@zenstackhq/runtime 0.6.0-pre.2 → 1.0.0-alpha.100
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/constants.d.ts +4 -0
- package/constants.js +8 -0
- package/constants.js.map +1 -0
- package/enhancements/index.d.ts +4 -0
- package/enhancements/index.js +21 -0
- package/enhancements/index.js.map +1 -0
- package/enhancements/model-meta.d.ts +9 -0
- package/enhancements/model-meta.js +25 -0
- package/enhancements/model-meta.js.map +1 -0
- package/enhancements/nested-write-vistor.d.ts +70 -0
- package/enhancements/nested-write-vistor.js +173 -0
- package/enhancements/nested-write-vistor.js.map +1 -0
- package/enhancements/omit.d.ts +5 -0
- package/enhancements/omit.js +60 -0
- package/enhancements/omit.js.map +1 -0
- package/enhancements/password.d.ts +5 -0
- package/enhancements/password.js +66 -0
- package/enhancements/password.js.map +1 -0
- package/enhancements/policy/handler.d.ts +36 -0
- package/enhancements/policy/handler.js +281 -0
- package/enhancements/policy/handler.js.map +1 -0
- package/enhancements/policy/index.d.ts +17 -0
- package/enhancements/policy/index.js +31 -0
- package/enhancements/policy/index.js.map +1 -0
- package/{lib/proxy → enhancements/policy}/logger.d.ts +3 -0
- package/{lib/proxy → enhancements/policy}/logger.js +4 -0
- package/enhancements/policy/logger.js.map +1 -0
- package/enhancements/policy/policy-utils.d.ts +94 -0
- package/enhancements/policy/policy-utils.js +755 -0
- package/enhancements/policy/policy-utils.js.map +1 -0
- package/enhancements/preset.d.ts +16 -0
- package/enhancements/preset.js +24 -0
- package/enhancements/preset.js.map +1 -0
- package/enhancements/proxy.d.ts +75 -0
- package/enhancements/proxy.js +196 -0
- package/enhancements/proxy.js.map +1 -0
- package/enhancements/types.d.ts +33 -0
- package/{lib/config.js → enhancements/types.js} +1 -1
- package/enhancements/types.js.map +1 -0
- package/enhancements/utils.d.ts +17 -0
- package/enhancements/utils.js +59 -0
- package/enhancements/utils.js.map +1 -0
- package/error.d.ts +11 -0
- package/error.js +17 -0
- package/error.js.map +1 -0
- package/index.d.ts +5 -0
- package/{lib/index.js → index.js} +3 -4
- package/index.js.map +1 -0
- package/package.json +8 -8
- package/serialization-utils.js.map +1 -0
- package/types.d.ts +101 -0
- package/types.js +16 -0
- package/types.js.map +1 -0
- package/{lib/validation.d.ts → validation.d.ts} +7 -0
- package/{lib/validation.js → validation.js} +15 -1
- package/validation.js.map +1 -0
- package/version.js +19 -0
- package/version.js.map +1 -0
- package/zod.d.ts +10 -0
- package/zod.js +17 -0
- package/zod.js.map +1 -0
- package/client/index.d.ts +0 -3
- package/client/index.js +0 -11
- package/lib/config.d.ts +0 -14
- package/lib/config.js.map +0 -1
- package/lib/constants.d.ts +0 -12
- package/lib/constants.js +0 -16
- package/lib/constants.js.map +0 -1
- package/lib/handler/data/crud.d.ts +0 -17
- package/lib/handler/data/crud.js +0 -255
- package/lib/handler/data/crud.js.map +0 -1
- package/lib/handler/data/handler.d.ts +0 -20
- package/lib/handler/data/handler.js +0 -150
- package/lib/handler/data/handler.js.map +0 -1
- package/lib/handler/data/nested-write-vistor.d.ts +0 -31
- package/lib/handler/data/nested-write-vistor.js +0 -67
- package/lib/handler/data/nested-write-vistor.js.map +0 -1
- package/lib/handler/data/policy-utils.d.ts +0 -73
- package/lib/handler/data/policy-utils.js +0 -447
- package/lib/handler/data/policy-utils.js.map +0 -1
- package/lib/handler/index.d.ts +0 -1
- package/lib/handler/index.js +0 -9
- package/lib/handler/index.js.map +0 -1
- package/lib/handler/types.d.ts +0 -28
- package/lib/handler/types.js +0 -36
- package/lib/handler/types.js.map +0 -1
- package/lib/index.d.ts +0 -6
- package/lib/index.js.map +0 -1
- package/lib/policy.d.ts +0 -11
- package/lib/policy.js +0 -10
- package/lib/policy.js.map +0 -1
- package/lib/proxy/handler.d.ts +0 -37
- package/lib/proxy/handler.js +0 -333
- package/lib/proxy/handler.js.map +0 -1
- package/lib/proxy/logger.js.map +0 -1
- package/lib/proxy/nested-write-vistor.d.ts +0 -30
- package/lib/proxy/nested-write-vistor.js +0 -69
- package/lib/proxy/nested-write-vistor.js.map +0 -1
- package/lib/proxy/policy-utils.d.ts +0 -78
- package/lib/proxy/policy-utils.js +0 -508
- package/lib/proxy/policy-utils.js.map +0 -1
- package/lib/request-handler.d.ts +0 -21
- package/lib/request-handler.js +0 -37
- package/lib/request-handler.js.map +0 -1
- package/lib/request.d.ts +0 -37
