oso-oso 0.22.0 → 0.25.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 328999aba2d62f777db79b812e762b2546e49a80
-  data.tar.gz: ad1803fa38712d1272d494300dafbab11d4e322a
+  metadata.gz: c65ea3a330a9a56b2ac4e58594e379409f6a4617
+  data.tar.gz: 51cbba24a5b9f529df29a059f1cfe0230c50d36a
 SHA512:
-  metadata.gz: 2706c6fd40a1fe5e33e2b48fddfb4814031b75f5c62e7bb832b2ecc2707e3111d6b6cfa749863743b4c3424d90daca69dc5662d1fd83577b2fb95656eb3c54a4
-  data.tar.gz: e274ad60e2dcaed817e46f38f55362b87bad70f6d67b3cdaad838762459d0172e9e37cf6aa23e4256536bb6e807c54aefce8b97f817cbbad4b68d1ab097cf5a2
+  metadata.gz: 324927c416971e4a1b8baa5eebb19b1c155b0f66607277ca416482d1e2e588ed44efe8a05824cf939fe85bb13b8bbf400769c1f979b0bdf5865b8630123c4d53
+  data.tar.gz: 4437ddc46fbcf28ade62f9537fcdb180cea4b7ceb11c065bb94ed9e3868c61276dbd9e9e107d7d61a4dc25e40d7ef52551bdb493a36b7a27f63e9a2c70dc157f

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    oso-oso (0.22.0)
+    oso-oso (0.25.0)
       ffi (~> 1.0)
 
 GEM
@@ -21,14 +21,14 @@ GEM
     arel (9.0.0)
     ast (2.4.2)
     backport (1.2.0)
-    benchmark (0.1.1)
+    benchmark (0.2.0)
     byebug (11.1.3)
     coderay (1.1.3)
     concurrent-ruby (1.1.9)
     diff-lcs (1.4.4)
     e2mmap (0.1.0)
     ffi (1.15.4)
-    i18n (1.8.10)
+    i18n (1.8.11)
       concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.4)
     maruku (0.7.3)
@@ -49,7 +49,7 @@ GEM
     rainbow (3.0.0)
     rake (12.3.3)
     regexp_parser (2.1.1)
-    reverse_markdown (2.0.0)
+    reverse_markdown (2.1.1)
       nokogiri
     rexml (3.2.5)
     rspec (3.10.0)
@@ -64,7 +64,7 @@ GEM
     rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
+    rspec-support (3.10.3)
     rubocop (0.89.1)
       parallel (~> 1.10)
       parser (>= 2.7.1.1)
@@ -97,12 +97,13 @@ GEM
     tilt (2.0.10)
     tzinfo (1.2.9)
       thread_safe (~> 0.1)
-    unicode-display_width (1.7.0)
+    unicode-display_width (1.8.0)
     yard (0.9.26)
 
 PLATFORMS
   ruby
   x86_64-darwin-20
+  x86_64-linux
 
 DEPENDENCIES
   activerecord

data/Makefile

@@ -7,7 +7,7 @@ install:
 	bundle install
 
 test: install rust
-	bundle exec rake spec
+	POLAR_IGNORE_NO_ALLOW_WARNING=1 bundle exec rake spec
 
 lint: install
 	bundle exec rubocop

data/lib/oso/oso.rb

@@ -181,27 +181,17 @@ module Oso
     # @param resource_cls The resource being accessed.
     #
     # @return A query for resources accessible to the actor.
-    def authorized_query(actor, action, resource_cls) # rubocop:disable Metrics/MethodLength
-      resource = Polar::Variable.new 'resource'
-
-      results = query_rule(
-        'allow',
-        actor,
-        action,
-        resource,
-        bindings: { 'resource' => type_constraint(resource, resource_cls) },
-        accept_expression: true
-      )
-
-      results = results.each_with_object([]) do |result, out|
-        result.each do |key, val|
-          out.push({ 'bindings' => { key => host.to_polar(val) } })
+    def authorized_query(actor, action, resource_cls)
+      if host.use_new_data_filtering?
+
+        unless host.types[resource_cls].build_query == ::Oso::Polar::Host::DEFAULT_BUILD_QUERY
+          warn 'Warning: redundant data filtering configuration detected'
         end
-      end
 
-      ::Oso::Polar::DataFiltering::FilterPlan
-        .parse(self, results, get_class_name(resource_cls))
-        .build_query
+        new_authorized_query(actor, action, resource_cls)
+      else
+        old_authorized_query(actor, action, resource_cls)
+      end
     end
 
     # Determine the resources of type +resource_cls+ that +actor+
@@ -213,10 +203,15 @@ module Oso
     #
     # @return A list of resources accessible to the actor.
     def authorized_resources(actor, action, resource_cls)
-      q = authorized_query actor, action, resource_cls
-      return [] if q.nil?
-
-      host.types[get_class_name resource_cls].exec_query[q]
+      q = authorized_query(actor, action, resource_cls)
+
+      if host.use_new_data_filtering?
+        host.adapter.execute_query q
+      elsif q.nil?
+        []
+      else
+        host.types[resource_cls].exec_query[q]
+      end
     end
 
