npm - @zenstackhq/plugin-policy - Versions diffs - 3.1.0 → 3.2.0 - Mend

@zenstackhq/plugin-policy 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.cjs CHANGED Viewed

@@ -927,6 +927,7 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
   get kysely() {
     return this.client.$qb;
   }
+  // #region main entry point
   async handle(node, proceed) {
     if (!this.isCrudQueryNode(node)) {
       throw createRejectedByPolicyError(void 0, import_orm4.RejectedByPolicyReason.OTHER, "non-CRUD queries are not allowed");
@@ -937,19 +938,10 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
     const { mutationModel } = this.getMutationModel(node);
     this.tryRejectNonexistentModel(mutationModel);
     if (import_kysely3.InsertQueryNode.is(node)) {
-      const isManyToManyJoinTable = this.isManyToManyJoinTable(mutationModel);
-      let needCheckPreCreate = true;
-      if (!isManyToManyJoinTable) {
-        const constCondition = this.tryGetConstantPolicy(mutationModel, "create");
-        if (constCondition === true) {
-          needCheckPreCreate = false;
-        } else if (constCondition === false) {
-          throw createRejectedByPolicyError(mutationModel, import_orm4.RejectedByPolicyReason.NO_ACCESS);
-        }
-      }
-      if (needCheckPreCreate) {
-        await this.enforcePreCreatePolicy(node, mutationModel, isManyToManyJoinTable, proceed);
-      }
+      await this.preCreateCheck(mutationModel, node, proceed);
+    }
+    if (import_kysely3.UpdateQueryNode.is(node)) {
+      await this.preUpdateCheck(mutationModel, node, proceed);
     }
     const hasPostUpdatePolicies = import_kysely3.UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
     let beforeUpdateInfo;
@@ -1008,94 +1000,85 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       return readBackResult;
     }
   }
-  // correction to kysely mutation result may be needed because we might have added
-  // returning clause to the query and caused changes to the result shape
-  postProcessMutationResult(result, node) {
-    if (node.returning) {
-      return result;
-    } else {
-      return {
-        ...result,
-        rows: [],
-        numAffectedRows: result.numAffectedRows ?? BigInt(result.rows.length)
-      };
+  async preCreateCheck(mutationModel, node, proceed) {
+    const isManyToManyJoinTable = this.isManyToManyJoinTable(mutationModel);
+    let needCheckPreCreate = true;
+    if (!isManyToManyJoinTable) {
+      const constCondition = this.tryGetConstantPolicy(mutationModel, "create");
+      if (constCondition === true) {
+        needCheckPreCreate = false;
+      } else if (constCondition === false) {
+        throw createRejectedByPolicyError(mutationModel, import_orm4.RejectedByPolicyReason.NO_ACCESS);
+      }
     }
-  }
-  hasPostUpdatePolicies(model) {
-    const policies = this.getModelPolicies(model, "post-update");
-    return policies.length > 0;
-  }
-  async loadBeforeUpdateEntities(model, where, proceed) {
-    const beforeUpdateAccessFields = this.getFieldsAccessForBeforeUpdatePolicies(model);
-    if (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0) {
-      return void 0;
+    if (needCheckPreCreate) {
+      await this.enforcePreCreatePolicy(node, mutationModel, isManyToManyJoinTable, proceed);
     }
-    const policyFilter = this.buildPolicyFilter(model, model, "update");
-    const combinedFilter = where ? conjunction(this.dialect, [
-      where.where,
-      policyFilter
-    ]) : policyFilter;
-    const query = {
-      kind: "SelectQueryNode",
-      from: import_kysely3.FromNode.create([
-        import_kysely3.TableNode.create(model)
-      ]),
-      where: import_kysely3.WhereNode.create(combinedFilter),
-      selections: [
-        ...beforeUpdateAccessFields.map((f) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(f)))
-      ]
-    };
-    const result = await proceed(query);
-    return {
-      fields: beforeUpdateAccessFields,
-      rows: result.rows
-    };
   }
-  getFieldsAccessForBeforeUpdatePolicies(model) {
-    const policies = this.getModelPolicies(model, "post-update");
-    if (policies.length === 0) {
-      return void 0;
+  async preUpdateCheck(mutationModel, node, proceed) {
+    const fieldsToUpdate = node.updates?.map((u) => import_kysely3.ColumnNode.is(u.column) ? u.column.column.name : void 0).filter((f) => !!f) ?? [];
+    const fieldUpdatePolicies = fieldsToUpdate.map((f) => this.buildFieldPolicyFilter(mutationModel, f, "update"));
+    const fieldLevelFilter = conjunction(this.dialect, fieldUpdatePolicies);
+    if (isTrueNode(fieldLevelFilter)) {
+      return;
     }
-    const fields = /* @__PURE__ */ new Set();