- package/lib/request.js +0 -164
- package/lib/request.js.map +0 -1
- package/lib/serialization-utils.js.map +0 -1
- package/lib/service.d.ts +0 -32
- package/lib/service.js +0 -184
- package/lib/service.js.map +0 -1
- package/lib/types.d.ts +0 -185
- package/lib/types.js +0 -71
- package/lib/types.js.map +0 -1
- package/lib/validation.js.map +0 -1
- package/lib/version.js +0 -9
- package/lib/version.js.map +0 -1
- package/server/index.d.ts +0 -16
- package/server/index.js +0 -6
- package/types/index.d.ts +0 -1
- package/types/index.js +0 -3
- /package/{lib/serialization-utils.d.ts → serialization-utils.d.ts} +0 -0
- /package/{lib/serialization-utils.js → serialization-utils.js} +0 -0
- /package/{lib/version.d.ts → version.d.ts} +0 -0
|
@@ -0,0 +1,281 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* eslint-disable @typescript-eslint/no-explicit-any */
|
|
3
|
+
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
4
|
+
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
5
|
+
return new (P || (P = Promise))(function (resolve, reject) {
|
|
6
|
+
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
7
|
+
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
8
|
+
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
9
|
+
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
10
|
+
});
|
|
11
|
+
};
|
|
12
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
13
|
+
exports.PolicyProxyHandler = void 0;
|
|
14
|
+
const runtime_1 = require("@prisma/client/runtime");
|
|
15
|
+
const sdk_1 = require("@zenstackhq/sdk");
|
|
16
|
+
const utils_1 = require("../utils");
|
|
17
|
+
const logger_1 = require("./logger");
|
|
18
|
+
const policy_utils_1 = require("./policy-utils");
|
|
19
|
+
/**
|
|
20
|
+
* Prisma proxy handler for injecting access policy check.
|
|
21
|
+
*/
|
|
22
|
+
class PolicyProxyHandler {
|
|
23
|
+
constructor(prisma, policy, modelMeta, model, user) {
|
|
24
|
+
this.prisma = prisma;
|
|
25
|
+
this.policy = policy;
|
|
26
|
+
this.modelMeta = modelMeta;
|
|
27
|
+
this.model = model;
|
|
28
|
+
this.user = user;
|
|
29
|
+
this.logger = new logger_1.Logger(prisma);
|
|
30
|
+
this.utils = new policy_utils_1.PolicyUtil(this.prisma, this.modelMeta, this.policy, this.user);
|
|
31
|
+
}
|
|
32
|
+
get modelClient() {
|
|
33
|
+
return this.prisma[this.model];
|
|
34
|
+
}
|
|
35
|
+
findUnique(args) {
|
|
36
|
+
var _a;
|
|
37
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
38
|
+
if (!args) {
|
|
39
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
40
|
+
}
|
|
41
|
+
if (!args.where) {
|
|
42
|
+
throw new runtime_1.PrismaClientValidationError('where field is required in query argument');
|
|
43
|
+
}
|
|
44
|
+
const entities = yield this.utils.readWithCheck(this.model, args);
|
|
45
|
+
return (_a = entities[0]) !== null && _a !== void 0 ? _a : null;
|
|
46
|
+
});
|
|
47
|
+
}
|
|
48
|
+
findUniqueOrThrow(args) {
|
|
49
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
50
|
+
const entity = yield this.findUnique(args);
|
|
51
|
+
if (!entity) {
|
|
52
|
+
throw this.utils.notFound(this.model);
|
|
53
|
+
}
|
|
54
|
+
return entity;
|
|
55
|
+
});
|
|
56
|
+
}
|
|
57
|
+
findFirst(args) {
|
|
58
|
+
var _a;
|
|
59
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
60
|
+
const entities = yield this.utils.readWithCheck(this.model, args);
|
|
61
|
+
return (_a = entities[0]) !== null && _a !== void 0 ? _a : null;
|
|
62
|
+
});
|
|
63
|
+
}
|
|
64
|
+
findFirstOrThrow(args) {
|
|
65
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
66
|
+
const entity = yield this.findFirst(args);
|
|
67
|
+
if (!entity) {
|
|
68
|
+
throw this.utils.notFound(this.model);
|
|
69
|
+
}
|
|
70
|
+
return entity;
|
|
71
|
+
});
|
|
72
|
+
}
|
|
73
|
+
findMany(args) {
|
|
74
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
75
|
+
return this.utils.readWithCheck(this.model, args);
|
|
76
|
+
});
|
|
77
|
+
}
|
|
78
|
+
create(args) {
|
|
79
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
80
|
+
if (!args) {
|
|
81
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
82
|
+
}
|
|
83
|
+
if (!args.data) {
|
|
84
|
+
throw new runtime_1.PrismaClientValidationError('data field is required in query argument');
|
|
85
|
+
}
|
|
86
|
+
yield this.tryReject('create');
|
|
87
|
+
const origArgs = args;
|
|
88
|
+
args = this.utils.clone(args);
|
|
89
|
+
// use a transaction to wrap the write so it can be reverted if the created
|
|
90
|
+