     # Register default values for data filtering query functions.
@@ -228,5 +223,9 @@ module Oso
       host.exec_query = exec_query if exec_query
       host.combine_query = combine_query if combine_query
     end
+
+    def data_filtering_adapter=(adapter)
+      host.adapter = adapter
+    end
   end
 end

data/lib/oso/polar/data/adapter/active_record_adapter.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    module Data
+      class Adapter
+        # Example data filtering adapter for ActiveRecord
+        class ActiveRecordAdapter < Adapter
+          def build_query(filter) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+            types = filter.types
+            query = filter.relations.reduce(filter.model.all) do |q, rel|
+              rec = types[rel.left].fields[rel.name]
+              q.joins(
+                "INNER JOIN #{rel.right.table_name} ON " \
+                "#{rel.left.table_name}.#{rec.my_field} = " \
+                "#{rel.right.table_name}.#{rec.other_field}"
+              )
+            end
+
+            filter.conditions.map do |conjs|
+              conjs.reduce(query) do |q, conj|
+                q.where(*sqlize(conj))
+              end
+            end.reduce(:or).distinct
+          end
+
+          def execute_query(query)
+            query.to_a
+          end
+
+          OPS = {
+            'Eq' => '=', 'In' => 'IN', 'Nin' => 'NOT IN', 'Neq' => '!=',
+            'Lt' => '<', 'Gt' => '>', 'Leq' => '<=', 'Geq' => '>='
+          }.freeze
+
+          private
+
+          def sqlize(cond)
+            args = []
+            lhs = add_side cond.left, args
+            rhs = add_side cond.right, args
+            args.unshift "#{lhs} #{OPS[cond.cmp]} #{rhs}"
+          end
+
+          def add_side(side, args)
+            if side.is_a? ::Oso::Polar::Data::Filter::Projection
+              "#{side.source.table_name}.#{side.field || side.source.primary_key}"
+            else
+              args.push side
+              '?'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/oso/polar/data/adapter.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    module Data
+      # Abstract data adapter
+      #
+      # An Adapter has to implement two methods.
+      class Adapter
+        # Make a query object from a filter
+        def build_query(_filter)
+          raise "build_query not implemented for #{self}"
+        end
+
+        # Make a list of objects from a query
+        def execute_query(_query)
+          raise "execute_query not implemented for #{self}"
+        end
+      end
+    end
+  end
+end

data/lib/oso/polar/data/filter.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Oso
+  module Polar
+    # Data filtering interface for Ruby
+    module Data
+      # Abstract data filter used by the Adapter API.
+      class Filter
+        attr_reader :model, :relations, :conditions, :types
+
+        def initialize(model:, relations:, conditions:, types:)
+          @model = model
+          @relations = relations
+          @conditions = conditions
+          @types = types
+        end
+
+        def self.parse(polar, blob)
+          types = polar.host.types
+          model = types[blob['root']].klass.get
+          relations = blob['relations'].map do |rel|
+            Relation.parse(polar, *rel)
+          end
+          conditions = blob['conditions'].map do |disj|
+            disj.map { |conj| Condition.parse(polar, *conj) }
+          end
+          new(model: model, relations: relations, conditions: conditions, types: types)
+        end
+
+        Projection = Struct.new(:source, :field)
+
+        Relation = Struct.new(:left, :name, :right) do
+          def self.parse(polar, left, name, right)
+            Relation.new(polar.name_to_class(left), name, polar.name_to_class(right))
+          end
+        end
+
+        Condition = Struct.new(:left, :cmp, :right) do
+          def self.parse(polar, left, cmp, right)
+            Condition.new(parse_side(polar, left), cmp, parse_side(polar, right))
+          end
+
+          def self.parse_side(polar, side)
+            key = side.keys.first
+            val = side[key]
+            case key
+            when 'Field'
+              Projection.new(polar.name_to_class(val[0]), val[1])
+            when 'Immediate'
+              polar.host.to_ruby('value' => [[val.keys.first, val.values.first]])
+            else
+              raise key
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/oso/polar/data.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative 'data/adapter'
+require_relative 'data/filter'

data/lib/oso/polar/data_filtering.rb

@@ -85,12 +85,17 @@ module Oso
 
             yrefs, nrefs = xrefs.partition { |r| %w[In Eq].include? r.kind }
             [[yrefs, 'In'], [nrefs, 'Nin']].each do |refs, kind|
-              next unless refs.any?
-
               refs.group_by { |f| f.value.result_id }.each do |rid, fils|
-                value = results[rid].map { |r| fils.map { |f| GETATTR[r, f.value.field] } }
-                field = fils.map(&:field)
-                rest.push(Filter.new(kind: kind, value: value, field: field))
+                if fils.length > 1
+                  value = results[rid].map { |r| fils.map { |f| GETATTR[r, f.value.field] } }
+                  field = fils.map(&:field)
+                  rest.push(Filter.new(kind: kind, value: value, field: field))
+                else
+                  fil = fils[0]
+                  field = fil.value.field
+                  value = results[rid].map { |r| field.nil? ? r : r.send(field) }
+                  rest.push(Filter.new(kind: kind, field: fil.field, value: value))
+                end
               end
             end
             rest

data/lib/oso/polar/errors.rb

@@ -23,11 +23,9 @@ module Oso
 
     # Errors from across the FFI boundary.
 
-    class SerializationError < PolarRuntimeError; end
     class UnsupportedError < PolarRuntimeError; end
     class PolarTypeError < PolarRuntimeError; end
     class StackOverflowError < PolarRuntimeError; end
-    class FileLoadingError < PolarRuntimeError; end
 
