@lunora/server 0.0.0 → 1.0.0-alpha.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +105 -0
- package/README.md +134 -9
- package/__assets__/package-og.svg +14 -0
- package/dist/data-model.d.mts +416 -0
- package/dist/data-model.d.ts +416 -0
- package/dist/data-model.mjs +1 -0
- package/dist/drizzle.d.mts +1 -0
- package/dist/drizzle.d.ts +1 -0
- package/dist/drizzle.mjs +1 -0
- package/dist/index.d.mts +1985 -0
- package/dist/index.d.ts +1985 -0
- package/dist/index.mjs +28 -0
- package/dist/packem_shared/LunoraEnvError-DjFkpkSP.mjs +187 -0
- package/dist/packem_shared/LunoraError-DN7Zhhvu.mjs +54 -0
- package/dist/packem_shared/PRESENCE_DEFAULT_TTL_MS-D8viLY1S.mjs +114 -0
- package/dist/packem_shared/asBucketStorage-Cnxd9y2q.mjs +11 -0
- package/dist/packem_shared/bindOrm-Ce57S3N9.mjs +128 -0
- package/dist/packem_shared/buildRlsReadRegistry-1jexWrb3.mjs +107 -0
- package/dist/packem_shared/composePluginMiddleware-Ck5_TUO8.mjs +100 -0
- package/dist/packem_shared/createPolicyDsl-De67zPDS.mjs +29 -0
- package/dist/packem_shared/createSecrets-TsIP9lOa.mjs +55 -0
- package/dist/packem_shared/defineAggregateIndex-ZdyU78gh.mjs +291 -0
- package/dist/packem_shared/defineMigration-CAJLr6fx.mjs +8 -0
- package/dist/packem_shared/defineMutator-EIXAWhs9.mjs +11 -0
- package/dist/packem_shared/defineShape-CJ27Wx7o.mjs +17 -0
- package/dist/packem_shared/defineStorageRule-qu0mpilX.mjs +20 -0
- package/dist/packem_shared/functions-Di9FUNkf.mjs +5 -0
- package/dist/packem_shared/httpAction-FLwfsePg.mjs +340 -0
- package/dist/packem_shared/initLunora-lxwHTEV3.mjs +100 -0
- package/dist/packem_shared/mask-BV_jNzsN.mjs +211 -0
- package/dist/packem_shared/onConnect-CIPXKPyw.mjs +13 -0
- package/dist/packem_shared/policy-tag-DvpVH2tv.mjs +13 -0
- package/dist/packem_shared/protectPublic-BjFkQ_Or.mjs +15 -0
- package/dist/packem_shared/rls-2Jhd0uev.mjs +569 -0
- package/dist/packem_shared/run-middleware-CYQOuoV6.mjs +18 -0
- package/dist/packem_shared/storageRules-Cje6Woea.mjs +88 -0
- package/dist/packem_shared/types.d-BDY0FYHK.d.ts +135 -0
- package/dist/packem_shared/types.d-DmvyEMD6.d.mts +135 -0
- package/dist/rls/testing.d.mts +63 -0
- package/dist/rls/testing.d.ts +63 -0
- package/dist/rls/testing.mjs +49 -0
- package/dist/types.d.mts +1157 -0
- package/dist/types.d.ts +1157 -0
- package/dist/types.mjs +31 -0
- package/package.json +59 -17
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
import { WhereOf } from "../data-model.js";
|
|
2
|
+
/** Structural mirror of `@lunora/do`'s `WhereInput`. */
|
|
3
|
+
interface WhereInput {
|
|
4
|
+
[field: string]: unknown;
|
|
5
|
+
AND?: WhereInput[];
|
|
6
|
+
NOT?: WhereInput;
|
|
7
|
+
OR?: WhereInput[];
|
|
8
|
+
}
|
|
9
|
+
/** Operations a policy can gate. `read` covers `get`/`findMany`/`query`/`count`. */
|
|
10
|
+
type PolicyOperation = "delete" | "insert" | "read" | "update";
|
|
11
|
+
/**
|
|
12
|
+
* A policy's `when` decision:
|
|
13
|
+
*
|
|
14
|
+
* - `WhereInput`: a row-shape predicate. On reads it is AND-merged into every
|
|
15
|
+
* query against the table — the row is invisible unless it matches. On writes
|
|
16
|
+
* it is evaluated against the candidate document (`insert`) or the pre-write
|
|
17
|
+
* row (`update`/`delete`); a mismatch denies the write with
|
|
18
|
+
* `LunoraError("FORBIDDEN")`. Same operator set as the SQL compiler
|
|
19
|
+
* (`eq`/`ne`/`in`/`notIn`/`lt`/`lte`/`gt`/`gte`/`isNull`/`contains` +
|
|
20
|
+
* `AND`/`OR`/`NOT`).