// entity fails access policies
|
|
91
|
+
const result = yield this.utils.processWrite(this.model, 'create', args, (dbOps, writeArgs) => dbOps.create(writeArgs));
|
|
92
|
+
const ids = this.utils.getEntityIds(this.model, result);
|
|
93
|
+
if (Object.keys(ids).length === 0) {
|
|
94
|
+
throw this.utils.unknownError(`unexpected error: create didn't return an id`);
|
|
95
|
+
}
|
|
96
|
+
return this.checkReadback(origArgs, ids, 'create', 'create');
|
|
97
|
+
});
|
|
98
|
+
}
|
|
99
|
+
createMany(args, skipDuplicates) {
|
|
100
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
101
|
+
if (!args) {
|
|
102
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
103
|
+
}
|
|
104
|
+
if (!args.data) {
|
|
105
|
+
throw new runtime_1.PrismaClientValidationError('data field is required and must be an array');
|
|
106
|
+
}
|
|
107
|
+
yield this.tryReject('create');
|
|
108
|
+
args = this.utils.clone(args);
|
|
109
|
+
// use a transaction to wrap the write so it can be reverted if any created
|
|
110
|
+
// entity fails access policies
|
|
111
|
+
const result = yield this.utils.processWrite(this.model, 'create', args, (dbOps, writeArgs) => dbOps.createMany(writeArgs, skipDuplicates));
|
|
112
|
+
return result;
|
|
113
|
+
});
|
|
114
|
+
}
|
|
115
|
+
update(args) {
|
|
116
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
117
|
+
if (!args) {
|
|
118
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
119
|
+
}
|
|
120
|
+
if (!args.where) {
|
|
121
|
+
throw new runtime_1.PrismaClientValidationError('where field is required in query argument');
|
|
122
|
+
}
|
|
123
|
+
if (!args.data) {
|
|
124
|
+
throw new runtime_1.PrismaClientValidationError('data field is required in query argument');
|
|
125
|
+
}
|
|
126
|
+
yield this.tryReject('update');
|
|
127
|
+
const origArgs = args;
|
|
128
|
+
args = this.utils.clone(args);
|
|
129
|
+
// use a transaction to wrap the write so it can be reverted if any nested
|
|
130
|
+
// create fails access policies
|
|
131
|
+
const result = yield this.utils.processWrite(this.model, 'update', args, (dbOps, writeArgs) => dbOps.update(writeArgs));
|
|
132
|
+
const ids = this.utils.getEntityIds(this.model, result);
|
|
133
|
+
if (Object.keys(ids).length === 0) {
|
|
134
|
+
throw this.utils.unknownError(`unexpected error: update didn't return an id`);
|
|
135
|
+
}
|
|
136
|
+
return this.checkReadback(origArgs, ids, 'update', 'update');
|
|
137
|
+
});
|
|
138
|
+
}
|
|
139
|
+
updateMany(args) {
|
|
140
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
141
|
+
if (!args) {
|
|
142
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
143
|
+
}
|
|
144
|
+
if (!args.data) {
|
|
145
|
+
throw new runtime_1.PrismaClientValidationError('data field is required in query argument');
|
|
146
|
+
}
|
|
147
|
+
yield this.tryReject('update');
|
|
148
|
+
args = this.utils.clone(args);
|
|
149
|
+
// use a transaction to wrap the write so it can be reverted if any nested
|
|
150
|
+
// create fails access policies
|
|
151
|
+
const result = yield this.utils.processWrite(this.model, 'updateMany', args, (dbOps, writeArgs) => dbOps.updateMany(writeArgs));
|
|
152
|
+
return result;
|
|
153
|
+
});
|
|
154
|
+
}
|
|
155
|
+
upsert(args) {
|
|
156
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
157
|
+
if (!args) {
|
|
158
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
159
|
+
}
|
|
160
|
+
if (!args.where) {
|
|
161
|
+
throw new runtime_1.PrismaClientValidationError('where field is required in query argument');
|
|
162
|
+
}
|
|
163
|
+
if (!args.create) {
|
|
164
|
+
throw new runtime_1.PrismaClientValidationError('create field is required in query argument');
|
|
165
|
+
}
|
|
166
|
+
if (!args.update) {
|
|
167
|
+
throw new runtime_1.PrismaClientValidationError('update field is required in query argument');
|
|
168
|
+
}
|
|
169
|
+
const origArgs = args;
|
|
170
|
+
args = this.utils.clone(args);
|
|
171
|
+
yield this.tryReject('create');
|
|
172
|
+
yield this.tryReject('update');
|
|
173
|
+
// use a transaction to wrap the write so it can be reverted if any nested
|
|
174
|
+
// create fails access policies
|
|
175
|
+
const result = yield this.utils.processWrite(this.model, 'upsert', args, (dbOps, writeArgs) => dbOps.upsert(writeArgs));
|
|
176
|
+
const ids = this.utils.getEntityIds(this.model, result);
|
|
177
|
+
if (Object.keys(ids).length === 0) {
|
|
178
|
+
throw this.utils.unknownError(`unexpected error: upsert didn't return an id`);
