@zenstackhq/runtime 0.6.0-pre.2 → 1.0.0-alpha.101

package/enhancements/policy/policy-utils.js

@@ -0,0 +1,755 @@
+"use strict";
+/* eslint-disable @typescript-eslint/no-explicit-any */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyUtil = void 0;
+const runtime_1 = require("@prisma/client/runtime");
+const sdk_1 = require("@zenstackhq/sdk");
+const change_case_1 = require("change-case");
+const cuid_1 = __importDefault(require("cuid"));
+const deepcopy_1 = __importDefault(require("deepcopy"));
+const zod_validation_error_1 = require("zod-validation-error");
+const version_1 = require("../../version");
+const model_meta_1 = require("../model-meta");
+const nested_write_vistor_1 = require("../nested-write-vistor");
+const utils_1 = require("../utils");
+const logger_1 = require("./logger");
+const pluralize_1 = __importDefault(require("pluralize"));
+/**
+ * Access policy enforcement utilities
+ */
+class PolicyUtil {
+    constructor(db, modelMeta, policy, user) {
+        this.db = db;
+        this.modelMeta = modelMeta;
+        this.policy = policy;
+        this.user = user;
+        this.logger = new logger_1.Logger(db);
+    }
+    /**
+     * Creates a conjunction of a list of query conditions.
+     */
+    and(...conditions) {
+        if (conditions.includes(false)) {
+            // always false
+            return { [sdk_1.GUARD_FIELD_NAME]: false };
+        }
+        const filtered = conditions.filter((c) => typeof c === 'object' && !!c && Object.keys(c).length > 0);
+        if (filtered.length === 0) {
+            return undefined;
+        }
+        else if (filtered.length === 1) {
+            return filtered[0];
+        }
+        else {
+            return { AND: filtered };
+        }
+    }
+    /**
+     * Creates a disjunction of a list of query conditions.
+     */
+    or(...conditions) {
+        if (conditions.includes(true)) {
+            // always true
+            return { [sdk_1.GUARD_FIELD_NAME]: true };
+        }
+        const filtered = conditions.filter((c) => typeof c === 'object' && !!c);
+        if (filtered.length === 0) {
+            return undefined;
+        }
+        else if (filtered.length === 1) {
+            return filtered[0];
+        }
+        else {
+            return { OR: filtered };
+        }
+    }
+    /**
+     * Creates a negation of a query condition.
+     */
+    not(condition) {
+        if (typeof condition === 'boolean') {
+            return !condition;
+        }
+        else {
+            return { NOT: condition };
+        }
+    }
+    /**
+     * Gets pregenerated authorization guard object for a given model and operation.
+     *
+     * @returns true if operation is unconditionally allowed, false if unconditionally denied,
+     * otherwise returns a guard object
+     */
+    getAuthGuard(model, operation, preValue) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const guard = this.policy.guard[(0, change_case_1.camelCase)(model)];
+            if (!guard) {
+                throw this.unknownError(`unable to load policy guard for ${model}`);
+            }
+            const provider = guard[operation];
+            if (typeof provider === 'boolean') {
+                return provider;
+            }
+            if (!provider) {
+                throw this.unknownError(`zenstack: unable to load authorization guard for ${model}`);
+            }
+            return provider({ user: this.user, preValue });
+        });
+    }
+    getPreValueSelect(model) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const guard = this.policy.guard[(0, change_case_1.camelCase)(model)];
+            if (!guard) {
+                throw this.unknownError(`unable to load policy guard for ${model}`);
+            }
+            return guard.preValueSelect;
+        });
+    }
+    getModelSchema(model) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.policy.schema[(0, change_case_1.camelCase)(model)];
+        });
+    }
+    /**
+     * Injects model auth guard as where clause.