     # Errors originating from this side of the FFI boundary.
 
@@ -96,10 +94,6 @@ module Oso
       class UnrecognizedToken < ParseError; end
     end
 
-    # Generic Polar API exception.
-    class ApiError < Error; end
-    class ParameterError < ApiError; end
-
     class ValidationError < Error; end
 
     UNEXPECTED_EXPRESSION_MESSAGE = <<~MSG

data/lib/oso/polar/expression.rb

@@ -4,7 +4,7 @@ module Oso
   module Polar
     # Polar expression.
     class Expression
-      attr_reader :operator, :args
+      attr_accessor :operator, :args
 
       # @param operator [String]
       # @param args [Array<Object>]

data/lib/oso/polar/ffi/error.rb

@@ -6,29 +6,13 @@ module Oso
   module Polar
     module FFI
       # Wrapper class for Error FFI pointer + operations.
-      class Error < ::FFI::AutoPointer
-        def to_s
-          @to_s ||= read_string.force_encoding('UTF-8')
-        end
-
-        Rust = Module.new do
-          extend ::FFI::Library
-          ffi_lib FFI::LIB_PATH
-
-          attach_function :get, :polar_get_error, [], Error
-          attach_function :free, :string_free, [Error], :int32
-        end
-        private_constant :Rust
-
+      class Error
         # Check for an FFI error and convert it into a Ruby exception.
         #
         # @return [::Oso::Polar::Error] if there's an FFI error.
         # @return [::Oso::Polar::FFIErrorNotFound] if there isn't one.
-        def self.get(enrich_message) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
-          error = Rust.get
-          return ::Oso::Polar::FFIErrorNotFound if error.null?
-
-          error = JSON.parse(error.to_s)
+        def self.get(error_str, enrich_message) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+          error = JSON.parse(error_str.to_s)
           msg = error['formatted']
           kind, body = error['kind'].first
 
@@ -54,8 +38,6 @@ module Oso
             runtime_error(subkind, msg: msg, details: details)
           when 'Operational'
             operational_error(subkind, msg: msg, details: details)
-          when 'Parameter'
-            api_error(subkind, msg: msg, details: details)
           when 'Validation'
             validation_error(msg, details: details)
           end
@@ -92,18 +74,14 @@ module Oso
         # @param msg [String]
         # @param details [Hash<String, Object>]
         # @return [::Oso::Polar::PolarRuntimeError] the object converted into the expected format.
-        private_class_method def self.runtime_error(kind, msg:, details:) # rubocop:disable Metrics/MethodLength
+        private_class_method def self.runtime_error(kind, msg:, details:)
           case kind
-          when 'Serialization'
-            ::Oso::Polar::SerializationError.new(msg, details: details)
           when 'Unsupported'
             ::Oso::Polar::UnsupportedError.new(msg, details: details)
           when 'TypeError'
             ::Oso::Polar::PolarTypeError.new(msg, details: details)
           when 'StackOverflow'
             ::Oso::Polar::StackOverflowError.new(msg, details: details)
-          when 'FileLoading'
-            ::Oso::Polar::FileLoadingError.new(msg, details: details)
           else
             ::Oso::Polar::PolarRuntimeError.new(msg, details: details)
           end
@@ -124,21 +102,6 @@ module Oso
           end
         end
 
-        # Map FFI API errors into Ruby exceptions.
-        #
-        # @param kind [String]
-        # @param msg [String]
-        # @param details [Hash<String, Object>]
-        # @return [::Oso::Polar::ApiError] the object converted into the expected format.
-        private_class_method def self.api_error(kind, msg:, details:)
-          case kind
-          when 'Parameter'
-            ::Oso::Polar::ParameterError.new(msg, details: details)
-          else
-            ::Oso::Polar::ApiError.new(msg, details: details)
-          end
-        end
-
         # Map FFI Validation errors into Ruby exceptions.
         #
         # @param msg [String]

data/lib/oso/polar/ffi/polar.rb

@@ -6,7 +6,7 @@ module Oso
   module Polar
     module FFI
       # Wrapper class for Polar FFI pointer + operations.
-      class Polar < ::FFI::AutoPointer
+      class Polar < ::FFI::AutoPointer # rubocop:disable Metrics/ClassLength
         attr_accessor :enrich_message
 
         Rust = Module.new do
@@ -14,21 +14,28 @@ module Oso
           ffi_lib FFI::LIB_PATH
 