|
|
179
|
+
}
|
|
180
|
+
return this.checkReadback(origArgs, ids, 'upsert', 'update');
|
|
181
|
+
});
|
|
182
|
+
}
|
|
183
|
+
delete(args) {
|
|
184
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
185
|
+
if (!args) {
|
|
186
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
187
|
+
}
|
|
188
|
+
if (!args.where) {
|
|
189
|
+
throw new runtime_1.PrismaClientValidationError('where field is required in query argument');
|
|
190
|
+
}
|
|
191
|
+
yield this.tryReject('delete');
|
|
192
|
+
// ensures the item under deletion passes policy check
|
|
193
|
+
yield this.utils.checkPolicyForFilter(this.model, args.where, 'delete', this.prisma);
|
|
194
|
+
// read the entity under deletion with respect to read policies
|
|
195
|
+
let readResult;
|
|
196
|
+
try {
|
|
197
|
+
const items = yield this.utils.readWithCheck(this.model, args);
|
|
198
|
+
readResult = items[0];
|
|
199
|
+
}
|
|
200
|
+
catch (err) {
|
|
201
|
+
// not readable
|
|
202
|
+
readResult = undefined;
|
|
203
|
+
}
|
|
204
|
+
// conduct the deletion
|
|
205
|
+
this.logger.info(`Conducting delete ${this.model}:\n${(0, utils_1.formatObject)(args)}`);
|
|
206
|
+
yield this.modelClient.delete(args);
|
|
207
|
+
if (!readResult) {
|
|
208
|
+
throw this.utils.deniedByPolicy(this.model, 'delete', 'result is not allowed to be read back', sdk_1.CrudFailureReason.RESULT_NOT_READABLE);
|
|
209
|
+
}
|
|
210
|
+
else {
|
|
211
|
+
return readResult;
|
|
212
|
+
}
|
|
213
|
+
});
|
|
214
|
+
}
|
|
215
|
+
deleteMany(args) {
|
|
216
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
217
|
+
yield this.tryReject('delete');
|
|
218
|
+
// inject policy conditions
|
|
219
|
+
args = args !== null && args !== void 0 ? args : {};
|
|
220
|
+
yield this.utils.injectAuthGuard(args, this.model, 'delete');
|
|
221
|
+
// conduct the deletion
|
|
222
|
+
this.logger.info(`Conducting deleteMany ${this.model}:\n${(0, utils_1.formatObject)(args)}`);
|
|
223
|
+
return this.modelClient.deleteMany(args);
|
|
224
|
+
});
|
|
225
|
+
}
|
|
226
|
+
aggregate(args) {
|
|
227
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
228
|
+
if (!args) {
|
|
229
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
230
|
+
}
|
|
231
|
+
yield this.tryReject('read');
|
|
232
|
+
// inject policy conditions
|
|
233
|
+
yield this.utils.injectAuthGuard(args, this.model, 'read');
|
|
234
|
+
return this.modelClient.aggregate(args);
|
|
235
|
+
});
|
|
236
|
+
}
|
|
237
|
+
groupBy(args) {
|
|
238
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
239
|
+
if (!args) {
|
|
240
|
+
throw new runtime_1.PrismaClientValidationError('query argument is required');
|
|
241
|
+
}
|
|
242
|
+
yield this.tryReject('read');
|
|
243
|
+
// inject policy conditions
|
|
244
|
+
yield this.utils.injectAuthGuard(args, this.model, 'read');
|
|
245
|
+
return this.modelClient.groupBy(args);
|
|
246
|
+
});
|
|
247
|
+
}
|
|
248
|
+
count(args) {
|
|
249
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
250
|
+
yield this.tryReject('read');
|
|
251
|
+
// inject policy conditions
|
|
252
|
+
args = args !== null && args !== void 0 ? args : {};
|
|
253
|
+
yield this.utils.injectAuthGuard(args, this.model, 'read');
|
|
254
|
+
return this.modelClient.count(args);
|
|
255
|
+
});
|
|
256
|
+
}
|
|
257
|
+
tryReject(operation) {
|
|
258
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
259
|
+
const guard = yield this.utils.getAuthGuard(this.model, operation);
|
|
260
|
+
if (guard === false) {
|
|
261
|
+
throw this.utils.deniedByPolicy(this.model, operation);
|
|
262
|
+
}
|
|
263
|
+
});
|
|
264
|
+
}
|
|
265
|
+
checkReadback(origArgs, ids, action, operation) {
|
|
266
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
267
|
+
const readArgs = { select: origArgs.select, include: origArgs.include, where: ids };
|
|
268
|
+
const result = yield this.utils.readWithCheck(this.model, readArgs);
|
|
269
|
+
if (result.length === 0) {
|
|
270
|
+
this.logger.warn(`${action} result cannot be read back`);
|
|
271
|
+
throw this.utils.deniedByPolicy(this.model, operation, 'result is not allowed to be read back', sdk_1.CrudFailureReason.RESULT_NOT_READABLE);
|
|
272
|
+
}
|
|
273
|
+
else if (result.length > 1) {
|
|
274
|
+
throw this.utils.unknownError('write unexpected resulted in multiple readback entities');
|
|
275
|
+
}
|
|
276
|
+
return result[0];
|
|
277
|
+
});
|
|
278
|
+
}
|
|
279
|
+
}
|
|
280
|
+
