oso-oso 0.21.0 → 0.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a9fbbff1209cf44803895d162562cb6d9c8a4c37
-  data.tar.gz: 8196f85296430d4c85a283bfec132c05a86e1433
+  metadata.gz: 719c88b2531d9c6d1e638928e6be3abba68b67d0
+  data.tar.gz: 327124db69d3aa57ff06a1089c24124d60175c26
 SHA512:
-  metadata.gz: 2d49aec9759922b92b874f981709a57b6c04afc1b30762302c6020a37bde144d0b56b0343482f7f18ed96f3c3d298a0e493967fbbf8939fb91cc7dc493417e54
-  data.tar.gz: 867123b379ef0ff554f9c433d317826e6b6e3b84a26008fe97e56f83d588737064ba71b61f4c5848969b7c6f6a0fd2cef9e8a488f238a86a152dcef7b452844e
+  metadata.gz: 4af7eba0a1bcac195ae51719991191ea78d4c0437bf7aacad7f09fce54d848559178485e098b5a9b150353c3feececd415533e7f311592e38cd6df8d263772c1
+  data.tar.gz: 57bca613ce91ddf645d7cafb89641286c1c41f1aec70cb4c9378b3157b8cd4291315e08083f19add35dad38325e423539831ffdcce2bc610bd685d328d2703e1

data/.gitignore

@@ -7,7 +7,7 @@
 /spec/reports/
 /tmp/
 vendor
-active_record_test.db
+*test.db
 
 # rspec failure tracking
 .rspec_status

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.21.0)
+    oso-oso (0.24.0)
       ffi (~> 1.0)
 
 GEM
@@ -21,14 +21,14 @@ GEM
     arel (9.0.0)
     ast (2.4.2)
     backport (1.2.0)
-    benchmark (0.1.1)
+    benchmark (0.2.0)
     byebug (11.1.3)
     coderay (1.1.3)
     concurrent-ruby (1.1.9)
     diff-lcs (1.4.4)
     e2mmap (0.1.0)
     ffi (1.15.4)
-    i18n (1.8.10)
+    i18n (1.8.11)
       concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.4)
     maruku (0.7.3)
@@ -49,7 +49,7 @@ GEM
     rainbow (3.0.0)
     rake (12.3.3)
     regexp_parser (2.1.1)
-    reverse_markdown (2.0.0)
+    reverse_markdown (2.1.1)
       nokogiri
     rexml (3.2.5)
     rspec (3.10.0)
@@ -64,7 +64,7 @@ GEM
     rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
+    rspec-support (3.10.3)
     rubocop (0.89.1)
       parallel (~> 1.10)
       parser (>= 2.7.1.1)
@@ -97,12 +97,13 @@ GEM
     tilt (2.0.10)
     tzinfo (1.2.9)
       thread_safe (~> 0.1)
-    unicode-display_width (1.7.0)
+    unicode-display_width (1.8.0)
     yard (0.9.26)
 
 PLATFORMS
   ruby
   x86_64-darwin-20
+  x86_64-linux
 
 DEPENDENCIES
   activerecord

data/Makefile

@@ -7,7 +7,7 @@ install:
 	bundle install
 
 test: install rust
-	bundle exec rake spec
+	POLAR_IGNORE_NO_ALLOW_WARNING=1 bundle exec rake spec
 
 lint: install
 	bundle exec rubocop

data/lib/oso/oso.rb

@@ -181,27 +181,17 @@ module Oso
     # @param resource_cls The resource being accessed.
     #
     # @return A query for resources accessible to the actor.
-    def authorized_query(actor, action, resource_cls) # rubocop:disable Metrics/MethodLength
-      resource = Polar::Variable.new 'resource'
-
-      results = query_rule(
-        'allow',
-        actor,
-        action,
-        resource,
-        bindings: { 'resource' => type_constraint(resource, resource_cls) },
-        accept_expression: true
-      )
-
-      results = results.each_with_object([]) do |result, out|
-        result.each do |key, val|
-          out.push({ 'bindings' => { key => host.to_polar(val) } })
+    def authorized_query(actor, action, resource_cls)
+      if host.use_new_data_filtering?
+
+        unless host.types[resource_cls].build_query == ::Oso::Polar::Host::DEFAULT_BUILD_QUERY
+          warn 'Warning: redundant data filtering configuration detected'
         end
-      end
 