+     */
+    injectAuthGuard(args, model, operation) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (args.where) {
+                // inject into relation fields:
+                //   to-many: some/none/every
+                //   to-one: direct-conditions/is/isNot
+                yield this.injectGuardForFields(model, args.where, operation);
+            }
+            const guard = yield this.getAuthGuard(model, operation);
+            args.where = this.and(args.where, guard);
+        });
+    }
+    injectGuardForFields(model, payload, operation) {
+        return __awaiter(this, void 0, void 0, function* () {
+            for (const [field, subPayload] of Object.entries(payload)) {
+                if (!subPayload) {
+                    continue;
+                }
+                const fieldInfo = yield (0, model_meta_1.resolveField)(this.modelMeta, model, field);
+                if (!fieldInfo || !fieldInfo.isDataModel) {
+                    continue;
+                }
+                if (fieldInfo.isArray) {
+                    yield this.injectGuardForToManyField(fieldInfo, subPayload, operation);
+                }
+                else {
+                    yield this.injectGuardForToOneField(fieldInfo, subPayload, operation);
+                }
+            }
+        });
+    }
+    injectGuardForToManyField(fieldInfo, payload, operation) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const guard = yield this.getAuthGuard(fieldInfo.type, operation);
+            if (payload.some) {
+                yield this.injectGuardForFields(fieldInfo.type, payload.some, operation);
+                // turn "some" into: { some: { AND: [guard, payload.some] } }
+                payload.some = this.and(payload.some, guard);
+            }
+            if (payload.none) {
+                yield this.injectGuardForFields(fieldInfo.type, payload.none, operation);
+                // turn none into: { none: { AND: [guard, payload.none] } }
+                payload.none = this.and(payload.none, guard);
+            }
+            if (payload.every &&
+                typeof payload.every === 'object' &&
+                // ignore empty every clause
+                Object.keys(payload.every).length > 0) {
+                yield this.injectGuardForFields(fieldInfo.type, payload.every, operation);
+                // turn "every" into: { none: { AND: [guard, { NOT: payload.every }] } }
+                if (!payload.none) {
+                    payload.none = {};
+                }
+                payload.none = this.and(payload.none, guard, this.not(payload.every));
+                delete payload.every;
+            }
+        });
+    }
+    injectGuardForToOneField(fieldInfo, payload, operation) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const guard = yield this.getAuthGuard(fieldInfo.type, operation);
+            if (payload.is || payload.isNot) {
+                if (payload.is) {
+                    yield this.injectGuardForFields(fieldInfo.type, payload.is, operation);
+                    // turn "is" into: { is: { AND: [ originalIs, guard ] }
+                    payload.is = this.and(payload.is, guard);
+                }
+                if (payload.isNot) {
+                    yield this.injectGuardForFields(fieldInfo.type, payload.isNot, operation);
+                    // turn "isNot" into: { isNot: { AND: [ originalIsNot, { NOT: guard } ] } }
+                    payload.isNot = this.and(payload.isNot, this.not(guard));
+                    delete payload.isNot;
+                }
+            }
+            else {
+                yield this.injectGuardForFields(fieldInfo.type, payload, operation);
+                // turn direct conditions into: { is: { AND: [ originalConditions, guard ] } }
+                const combined = this.and((0, deepcopy_1.default)(payload), guard);
+                Object.keys(payload).forEach((key) => delete payload[key]);
+                payload.is = combined;
+            }
+        });
+    }
+    /**
+     * Read model entities w.r.t the given query args. The result list
+     * are guaranteed to fully satisfy 'read' policy rules recursively.
+     *
+     * For to-many relations involved, items not satisfying policy are
+     * silently trimmed. For to-one relation, if relation data fails policy
+     * an error is thrown.
+     */
+    readWithCheck(model, args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            args = this.clone(args);
+            if (args.where) {
+                // query args will be used with findMany, so we need to
+                // translate unique constraint filters into a flat filter
+                // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
+                yield this.flattenGeneratedUniqueField(model, args.where);
+            }
+            yield this.injectAuthGuard(args, model, 'read');
+            // recursively inject read guard conditions into the query args
+            yield this.injectNestedReadConditions(model, args);
+            this.logger.info(`Reading with validation for ${model}: ${(0, utils_1.formatObject)(args)}`);
+            const result = yield this.db[model].findMany(args);
+            yield Promise.all(result.map((item) => this.postProcessForRead(item, model, args, 'read')));
+            return result;
+        });
+    }
+    // flatten unique constraint filters
+    flattenGeneratedUniqueField(model, args) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
+            const uniqueConstraints = (_a = this.modelMeta.uniqueConstraints) === null || _a === void 0 ? void 0 : _a[(0, change_case_1.camelCase)(model)];
+            let flattened = false;
+            if (uniqueConstraints) {
+                for (const [field, value] of Object.entries(args)) {
+                    if (uniqueConstraints[field] && typeof value === 'object') {
+                        for (const [f, v] of Object.entries(value)) {
+                            args[f] = v;
+                        }
+                        delete args[field];
+                        flattened = true;
+                    }
+                }
+            }
+            if (flattened) {
+                this.logger.info(`Filter flattened: ${JSON.stringify(args)}`);