exports.PolicyProxyHandler = PolicyProxyHandler;
|
|
281
|
+
//# sourceMappingURL=handler.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/enhancements/policy/handler.ts"],"names":[],"mappings":";AAAA,uDAAuD;;;;;;;;;;;;AAEvD,oDAAqE;AACrE,yCAAoD;AAIpD,oCAAwC;AACxC,qCAAkC;AAClC,iDAA4C;AAE5C;;GAEG;AACH,MAAa,kBAAkB;IAI3B,YACqB,MAAgB,EAChB,MAAiB,EACjB,SAAoB,EACpB,KAAa,EACb,IAAe;QAJf,WAAM,GAAN,MAAM,CAAU;QAChB,WAAM,GAAN,MAAM,CAAW;QACjB,cAAS,GAAT,SAAS,CAAW;QACpB,UAAK,GAAL,KAAK,CAAQ;QACb,SAAI,GAAJ,IAAI,CAAW;QAEhC,IAAI,CAAC,MAAM,GAAG,IAAI,eAAM,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK,GAAG,IAAI,yBAAU,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACrF,CAAC;IAED,IAAY,WAAW;QACnB,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAEK,UAAU,CAAC,IAAS;;;YACtB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;gBACb,MAAM,IAAI,qCAA2B,CAAC,2CAA2C,CAAC,CAAC;aACtF;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAClE,OAAO,MAAA,QAAQ,CAAC,CAAC,CAAC,mCAAI,IAAI,CAAC;;KAC9B;IAEK,iBAAiB,CAAC,IAAS;;YAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YAC3C,IAAI,CAAC,MAAM,EAAE;gBACT,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;aACzC;YACD,OAAO,MAAM,CAAC;QAClB,CAAC;KAAA;IAEK,SAAS,CAAC,IAAS;;;YACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAClE,OAAO,MAAA,QAAQ,CAAC,CAAC,CAAC,mCAAI,IAAI,CAAC;;KAC9B;IAEK,gBAAgB,CAAC,IAAS;;YAC5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAC1C,IAAI,CAAC,MAAM,EAAE;gBACT,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;aACzC;YACD,OAAO,MAAM,CAAC;QAClB,CAAC;KAAA;IAEK,QAAQ,CAAC,IAAS;;YACpB,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACtD,CAAC;KAAA;IAEK,MAAM,CAAC,IAAS;;YAClB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBACZ,MAAM,IAAI,qCAA2B,CAAC,0CAA0C,CAAC,CAAC;aACrF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC;YACtB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,2EAA2E;YAC3E,+BAA+B;YAC/B,MAAM,MAAM,GAAQ,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC/F,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAC1B,CAAC;YAEF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACxD,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;gBAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,8CAA8C,CAAC,CAAC;aACjF;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACjE,CAAC;KAAA;IAEK,UAAU,CAAC,IAAS,EAAE,cAAwB;;YAChD,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBACZ,MAAM,IAAI,qCAA2B,CAAC,6CAA6C,CAAC,CAAC;aACxF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,2EAA2E;YAC3E,+BAA+B;YAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC1F,KAAK,CAAC,UAAU,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9C,CAAC;YAEF,OAAO,MAAqB,CAAC;QACjC,CAAC;KAAA;IAEK,MAAM,CAAC,IAAS;;YAClB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;gBACb,MAAM,IAAI,qCAA2B,CAAC,2CAA2C,CAAC,CAAC;aACtF;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBACZ,MAAM,IAAI,qCAA2B,CAAC,0CAA0C,CAAC,CAAC;aACrF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC;YACtB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,0EAA0E;YAC1E,+BAA+B;YAC/B,MAAM,MAAM,GAAQ,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC/F,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAC1B,CAAC;YAEF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACxD,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;gBAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,8CAA8C,CAAC,CAAC;aACjF;YACD,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACjE,CAAC;KAAA;IAEK,UAAU,CAAC,IAAS;;YACtB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBACZ,MAAM,IAAI,qCAA2B,CAAC,0CAA0C,CAAC,CAAC;aACrF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,0EAA0E;YAC1E,+BAA+B;YAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC9F,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,CAC9B,CAAC;YAEF,OAAO,MAAqB,CAAC;QACjC,CAAC;KAAA;IAEK,MAAM,CAAC,IAAS;;YAClB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;gBACb,MAAM,IAAI,qCAA2B,CAAC,2CAA2C,CAAC,CAAC;aACtF;YACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;gBACd,MAAM,IAAI,qCAA2B,CAAC,4CAA4C,CAAC,CAAC;aACvF;YACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;gBACd,MAAM,IAAI,qCAA2B,CAAC,4CAA4C,CAAC,CAAC;aACvF;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC;YACtB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAC/B,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,0EAA0E;YAC1E,+BAA+B;YAC/B,MAAM,MAAM,GAAQ,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC/F,