|
|
21
|
+
* - `true`: unrestricted. On reads no predicate is merged; on writes the row is
|
|
22
|
+
* allowed.
|
|
23
|
+
* - `false`: deny. On reads the table is forced to match zero rows (a sentinel
|
|
24
|
+
* predicate); on writes the operation throws `LunoraError("FORBIDDEN")`.
|
|
25
|
+
*
|
|
26
|
+
* Returning `undefined` opts this specific policy out (rare; useful when
|
|
27
|
+
* branching on `ctx.auth.roles`).
|
|
28
|
+
*/
|
|
29
|
+
type PolicyDecision = WhereInput | boolean | undefined;
|
|
30
|
+
/**
|
|
31
|
+
* Relation-aware twin of {@link PolicyDecision}, parameterized over the
|
|
32
|
+
* generated `DataModel` (`DM`) + `Relations` (`REL`) maps and a table `T`. A
|
|
33
|
+
* read policy may now return a Prisma-style relation predicate (the
|
|
34
|
+
* `@lunora/do` pre-resolver resolves it via a semijoin), so the typed
|
|
35
|
+
* authoring surface accepts `WhereOf<DM, REL, T>` — column predicates **and**
|
|
36
|
+
* `is`/`isNot`/`some`/`none`/`every` over `T`'s declared relations — in
|
|
37
|
+
* addition to the `boolean`/`undefined` decisions. Used by the project-bound
|
|
38
|
+
* `definePolicy` from `createPolicyDsl`.
|
|
39
|
+
*/
|
|
40
|
+
type PolicyDecisionOf<DM, REL extends Record<keyof DM, object>, T extends keyof DM> = WhereOf<DM, REL, T> | boolean | undefined;
|
|
41
|
+
/**
|
|
42
|
+
* Relation-aware input for a project-bound `definePolicy` (see
|
|
43
|
+
* `createPolicyDsl`). `table` is constrained to a real table name and
|
|
44
|
+
* `when`'s return type is the table-specific {@link PolicyDecisionOf} — so an
|
|
45
|
+
* unknown table, a stray column, or a relation predicate naming a relation the
|
|
46
|
+
* table does not declare is a compile error rather than a silent runtime deny.
|
|
47
|
+
*/
|
|
48
|
+
interface TypedDefinePolicyInput<DM, REL extends Record<keyof DM, object>, T extends keyof DM, Context = unknown> {
|
|
49
|
+
on: PolicyOperation;
|
|
50
|
+
table: T;
|
|
51
|
+
when: (context: PolicyContext<Context>) => PolicyDecisionOf<DM, REL, T>;
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* Context handed to a policy. `auth.roles` is the per-request role list,
|
|
55
|
+
* sourced from the identity resolver (better-auth claims today). `auth.can`
|
|
56
|
+
* answers whether any of those roles grants a permission (see
|
|
57
|
+
* {@link Permission} / {@link RlsOptions}). `row` is present only on write
|
|
58
|
+
* policies (`insert`/`update`/`delete`) — for `update` and `delete` it is the
|
|
59
|
+
* pre-write row; for `insert` it is the candidate document. `ctx` is the full
|
|
60
|
+
* procedure context the middleware closed over.
|
|
61
|
+
*/
|
|
62
|
+
interface PolicyContext<Context = unknown> {
|
|
63
|
+
readonly auth: {
|
|
64
|
+
/**
|
|
65
|
+
* `true` when any of the request's `roles` grants `permission` (passed
|
|
66
|
+
* by {@link Permission} object or its `name`). Always `false` when no
|
|
67
|
+
* roles were handed to the middleware (`rls(policies, { roles })`), or
|
|
68
|
+
* when none of the request's roles lists the permission.
