported.
       # @return [Boolean]
@@ -190,6 +225,10 @@ module Oso
         left_index && right_index && left_index < right_index
       end
 
+      def subclass?(left_tag:, right_tag:)
+        get_class(left_tag) <= get_class(right_tag)
+      end
+
       # Check if instance is an instance of class.
       #
       # @param instance [Hash<String, Object>]
@@ -201,6 +240,32 @@ module Oso
         instance.is_a? cls
       end
 
+      def serialize_types # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        polar_types = {}
+        types.values.uniq.each do |typ|
+          tag = typ.name
+          fields = typ.fields
+          field_types = {}
+          fields.each do |k, v|
+            field_types[k] =
+              if v.is_a? ::Oso::Polar::DataFiltering::Relation
+                {
+                  'Relation' => {
+                    'kind' => v.kind,
+                    'other_class_tag' => v.other_type,
+                    'my_field' => v.my_field,
+                    'other_field' => v.other_field
+                  }
+                }
+              else
+                { 'Base' => { 'class_tag' => types[v].name } }
+              end
+          end
+          polar_types[tag] = field_types
+        end
+        polar_types
+      end
+
       # Turn a Ruby value into a Polar term that's ready to be sent across the
       # FFI boundary.
       #
@@ -242,7 +307,9 @@ module Oso
                     { 'Pattern' => { 'Instance' => { 'tag' => value.tag, 'fields' => dict['Dictionary'] } } }
                   end
                 else
-                  { 'ExternalInstance' => { 'instance_id' => cache_instance(value), 'repr' => nil } }
+                  instance_id = nil
+                  instance_id = types[value].id if value.is_a?(Class) && types.key?(value)
+                  { 'ExternalInstance' => { 'instance_id' => cache_instance(value, id: instance_id), 'repr' => nil } }
                 end
         { 'value' => value }
       end

data/lib/oso/polar/polar.rb

@@ -27,6 +27,35 @@ def print_error(error)
   warn error.message
 end
 
+# Polar source string with optional filename.
+class Source
+  # @return [String]
+  attr_reader :src, :filename
+
+  # @param src [String]
+  # @param filename [String]
+  def initialize(src, filename: nil)
+    @src = src
+    @filename = filename
+  end
+
+  def to_json(*_args)
+    { src: src, filename: filename }.to_json
+  end
+end
+
+def filename_to_source(filename)
+  raise Oso::Polar::PolarFileExtensionError, filename unless File.extname(filename) == '.polar'
+
+  src = File.open(filename, &:read)
+
+  raise Oso::Polar::NullByteInPolarFileError if src.chomp("\0").include?("\0")
+
+  Source.new(src, filename: filename)
+rescue Errno::ENOENT
+  raise Oso::Polar::PolarFileNotFoundError, filename
+end
+
 module Oso
   module Polar
     # Create and manage an instance of the Polar runtime.
@@ -34,11 +63,10 @@ module Oso
       # @return [Host]
       attr_reader :host
 
-      def initialize # rubocop:disable Metrics/MethodLength
+      def initialize
         @ffi_polar = FFI::Polar.create
         @host = Host.new(ffi_polar)
         @ffi_polar.enrich_message = @host.method(:enrich_message)
-        @polar_roles_enabled = false
 
         # Register global constants.
         register_constant nil, name: 'nil'
@@ -52,40 +80,24 @@ module Oso
         register_class String
       end
 
-      def enable_roles # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
-        return if polar_roles_enabled
-
-        roles_helper = Class.new do
-          def self.join(separator, left, right)
-            [left, right].join(separator)
-          end
-        end
-        register_constant(roles_helper, name: '__oso_internal_roles_helpers__')
-        ffi_polar.enable_roles
-        self.polar_roles_enabled = true
-
-        # validate config
-        validation_query_results = []
-        loop do
-          query = ffi_polar.next_inline_query
-          break if query.nil?
-
-          new_host = host.dup
-          new_host.accept_expression = true
-          results = Query.new(query, host: new_host).to_a
-          raise InlineQueryFailedError, query.source if results.empty?
+      def ffi
+        @ffi_polar
+      end
 
-          validation_query_results.push results
-        end
+      # get the (maybe user-supplied) name of a class.
+      # kind of a hack because of class autoreloading.
+      def get_class_name(klass) # rubocop:disable Metrics/AbcSize
+        if host.types.key? klass
+          host.types[klass].name
+        elsif host.types.key? klass.name
+          host.types[klass.name].name
+        else
+          rec = host.types.values.find { |v| v.klass.get == klass }
+          raise "Unknown class `#{klass}`" if rec.nil?
 