           attach_function :new, :polar_new, [], FFI::Polar
-          attach_function :load, :polar_load, [FFI::Polar, :string], :int32
-          attach_function :clear_rules, :polar_clear_rules, [FFI::Polar], :int32
+          attach_function :load, :polar_load, [FFI::Polar, :string], CResultVoid
+          attach_function :clear_rules, :polar_clear_rules, [FFI::Polar], CResultVoid
           attach_function :next_inline_query, :polar_next_inline_query, [FFI::Polar, :uint32], FFI::Query
           attach_function :new_id, :polar_get_external_id, [FFI::Polar], :uint64
-          attach_function :new_query_from_str, :polar_new_query, [FFI::Polar, :string, :uint32], FFI::Query
-          attach_function :new_query_from_term, :polar_new_query_from_term, [FFI::Polar, :string, :uint32], FFI::Query
-          attach_function :register_constant, :polar_register_constant, [FFI::Polar, :string, :string], :int32
-          attach_function :register_mro, :polar_register_mro, [FFI::Polar, :string, :string], :int32
-          attach_function :next_message, :polar_next_polar_message, [FFI::Polar], FFI::Message
+          attach_function :new_query_from_str, :polar_new_query, [FFI::Polar, :string, :uint32], CResultQuery
+          attach_function :new_query_from_term, :polar_new_query_from_term, [FFI::Polar, :string, :uint32], CResultQuery
+          attach_function :register_constant, :polar_register_constant, [FFI::Polar, :string, :string], CResultVoid
+          attach_function :register_mro, :polar_register_mro, [FFI::Polar, :string, :string], CResultVoid
+          attach_function :next_message, :polar_next_polar_message, [FFI::Polar], CResultString
           attach_function :free, :polar_free, [FFI::Polar], :int32
+          attach_function :result_free, :result_free, [:pointer], :int32
           attach_function(
             :build_filter_plan,
             :polar_build_filter_plan,
             [FFI::Polar, :string, :string, :string, :string],
-            :string
+            CResultString
+          )
+          attach_function(
+            :build_data_filter,
+            :polar_build_data_filter,
+            [FFI::Polar, :string, :string, :string, :string],
+            CResultString
           )
         end
         private_constant :Rust
@@ -36,10 +43,7 @@ module Oso
         # @return [FFI::Polar]
         # @raise [FFI::Error] if the FFI call returns an error.
         def self.create
-          polar = Rust.new
-          handle_error if polar.null?
-
-          polar
+          Rust.new
         end
 
         def build_filter_plan(types, partials, variable, class_tag)
@@ -47,9 +51,19 @@ module Oso
           partials = JSON.dump(partials)
           plan = Rust.build_filter_plan(self, types, partials, variable, class_tag)
           process_messages
-          handle_error if plan.nil?
+          plan = check_result plan
+          # TODO(gw) more error checking?
+          JSON.parse plan.to_s
+        end
+
+        def build_data_filter(types, partials, variable, class_tag)
+          types = JSON.dump(types)
+          partials = JSON.dump(partials)
+          plan = Rust.build_data_filter(self, types, partials, variable, class_tag)
+          process_messages
+          plan = check_result plan
           # TODO(gw) more error checking?
-          JSON.parse plan
+          JSON.parse plan.to_s
         end
 
         # @param sources [Array<Source>]
@@ -57,14 +71,14 @@ module Oso
         def load(sources)
           loaded = Rust.load(self, JSON.dump(sources))
           process_messages
-          handle_error if loaded.zero?
+          check_result loaded
         end
 
         # @raise [FFI::Error] if the FFI call returns an error.
         def clear_rules
           cleared = Rust.clear_rules(self)
           process_messages
-          handle_error if cleared.zero?
+          check_result cleared
         end
 
         # @return [FFI::Query] if there are remaining inline queries.
@@ -79,12 +93,7 @@ module Oso
         # @return [Integer]
         # @raise [FFI::Error] if the FFI call returns an error.
         def new_id
-          id = Rust.new_id(self)
-          # TODO(gj): I don't think this error check is correct. If getting a new ID fails on the
-          # Rust side, it'll probably surface as a panic (e.g., the KB lock is poisoned).
-          handle_error if id.zero?
-
-          id
+          Rust.new_id(self)
         end
 
         # @param str [String] Query string.
@@ -93,9 +102,7 @@ module Oso
         def new_query_from_str(str)
           query = Rust.new_query_from_str(self, str, 0)
           process_messages
-          handle_error if query.null?
-
-          query
+          check_result query
         end
 
         # @param term [Hash<String, Object>]
@@ -104,9 +111,7 @@ module Oso
         def new_query_from_term(term)
           query = Rust.new_query_from_term(self, JSON.dump(term), 0)
           process_messages
-          handle_error if query.null?
-
-          query
+          check_result query
         end
 
         # @param name [String]
@@ -114,7 +119,7 @@ module Oso
         # @raise [FFI::Error] if the FFI call returns an error.
         def register_constant(value, name:)
           registered = Rust.register_constant(self, name, JSON.dump(value))
-          handle_error if registered.zero?
+          check_result registered
         end
 
         # @param name [String]
@@ -122,11 +127,24 @@ module Oso
         # @raise [FFI::Error] if the FFI call returns an error.
         def register_mro(name, mro)
           registered = Rust.register_mro(self, name, JSON.dump(mro))
-          handle_error if registered.zero?
+          check_result registered
         end
 
         def next_message
-          Rust.next_message(self)
+          check_result Rust.next_message(self)
+        end
+
+        def process_message(message, enrich_message)
+          message = JSON.parse(message.to_s)
+          kind = message['kind']
+          msg = enrich_message.call(message['msg'])
+
+          case kind
+          when 'Print'
+            puts(msg)
+          when 'Warning'
+            warn(format('[warning] %<msg>s', msg: msg))
+          end
         end
 
         def process_messages
@@ -134,12 +152,19 @@ module Oso
             message = next_message
             break if message.null?
 
