@objectstack/plugin-security 9.9.1 → 9.11.0

package/dist/index.mjs

@@ -1019,7 +1019,19 @@ var PermissionEvaluator = class {
 var RLS_DENY_FILTER = Object.freeze({
   id: "__rls_deny__:00000000-0000-0000-0000-000000000000"
 });
+function isSupportedRlsExpression(expression) {
+  if (!expression) return false;
+  const e = expression.trim();
+  if (/^\s*1\s*=\s*1\s*$/.test(e)) return true;
+  if (/^\s*\w+\s*=\s*current_user\.\w+\s*$/.test(e)) return true;
+  if (/^\s*\w+\s*=\s*'[^']*'\s*$/.test(e)) return true;
+  if (/^\s*\w+\s+IN\s+\(\s*current_user\.\w+\s*\)\s*$/i.test(e)) return true;
+  return false;
+}
 var RLSCompiler = class {
+  setLogger(logger) {
+    this.logger = logger;
+  }
   /**
    * Compile RLS policies into a query filter for the given user context.
    * Multiple policies for the same object/operation are OR-combined (any match allows access).
@@ -1039,14 +1051,28 @@ var RLSCompiler = class {
       id: executionContext?.userId,
       organization_id: executionContext?.tenantId,
       roles: executionContext?.roles,
-      org_user_ids: executionContext?.org_user_ids
+      org_user_ids: executionContext?.org_user_ids,
+      // Unique identifier — safe for ownership predicates (see RLSUserContext).
+      email: executionContext?.email
     };
+    const membership = executionContext?.rlsMembership;
+    if (membership && typeof membership === "object") {
+      for (const [key, value] of Object.entries(membership)) {
+        if (Array.isArray(value) && userCtx[key] === void 0) {
+          userCtx[key] = value;
+        }
+      }
+    }
     const filters = [];
     for (const policy of policies) {
       if (!policy.using) continue;
       const filter = this.compileExpression(policy.using, userCtx);
       if (filter) {
         filters.push(filter);
+      } else if (!isSupportedRlsExpression(policy.using)) {
+        this.logger?.warn?.(
+          `[RLS] policy '${policy.name ?? "(unnamed)"}' on '${policy.object ?? "?"}' has an uncompilable predicate and was DROPPED (no enforcement): ${policy.using}`
+        );
       }
     }
     if (filters.length === 0) {
@@ -1057,14 +1083,24 @@ var RLSCompiler = class {
   }
   /**
    * Compile a single RLS expression into a query filter.
-   * 
-   * Supports simple expressions like:
-   * - "field_name = current_user.property"
-   * - "field_name IN (current_user.array_property)"
-   * - "field_name = 'literal_value'"
+   *
+   * This reference compiler recognizes exactly four forms — anything else
+   * returns `null` and (via {@link compileFilter}) fails closed:
+   * - `field = current_user.property`     → `{ field: <value> }`
+   * - `field = 'literal_value'`           → `{ field: 'literal_value' }`
+   * - `field IN (current_user.array)`     → `{ field: { $in: [...] } }`
+   *   (the array may be a §7.3.1 pre-resolved membership set)
+   * - `1 = 1`                             → `{}` (always-true / no restriction)
+   *
+   * There is intentionally no support for subqueries, `LIKE`/`ILIKE`,
+   * regex, `ANY`/`ALL`, `AND`/`OR`/`NOT`, or `NULL` checks — express those
+   * needs as a `current_user.*` property the runtime pre-resolves instead.