-        # turn bindings back into polar
-        validation_query_results = validation_query_results.map do |results|
-          results.map do |result|
-            { 'bindings' => result.transform_values { |v| host.to_polar(v) } }
-          end
+          host.types[klass] = rec
+          rec.name
         end
-
-        ffi_polar.validate_roles_config(validation_query_results)
       end
 
       # Clear all rules and rule sources from the current Polar instance
@@ -93,23 +105,47 @@ module Oso
       # @return [self] for chaining.
       def clear_rules
         ffi_polar.clear_rules
-        ffi_polar.enable_roles if polar_roles_enabled
         self
       end
 
-      # Load a Polar policy file.
+      # Load Polar policy files.
       #
-      # @param name [String]
-      # @raise [PolarFileExtensionError] if provided filename has invalid extension.
-      # @raise [PolarFileNotFoundError] if provided filename does not exist.
+      # @param filenames [Array<String>]
+      # @raise [PolarFileExtensionError] if any filename has an invalid extension.
+      # @raise [PolarFileNotFoundError] if any filename does not exist.
+      # @raise [NullByteInPolarFileError] if any file contains a non-terminating null byte.
+      # @raise [Error] if any of the FFI calls raise one.
+      # @raise [InlineQueryFailedError] on the first failed inline query.
       # @return [self] for chaining.
-      def load_file(name)
-        raise PolarFileExtensionError, name unless File.extname(name) == '.polar'
+      def load_files(filenames = [])
+        return if filenames.empty?
 
-        file_data = File.open(name, &:read)
-        load_str(file_data, filename: name)
-      rescue Errno::ENOENT
-        raise PolarFileNotFoundError, name
+        sources = filenames.map { |f| filename_to_source f }
+        load_sources(sources)
+        self
+      end
+
+      # Load a Polar policy file.
+      #
+      # @param filename [String]
+      # @raise [PolarFileExtensionError] if filename has an invalid extension.
+      # @raise [PolarFileNotFoundError] if filename does not exist.
+      # @raise [NullByteInPolarFileError] if file contains a non-terminating null byte.
+      # @raise [Error] if any of the FFI calls raise one.
+      # @raise [InlineQueryFailedError] on the first failed inline query.
+      # @return [self] for chaining.
+      #
+      # @deprecated {#load_file} has been deprecated in favor of {#load_files}
+      #   as of the 0.20 release. Please see changelog for migration
+      #   instructions:
+      #   https://docs.osohq.com/project/changelogs/2021-09-15.html
+      def load_file(filename)
+        warn <<~WARNING
+          `Oso#load_file` has been deprecated in favor of `Oso#load_files` as of the 0.20 release.
+
+          Please see changelog for migration instructions: https://docs.osohq.com/project/changelogs/2021-09-15.html
+        WARNING
+        load_files([filename])
       end
 
       # Load a Polar string into the KB.
@@ -117,26 +153,13 @@ module Oso
       # @param str [String] Polar string to load.
       # @param filename [String] Name of Polar source file.
       # @raise [NullByteInPolarFileError] if str includes a non-terminating null byte.
-      # @raise [InlineQueryFailedError] on the first failed inline query.
       # @raise [Error] if any of the FFI calls raise one.
+      # @raise [InlineQueryFailedError] on the first failed inline query.
       # @return [self] for chaining.
-      def load_str(str, filename: nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+      def load_str(str, filename: nil)
         raise NullByteInPolarFileError if str.chomp("\0").include?("\0")
 
-        ffi_polar.load(str, filename: filename)
-        loop do
-          next_query = ffi_polar.next_inline_query
-          break if next_query.nil?
-
-          raise InlineQueryFailedError, next_query.source if Query.new(next_query, host: host).first.nil?
-        end
-
-        # If roles are enabled, re-validate config when new rules are loaded.
-        if polar_roles_enabled
-          self.polar_roles_enabled = false
-          enable_roles
-        end
-
+        load_sources([Source.new(str, filename: filename)])
         self
       end
 