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAC1B,CAAC;YAEF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACxD,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;gBAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,8CAA8C,CAAC,CAAC;aACjF;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACjE,CAAC;KAAA;IAEK,MAAM,CAAC,IAAS;;YAClB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;gBACb,MAAM,IAAI,qCAA2B,CAAC,2CAA2C,CAAC,CAAC;aACtF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,sDAAsD;YACtD,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YAErF,+DAA+D;YAC/D,IAAI,UAAe,CAAC;YACpB,IAAI;gBACA,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;gBAC/D,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;aACzB;YAAC,OAAO,GAAG,EAAE;gBACV,eAAe;gBACf,UAAU,GAAG,SAAS,CAAC;aAC1B;YAED,uBAAuB;YACvB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,IAAI,CAAC,KAAK,MAAM,IAAA,oBAAY,EAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC5E,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAEpC,IAAI,CAAC,UAAU,EAAE;gBACb,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAC3B,IAAI,CAAC,KAAK,EACV,QAAQ,EACR,uCAAuC,EACvC,uBAAiB,CAAC,mBAAmB,CACxC,CAAC;aACL;iBAAM;gBACH,OAAO,UAAU,CAAC;aACrB;QACL,CAAC;KAAA;IAEK,UAAU,CAAC,IAAS;;YACtB,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,2BAA2B;YAC3B,IAAI,GAAG,IAAI,aAAJ,IAAI,cAAJ,IAAI,GAAI,EAAE,CAAC;YAClB,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAE7D,uBAAuB;YACvB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAI,CAAC,KAAK,MAAM,IAAA,oBAAY,EAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChF,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;KAAA;IAEK,SAAS,CAAC,IAAS;;YACrB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAE7B,2BAA2B;YAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5C,CAAC;KAAA;IAEK,OAAO,CAAC,IAAS;;YACnB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAE7B,2BAA2B;YAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAE3D,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;KAAA;IAEK,KAAK,CAAC,IAAS;;YACjB,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAE7B,2BAA2B;YAC3B,IAAI,GAAG,IAAI,aAAJ,IAAI,cAAJ,IAAI,GAAI,EAAE,CAAC;YAClB,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACxC,CAAC;KAAA;IAEK,SAAS,CAAC,SAA8B;;YAC1C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YACnE,IAAI,KAAK,KAAK,KAAK,EAAE;gBACjB,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;aAC1D;QACL,CAAC;KAAA;IAEa,aAAa,CACvB,QAAa,EACb,GAA4B,EAC5B,MAAc,EACd,SAA8B;;YAE9B,MAAM,QAAQ,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;YACpF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACpE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE;gBACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,6BAA6B,CAAC,CAAC;gBACzD,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAC3B,IAAI,CAAC,KAAK,EACV,SAAS,EACT,uCAAuC,EACvC,uBAAiB,CAAC,mBAAmB,CACxC,CAAC;aACL;iBAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE;gBAC1B,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,yDAAyD,CAAC,CAAC;aAC5F;YACD,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;KAAA;CACJ;AA7SD,gDA6SC"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { AuthUser } from '../../types';
|
|
2
|
+
import { ModelMeta, PolicyDef } from '../types';
|
|
3
|
+
/**
|
|
4
|
+
* Context for evaluating access policies
|
|
5
|
+
*/
|
|
6
|
+
export type WithPolicyContext = {
|
|
7
|
+
user?: AuthUser;
|
|
8
|
+
};
|
|
9
|
+
/**
|
|
10
|
+
* Gets an enhanced Prisma client with access policy check.
|
|
11
|
+
*
|
|
12
|
+
* @param prisma The original Prisma client
|
|
13
|
+
* @param context The policy evaluation context
|
|
14
|
+
* @param policy The policy definition, will be loaded from default location if not provided
|
|
15
|
+
* @param modelMeta The model metadata, will be loaded from default location if not provided
|
|
16
|
+
*/
|
|
17
|
+
export declare function withPolicy<DbClient extends object>(prisma: DbClient, context?: WithPolicyContext, policy?: PolicyDef, modelMeta?: ModelMeta): DbClient;
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* eslint-disable @typescript-eslint/no-explicit-any */
|
|
3
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
4
|
+
exports.withPolicy = void 0;
|
|
5
|
+
const model_meta_1 = require("../model-meta");
|
|
6
|
+
const proxy_1 = require("../proxy");
|
|
7
|
+
const handler_1 = require("./handler");
|
|
8
|
+
/**
|
|
9
|
+
* Gets an enhanced Prisma client with access policy check.