|
|
69
|
+
*/
|
|
70
|
+
readonly can: (permission: Permission | string) => boolean;
|
|
71
|
+
readonly identity?: Record<string, unknown> | null;
|
|
72
|
+
readonly roles: ReadonlyArray<string>;
|
|
73
|
+
readonly userId: null | string;
|
|
74
|
+
};
|
|
75
|
+
readonly ctx: Context;
|
|
76
|
+
readonly row?: Record<string, unknown>;
|
|
77
|
+
}
|
|
78
|
+
/** A registered policy as stored in the policy table. */
|
|
79
|
+
interface Policy<Context = unknown> {
|
|
80
|
+
readonly on: PolicyOperation;
|
|
81
|
+
readonly table: string;
|
|
82
|
+
readonly when: (context: PolicyContext<Context>) => PolicyDecision;
|
|
83
|
+
}
|
|
84
|
+
/**
|
|
85
|
+
* Input accepted by `definePolicy`. The branded result is the same
|
|
86
|
+
* shape; we keep the input/output split so callers can read JSDoc on the
|
|
87
|
+
* constructor without the type re-exposing `Policy` internals.
|
|
88
|
+
*/
|
|
89
|
+
interface DefinePolicyInput<Context = unknown> {
|
|
90
|
+
on: PolicyOperation;
|
|
91
|
+
/** Logical table name the policy applies to. */
|
|
92
|
+
table: string;
|
|
93
|
+
/**
|
|
94
|
+
* Decision function. Returning a `WhereInput` (read only) AND-merges the
|
|
95
|
+
* predicate; `true` allows; `false` denies; `undefined` skips this policy.
|
|
96
|
+
*
|
|
97
|
+
* NOTE: `count()` is **unsupported** on a policy-restricted table — the
|
|
98
|
+
* reader throws `LunoraError("COUNT_RLS_UNSUPPORTED")` (422). This mirrors
|
|
99
|
+
* kitcn's documented behavior.
|
|
100
|
+
*/
|
|
101
|
+
when: (context: PolicyContext<Context>) => PolicyDecision;
|
|
102
|
+
}
|
|
103
|
+
/**
|
|
104
|
+
* A named, abstract capability a policy can check with `ctx.auth.can(...)`,
|
|
105
|
+
* instead of branching on raw role strings. Declare one with
|
|
106
|
+
* `definePermission`; grant it to a role via {@link Role.permissions};
|
|
107
|
+
* register the roles with the middleware via {@link RlsOptions.roles}.
|
|
108
|
+
*/
|
|
109
|
+
interface Permission {
|
|
110
|
+
readonly description?: string;
|
|
111
|
+
readonly name: string;
|
|
112
|
+
}
|
|
113
|
+
/**
|
|
114
|
+
* A role declaration. Roles are string labels attached to the request's
|
|
115
|
+
* identity (via better-auth claims today). `permissions` lists the
|
|
116
|
+
* capabilities the role grants — at request time the middleware unions the
|
|
117
|
+
* permissions of every role in `ctx.auth.roles` so a policy can ask
|
|
118
|
+
* `ctx.auth.can(permission)` rather than enumerate roles.
|
|
119
|
+
*/
|
|
120
|
+
interface Role {
|
|
121
|
+
readonly description?: string;
|
|
122
|
+
readonly name: string;
|
|
123
|
+
/** Permissions this role grants — by {@link Permission} object or bare name. */
|
|
124
|
+
readonly permissions?: ReadonlyArray<Permission | string>;
|
|
125
|
+
}
|
|
126
|
+
/**
|
|
127
|
+
* Options for the `rls(policies, options)` middleware. `roles` registers the
|
|
128
|
+
* role→permission grants that back `ctx.auth.can(...)`; a role not listed here
|
|
129
|
+
* grants no permissions (so `can` is conservative — it fails closed for
|
|
130
|
+
* unknown roles).