-            message.process(enrich_message)
+            process_message(message, enrich_message)
           end
         end
 
-        def handle_error
-          raise FFI::Error.get(enrich_message)
+        def check_result(res)
+          result = res[:result]
+          error = res[:error]
+          Rust.result_free(res)
+
+          raise 'internal error: both result and error pointers are not null' if !error.null? && !result.zero?
+          raise FFI::Error.get(error, enrich_message) unless error.null?
+
+          result
         end
       end
     end

data/lib/oso/polar/ffi/query.rb

@@ -13,15 +13,16 @@ module Oso
           extend ::FFI::Library
           ffi_lib FFI::LIB_PATH
 
-          attach_function :debug_command, :polar_debug_command, [FFI::Query, :string], :int32
-          attach_function :call_result, :polar_call_result, [FFI::Query, :uint64, :string], :int32
-          attach_function :question_result, :polar_question_result, [FFI::Query, :uint64, :int32], :int32
-          attach_function :application_error, :polar_application_error, [FFI::Query, :string], :int32
-          attach_function :next_event, :polar_next_query_event, [FFI::Query], FFI::QueryEvent
-          attach_function :next_message, :polar_next_query_message, [FFI::Query], FFI::Message
-          attach_function :source, :polar_query_source_info, [FFI::Query], FFI::Source
+          attach_function :debug_command, :polar_debug_command, [FFI::Query, :string], CResultVoid
+          attach_function :call_result, :polar_call_result, [FFI::Query, :uint64, :string], CResultVoid
+          attach_function :question_result, :polar_question_result, [FFI::Query, :uint64, :int32], CResultVoid
+          attach_function :application_error, :polar_application_error, [FFI::Query, :string], CResultVoid
+          attach_function :next_event, :polar_next_query_event, [FFI::Query], CResultString
+          attach_function :next_message, :polar_next_query_message, [FFI::Query], CResultString
+          attach_function :source, :polar_query_source_info, [FFI::Query], CResultString
           attach_function :free, :query_free, [FFI::Query], :int32
-          attach_function :bind, :polar_bind, [FFI::Query, :string, :string], :int32
+          attach_function :result_free, :result_free, [:pointer], :int32
+          attach_function :bind, :polar_bind, [FFI::Query, :string, :string], CResultVoid
         end
         private_constant :Rust
 
@@ -30,15 +31,15 @@ module Oso
         def debug_command(cmd)
           res = Rust.debug_command(self, cmd)
           process_messages
-          handle_error if res.zero?
+          check_result res
         end
 
-        # @param result [String]
+        # @param value [Object]
         # @param call_id [Integer]
         # @raise [FFI::Error] if the FFI call returns an error.
-        def call_result(result, call_id:)
-          res = Rust.call_result(self, call_id, result)
-          handle_error if res.zero?
+        def call_result(value, call_id:)
+          res = Rust.call_result(self, call_id, JSON.dump(value))
+          check_result res
         end
 
         # @param result [Boolean]
@@ -47,14 +48,14 @@ module Oso
         def question_result(result, call_id:)
           result = result ? 1 : 0
           res = Rust.question_result(self, call_id, result)
-          handle_error if res.zero?
+          check_result res
         end
 
         # @param message [String]
         # @raise [FFI::Error] if the FFI call returns an error.
         def application_error(message)
           res = Rust.application_error(self, message)
-          handle_error if res.zero?
+          check_result res
         end
 
         # @return [::Oso::Polar::QueryEvent]
@@ -62,18 +63,32 @@ module Oso
         def next_event
           event = Rust.next_event(self)
           process_messages
-          handle_error if event.null?
+          event = check_result event
 
           ::Oso::Polar::QueryEvent.new(JSON.parse(event.to_s))
         end
 
         def bind(name, value)
           res = Rust.bind(self, name, JSON.dump(value))
-          handle_error if res.zero?
+          check_result res
         end
 
         def next_message
-          Rust.next_message(self)
+          check_result Rust.next_message(self)
+        end
+
+        def process_message(message, enrich_message)
+          message = JSON.parse(message.to_s)
+          kind = message['kind']
+          msg = message['msg']
+          msg = enrich_message.call(msg)
+
+          case kind
+          when 'Print'
+            puts(msg)
+          when 'Warning'
+            warn(format('[warning] %<msg>s', msg: msg))
+          end
         end
 
         def process_messages
@@ -81,7 +96,7 @@ module Oso
             message = next_message
             break if message.null?
 
-            message.process(enrich_message)
+            process_message(message, enrich_message)
           end
         end
 