+            }
+        });
+    }
+    injectNestedReadConditions(model, args) {
+        var _a, _b;
+        return __awaiter(this, void 0, void 0, function* () {
+            const injectTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
+            if (!injectTarget) {
+                return;
+            }
+            const idFields = this.getIdFields(model);
+            for (const field of (0, utils_1.getModelFields)(injectTarget)) {
+                const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
+                if (!fieldInfo || !fieldInfo.isDataModel) {
+                    // only care about relation fields
+                    continue;
+                }
+                if (fieldInfo.isArray) {
+                    if (typeof injectTarget[field] !== 'object') {
+                        injectTarget[field] = {};
+                    }
+                    // inject extra condition for to-many relation
+                    yield this.injectAuthGuard(injectTarget[field], fieldInfo.type, 'read');
+                }
+                else {
+                    // there's no way of injecting condition for to-one relation, so if there's
+                    // "select" clause we make sure 'id' fields are selected and check them against
+                    // query result; nothing needs to be done for "include" clause because all
+                    // fields are already selected
+                    if ((_b = injectTarget[field]) === null || _b === void 0 ? void 0 : _b.select) {
+                        for (const idField of idFields) {
+                            if (injectTarget[field].select[idField.name] !== true) {
+                                injectTarget[field].select[idField.name] = true;
+                            }
+                        }
+                    }
+                }
+                // recurse
+                yield this.injectNestedReadConditions(fieldInfo.type, injectTarget[field]);
+            }
+        });
+    }
+    /**
+     * Post processing checks for read model entities. Validates to-one relations
+     * (which can't be trimmed at query time) and removes fields that should be
+     * omitted.
+     */
+    postProcessForRead(entityData, model, args, operation) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            const ids = this.getEntityIds(model, entityData);
+            if (Object.keys(ids).length === 0) {
+                return;
+            }
+            // strip auxiliary fields
+            for (const auxField of sdk_1.AUXILIARY_FIELDS) {
+                if (auxField in entityData) {
+                    delete entityData[auxField];
+                }
+            }
+            const injectTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
+            if (!injectTarget) {
+                return;
+            }
+            // to-one relation data cannot be trimmed by injected guards, we have to
+            // post-check them
+            for (const field of (0, utils_1.getModelFields)(injectTarget)) {
+                if (!(entityData === null || entityData === void 0 ? void 0 : entityData[field])) {
+                    continue;
+                }
+                const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
+                if (!fieldInfo || !fieldInfo.isDataModel || fieldInfo.isArray) {
+                    continue;
+                }
+                const ids = this.getEntityIds(fieldInfo.type, entityData[field]);
+                if (Object.keys(ids).length === 0) {
+                    continue;
+                }
+                this.logger.info(`Validating read of to-one relation: ${fieldInfo.type}#${(0, utils_1.formatObject)(ids)}`);
+                yield this.checkPolicyForFilter(fieldInfo.type, ids, operation, this.db);
+                // recurse
+                yield this.postProcessForRead(entityData[field], fieldInfo.type, injectTarget[field], operation);
+            }
+        });
+    }
+    /**
+     * Process Prisma write actions.
+     */
+    processWrite(model, action, args, writeAction) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // record model types for which new entities are created
+            // so we can post-check if they satisfy 'create' policies
+            const createdModels = new Set();
+            // record model entities that are updated, together with their
+            // values before update, so we can post-check if they satisfy
+            //     model => { ids, entity value }
+            const updatedModels = new Map();
+            function addUpdatedEntity(model, ids, entity) {
+                let modelEntities = updatedModels.get(model);
+                if (!modelEntities) {
+                    modelEntities = [];
+                    updatedModels.set(model, modelEntities);
+                }
+                modelEntities.push({ ids, value: entity });
+            }
+            const idFields = this.getIdFields(model);
+            if (args.select) {
+                // make sure id fields are selected, we need it to
+                // read back the updated entity
+                for (const idField of idFields) {
+                    if (!args.select[idField.name]) {
+                        args.select[idField.name] = true;
+                    }
+                }
+            }
+            // use a transaction to conduct write, so in case any create or nested create
+            // fails access policies, we can roll back the entire operation
+            const transactionId = (0, cuid_1.default)();
+            // args processor for create
+            const processCreate = (model, args) => __awaiter(this, void 0, void 0, function* () {
+                const guard = yield this.getAuthGuard(model, 'create');
+                const schema = yield this.getModelSchema(model);
+                if (guard === false) {
+                    throw this.deniedByPolicy(model, 'create');
+                }
+                else if (guard !== true || schema) {
+                    // mark the create with a transaction tag so we can check them later
+                    args[sdk_1.TRANSACTION_FIELD_NAME] = `${transactionId}:create`;
+                    createdModels.add(model);
+                }