|
|
131
|
+
*/
|
|
132
|
+
interface RlsOptions {
|
|
133
|
+
readonly roles?: ReadonlyArray<Role>;
|
|
134
|
+
}
|
|
135
|
+
export { DefinePolicyInput as D, PolicyOperation as P, Role as R, TypedDefinePolicyInput as T, WhereInput as W, Policy as a, Permission as b, RlsOptions as c, PolicyContext as d, PolicyDecision as e, PolicyDecisionOf as f };
|
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
import { WhereOf } from "../data-model.mjs";
|
|
2
|
+
/** Structural mirror of `@lunora/do`'s `WhereInput`. */
|
|
3
|
+
interface WhereInput {
|
|
4
|
+
[field: string]: unknown;
|
|
5
|
+
AND?: WhereInput[];
|
|
6
|
+
NOT?: WhereInput;
|
|
7
|
+
OR?: WhereInput[];
|
|
8
|
+
}
|
|
9
|
+
/** Operations a policy can gate. `read` covers `get`/`findMany`/`query`/`count`. */
|
|
10
|
+
type PolicyOperation = "delete" | "insert" | "read" | "update";
|
|
11
|
+
/**
|
|
12
|
+
* A policy's `when` decision:
|
|
13
|
+
*
|
|
14
|
+
* - `WhereInput`: a row-shape predicate. On reads it is AND-merged into every
|
|
15
|
+
* query against the table — the row is invisible unless it matches. On writes
|
|
16
|
+
* it is evaluated against the candidate document (`insert`) or the pre-write
|
|
17
|
+
* row (`update`/`delete`); a mismatch denies the write with
|
|
18
|
+
* `LunoraError("FORBIDDEN")`. Same operator set as the SQL compiler
|
|
19
|
+
* (`eq`/`ne`/`in`/`notIn`/`lt`/`lte`/`gt`/`gte`/`isNull`/`contains` +
|
|
20
|
+
* `AND`/`OR`/`NOT`).
|
|
21
|
+
* - `true`: unrestricted. On reads no predicate is merged; on writes the row is
|
|
22
|
+
* allowed.
|
|
23
|
+
* - `false`: deny. On reads the table is forced to match zero rows (a sentinel
|
|
24
|
+
* predicate); on writes the operation throws `LunoraError("FORBIDDEN")`.
|
|
25
|
+
*
|
|
26
|
+
* Returning `undefined` opts this specific policy out (rare; useful when
|
|
27
|
+
* branching on `ctx.auth.roles`).
|
|
28
|
+
*/
|
|
29
|
+
type PolicyDecision = WhereInput | boolean | undefined;
|
|
30
|
+
/**
|
|
31
|
+
* Relation-aware twin of {@link PolicyDecision}, parameterized over the
|
|
32
|
+
* generated `DataModel` (`DM`) + `Relations` (`REL`) maps and a table `T`. A
|
|
33
|
+
* read policy may now return a Prisma-style relation predicate (the
|
|
34
|
+
* `@lunora/do` pre-resolver resolves it via a semijoin), so the typed
|
|
35
|
+
* authoring surface accepts `WhereOf<DM, REL, T>` — column predicates **and**
|
|
36
|
+
* `is`/`isNot`/`some`/`none`/`every` over `T`'s declared relations — in
|
|
37
|
+
* addition to the `boolean`/`undefined` decisions. Used by the project-bound
|
|
38
|
+
* `definePolicy` from `createPolicyDsl`.
|
|
39
|
+
*/
|
|
40
|
+
type PolicyDecisionOf<DM, REL extends Record<keyof DM, object>, T extends keyof DM> = WhereOf<DM, REL, T> | boolean | undefined;
|
|
41
|
+
/**
|
|
42
|
+
* Relation-aware input for a project-bound `definePolicy` (see
|
|
43
|
+
* `createPolicyDsl`). `table` is constrained to a real table name and
|
|
44
|
+
* `when`'s return type is the table-specific {@link PolicyDecisionOf} — so an
|
|
45
|
+
* unknown table, a stray column, or a relation predicate naming a relation the
|
|
46
|
+
* table does not declare is a compile error rather than a silent runtime deny.
|
|
47
|
+
*/
|
|
48
|
+
interface TypedDefinePolicyInput<DM, REL extends Record<keyof DM, object>, T extends keyof DM, Context = unknown> {
|
|
49
|
+
on: PolicyOperation;
|
|
50
|
+
table: T;
|
|
51
|
+
when: (context: PolicyContext<Context>) => PolicyDecisionOf<DM, REL, T>;
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* Context handed to a policy. `auth.roles` is the per-request role list,
|
|
55
|
+
* sourced from the identity resolver (better-auth claims today). `auth.can`
|
|
56
|
+
* answers whether any of those roles grants a permission (see
|
|
57
|
+
* {@link Permission} / {@link RlsOptions}). `row` is present only on write
|
|
58
|
+
* policies (`insert`/`update`/`delete`) — for `update` and `delete` it is the
|
|
59
|
+
* pre-write row; for `insert` it is the candidate document. `ctx` is the full
|
|
60
|
+
* procedure context the middleware closed over.