-    const fieldCollector = new class extends import_orm4.SchemaUtils.ExpressionVisitor {
-      visitMember(e) {
-        if (isBeforeInvocation(e.receiver)) {
-          (0, import_common_helpers3.invariant)(e.members.length === 1, "before() can only be followed by a scalar field access");
-          fields.add(e.members[0]);
-        }
-        super.visitMember(e);
-      }
-    }();
-    for (const policy of policies) {
-      fieldCollector.visit(policy.condition);
-    }
-    if (fields.size === 0) {
-      return void 0;
+    const modelLevelFilter = this.buildPolicyFilter(mutationModel, void 0, "update");
+    const updateFilter = conjunction(this.dialect, [
+      modelLevelFilter,
+      node.where?.where ?? trueNode(this.dialect)
+    ]);
+    const preUpdateCheckQuery = (0, import_kysely3.expressionBuilder)().selectFrom(mutationModel).select((eb) => eb.fn.coalesce(eb.fn.sum(eb.cast(new import_kysely3.ExpressionWrapper(logicalNot(this.dialect, fieldLevelFilter)), "integer")), eb.lit(0)).as("$filteredCount")).where(() => new import_kysely3.ExpressionWrapper(updateFilter));
+    const preUpdateResult = await proceed(preUpdateCheckQuery.toOperationNode());
+    if (preUpdateResult.rows[0].$filteredCount > 0) {
+      throw createRejectedByPolicyError(mutationModel, import_orm4.RejectedByPolicyReason.NO_ACCESS, "some rows cannot be updated due to field policies");
     }
-    import_orm4.QueryUtils.requireIdFields(this.client.$schema, model).forEach((f) => fields.add(f));
-    return Array.from(fields).sort();
   }
-  // #region overrides
+  // #endregion
+  // #region Transformations
   transformSelectQuery(node) {
     if (!node.from) {
       return super.transformSelectQuery(node);
     }
-    let whereNode = this.transformNode(node.where);
-    const policyFilter = this.createPolicyFilterForFrom(node.from);
-    if (policyFilter) {
-      whereNode = import_kysely3.WhereNode.create(whereNode?.where ? conjunction(this.dialect, [
-        whereNode.where,
-        policyFilter
-      ]) : policyFilter);
-    }
-    const baseResult = super.transformSelectQuery({
-      ...node,
-      where: void 0
+    this.tryRejectNonexistingTables(node.from.froms);
+    let result = super.transformSelectQuery(node);
+    const hasFieldLevelPolicies = node.from.froms.some((table) => {
+      const extractedTable = this.extractTableName(table);
+      if (extractedTable) {
+        return this.hasFieldLevelPolicies(extractedTable.model, "read");
+      } else {
+        return false;
+      }
     });
-    return {
-      ...baseResult,
-      where: whereNode
-    };
+    if (hasFieldLevelPolicies) {
+      const updatedFroms = [];
+      for (const table of result.from.froms) {
+        const extractedTable = this.extractTableName(table);
+        if (extractedTable?.model && import_orm4.QueryUtils.getModel(this.client.$schema, extractedTable.model)) {
+          const { query } = this.createSelectAllFieldsWithPolicies(extractedTable.model, extractedTable.alias, "read");
+          updatedFroms.push(query);
+        } else {
+          updatedFroms.push(table);
+        }
+      }
+      result = {
+        ...result,
+        from: import_kysely3.FromNode.create(updatedFroms)
+      };
+    } else {
+      let whereNode = result.where;
+      const policyFilter = this.createPolicyFilterForFrom(result.from);
+      if (policyFilter && !isTrueNode(policyFilter)) {
+        whereNode = import_kysely3.WhereNode.create(whereNode?.where ? conjunction(this.dialect, [
+          whereNode.where,
+          policyFilter
+        ]) : policyFilter);
+      }
+      result = {
+        ...result,
+        where: whereNode
+      };
+    }
+    return result;
   }
   transformJoin(node) {
     const table = this.extractTableName(node.table);
@@ -1103,20 +1086,17 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       return super.transformJoin(node);
     }
     this.tryRejectNonexistentModel(table.model);
-    const filter = this.buildPolicyFilter(table.model, table.alias, "read");
-    const nestedSelect = {
-      kind: "SelectQueryNode",
-      from: import_kysely3.FromNode.create([
-        node.table
-      ]),
-      selections: [
-        import_kysely3.SelectionNode.createSelectAll()
-      ],
-      where: import_kysely3.WhereNode.create(filter)
-    };
+    if (!import_orm4.QueryUtils.getModel(this.client.$schema, table.model)) {
+      return super.transformJoin(node);
+    }
+    const result = super.transformJoin(node);
+    const { hasPolicies, query: nestedQuery } = this.createSelectAllFieldsWithPolicies(table.model, table.alias, "read");