    */
   compileExpression(expression, userCtx) {
     if (!expression) return null;
+    if (/^\s*1\s*=\s*1\s*$/.test(expression)) {
+      return {};
+    }
     const eqMatch = expression.match(/^\s*(\w+)\s*=\s*current_user\.(\w+)\s*$/);
     if (eqMatch) {
       const [, field, prop] = eqMatch;
@@ -1212,11 +1248,91 @@ function isPermissionDeniedError(e) {
 }
 
 // src/bootstrap-platform-admin.ts
+import { SystemUserId as SystemUserId2 } from "@objectstack/spec/system";
+
+// src/claim-seed-ownership.ts
 import { SystemUserId } from "@objectstack/spec/system";
 var SYSTEM_CTX = { isSystem: true };
+function hasOwnerField(schema) {
+  const fields = schema?.fields;
+  if (!fields) return false;
+  if (Array.isArray(fields)) {
+    return fields.some((f) => f?.name === "owner_id");
+  }
+  return Object.prototype.hasOwnProperty.call(fields, "owner_id");
+}
+async function claimSeedOwnership(ql, adminUserId, options = {}) {
+  const logger = options.logger;
+  if (!adminUserId || adminUserId === SystemUserId.SYSTEM) return [];
+  if (!ql || typeof ql.update !== "function" || typeof ql.find !== "function") {
+    return [];
+  }
+  const registry = ql.registry;
+  if (!registry || typeof registry.getAllObjects !== "function") {
+    logger?.warn?.("[security] claimSeedOwnership: registry unavailable");
+    return [];
+  }
+  const schemas = registry.getAllObjects();
+  const results = [];
+  for (const schema of schemas) {
+    if (!schema?.name) continue;
+    if (schema.managedBy) continue;
+    if (schema.name.startsWith("sys_")) continue;
+    if (!hasOwnerField(schema)) continue;
+    try {
+      const seen = /* @__PURE__ */ new Set();
+      const ids = [];
+      for (const where of [{ owner_id: null }, { owner_id: SystemUserId.SYSTEM }]) {
+        const rows = await ql.find(
+          schema.name,
+          { where, limit: 1e4, fields: ["id"] },
+          { context: SYSTEM_CTX }
+        );
+        const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+        for (const r of list) {
+          if (r?.id && !seen.has(r.id)) {
+            seen.add(r.id);
+            ids.push(r.id);
+          }
+        }
+      }
+      if (ids.length === 0) continue;
+      let updated = 0;
+      for (const id of ids) {
+        try {
+          await ql.update(
+            schema.name,
+            { id, owner_id: adminUserId },
+            { context: SYSTEM_CTX }
+          );
+          updated += 1;
+        } catch (e) {
+          logger?.warn?.(`[security] claimSeedOwnership failed for ${schema.name}:${id}`, {
+            error: e.message
+          });
+        }
+      }
+      if (updated > 0) results.push({ object: schema.name, count: updated });
+    } catch (e) {
+      logger?.warn?.(`[security] claimSeedOwnership scan failed for ${schema.name}`, {
+        error: e.message
+      });
+    }
+  }
+  if (results.length > 0) {
+    const total = results.reduce((s, r) => s + r.count, 0);
+    logger?.info?.(`[security] handed ${total} seeded record(s) to first admin ${adminUserId}`, {
+      breakdown: results
+    });
+  }
+  return results;
+}
+
+// src/bootstrap-platform-admin.ts
+var SYSTEM_CTX2 = { isSystem: true };
 async function tryFind(ql, object, where, limit = 100) {
   try {
-    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX });
+    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX2 });
     return Array.isArray(rows) ? rows : [];
   } catch {
     return [];
@@ -1224,7 +1340,7 @@ async function tryFind(ql, object, where, limit = 100) {
 }
 async function tryInsert(ql, object, data) {
   try {
-    return await ql.insert(object, data, { context: SYSTEM_CTX });
+    return await ql.insert(object, data, { context: SYSTEM_CTX2 });
   } catch {
     return null;
   }
@@ -1252,6 +1368,9 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
       id,
       name: ps.name,
       label: ps.label ?? ps.name,
+      // `description` is not part of the typed PermissionSet shape (name/label
+      // only); read it defensively so a runtime-provided description still
+      // persists without tripping the dts typecheck.