|
|
61
|
+
*/
|
|
62
|
+
interface PolicyContext<Context = unknown> {
|
|
63
|
+
readonly auth: {
|
|
64
|
+
/**
|
|
65
|
+
* `true` when any of the request's `roles` grants `permission` (passed
|
|
66
|
+
* by {@link Permission} object or its `name`). Always `false` when no
|
|
67
|
+
* roles were handed to the middleware (`rls(policies, { roles })`), or
|
|
68
|
+
* when none of the request's roles lists the permission.
|
|
69
|
+
*/
|
|
70
|
+
readonly can: (permission: Permission | string) => boolean;
|
|
71
|
+
readonly identity?: Record<string, unknown> | null;
|
|
72
|
+
readonly roles: ReadonlyArray<string>;
|
|
73
|
+
readonly userId: null | string;
|
|
74
|
+
};
|
|
75
|
+
readonly ctx: Context;
|
|
76
|
+
readonly row?: Record<string, unknown>;
|
|
77
|
+
}
|
|
78
|
+
/** A registered policy as stored in the policy table. */
|
|
79
|
+
interface Policy<Context = unknown> {
|
|
80
|
+
readonly on: PolicyOperation;
|
|
81
|
+
readonly table: string;
|
|
82
|
+
readonly when: (context: PolicyContext<Context>) => PolicyDecision;
|
|
83
|
+
}
|
|
84
|
+
/**
|
|
85
|
+
* Input accepted by `definePolicy`. The branded result is the same
|
|
86
|
+
* shape; we keep the input/output split so callers can read JSDoc on the
|
|
87
|
+
* constructor without the type re-exposing `Policy` internals.
|
|
88
|
+
*/
|
|
89
|
+
interface DefinePolicyInput<Context = unknown> {
|
|
90
|
+
on: PolicyOperation;
|
|
91
|
+
/** Logical table name the policy applies to. */
|
|
92
|
+
table: string;
|
|
93
|
+
/**
|
|
94
|
+
* Decision function. Returning a `WhereInput` (read only) AND-merges the
|
|
95
|
+
* predicate; `true` allows; `false` denies; `undefined` skips this policy.
|
|
96
|
+
*
|
|
97
|
+
* NOTE: `count()` is **unsupported** on a policy-restricted table — the
|
|
98
|
+
* reader throws `LunoraError("COUNT_RLS_UNSUPPORTED")` (422). This mirrors
|
|
99
|
+
* kitcn's documented behavior.
|
|
100
|
+
*/
|
|
101
|
+
when: (context: PolicyContext<Context>) => PolicyDecision;
|
|
102
|
+
}
|
|
103
|
+
/**
|
|
104
|
+
* A named, abstract capability a policy can check with `ctx.auth.can(...)`,
|
|
105
|
+
* instead of branching on raw role strings. Declare one with
|
|
106
|
+
* `definePermission`; grant it to a role via {@link Role.permissions};
|
|
107
|
+
* register the roles with the middleware via {@link RlsOptions.roles}.
|
|
108
|
+
*/
|
|
109
|
+
interface Permission {
|
|
110
|
+
readonly description?: string;
|
|
111
|
+
readonly name: string;
|
|
112
|
+
}
|
|
113
|
+
/**
|
|
114
|
+
* A role declaration. Roles are string labels attached to the request's
|
|
115
|
+
* identity (via better-auth claims today). `permissions` lists the
|
|
116
|
+
* capabilities the role grants — at request time the middleware unions the
|
|
117
|
+
* permissions of every role in `ctx.auth.roles` so a policy can ask
|
|
118
|
+
* `ctx.auth.can(permission)` rather than enumerate roles.
|
|
119
|
+
*/
|
|
120
|
+
interface Role {
|
|
121
|
+
readonly description?: string;
|
|
122
|
+
readonly name: string;
|
|
123
|
+
/** Permissions this role grants — by {@link Permission} object or bare name. */
|
|
124
|
+
readonly permissions?: ReadonlyArray<Permission | string>;
|
|
125
|
+
}
|
|
126
|
+
/**
|
|
127
|
+
* Options for the `rls(policies, options)` middleware. `roles` registers the
|
|
128
|
+
* role→permission grants that back `ctx.auth.can(...)`; a role not listed here
|
|
129
|
+
* grants no permissions (so `can` is conservative — it fails closed for
|
|
130
|
+
* unknown roles).