|
|
10
|
+
*
|
|
11
|
+
* @param prisma The original Prisma client
|
|
12
|
+
* @param context The policy evaluation context
|
|
13
|
+
* @param policy The policy definition, will be loaded from default location if not provided
|
|
14
|
+
* @param modelMeta The model metadata, will be loaded from default location if not provided
|
|
15
|
+
*/
|
|
16
|
+
function withPolicy(prisma, context, policy, modelMeta) {
|
|
17
|
+
const _policy = policy !== null && policy !== void 0 ? policy : getDefaultPolicy();
|
|
18
|
+
const _modelMeta = modelMeta !== null && modelMeta !== void 0 ? modelMeta : (0, model_meta_1.getDefaultModelMeta)();
|
|
19
|
+
return (0, proxy_1.makeProxy)(prisma, _modelMeta, (_prisma, model) => new handler_1.PolicyProxyHandler(_prisma, _policy, _modelMeta, model, context === null || context === void 0 ? void 0 : context.user), 'policy');
|
|
20
|
+
}
|
|
21
|
+
exports.withPolicy = withPolicy;
|
|
22
|
+
function getDefaultPolicy() {
|
|
23
|
+
try {
|
|
24
|
+
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
|
25
|
+
return require('.zenstack/policy').default;
|
|
26
|
+
}
|
|
27
|
+
catch (_a) {
|
|
28
|
+
throw new Error('Policy definition cannot be loaded from default location');
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/enhancements/policy/index.ts"],"names":[],"mappings":";AAAA,uDAAuD;;;AAGvD,8CAAoD;AACpD,oCAAqC;AAErC,uCAA+C;AAS/C;;;;;;;GAOG;AACH,SAAgB,UAAU,CACtB,MAAgB,EAChB,OAA2B,EAC3B,MAAkB,EAClB,SAAqB;IAErB,MAAM,OAAO,GAAG,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,gBAAgB,EAAE,CAAC;IAC7C,MAAM,UAAU,GAAG,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,IAAA,gCAAmB,GAAE,CAAC;IACtD,OAAO,IAAA,iBAAS,EACZ,MAAM,EACN,UAAU,EACV,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CACf,IAAI,4BAAkB,CAAC,OAA2B,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,IAAI,CAAC,EAClG,QAAQ,CACX,CAAC;AACN,CAAC;AAfD,gCAeC;AAED,SAAS,gBAAgB;IACrB,IAAI;QACA,8DAA8D;QAC9D,OAAO,OAAO,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC;KAC9C;IAAC,WAAM;QACJ,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;KAC/E;AACL,CAAC"}
|
|
@@ -1,6 +1,10 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
/* eslint-disable @typescript-eslint/no-explicit-any */
|
|
2
3
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
4
|
exports.Logger = void 0;
|
|
5
|
+
/**
|
|
6
|
+
* A logger that uses an existing Prisma client to emit.
|
|
7
|
+
*/
|
|
4
8
|
class Logger {
|
|
5
9
|
constructor(prisma) {
|
|
6
10
|
this.prisma = prisma;
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../../src/enhancements/policy/logger.ts"],"names":[],"mappings":";AAAA,uDAAuD;;;AAIvD;;GAEG;AACH,MAAa,MAAM;IACf,YAA6B,MAAW;QAAX,WAAM,GAAN,MAAM,CAAK;IAAG,CAAC;IAE5C,IAAY,OAAO;QACf,MAAM,MAAM,GAAI,IAAI,CAAC,MAAc,CAAC,SAAS,EAAE,CAAC;QAChD,OAAO,MAAM,CAAC,CAAC,CAAE,MAAM,CAAC,UAA2B,CAAC,CAAC,CAAC,SAAS,CAAC;IACpE,CAAC;IAEM,GAAG,CAAC,KAAgC,EAAE,OAAe;;QACxD,MAAA,IAAI,CAAC,OAAO,0CAAE,IAAI,CAAC,KAAK,EAAE;YACtB,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,OAAO;YACP,MAAM,EAAE,UAAU;SACrB,CAAC,CAAC;IACP,CAAC;IAED;;OAEG;IACI,IAAI,CAAC,OAAe;QACvB,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,IAAI,CAAC,OAAe;QACvB,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,OAAe;QACxB,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC/B,CAAC;CACJ;AApCD,wBAoCC"}
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
import { PrismaClientKnownRequestError, PrismaClientUnknownRequestError } from '@prisma/client/runtime';
|
|
2
|
+
import { CrudFailureReason } from '@zenstackhq/sdk';
|
|
3
|
+
import { AuthUser, DbClientContract, DbOperations, FieldInfo, PolicyOperationKind, PrismaWriteActionType } from '../../types';
|
|
4
|
+
import { ModelMeta, PolicyDef } from '../types';
|
|
5
|
+
/**
|
|
6
|
+
* Access policy enforcement utilities
|
|
7
|
+
*/
|
|
8
|
+
export declare class PolicyUtil {
|
|
9
|
+
private readonly db;
|
|
10
|
+
private readonly modelMeta;
|
|
11
|
+
private readonly policy;
|
|
12
|
+
private readonly user?;
|
|
13
|
+
private readonly logger;
|
|
14
|
+
constructor(db: DbClientContract, modelMeta: ModelMeta, policy: PolicyDef, user?: AuthUser | undefined);
|
|
15
|
+
/**
|
|
16
|
+
* Creates a conjunction of a list of query conditions.