@@ -89,13 +104,24 @@ module Oso
         # @raise [FFI::Error] if the FFI call returns an error.
         def source
           res = Rust.source(self)
-          handle_error if res.null?
+          res = check_result res
 
           res.to_s
         end
 
-        def handle_error
-          raise FFI::Error.get(enrich_message)
+        # Unwrap the result by (a) extracting the pointers for
+        # result and error, (b) freeing the result pointers, and then
+        # (c) either returning the result pointer, or constructing and
+        # raising the error.
+        def check_result(res)
+          result = res[:result]
+          error = res[:error]
+          Rust.result_free(res)
+
+          raise 'internal error: both result and error pointers are not null' if !error.null? && !result.zero?
+          raise FFI::Error.get(error, enrich_message) unless error.null?
+
+          result
         end
       end
     end

data/lib/oso/polar/ffi/{source.rb → rust_string.rb}

@@ -1,10 +1,16 @@
 # frozen_string_literal: true
 
+require 'json'
+
 module Oso
   module Polar
     module FFI
-      # Wrapper class for Source FFI pointer.
-      class Source < ::FFI::AutoPointer
+      # Wrapper class for Rust strings.
+      #
+      # Since we force all strings to go through this
+      # the `AutoPointer` class will handle
+      # actually freeing the string when deleting it
+      class RustString < ::FFI::AutoPointer
         # @return [String]
         def to_s
           @to_s ||= read_string.force_encoding('UTF-8')
@@ -14,7 +20,7 @@ module Oso
           extend ::FFI::Library
           ffi_lib FFI::LIB_PATH
 
-          attach_function :free, :string_free, [Message], :int32
+          attach_function :free, :string_free, [RustString], :int32
         end
 
         private_constant :Rust

data/lib/oso/polar/ffi.rb

@@ -4,6 +4,7 @@ require 'ffi'
 
 module Oso
   module Polar
+    # FFI classes shared between all ffi/*.rb modules
     module FFI
       LIB = "#{::FFI::Platform::LIBPREFIX}polar.#{::FFI::Platform::LIBSUFFIX}"
       RELEASE_PATH = File.expand_path(File.join(__dir__, "../../../ext/oso-oso/lib/#{LIB}"))
@@ -18,41 +19,50 @@ module Oso
 
       # Wrapper class for Polar FFI pointer + operations.
       class Polar < ::FFI::AutoPointer
+        def zero?
+          null?
+        end
+
         def self.release(ptr)
           Rust.free(ptr) unless ptr.null?
         end
       end
       # Wrapper class for Query FFI pointer + operations.
       class Query < ::FFI::AutoPointer
-        def self.release(ptr)
-          Rust.free(ptr) unless ptr.null?
+        def zero?
+          null?
         end
-      end
-      # Wrapper class for QueryEvent FFI pointer + operations.
-      class QueryEvent < ::FFI::AutoPointer
+
         def self.release(ptr)
           Rust.free(ptr) unless ptr.null?
         end
       end
-      # Wrapper class for Error FFI pointer + operations.
-      class Error < ::FFI::AutoPointer
-        def self.release(ptr)
-          Rust.free(ptr) unless ptr.null?
+
+      # Wrapper class for Rust strings FFI pointer + operations.
+      class RustString < ::FFI::AutoPointer
+        def zero?
+          null?
         end
-      end
-      # Wrapper class for Message FFI pointer + operations.
-      class Message < ::FFI::AutoPointer
+
         def self.release(ptr)
           Rust.free(ptr) unless ptr.null?
         end
       end
 
-      # Wrapper class for Source FFI pointer.
-      class Source < ::FFI::AutoPointer
-        def self.release(ptr)
-          Rust.free(ptr) unless ptr.null?
-        end
+      # Helper method to generate a Result type for different
+      # inner types
+      def self.result(result_klass)
+        Class.new(::FFI::Struct) do
+          layout :result, result_klass, :error, RustString
+        end.by_ref
       end
+
+      # Defines the result type version of
+      # each of these structs
+      # result(T) => { result: T, error: string }
+      CResultVoid = result(:int)
+      CResultString = result(RustString)
+      CResultQuery = result(Query)
     end
     private_constant :FFI
   end
@@ -60,7 +70,5 @@ end
 
 require 'oso/polar/ffi/polar'
 require 'oso/polar/ffi/query'
-require 'oso/polar/ffi/query_event'
 require 'oso/polar/ffi/error'
-require 'oso/polar/ffi/message'
-require 'oso/polar/ffi/source'
+require 'oso/polar/ffi/rust_string'

data/lib/oso/polar/host.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'data'
+
 module Oso
   module Polar
     # Ruby code reloaders (i.e. the one used by rails) swap out the value of
@@ -67,7 +69,7 @@ module Oso
       public
 
       attr_writer :accept_expression
-      attr_accessor :build_query, :combine_query, :exec_query
+      attr_accessor :build_query, :combine_query, :exec_query, :adapter
 
       DEFAULT_COMBINE_QUERY = proc { raise 'implement combine_query to use data filtering' }
       DEFAULT_BUILD_QUERY = proc { raise 'implement build_query to use data filtering' }
@@ -95,9 +97,10 @@ module Oso
       # @return [Class]
       # @raise [UnregisteredClassError] if the class has not been registered.
       def get_class(name)
-        raise UnregisteredClassError, name unless types.key? name
+        typ = types[name]
+        raise UnregisteredClassError, name if typ.nil?
 