|
|
131
|
+
*/
|
|
132
|
+
interface RlsOptions {
|
|
133
|
+
readonly roles?: ReadonlyArray<Role>;
|
|
134
|
+
}
|
|
135
|
+
export { DefinePolicyInput as D, PolicyOperation as P, Role as R, TypedDefinePolicyInput as T, WhereInput as W, Policy as a, Permission as b, RlsOptions as c, PolicyContext as d, PolicyDecision as e, PolicyDecisionOf as f };
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
import { P as PolicyOperation, R as Role, a as Policy } from "../packem_shared/types.d-DmvyEMD6.mjs";
|
|
2
|
+
import "../data-model.mjs";
|
|
3
|
+
/**
|
|
4
|
+
* The slice of a request identity a policy reads. Mirrors the
|
|
5
|
+
* `PolicyContext.auth` shape the middleware builds at request time — every
|
|
6
|
+
* field is optional and defaults the same way the middleware defaults it
|
|
7
|
+
* (`userId`/`identity` → `null`, `roles` → `[]`).
|
|
8
|
+
*/
|
|
9
|
+
interface TestIdentity {
|
|
10
|
+
/** Raw identity claims a policy may branch on (`auth.identity.email`, …). */
|
|
11
|
+
identity?: Record<string, unknown> | null;
|
|
12
|
+
/** Role labels the request carries; resolved to permissions via the harness `roles` registry. */
|
|
13
|
+
roles?: ReadonlyArray<string>;
|
|
14
|
+
/** The caller id (`auth.userId`); `null`/omitted is the anonymous caller. */
|
|
15
|
+
userId?: null | string;
|
|
16
|
+
}
|
|
17
|
+
/** Options for {@link expectPolicy}. */
|
|
18
|
+
interface ExpectPolicyOptions<Context = unknown> {
|
|
19
|
+
/**
|
|
20
|
+
* The procedure context a policy reads via `ctx` (e.g. `ctx.orgId`). Held
|
|
21
|
+
* for the whole harness; pass a fresh `expectPolicy(..., { ctx })` for a
|
|
22
|
+
* different context. Defaults to an empty object.
|
|
23
|
+
*/
|
|
24
|
+
ctx?: Context;
|
|
25
|
+
/**
|
|
26
|
+
* Role→permission grants backing `auth.can(...)` — the same registry passed
|
|
27
|
+
* to `rls(policies, { roles })`. A role not listed here grants nothing, so
|
|
28
|
+
* `can(...)` fails closed exactly as it does in production.
|
|
29
|
+
*/
|
|
30
|
+
roles?: ReadonlyArray<Role>;
|
|
31
|
+
}
|
|
32
|
+
/** A harness bound to one identity; answers can/cannot for an `(op, table, row)`. */
|
|
33
|
+
interface BoundPolicyAssertion {
|
|
34
|
+
/**
|
|
35
|
+
* Would this identity be **allowed** the operation on `row`?
|
|
36
|
+
*
|
|
37
|
+
* - `read` — is `row` visible? `true` when the table has no read policy (unrestricted), or when the effective read `baseWhere` matches `row`.
|
|
38
|
+
* - `insert` — is the candidate `row` allowed by the insert policies?
|
|
39
|
+
* - `update` / `delete` — is the pre-write `row` allowed? For `update` pass `nextRow` to also assert the post-image (WITH CHECK) — a policy can't be satisfied by the old row while the patch reassigns it to another tenant.
|
|
40
|
+
*
|
|
41
|
+
* A table with **no** policy in the list is unguarded → always `true`
|
|
42
|
+
* (mirrors the middleware passing such tables through unwrapped). A table
|
|
43
|
+
* that participates but declares no policy for the write `op` denies
|
|
44
|
+
* (default-DENY), exactly as the middleware does.
|
|
45
|
+
*/
|
|
46
|
+
can: (op: PolicyOperation, table: string, row?: Record<string, unknown>, nextRow?: Record<string, unknown>) => boolean;
|
|
47
|
+
/** Negation of {@link BoundPolicyAssertion.can} — reads more naturally in a denial test. */
|
|
48
|
+
cannot: (op: PolicyOperation, table: string, row?: Record<string, unknown>, nextRow?: Record<string, unknown>) => boolean;
|
|
49
|
+
}
|
|
50
|
+
/** A harness over a policy set; `.as(identity)` binds an identity to assert against. */
|
|
51
|
+
interface PolicyAssertion {
|
|
52
|
+
/** Bind an identity (or `null`/omitted for the anonymous caller) and assert against it. */
|
|
53
|
+
as: (identity?: TestIdentity | null) => BoundPolicyAssertion;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Build an in-process assertion harness over a policy set. Reuses the `rls()`
|
|
57
|
+
* middleware's own evaluation primitives, so an assertion is faithful to
|
|
58
|
+
* request-time behaviour by construction.