+    if (!hasPolicies) {
+      return result;
+    }
     return {
-      ...node,
-      table: import_kysely3.AliasNode.create(import_kysely3.ParensNode.create(nestedSelect), import_kysely3.IdentifierNode.create(table.alias ?? table.model))
+      ...result,
+      table: nestedQuery
     };
   }
   transformInsertQuery(node) {
@@ -1160,6 +1140,7 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
     const { mutationModel, alias } = this.getMutationModel(node);
     let filter = this.buildPolicyFilter(mutationModel, alias, "update");
     if (node.from) {
+      this.tryRejectNonexistingTables(node.from.froms);
       const joinFilter = this.createPolicyFilterForFrom(node.from);
       if (joinFilter) {
         filter = conjunction(this.dialect, [
@@ -1187,6 +1168,7 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
     const { mutationModel, alias } = this.getMutationModel(node);
     let filter = this.buildPolicyFilter(mutationModel, alias, "delete");
     if (node.using) {
+      this.tryRejectNonexistingTables(node.using.tables);
       const joinFilter = this.createPolicyFilterForTables(node.using.tables);
       if (joinFilter) {
         filter = conjunction(this.dialect, [
@@ -1204,6 +1186,139 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
     };
   }
   // #endregion
+  // #region post-update
+  async loadBeforeUpdateEntities(model, where, proceed) {
+    const beforeUpdateAccessFields = this.getFieldsAccessForBeforeUpdatePolicies(model);
+    if (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0) {
+      return void 0;
+    }
+    const policyFilter = this.buildPolicyFilter(model, model, "update");
+    const combinedFilter = where ? conjunction(this.dialect, [
+      where.where,
+      policyFilter
+    ]) : policyFilter;
+    const query = {
+      kind: "SelectQueryNode",
+      from: import_kysely3.FromNode.create([
+        import_kysely3.TableNode.create(model)
+      ]),
+      where: import_kysely3.WhereNode.create(combinedFilter),
+      selections: [
+        ...beforeUpdateAccessFields.map((f) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(f)))
+      ]
+    };
+    const result = await proceed(query);
+    return {
+      fields: beforeUpdateAccessFields,
+      rows: result.rows
+    };
+  }
+  getFieldsAccessForBeforeUpdatePolicies(model) {
+    const policies = this.getModelPolicies(model, "post-update");
+    if (policies.length === 0) {
+      return void 0;
+    }
+    const fields = /* @__PURE__ */ new Set();
+    const fieldCollector = new class extends import_orm4.SchemaUtils.ExpressionVisitor {
+      visitMember(e) {
+        if (isBeforeInvocation(e.receiver)) {
+          (0, import_common_helpers3.invariant)(e.members.length === 1, "before() can only be followed by a scalar field access");
+          fields.add(e.members[0]);
+        }
+        super.visitMember(e);
+      }
+    }();
+    for (const policy of policies) {
+      fieldCollector.visit(policy.condition);
+    }
+    if (fields.size === 0) {
+      return void 0;
+    }
+    import_orm4.QueryUtils.requireIdFields(this.client.$schema, model).forEach((f) => fields.add(f));
+    return Array.from(fields).sort();
+  }
+  hasPostUpdatePolicies(model) {
+    const policies = this.getModelPolicies(model, "post-update");
+    return policies.length > 0;
+  }
+  // #endregion
+  // #region field-level policies
+  createSelectAllFieldsWithPolicies(model, alias, operation) {
+    let hasPolicies = false;
+    const modelDef = import_orm4.QueryUtils.requireModel(this.client.$schema, model);
+    let selections = [];
+    for (const fieldDef of Object.values(modelDef.fields).filter(
+      // exclude relation/computed/inherited fields
+      (f) => !f.relation && !f.computed && !f.originModel
+    )) {
+      const { hasPolicies: fieldHasPolicies, selection } = this.createFieldSelectionWithPolicy(model, fieldDef.name, operation);
+      hasPolicies = hasPolicies || fieldHasPolicies;
+      selections.push(selection);
+    }
+    if (!hasPolicies) {
+      selections = [
+        import_kysely3.SelectionNode.create(import_kysely3.SelectAllNode.create())
+      ];
+    }
+    const modelPolicyFilter = this.buildPolicyFilter(model, alias, operation);
+    if (!isTrueNode(modelPolicyFilter)) {
+      hasPolicies = true;
+    }
+    const nestedQuery = {
+      kind: "SelectQueryNode",
+      from: import_kysely3.FromNode.create([
+        import_kysely3.TableNode.create(model)
+      ]),
+      where: isTrueNode(modelPolicyFilter) ? void 0 : import_kysely3.WhereNode.create(modelPolicyFilter),
+      selections
+    };
+    return {
+      hasPolicies,