@@ -150,17 +173,16 @@ module Oso
       #   @param query [Predicate]
       #   @return [Enumerator] of resulting bindings
       #   @raise [Error] if the FFI call raises one.
-      def query(query)
-        new_host = host.dup
+      def query(query, host: self.host.dup, bindings: {})
         case query
         when String
           ffi_query = ffi_polar.new_query_from_str(query)
         when Predicate
-          ffi_query = ffi_polar.new_query_from_term(new_host.to_polar(query))
+          ffi_query = ffi_polar.new_query_from_term(host.to_polar(query))
         else
           raise InvalidQueryTypeError
         end
-        Query.new(ffi_query, host: new_host)
+        Query.new(ffi_query, host: host, bindings: bindings)
       end
 
       # Query for a rule.
@@ -169,20 +191,43 @@ module Oso
       # @param args [Array<Object>]
       # @return [Enumerator] of resulting bindings
       # @raise [Error] if the FFI call raises one.
-      def query_rule(name, *args)
-        query(Predicate.new(name, args: args))
+      def query_rule(name, *args, accept_expression: false, bindings: {})
+        host = self.host.dup
+        host.accept_expression = accept_expression
+        query(Predicate.new(name, args: args), host: host, bindings: bindings)
+      end
+
+      # Query for a rule, returning true if it has any results.
+      #
+      # @param name [String]
+      # @param args [Array<Object>]
+      # @return [Boolean] indicating whether the query found at least one result.
+      # @raise [Error] if the FFI call raises one.
+      def query_rule_once(name, *args)
+        query_rule(name, *args).any?
       end
 
       # Register a Ruby class with Polar.
       #
       # @param cls [Class] the class to register.
       # @param name [String] the name to register the class as. Defaults to the name of the class.
+      # @param fields [Hash] a map from field names on instances of +cls+ to types, or Relation objects.
+      # @param build_query [Proc] a method to produce a query for +cls+ objects, given a list of Filters.
+      # @param exec_query [Proc] a method to execute a query produced by +build_query+
+      # @param combine_query [Proc] a method to merge two queries produced by +build_query+
       # @raise [DuplicateClassAliasError] if attempting to register a class
       # under a previously-registered name.
       # @raise [FFI::Error] if the FFI call returns an error.
       # @return [self] for chaining.
-      def register_class(cls, name: nil)
-        name = host.cache_class(cls, name: name || cls.name)
+      def register_class(cls, name: nil, fields: nil, combine_query: nil, build_query: nil, exec_query: nil) # rubocop:disable Metrics/ParameterLists
+        name = host.cache_class(
+          cls,
+          name: name || cls.name,
+          fields: fields,
+          build_query: build_query || maybe_mtd(cls, :build_query),
+          combine_query: combine_query || maybe_mtd(cls, :combine_query),
+          exec_query: exec_query || maybe_mtd(cls, :exec_query)
+        )
         register_constant(cls, name: name)
       end
 
@@ -202,7 +247,7 @@ module Oso
       # @param files [Array<String>]
       # @raise [Error] if the FFI call raises one.
       def repl(files = [])
-        files.map { |f| load_file(f) }
+        load_files(files)
         prompt = "#{FG_BLUE}query>#{RESET} "
         # Try loading the readline module from the Ruby stdlib. If we get a
         # LoadError, fall back to the standard REPL with no readline support.
@@ -214,9 +259,36 @@ module Oso
 
       private
 
+      def type_constraint(var, cls)
+        Expression.new(
+          'And',
+          [Expression.new('Isa', [var, Pattern.new(get_class_name(cls), {})])]
+        )
+      end
+
+      def maybe_mtd(cls, mtd)
+        cls.respond_to?(mtd) && cls.method(mtd) || nil
+      end
+
       # @return [FFI::Polar]
       attr_reader :ffi_polar
-      attr_accessor :polar_roles_enabled
+
+      # Register MROs, load Polar code, and check inline queries.
+      # @param sources [Array<Source>] Polar sources to load.
+      def load_sources(sources)
+        host.register_mros
+        ffi_polar.load(sources)
+        check_inline_queries
+      end
+
+      def check_inline_queries
+        loop do
+          next_query = ffi_polar.next_inline_query
+          break if next_query.nil?
+
+          raise InlineQueryFailedError, next_query.source if Query.new(next_query, host: host).none?
+        end
+      end
 
       # The R and L in REPL for systems where readline is available.
       def repl_readline(prompt)