-        types[name].klass.get
+        typ.klass.get
       end
 
       # Store a Ruby class in the {#types} cache.
@@ -317,7 +320,18 @@ module Oso
                 else
                   instance_id = nil
                   instance_id = types[value].id if value.is_a?(Class) && types.key?(value)
-                  { 'ExternalInstance' => { 'instance_id' => cache_instance(value, id: instance_id), 'repr' => nil } }
+
+                  # only pass class_repr for registered types
+                  class_repr = nil
+                  class_repr = value.class.to_s if types.key?(value.class)
+
+                  {
+                    'ExternalInstance' => {
+                      'instance_id' => cache_instance(value, id: instance_id),
+                      'repr' => nil,
+                      'class_repr' => class_repr
+                    }
+                  }
                 end
         { 'value' => value }
       end
@@ -337,21 +351,25 @@ module Oso
           value
         when 'Number'
           num = value.values.first
-          if value.key? 'Float'
+          case value.keys.first
+          when 'Float'
             case num
             when 'Infinity'
-              return Float::INFINITY
+              Float::INFINITY
             when '-Infinity'
-              return -Float::INFINITY
+              -Float::INFINITY
             when 'NaN'
-              return Float::NAN
+              Float::NAN
             else
               unless value['Float'].is_a? Float # rubocop:disable Metrics/BlockNesting
                 raise PolarRuntimeError, "Expected a floating point number, got \"#{value['Float']}\""
               end
+
+              num
             end
+          else
+            num
           end
-          num
         when 'List'
           value.map { |el| to_ruby(el) }
         when 'Dictionary'
@@ -389,6 +407,10 @@ module Oso
           get_instance(Regexp.last_match[1].to_i).to_s
         end
       end
+
+      def use_new_data_filtering?
+        !adapter.nil?
+      end
     end
   end
 end

data/lib/oso/polar/polar.rb

@@ -84,20 +84,8 @@ module Oso
         @ffi_polar
       end
 
-      # get the (maybe user-supplied) name of a class.
-      # kind of a hack because of class autoreloading.
-      def get_class_name(klass) # rubocop:disable Metrics/AbcSize
-        if host.types.key? klass
-          host.types[klass].name
-        elsif host.types.key? klass.name
-          host.types[klass.name].name
-        else
-          rec = host.types.values.find { |v| v.klass.get == klass }
-          raise "Unknown class `#{klass}`" if rec.nil?
-
-          host.types[klass] = rec
-          rec.name
-        end
+      def name_to_class(class_name)
+        host.types[class_name].klass.get
       end
 
       # Clear all rules and rule sources from the current Polar instance
@@ -259,10 +247,89 @@ module Oso
 
       private
 
+      # new/old data filtering core API shared logic
+      def partial_query(actor, action, resource_cls) # rubocop:disable Metrics/MethodLength
+        var_name = 'resource'
+        resource = Variable.new var_name
+
+        partials = query_rule(
+          'allow',
+          actor,
+          action,
+          resource,
+          bindings: { var_name => type_constraint(resource, resource_cls) },
+          accept_expression: true
+        )
+
+        partials.each_with_object([]) do |result, out|
+          result.each do |key, val|
+            out.push prefilter_isas(key, val)
+          end
+        end
+      end
+
+      def new_authorized_query(actor, action, resource_class)
+        partials = partial_query(actor, action, resource_class)
+        types = host.serialize_types
+        class_name = class_to_name resource_class
+        plan = ffi.build_data_filter(types, partials, 'resource', class_name)
+        filter = ::Oso::Polar::Data::Filter.parse(self, plan)
+        host.adapter.build_query filter
+      end
+
+      def old_authorized_query(actor, action, resource_cls)
+        results = partial_query(actor, action, resource_cls)
+        ::Oso::Polar::DataFiltering::FilterPlan
+          .parse(self, results, class_to_name(resource_cls))
+          .build_query
+      end
+
+      # handle Isa constraints in a partial query
+      def prefilter_isas(key, val) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        # this will usually be the case! sometimes not, if it's an instance.
+        if val.is_a?(Expression) && val.operator == 'And'
+          # get the isas
+          isas, othas = val.args.partition do |expr|
+            expr.operator == 'Isa' &&
+              expr.args[1].is_a?(Pattern) &&
+              expr.args[1].fields.empty?
+          end
+
+          # drop all the isas we can verify now, keep everything else
+          othas += isas.reject do |isa|
+            isa.args[0].is_a? name_to_class isa.args[1].tag
+          end
+
+          # TODO(gw) check the rest of them instead of just adding them?
+          val.args = othas
+        end
+        val = host.to_polar val
+        { 'bindings' => { key => val } }
+      end
+
+      # get the (maybe user-supplied) name of a class.
+      # kind of a hack because of class autoreloading.
+      def class_to_name(klass) # rubocop:disable Metrics/AbcSize
+        if (rec = host.types[klass]) || (rec = host.types[klass.name])
+          rec.name
+        elsif (rec = host.types.values.find { |v| v.klass.get == klass })
+          host.types[klass] = rec
+          rec.name
+        else
+          raise NameError, "Unknown class `#{klass}`"
+        end
+      end
+
+      def try_class_to_name(klass)
+        class_to_name klass
+      rescue NameError
+        nil
+      end
+
       def type_constraint(var, cls)
         Expression.new(
           'And',
-          [Expression.new('Isa', [var, Pattern.new(get_class_name(cls), {})])]
+          [Expression.new('Isa', [var, Pattern.new(class_to_name(cls), {})])]
         )
       end
 

data/lib/oso/polar/query.rb

@@ -94,8 +94,7 @@ module Oso
                  else
                    instance.__send__(attribute, *args, **kwargs)
                  end
-        result = JSON.dump(host.to_polar(result))
-        call_result(result, call_id: call_id)
+        call_result(host.to_polar(result), call_id: call_id)
       rescue ArgumentError, NoMethodError => e
         application_error(e.message)
         call_result(nil, call_id: call_id)
@@ -143,7 +142,7 @@ module Oso
           calls[call_id] = value.lazy
         end
 