|
|
59
|
+
* @param policies the policy list, typically from `definePolicies([...])`.
|
|
60
|
+
* @param options role registry + procedure `ctx` (see {@link ExpectPolicyOptions}).
|
|
61
|
+
*/
|
|
62
|
+
declare const expectPolicy: <Context = unknown>(policies: ReadonlyArray<Policy<Context>>, options?: ExpectPolicyOptions<Context>) => PolicyAssertion;
|
|
63
|
+
export { BoundPolicyAssertion, ExpectPolicyOptions, PolicyAssertion, TestIdentity, expectPolicy };
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
import { P as PolicyOperation, R as Role, a as Policy } from "../packem_shared/types.d-BDY0FYHK.js";
|
|
2
|
+
import "../data-model.js";
|
|
3
|
+
/**
|
|
4
|
+
* The slice of a request identity a policy reads. Mirrors the
|
|
5
|
+
* `PolicyContext.auth` shape the middleware builds at request time — every
|
|
6
|
+
* field is optional and defaults the same way the middleware defaults it
|
|
7
|
+
* (`userId`/`identity` → `null`, `roles` → `[]`).
|
|
8
|
+
*/
|
|
9
|
+
interface TestIdentity {
|
|
10
|
+
/** Raw identity claims a policy may branch on (`auth.identity.email`, …). */
|
|
11
|
+
identity?: Record<string, unknown> | null;
|
|
12
|
+
/** Role labels the request carries; resolved to permissions via the harness `roles` registry. */
|
|
13
|
+
roles?: ReadonlyArray<string>;
|
|
14
|
+
/** The caller id (`auth.userId`); `null`/omitted is the anonymous caller. */
|
|
15
|
+
userId?: null | string;
|
|
16
|
+
}
|
|
17
|
+
/** Options for {@link expectPolicy}. */
|
|
18
|
+
interface ExpectPolicyOptions<Context = unknown> {
|
|
19
|
+
/**
|
|
20
|
+
* The procedure context a policy reads via `ctx` (e.g. `ctx.orgId`). Held
|
|
21
|
+
* for the whole harness; pass a fresh `expectPolicy(..., { ctx })` for a
|
|
22
|
+
* different context. Defaults to an empty object.
|
|
23
|
+
*/
|
|
24
|
+
ctx?: Context;
|
|
25
|
+
/**
|
|
26
|
+
* Role→permission grants backing `auth.can(...)` — the same registry passed
|
|
27
|
+
* to `rls(policies, { roles })`. A role not listed here grants nothing, so
|
|
28
|
+
* `can(...)` fails closed exactly as it does in production.
|
|
29
|
+
*/
|
|
30
|
+
roles?: ReadonlyArray<Role>;
|
|
31
|
+
}
|
|
32
|
+
/** A harness bound to one identity; answers can/cannot for an `(op, table, row)`. */
|
|
33
|
+
interface BoundPolicyAssertion {
|
|
34
|
+
/**
|
|
35
|
+
* Would this identity be **allowed** the operation on `row`?
|
|
36
|
+
*
|
|
37
|
+
* - `read` — is `row` visible? `true` when the table has no read policy (unrestricted), or when the effective read `baseWhere` matches `row`.
|
|
38
|
+
* - `insert` — is the candidate `row` allowed by the insert policies?
|
|
39
|
+
* - `update` / `delete` — is the pre-write `row` allowed? For `update` pass `nextRow` to also assert the post-image (WITH CHECK) — a policy can't be satisfied by the old row while the patch reassigns it to another tenant.
|
|
40
|
+
*
|
|
41
|
+
* A table with **no** policy in the list is unguarded → always `true`
|
|
42
|
+
* (mirrors the middleware passing such tables through unwrapped). A table
|
|
43
|
+
* that participates but declares no policy for the write `op` denies
|
|
44
|
+
* (default-DENY), exactly as the middleware does.