       description: ps.description ?? null,
       object_permissions: JSON.stringify(ps.objects ?? {}),
       field_permissions: JSON.stringify(ps.fields ?? {}),
@@ -1281,12 +1400,12 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
     { permission_set_id: adminPsId },
     50
   );
-  if (existingAdminLinks.some((r) => !r.organization_id && r.user_id !== SystemUserId.SYSTEM)) {
+  if (existingAdminLinks.some((r) => !r.organization_id && r.user_id !== SystemUserId2.SYSTEM)) {
     return { seeded: seededCount, adminPromoted: false, reason: "already_have_admin" };
   }
   const allUsers = await tryFind(ql, "sys_user", {}, 50);
   const humanUsers = allUsers.filter(
-    (u) => u.id !== SystemUserId.SYSTEM && u.role !== "system"
+    (u) => u.id !== SystemUserId2.SYSTEM && u.role !== "system"
   );
   if (humanUsers.length === 0) {
     logger?.info?.("[security] no human users yet \u2014 first sign-up will be promoted to platform admin");
@@ -1310,11 +1429,18 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
     return { seeded: seededCount, adminPromoted: false, reason: "insert_failed" };
   }
   logger?.info?.(`[security] first user promoted to platform admin: ${target.email ?? target.id}`);
-  return { seeded: seededCount, adminPromoted: true };
+  let ownershipClaimed = 0;
+  try {
+    const claims = await claimSeedOwnership(ql, target.id, { logger });
+    ownershipClaimed = claims.reduce((s, c) => s + c.count, 0);
+  } catch (e) {
+    logger?.warn?.("[security] seed ownership handoff failed", { error: e.message });
+  }
+  return { seeded: seededCount, adminPromoted: true, ownershipClaimed };
 }
 
 // src/auto-org-admin-grant.ts
-var SYSTEM_CTX2 = { isSystem: true };
+var SYSTEM_CTX3 = { isSystem: true };
 var PERMISSION_SET_NAME = "organization_admin";
 function genId2(prefix) {
   const rand = Math.random().toString(36).slice(2, 10);
@@ -1323,7 +1449,7 @@ function genId2(prefix) {
 }
 async function tryFind2(ql, object, where, limit = 50) {
   try {
-    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX2 });
+    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX3 });
     return Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
   } catch {
     return [];
@@ -1331,14 +1457,14 @@ async function tryFind2(ql, object, where, limit = 50) {
 }
 async function tryInsert2(ql, object, data) {
   try {
-    return await ql.insert(object, data, { context: SYSTEM_CTX2 });
+    return await ql.insert(object, data, { context: SYSTEM_CTX3 });
   } catch {
     return null;
   }
 }
 async function tryDelete(ql, object, id) {
   try {
-    await ql.delete(object, id, { context: SYSTEM_CTX2 });
+    await ql.delete(object, id, { context: SYSTEM_CTX3 });
     return true;
   } catch {
     return false;
@@ -2567,9 +2693,11 @@ var SecurityPlugin = class {
      */
     this.metadata = null;
     this.ql = null;
+    /** ADR-0055: cache the resolved master-detail relation per controlled_by_parent object. */
+    this.cbpRelCache = /* @__PURE__ */ new Map();
     this.logger = {};
     this.bootstrapPermissionSets = options.defaultPermissionSets ?? securityDefaultPermissionSets;
-    this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? "member_default" : options.fallbackPermissionSet;
+    this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? this.bootstrapPermissionSets.find((p) => p.isDefault)?.name ?? "member_default" : options.fallbackPermissionSet;
   }
   async init(ctx) {
     ctx.logger.info("Initializing Security Plugin...");
@@ -2636,6 +2764,7 @@ var SecurityPlugin = class {
     this.metadata = metadata;
     this.ql = ql;
     this.logger = ctx.logger;
+    this.rlsCompiler.setLogger?.(ctx.logger);
     try {
       const orgScoping = ctx.getService("org-scoping");
       this.orgScopingEnabled = !!orgScoping;
@@ -2685,6 +2814,16 @@ var SecurityPlugin = class {
       if (opCtx.context?.isSystem) {
         return next();
       }
+      const formGrant = opCtx.context?.publicFormGrant;
+      if (formGrant && typeof formGrant === "object" && formGrant.object) {
+        const grantObject = formGrant.object;
+        const allowed = opCtx.object === grantObject && ["insert", "find", "findOne", "count"].includes(opCtx.operation);
+        if (allowed) return next();
+        throw new PermissionDeniedError(
+          `[Security] Access denied: public-form grant permits only create/read-back on '${grantObject}', not '${opCtx.operation}' on '${opCtx.object}'`,
+          { operation: opCtx.operation, object: opCtx.object }
+        );
+      }
       const roles = opCtx.context?.roles ?? [];
       const explicitPermissionSets = opCtx.context?.permissions ?? [];
       if (roles.length === 0 && explicitPermissionSets.length === 0 && !opCtx.context?.userId) {
@@ -2749,6 +2888,15 @@ var SecurityPlugin = class {