-        result = JSON.dump(next_call_result(call_id))
+        result = next_call_result(call_id)
         call_result(result, call_id: call_id)
       rescue StopIteration
         call_result(nil, call_id: call_id)
@@ -245,12 +244,32 @@ module Oso
 
       def handle_relationship(call_id, instance, rel) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
         typ = host.types[rel.other_type]
-        constraint = ::Oso::Polar::DataFiltering::Filter.new(
-          kind: 'Eq',
-          field: rel.other_field,
-          value: instance.send(rel.my_field)
-        )
-        res = typ.exec_query[typ.build_query[[constraint]]]
+
+        if host.use_new_data_filtering?
+          cls = typ.klass.get
+
+          condition = ::Oso::Polar::Data::Filter::Condition.new(
+            ::Oso::Polar::Data::Filter::Projection.new(cls, rel.other_field),
+            'Eq',
+            instance.send(rel.my_field)
+          )
+
+          filter = ::Oso::Polar::Data::Filter.new(
+            model: cls,
+            relations: [],
+            conditions: [[condition]],
+            types: host.types
+          )
+
+          res = host.adapter.execute_query host.adapter.build_query(filter)
+        else
+          constraint = ::Oso::Polar::DataFiltering::Filter.new(
+            kind: 'Eq',
+            field: rel.other_field,
+            value: instance.send(rel.my_field)
+          )
+          res = typ.exec_query[typ.build_query[[constraint]]]
+        end
 
         if rel.kind == 'one'
           raise "multiple parents: #{res}" unless res.length == 1
@@ -258,8 +277,7 @@ module Oso
           res = res[0]
         end
 
-        res = JSON.dump host.to_polar res
-        call_result(res, call_id: call_id)
+        call_result(host.to_polar(res), call_id: call_id)
       end
     end
   end

data/lib/oso/polar.rb

@@ -11,6 +11,7 @@ require 'oso/polar/query'
 require 'oso/polar/query_event'
 require 'oso/polar/variable'
 require 'oso/polar/data_filtering'
+require 'oso/polar/data'
 
 module Oso
   # Top-level namespace for Polar language library.

data/lib/oso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Oso
-  VERSION = '0.22.0'
+  VERSION = '0.25.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oso-oso
 version: !ruby/object:Gem::Version
-  version: 0.22.0
+  version: 0.25.0
 platform: ruby
 authors:
 - Oso Security, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-19 00:00:00.000000000 Z
+date: 2021-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -162,16 +162,18 @@ files:
 - lib/oso/errors.rb
 - lib/oso/oso.rb
 - lib/oso/polar.rb
+- lib/oso/polar/data.rb
+- lib/oso/polar/data/adapter.rb
+- lib/oso/polar/data/adapter/active_record_adapter.rb
+- lib/oso/polar/data/filter.rb
 - lib/oso/polar/data_filtering.rb
 - lib/oso/polar/errors.rb
 - lib/oso/polar/expression.rb
 - lib/oso/polar/ffi.rb
 - lib/oso/polar/ffi/error.rb
-- lib/oso/polar/ffi/message.rb
 - lib/oso/polar/ffi/polar.rb
 - lib/oso/polar/ffi/query.rb
-- lib/oso/polar/ffi/query_event.rb
-- lib/oso/polar/ffi/source.rb
+- lib/oso/polar/ffi/rust_string.rb
 - lib/oso/polar/host.rb
 - lib/oso/polar/pattern.rb
 - lib/oso/polar/polar.rb

data/lib/oso/polar/ffi/message.rb

@@ -1,40 +0,0 @@
-# frozen_string_literal: true
-
-require 'json'
-
-module Oso
-  module Polar
-    module FFI
-      # Wrapper class for Message FFI pointer + operations.
-      class Message < ::FFI::AutoPointer
-        # @return [String]
-        def to_s
-          @to_s ||= read_string.force_encoding('UTF-8')
-        end
-
-        Rust = Module.new do
-          extend ::FFI::Library
-          ffi_lib FFI::LIB_PATH
-
-          attach_function :free, :string_free, [Message], :int32
-        end
-
-        def process(enrich_message)
-          message = JSON.parse(to_s)
-          kind = message['kind']
-          msg = message['msg']
-          msg = enrich_message.call(msg)
-
-          case kind
-          when 'Print'
-            puts(msg)
-          when 'Warning'
-            warn(format('[warning] %<msg>s', msg: msg))
-          end
-        end
-
-        private_constant :Rust
-      end
-    end
-  end
-end

data/lib/oso/polar/ffi/query_event.rb

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-module Oso
-  module Polar
-    module FFI
-      # Wrapper class for QueryEvent FFI pointer + operations.
-      class QueryEvent < ::FFI::AutoPointer
-        # @return [String]
-        def to_s
-          @to_s ||= read_string.force_encoding('UTF-8')
-        end
-
-        Rust = Module.new do
-          extend ::FFI::Library
-          ffi_lib FFI::LIB_PATH
-
-          attach_function :free, :string_free, [FFI::QueryEvent], :int32
-        end
-        private_constant :Rust
-      end
-    end
-  end
-end