-      ::Oso::Polar::DataFiltering::FilterPlan
-        .parse(self, results, get_class_name(resource_cls))
-        .build_query
+        new_authorized_query(actor, action, resource_cls)
+      else
+        old_authorized_query(actor, action, resource_cls)
+      end
     end
 
     # Determine the resources of type +resource_cls+ that +actor+
@@ -213,10 +203,29 @@ module Oso
     #
     # @return A list of resources accessible to the actor.
     def authorized_resources(actor, action, resource_cls)
-      q = authorized_query actor, action, resource_cls
-      return [] if q.nil?
+      q = authorized_query(actor, action, resource_cls)
+
+      if host.use_new_data_filtering?
+        host.adapter.execute_query q
+      elsif q.nil?
+        []
+      else
+        host.types[resource_cls].exec_query[q]
+      end
+    end
+
+    # Register default values for data filtering query functions.
+    # These can be overridden by passing specific implementations to
+    # `register_class` or by defining `build_query`, `exec_query` and
+    # `combine_query` methods on the class object.
+    def set_data_filtering_query_defaults(build_query: nil, exec_query: nil, combine_query: nil)
+      host.build_query = build_query if build_query
+      host.exec_query = exec_query if exec_query
+      host.combine_query = combine_query if combine_query
+    end
 
-      host.types[get_class_name resource_cls].exec_query[q]
+    def data_filtering_adapter=(adapter)
+      host.adapter = adapter
     end
   end
 end

data/lib/oso/polar/data/adapter/active_record_adapter.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    module Data
+      class Adapter
+        # Example data filtering adapter for ActiveRecord
+        class ActiveRecordAdapter < Adapter
+          def build_query(filter) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+            types = filter.types
+            query = filter.relations.reduce(filter.model.all) do |q, rel|
+              rec = types[rel.left].fields[rel.name]
+              q.joins(
+                "INNER JOIN #{rel.right.table_name} ON " \
+                "#{rel.left.table_name}.#{rec.my_field} = " \
+                "#{rel.right.table_name}.#{rec.other_field}"
+              )
+            end
+
+            filter.conditions.map do |conjs|
+              conjs.reduce(query) do |q, conj|
+                q.where(*sqlize(conj))
+              end
+            end.reduce(:or).distinct
+          end
+
+          def execute_query(query)
+            query.to_a
+          end
+
+          OPS = {
+            'Eq' => '=', 'In' => 'IN', 'Nin' => 'NOT IN', 'Neq' => '!='
+          }.freeze
+
+          private
+
+          def sqlize(cond)
+            args = []
+            lhs = add_side cond.left, args
+            rhs = add_side cond.right, args
+            args.unshift "#{lhs} #{OPS[cond.cmp]} #{rhs}"
+          end
+
+          def add_side(side, args)
+            if side.is_a? ::Oso::Polar::Data::Filter::Projection
+              "#{side.source.table_name}.#{side.field || side.source.primary_key}"
+            else
+              args.push side
+              '?'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/oso/polar/data/adapter.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    module Data
+      # Abstract data adapter
+      #
+      # An Adapter has to implement two methods.
+      class Adapter
+        # Make a query object from a filter
+        def build_query(_filter)
+          raise "build_query not implemented for #{self}"
+        end
+
+        # Make a list of objects from a query
+        def execute_query(_query)
+          raise "execute_query not implemented for #{self}"
+        end
+      end
+    end
+  end
+end

data/lib/oso/polar/data/filter.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Data filtering interface for Ruby
+    module Data
+      # Abstract data filter used by the Adapter API.
+      class Filter
+        attr_reader :model, :relations, :conditions, :types
+
+        def initialize(model:, relations:, conditions:, types:)
+          @model = model
+          @relations = relations
+          @conditions = conditions
+          @types = types
+        end
+
+        def self.parse(polar, blob)
+          types = polar.host.types
+          model = types[blob['root']].klass.get
+          relations = blob['relations'].map do |rel|
+            Relation.parse(polar, *rel)
+          end
+          conditions = blob['conditions'].map do |disj|
+            disj.map { |conj| Condition.parse(polar, *conj) }
+          end
+          new(model: model, relations: relations, conditions: conditions, types: types)
+        end
+
+        Projection = Struct.new(:source, :field)
+
+        Relation = Struct.new(:left, :name, :right) do
+          def self.parse(polar, left, name, right)
+            Relation.new(polar.name_to_class(left), name, polar.name_to_class(right))
+          end
+        end
+
+        Condition = Struct.new(:left, :cmp, :right) do
+          def self.parse(polar, left, cmp, right)
+            Condition.new(parse_side(polar, left), cmp, parse_side(polar, right))
+          end
+
+          def self.parse_side(polar, side)
+            key = side.keys.first
+            val = side[key]
+            case key
+            when 'Field'
+              Projection.new(polar.name_to_class(val[0]), val[1])
+            when 'Immediate'
+              polar.host.to_ruby('value' => [[val.keys.first, val.values.first]])
+            else
+              raise key
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/oso/polar/data.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative 'data/adapter'
+require_relative 'data/filter'