+      query: import_kysely3.AliasNode.create(import_kysely3.ParensNode.create(nestedQuery), import_kysely3.IdentifierNode.create(alias ?? model))
+    };
+  }
+  createFieldSelectionWithPolicy(model, field, operation) {
+    const filter = this.buildFieldPolicyFilter(model, field, operation);
+    if (isTrueNode(filter)) {
+      return {
+        hasPolicies: false,
+        selection: import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(field))
+      };
+    }
+    const eb = (0, import_kysely3.expressionBuilder)();
+    const selection = eb.case().when(new import_kysely3.ExpressionWrapper(filter)).then(eb.ref(field)).else(null).end().as(field).toOperationNode();
+    return {
+      hasPolicies: true,
+      selection: import_kysely3.SelectionNode.create(selection)
+    };
+  }
+  hasFieldLevelPolicies(model, operation) {
+    const modelDef = import_orm4.QueryUtils.getModel(this.client.$schema, model);
+    if (!modelDef) {
+      return false;
+    }
+    return Object.keys(modelDef.fields).some((field) => this.getFieldPolicies(model, field, operation).length > 0);
+  }
+  buildFieldPolicyFilter(model, field, operation) {
+    const policies = this.getFieldPolicies(model, field, operation);
+    const allows = policies.filter((policy) => policy.kind === "allow").map((policy) => this.compilePolicyCondition(model, model, operation, policy));
+    const denies = policies.filter((policy) => policy.kind === "deny").map((policy) => this.compilePolicyCondition(model, model, operation, policy));
+    let combinedPolicy;
+    if (allows.length === 0) {
+      combinedPolicy = trueNode(this.dialect);
+    } else {
+      combinedPolicy = disjunction(this.dialect, allows);
+    }
+    if (denies.length !== 0) {
+      const combinedDenies = conjunction(this.dialect, denies.map((d) => buildIsFalse(d, this.dialect)));
+      combinedPolicy = conjunction(this.dialect, [
+        combinedPolicy,
+        combinedDenies
+      ]);
+    }
+    return combinedPolicy;
+  }
+  // #endregion
   // #region helpers
   onlyReturningId(node) {
     if (!node.returning) {
@@ -1495,7 +1610,6 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       const extractResult = this.extractTableName(table);
       if (extractResult) {
         const { model, alias } = extractResult;
-        this.tryRejectNonexistentModel(model);
         const filter = this.buildPolicyFilter(model, alias, "read");
         return acc ? conjunction(this.dialect, [
           acc,
@@ -1531,6 +1645,23 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
     }
     return result;
   }
+  getFieldPolicies(model, field, operation) {
+    const fieldDef = import_orm4.QueryUtils.requireField(this.client.$schema, model, field);
+    const result = [];
+    const extractOperations = /* @__PURE__ */ __name((expr2) => {
+      (0, import_common_helpers3.invariant)(import_schema4.ExpressionUtils.isLiteral(expr2), "expecting a literal");
+      (0, import_common_helpers3.invariant)(typeof expr2.value === "string", "expecting a string literal");
+      return expr2.value.split(",").filter((v) => !!v).map((v) => v.trim());
+    }, "extractOperations");
+    if (fieldDef.attributes) {
+      result.push(...fieldDef.attributes.filter((attr) => attr.name === "@allow" || attr.name === "@deny").map((attr) => ({
+        kind: attr.name === "@allow" ? "allow" : "deny",
+        operations: extractOperations(attr.args[0].value),
+        condition: attr.args[1].value
+      })).filter((policy) => policy.operations.includes("all") || policy.operations.includes(operation)));
+    }
+    return result;
+  }
   resolveManyToManyJoinTable(tableName) {
     for (const model of Object.values(this.client.$schema.models)) {
       for (const field of Object.values(model.fields)) {
@@ -1588,6 +1719,27 @@ var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
       throw createRejectedByPolicyError(model, import_orm4.RejectedByPolicyReason.NO_ACCESS);
     }
   }
+  tryRejectNonexistingTables(tables) {
+    for (const table of tables) {
+      const extractResult = this.extractTableName(table);
+      if (extractResult) {
+        this.tryRejectNonexistentModel(extractResult.model);
+      }
+    }
+  }
+  // correction to kysely mutation result may be needed because we might have added
+  // returning clause to the query and caused changes to the result shape
+  postProcessMutationResult(result, node) {
+    if (node.returning) {
+      return result;
+    } else {
+      return {
+        ...result,
+        rows: [],
+        numAffectedRows: result.numAffectedRows ?? BigInt(result.rows.length)
+      };
+    }
+  }
 };
 // src/functions.ts