|
|
45
|
+
*/
|
|
46
|
+
can: (op: PolicyOperation, table: string, row?: Record<string, unknown>, nextRow?: Record<string, unknown>) => boolean;
|
|
47
|
+
/** Negation of {@link BoundPolicyAssertion.can} — reads more naturally in a denial test. */
|
|
48
|
+
cannot: (op: PolicyOperation, table: string, row?: Record<string, unknown>, nextRow?: Record<string, unknown>) => boolean;
|
|
49
|
+
}
|
|
50
|
+
/** A harness over a policy set; `.as(identity)` binds an identity to assert against. */
|
|
51
|
+
interface PolicyAssertion {
|
|
52
|
+
/** Bind an identity (or `null`/omitted for the anonymous caller) and assert against it. */
|
|
53
|
+
as: (identity?: TestIdentity | null) => BoundPolicyAssertion;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Build an in-process assertion harness over a policy set. Reuses the `rls()`
|
|
57
|
+
* middleware's own evaluation primitives, so an assertion is faithful to
|
|
58
|
+
* request-time behaviour by construction.
|
|
59
|
+
* @param policies the policy list, typically from `definePolicies([...])`.
|
|
60
|
+
* @param options role registry + procedure `ctx` (see {@link ExpectPolicyOptions}).
|
|
61
|
+
*/
|
|
62
|
+
declare const expectPolicy: <Context = unknown>(policies: ReadonlyArray<Policy<Context>>, options?: ExpectPolicyOptions<Context>) => PolicyAssertion;
|
|
63
|
+
export { BoundPolicyAssertion, ExpectPolicyOptions, PolicyAssertion, TestIdentity, expectPolicy };
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
import { indexRolePermissions, computeReadBaseWhere, matchesWhere, evaluateWrite, permissionName } from '../packem_shared/rls-2Jhd0uev.mjs';
|
|
2
|
+
|
|
3
|
+
const expectPolicy = (policies, options = {}) => {
|
|
4
|
+
const rolePermissions = indexRolePermissions(options.roles);
|
|
5
|
+
const context = options.ctx ?? {};
|
|
6
|
+
return {
|
|
7
|
+
as: (identity) => {
|
|
8
|
+
const auth = identity ?? {};
|
|
9
|
+
const roles = auth.roles ?? [];
|
|
10
|
+
const granted = /* @__PURE__ */ new Set();
|
|
11
|
+
for (const roleName of roles) {
|
|
12
|
+
for (const name of rolePermissions.get(roleName) ?? []) {
|
|
13
|
+
granted.add(name);
|
|
14
|
+
}
|
|
15
|
+
}
|
|
16
|
+
const baseContext = {
|
|
17
|
+
auth: {
|
|
18
|
+
can: (permission) => granted.has(permissionName(permission)),
|
|
19
|
+
// eslint-disable-next-line unicorn/no-null -- PolicyContext.auth.identity is a public `… | null` type, mirroring the middleware
|
|
20
|
+
identity: auth.identity ?? null,
|
|
21
|
+
roles,
|
|
22
|
+
// eslint-disable-next-line unicorn/no-null -- PolicyContext.auth.userId is a public `null | string` type, mirroring the middleware
|
|
23
|
+
userId: auth.userId ?? null
|
|
24
|
+
},
|
|
25
|
+
ctx: context
|
|
26
|
+
};
|
|
27
|
+
const can = (op, table, row, nextRow) => {
|
|
28
|
+
const tablePolicies = policies.filter((policy) => policy.table === table);
|
|
29
|
+
if (tablePolicies.length === 0) {
|
|
30
|
+
return true;
|
|
31
|
+
}
|
|
32
|
+
if (op === "read") {
|
|
33
|
+
if (!tablePolicies.some((policy) => policy.on === "read")) {
|
|
34
|
+
return true;
|
|
35
|
+
}
|
|
36
|
+
const baseWhere = computeReadBaseWhere(tablePolicies, baseContext);
|
|
37
|
+
return baseWhere === void 0 || matchesWhere(row ?? {}, baseWhere);
|
|
38
|
+
}
|
|
39
|
+
return evaluateWrite(tablePolicies, op, { ...baseContext, row }, nextRow);
|
|
40
|
+
};
|
|
41
|
+
return {
|
|
42
|
+
can,
|
|
43
|
+
cannot: (op, table, row, nextRow) => !can(op, table, row, nextRow)
|
|
44
|
+
};
|
|
45
|
+
}
|
|
46
|
+
};
|
|
47
|
+
};
|
|
48
|
+
|
|
49
|
+
export { expectPolicy };
|