           }
         }
       }
+      if ((opCtx.operation === "insert" || opCtx.operation === "update" || opCtx.operation === "delete") && permissionSets.length > 0 && !!opCtx.context?.userId && this.ql) {
+        await this.assertControlledByParentWrite(
+          permissionSets,
+          opCtx.object,
+          opCtx.operation,
+          opCtx,
+          opCtx.context
+        );
+      }
       if ((opCtx.operation === "insert" || opCtx.operation === "update") && opCtx.data && permissionSets.length > 0) {
         const fieldPerms = this.permissionEvaluator.getFieldPermissions(
           opCtx.object,
@@ -2783,18 +2931,22 @@ var SecurityPlugin = class {
         }
       }
       if (opCtx.ast) {
+        const extra = [];
         const rlsFilter = await this.computeRlsFilter(
           permissionSets,
           opCtx.object,
           opCtx.operation,
           opCtx.context
         );
-        if (rlsFilter) {
-          if (opCtx.ast.where) {
-            opCtx.ast.where = { $and: [opCtx.ast.where, rlsFilter] };
-          } else {
-            opCtx.ast.where = rlsFilter;
-          }
+        if (rlsFilter) extra.push(rlsFilter);
+        const cbpFilter = await this.computeControlledByParentFilter(
+          permissionSets,
+          opCtx.object,
+          opCtx.context
+        );
+        if (cbpFilter) extra.push(cbpFilter);
+        if (extra.length) {
+          opCtx.ast.where = opCtx.ast.where ? { $and: [opCtx.ast.where, ...extra] } : extra.length === 1 ? extra[0] : { $and: extra };
         }
       }
       await next();
@@ -2990,6 +3142,122 @@ var SecurityPlugin = class {
     }
     return rlsFilter;
   }
+  /**
+   * Resolve a controlled_by_parent object's master-detail relation (the FK field
+   * key + the master object name), or null. Prefers a required `master_detail`
+   * field; falls back to any `master_detail`, then a required `lookup`. Cached.
+   */
+  resolveCbpRelation(object) {
+    if (this.cbpRelCache.has(object)) return this.cbpRelCache.get(object) ?? null;
+    let rel = null;
+    const schema = typeof this.ql?.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const fields = schema?.fields;
+    const entries = Array.isArray(fields) ? fields.map((f) => [f?.name, f]) : fields && typeof fields === "object" ? Object.entries(fields) : [];
+    const ref = (f) => f?.reference ?? f?.reference_to ?? f?.referenceTo;
+    const pick = (pred) => entries.find(([, f]) => pred(f) && ref(f));
+    const found = pick((f) => f?.type === "master_detail" && f?.required) ?? pick((f) => f?.type === "master_detail") ?? pick((f) => f?.type === "lookup" && f?.required);
+    if (found) rel = { fk: String(found[0]), master: String(ref(found[1])) };
+    this.cbpRelCache.set(object, rel);
+    return rel;
+  }
+  /**
+   * ADR-0055 — master-detail "controlled by parent" READ derivation.
+   *
+   * For an object whose `sharingModel` is `controlled_by_parent`, access is
+   * derived from the master: return a filter `masterFK IN (<master ids this user
+   * can read>)`. The id set is resolved by running the MASTER's own read RLS
+   * (reused via `computeRlsFilter`) under a system context — no middleware
+   * re-entry, so no recursion. An empty set yields `{ masterFK: { $in: [] } }`,
+   * which matches no rows (fail closed). A misconfigured object (no
+   * master_detail/lookup to derive from) denies all reads (defense-in-depth;
+   * spec validation should prevent authoring it). Returns null when the object is
+   * not controlled_by_parent.
+   *
+   * v1 scope (ADR-0055): single level — the master's OWN controlled_by_parent is
+   * not traversed transitively; master accessibility is the master's RLS filter
+   * (sharing-service grants on the master are not folded in).
+   */
+  async computeControlledByParentFilter(permissionSets, object, context) {
+    if (!this.ql || !context?.userId) return null;
+    const schema = typeof this.ql.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const sharingModel = schema?.sharingModel ?? schema?.security?.sharingModel;
+    if (sharingModel !== "controlled_by_parent") return null;
+    const rel = this.resolveCbpRelation(object);
+    if (!rel) return { ...RLS_DENY_FILTER };
+    const masterFilter = await this.computeRlsFilter(permissionSets, rel.master, "find", context);
+    let masterIds = [];
+    try {
+      const rows = await this.ql.find(rel.master, {
+        where: masterFilter ?? {},
+        fields: ["id"],
+        context: { isSystem: true }
+      });
+      masterIds = (Array.isArray(rows) ? rows : []).map((r) => r?.id).filter((id) => id != null);
+    } catch {
+      masterIds = [];
+    }
+    return { [rel.fk]: { $in: masterIds } };
+  }
+  /**
+   * ADR-0055 — master-detail "controlled by parent" WRITE enforcement.