|
|
17
|
+
*/
|
|
18
|
+
and(...conditions: (boolean | object)[]): any;
|
|
19
|
+
/**
|
|
20
|
+
* Creates a disjunction of a list of query conditions.
|
|
21
|
+
*/
|
|
22
|
+
or(...conditions: (boolean | object)[]): any;
|
|
23
|
+
/**
|
|
24
|
+
* Creates a negation of a query condition.
|
|
25
|
+
*/
|
|
26
|
+
not(condition: object | boolean): any;
|
|
27
|
+
/**
|
|
28
|
+
* Gets pregenerated authorization guard object for a given model and operation.
|
|
29
|
+
*
|
|
30
|
+
* @returns true if operation is unconditionally allowed, false if unconditionally denied,
|
|
31
|
+
* otherwise returns a guard object
|
|
32
|
+
*/
|
|
33
|
+
getAuthGuard(model: string, operation: PolicyOperationKind, preValue?: any): Promise<boolean | object>;
|
|
34
|
+
private getPreValueSelect;
|
|
35
|
+
private getModelSchema;
|
|
36
|
+
/**
|
|
37
|
+
* Injects model auth guard as where clause.
|
|
38
|
+
*/
|
|
39
|
+
injectAuthGuard(args: any, model: string, operation: PolicyOperationKind): Promise<void>;
|
|
40
|
+
injectGuardForFields(model: string, payload: any, operation: PolicyOperationKind): Promise<void>;
|
|
41
|
+
injectGuardForToManyField(fieldInfo: FieldInfo, payload: {
|
|
42
|
+
some?: any;
|
|
43
|
+
every?: any;
|
|
44
|
+
none?: any;
|
|
45
|
+
}, operation: PolicyOperationKind): Promise<void>;
|
|
46
|
+
injectGuardForToOneField(fieldInfo: FieldInfo, payload: {
|
|
47
|
+
is?: any;
|
|
48
|
+
isNot?: any;
|
|
49
|
+
} & Record<string, any>, operation: PolicyOperationKind): Promise<void>;
|
|
50
|
+
/**
|
|
51
|
+
* Read model entities w.r.t the given query args. The result list
|
|
52
|
+
* are guaranteed to fully satisfy 'read' policy rules recursively.
|
|
53
|
+
*
|
|
54
|
+
* For to-many relations involved, items not satisfying policy are
|
|
55
|
+
* silently trimmed. For to-one relation, if relation data fails policy
|
|
56
|
+
* an error is thrown.
|
|
57
|
+
*/
|
|
58
|
+
readWithCheck(model: string, args: any): Promise<unknown[]>;
|
|
59
|
+
flattenGeneratedUniqueField(model: string, args: any): Promise<void>;
|
|
60
|
+
private injectNestedReadConditions;
|
|
61
|
+
/**
|
|
62
|
+
* Post processing checks for read model entities. Validates to-one relations
|
|
63
|
+
* (which can't be trimmed at query time) and removes fields that should be
|
|
64
|
+
* omitted.
|
|
65
|
+
*/
|
|
66
|
+
postProcessForRead(entityData: any, model: string, args: any, operation: PolicyOperationKind): Promise<void>;
|
|
67
|
+
/**
|
|
68
|
+
* Process Prisma write actions.
|
|
69
|
+
*/
|
|
70
|
+
processWrite(model: string, action: PrismaWriteActionType, args: any, writeAction: (dbOps: DbOperations, writeArgs: any) => Promise<unknown>): Promise<any>;
|
|
71
|
+
private transaction;
|
|
72
|
+
deniedByPolicy(model: string, operation: PolicyOperationKind, extra?: string, reason?: CrudFailureReason): PrismaClientKnownRequestError;
|
|
73
|
+
notFound(model: string): PrismaClientKnownRequestError;
|
|
74
|
+
unknownError(message: string): PrismaClientUnknownRequestError;
|
|
75
|
+
/**
|
|
76
|
+
* Given a filter, check if applying access policy filtering will result
|
|
77
|
+
* in data being trimmed, and if so, throw an error.
|
|
78
|
+
*/
|
|
79
|
+
checkPolicyForFilter(model: string, filter: any, operation: PolicyOperationKind, db: Record<string, DbOperations>): Promise<void>;
|
|
80
|
+
private checkPostUpdate;
|
|
81
|
+
private isToOneRelation;
|
|
82
|
+
/**
|
|
83
|
+
* Clones an object and makes sure it's not empty.
|
|
84
|
+
*/
|
|
85
|
+
clone(value: unknown): {};
|
|
86
|
+
/**
|
|
87
|
+
* Gets "id" field for a given model.
|
|
88
|
+
*/
|
|
89
|
+
getIdFields(model: string): FieldInfo[];
|
|
90
|
+
/**
|
|
91
|
+
* Gets id field value from an entity.
|
|
92
|
+
*/
|
|
93
|
+
getEntityIds(model: string, entityData: any): Record<string, unknown>;
|
|
94
|
+
}
|