data/lib/oso/polar/data_filtering.rb

@@ -4,6 +4,7 @@ module Oso
   module Polar
     # Data filtering interface for Ruby
     module DataFiltering
+      GETATTR = ->(x, attr) { attr.nil? ? x : x.send(attr) }
       # Represents a set of filter sequences that should allow the host
       # to obtain the records satisfying a query.
       class FilterPlan
@@ -29,7 +30,7 @@ module Oso
           result_sets.each_with_object([]) do |rs, qb|
             rs.resolve_order.each_with_object({}) do |i, set_results|
               req = rs.requests[i]
-              cs = req.constraints.each { |c| c.ground set_results }
+              cs = req.ground(set_results)
               typ = @polar.host.types[req.class_tag]
               q = typ.build_query[cs]
               if i != rs.result_id
@@ -68,6 +69,7 @@ module Oso
           attr_reader :constraints, :class_tag
 
           def self.parse(polar, parsed_json)
+            @polar = polar
             constraints = parsed_json['constraints'].map do |con|
               Filter.parse polar, con
             end
@@ -76,6 +78,29 @@ module Oso
             new(constraints: constraints, class_tag: class_tag)
           end
 
+          def ground(results) # rubocop:disable Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/PerceivedComplexity
+            xrefs, rest = constraints.partition do |c|
+              c.value.is_a?(Ref) and !c.value.result_id.nil?
+            end
+
+            yrefs, nrefs = xrefs.partition { |r| %w[In Eq].include? r.kind }
+            [[yrefs, 'In'], [nrefs, 'Nin']].each do |refs, kind|
+              refs.group_by { |f| f.value.result_id }.each do |rid, fils|
+                if fils.length > 1
+                  value = results[rid].map { |r| fils.map { |f| GETATTR[r, f.value.field] } }
+                  field = fils.map(&:field)
+                  rest.push(Filter.new(kind: kind, value: value, field: field))
+                else
+                  fil = fils[0]
+                  field = fil.value.field
+                  value = results[rid].map { |r| field.nil? ? r : r.send(field) }
+                  rest.push(Filter.new(kind: kind, field: fil.field, value: value))
+                end
+              end
+            end
+            rest
+          end
+
           def initialize(constraints:, class_tag:)
             @constraints = constraints
             @class_tag = class_tag
@@ -127,6 +152,7 @@ module Oso
           'Eq' => ->(a, b) { a == b },
           'In' => ->(a, b) { b.include? a },
           'Neq' => ->(a, b) { a != b },
+          'Nin' => ->(a, b) { !b.include?(a) },
           'Contains' => ->(a, b) { a.include? b }
         }.freeze
 
@@ -138,8 +164,6 @@ module Oso
           @kind = kind
           @field = field
           @value = value
-          @check = CHECKS[kind]
-          raise "Unknown constraint kind `#{kind}`" if @check.nil?
         end
 
         def ground(results)
@@ -150,10 +174,16 @@ module Oso
           @value = value.map { |v| v.send ref.field } unless ref.field.nil?
         end
 
-        def check(item)
+        def check(item) # rubocop:disable Metrics/AbcSize
           val = value.is_a?(Field) ? item.send(value.field) : value
-          item = field.nil? ? item : item.send(field)
-          @check[item, val]
+          item = if field.nil?
+                   item
+                 elsif field.is_a? Array
+                   field.map { |f| GETATTR[item, f] }
+                 else
+                   item.send field
+                 end
+          CHECKS[@kind][item, val]
         end
 
         def self.parse(polar, constraint) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength

data/lib/oso/polar/errors.rb

@@ -23,11 +23,9 @@ module Oso
 
     # Errors from across the FFI boundary.
 
-    class SerializationError < PolarRuntimeError; end
     class UnsupportedError < PolarRuntimeError; end
     class PolarTypeError < PolarRuntimeError; end
     class StackOverflowError < PolarRuntimeError; end
-    class FileLoadingError < PolarRuntimeError; end
 