+   *
+   * A by-id write (insert/update/delete) to a controlled_by_parent detail
+   * requires EDIT access to its master: the caller must hold CRUD `update` on the
+   * master object AND the master row must be visible under the master's write RLS.
+   * This is the write-side companion to the read derivation — the RLS read filter
+   * never applies to a by-id write (the #1994 class), so without this a member
+   * could mutate a detail under a master they cannot edit. Throws on denial;
+   * no-op when the object is not controlled_by_parent.
+   *
+   * v1 scope: single-id writes. Bulk writes flow through the AST and are already
+   * scoped by the controlled-by-parent READ filter (to readable masters).
+   */
+  async assertControlledByParentWrite(permissionSets, object, operation, opCtx, context) {
+    const schema = typeof this.ql?.getSchema === "function" ? this.ql.getSchema(object) : null;
+    const sharingModel = schema?.sharingModel ?? schema?.security?.sharingModel;
+    if (sharingModel !== "controlled_by_parent") return;
+    const deny = (reason, recordId) => {
+      throw new PermissionDeniedError(
+        `[Security] Access denied: ${operation} on '${object}' requires edit access to its master record (${reason})`,
+        { operation, object, recordId }
+      );
+    };
+    const rel = this.resolveCbpRelation(object);
+    if (!rel) deny("controlled_by_parent declared but no master_detail relation");
+    let masterId;
+    if (operation === "insert") {
+      const data = opCtx.data;
+      masterId = data && typeof data === "object" && !Array.isArray(data) ? data[rel.fk] : void 0;
+    } else {
+      const targetId = this.extractSingleId(opCtx);
+      if (targetId == null) return;
+      let row = null;
+      try {
+        row = await this.ql.findOne(object, { where: { id: targetId }, context: { isSystem: true } });
+      } catch {
+        row = null;
+      }
+      if (!row) deny("target record not found", targetId);
+      masterId = row[rel.fk];
+    }
+    if (masterId == null) deny("detail record has no master reference");
+    if (!this.permissionEvaluator.checkObjectPermission("update", rel.master, permissionSets)) {
+      deny(`no edit permission on master '${rel.master}'`, masterId);
+    }
+    const masterWriteFilter = await this.computeRlsFilter(permissionSets, rel.master, "update", context);
+    if (masterWriteFilter) {
+      let visible = null;
+      try {
+        visible = await this.ql.findOne(rel.master, {
+          where: { $and: [{ id: masterId }, masterWriteFilter] },
+          context
+        });
+      } catch {
+        visible = null;
+      }
+      if (!visible) deny(`master '${rel.master}' not editable by this user (row-level security)`, masterId);
+    }
+  }
   /**
    * Collect all RLS policies from permission sets applicable to the given object/operation.
    */
@@ -3060,6 +3328,20 @@ var SecurityPlugin = class {
     return m ? m[1] : null;
   }
 };
+
+// src/app-default-profile.ts
+function appDefaultProfileName(permissions) {
+  if (!Array.isArray(permissions)) return void 0;
+  for (const p of permissions) {
+    if (p && typeof p === "object") {
+      const ps = p;
+      if (ps.isDefault === true && ps.isProfile !== false && typeof ps.name === "string" && ps.name.length > 0) {
+        return ps.name;
+      }
+    }
+  }
+  return void 0;
+}
 export {
   FieldMasker,
   PermissionDeniedError,
@@ -3069,7 +3351,10 @@ export {
   SECURITY_PLUGIN_ID,
   SECURITY_PLUGIN_VERSION,
   SecurityPlugin,
+  appDefaultProfileName,
   backfillOrgAdminGrants,
+  bootstrapPlatformAdmin,
+  claimSeedOwnership,
   isPermissionDeniedError,
   reconcileOrgAdminGrant,
   securityDefaultPermissionSets,