     # Errors originating from this side of the FFI boundary.
 
@@ -96,10 +94,6 @@ module Oso
       class UnrecognizedToken < ParseError; end
     end
 
-    # Generic Polar API exception.
-    class ApiError < Error; end
-    class ParameterError < ApiError; end
-
     class ValidationError < Error; end
 
     UNEXPECTED_EXPRESSION_MESSAGE = <<~MSG

data/lib/oso/polar/expression.rb

@@ -4,7 +4,7 @@ module Oso
   module Polar
     # Polar expression.
     class Expression
-      attr_reader :operator, :args
+      attr_accessor :operator, :args
 
       # @param operator [String]
       # @param args [Array<Object>]

data/lib/oso/polar/ffi/error.rb

@@ -6,29 +6,13 @@ module Oso
   module Polar
     module FFI
       # Wrapper class for Error FFI pointer + operations.
-      class Error < ::FFI::AutoPointer
-        def to_s
-          @to_s ||= read_string.force_encoding('UTF-8')
-        end
-
-        Rust = Module.new do
-          extend ::FFI::Library
-          ffi_lib FFI::LIB_PATH
-
-          attach_function :get, :polar_get_error, [], Error
-          attach_function :free, :string_free, [Error], :int32
-        end
-        private_constant :Rust
-
+      class Error
         # Check for an FFI error and convert it into a Ruby exception.
         #
         # @return [::Oso::Polar::Error] if there's an FFI error.
         # @return [::Oso::Polar::FFIErrorNotFound] if there isn't one.
-        def self.get(enrich_message) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
-          error = Rust.get
-          return ::Oso::Polar::FFIErrorNotFound if error.null?
-
-          error = JSON.parse(error.to_s)
+        def self.get(error_str, enrich_message) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+          error = JSON.parse(error_str.to_s)
           msg = error['formatted']
           kind, body = error['kind'].first
 
@@ -54,8 +38,6 @@ module Oso
             runtime_error(subkind, msg: msg, details: details)
           when 'Operational'
             operational_error(subkind, msg: msg, details: details)
-          when 'Parameter'
-            api_error(subkind, msg: msg, details: details)
           when 'Validation'
             validation_error(msg, details: details)
           end
@@ -92,18 +74,14 @@ module Oso
         # @param msg [String]
         # @param details [Hash<String, Object>]
         # @return [::Oso::Polar::PolarRuntimeError] the object converted into the expected format.
-        private_class_method def self.runtime_error(kind, msg:, details:) # rubocop:disable Metrics/MethodLength
+        private_class_method def self.runtime_error(kind, msg:, details:)
           case kind
-          when 'Serialization'
-            ::Oso::Polar::SerializationError.new(msg, details: details)
           when 'Unsupported'
             ::Oso::Polar::UnsupportedError.new(msg, details: details)
           when 'TypeError'
             ::Oso::Polar::PolarTypeError.new(msg, details: details)
           when 'StackOverflow'
             ::Oso::Polar::StackOverflowError.new(msg, details: details)
-          when 'FileLoading'
-            ::Oso::Polar::FileLoadingError.new(msg, details: details)
           else
             ::Oso::Polar::PolarRuntimeError.new(msg, details: details)
           end
@@ -124,21 +102,6 @@ module Oso
           end
         end
 
-        # Map FFI API errors into Ruby exceptions.
-        #
-        # @param kind [String]
-        # @param msg [String]
-        # @param details [Hash<String, Object>]
-        # @return [::Oso::Polar::ApiError] the object converted into the expected format.
-        private_class_method def self.api_error(kind, msg:, details:)
-          case kind
-          when 'Parameter'
-            ::Oso::Polar::ParameterError.new(msg, details: details)
-          else
-            ::Oso::Polar::ApiError.new(msg, details: details)
-          end
-        end
-
         # Map FFI Validation errors into Ruby exceptions.
         #
         # @param msg [String]