+            });
+            // build a reversed query for fetching entities affected by nested updates
+            const buildReversedQuery = (context) => __awaiter(this, void 0, void 0, function* () {
+                let result, currQuery;
+                let currField;
+                for (let i = context.nestingPath.length - 1; i >= 0; i--) {
+                    const { field, where, unique } = context.nestingPath[i];
+                    if (!result) {
+                        // first segment (bottom), just use its where clause
+                        result = currQuery = Object.assign({}, where);
+                        currField = field;
+                    }
+                    else {
+                        if (!currField) {
+                            throw this.unknownError(`missing field in nested path`);
+                        }
+                        if (!currField.backLink) {
+                            throw this.unknownError(`field ${currField.type}.${currField.name} doesn't have a backLink`);
+                        }
+                        currQuery[currField.backLink] = Object.assign({}, where);
+                        currQuery = currQuery[currField.backLink];
+                        currField = field;
+                    }
+                    if (unique) {
+                        // hit a unique filter, no need to traverse further up
+                        break;
+                    }
+                }
+                return result;
+            });
+            // args processor for update/upsert
+            const processUpdate = (model, where, context) => __awaiter(this, void 0, void 0, function* () {
+                const preGuard = yield this.getAuthGuard(model, 'update');
+                if (preGuard === false) {
+                    throw this.deniedByPolicy(model, 'update');
+                }
+                else if (preGuard !== true) {
+                    if (this.isToOneRelation(context.field)) {
+                        // To-one relation field is complicated because there's no way to
+                        // filter it during update (args doesn't carry a 'where' clause).
+                        //
+                        // We need to recursively walk up its hierarcy in the query args
+                        // to construct a reversed query to identify the nested entity
+                        // under update, and then check if it satisfies policy.
+                        //
+                        // E.g.:
+                        // A - B - C
+                        //
+                        // update A with:
+                        // {
+                        //   where: { id: 'aId' },
+                        //   data: {
+                        //     b: {
+                        //       c: { value: 1 }
+                        //     }
+                        //   }
+                        // }
+                        //
+                        // To check if the update to 'c' field is permitted, we
+                        // reverse the query stack into a filter for C model, like:
+                        // {
+                        //   where: {
+                        //     b: { a: { id: 'aId' } }
+                        //   }
+                        // }
+                        // , and with this we can filter out the C entity that's going
+                        // to be nestedly updated, and check if it's allowed.
+                        //
+                        // The same logic applies to nested delete.
+                        const subQuery = yield buildReversedQuery(context);
+                        yield this.checkPolicyForFilter(model, subQuery, 'update', this.db);
+                    }
+                    else {
+                        if (!where) {
+                            throw this.unknownError(`Missing 'where' parameter`);
+                        }
+                        yield this.checkPolicyForFilter(model, where, 'update', this.db);
+                    }
+                }
+                yield preparePostUpdateCheck(model, context);
+            });
+            // args processor for updateMany
+            const processUpdateMany = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                const guard = yield this.getAuthGuard(model, 'update');
+                if (guard === false) {
+                    throw this.deniedByPolicy(model, 'update');
+                }
+                else if (guard !== true) {
+                    // inject policy filter
+                    yield this.injectAuthGuard(args, model, 'update');
+                }
+                yield preparePostUpdateCheck(model, context);
+            });
+            // for models with post-update rules, we need to read and store
+            // entity values before the update for post-update check
+            const preparePostUpdateCheck = (model, context) => __awaiter(this, void 0, void 0, function* () {
+                const postGuard = yield this.getAuthGuard(model, 'postUpdate');
+                const schema = yield this.getModelSchema(model);
+                // post-update check is needed if there's post-update rule or validation schema
+                if (postGuard !== true || schema) {
+                    // fetch preValue selection (analyzed from the post-update rules)
+                    const preValueSelect = yield this.getPreValueSelect(model);
+                    const filter = yield buildReversedQuery(context);
+                    // query args will be used with findMany, so we need to
+                    // translate unique constraint filters into a flat filter
+                    // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
+                    yield this.flattenGeneratedUniqueField(model, filter);
+                    const idFields = this.getIdFields(model);
+                    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                    const select = Object.assign({}, preValueSelect);
+                    for (const idField of idFields) {
+                        select[idField.name] = true;
+                    }
+                    const query = { where: filter, select };
+                    this.logger.info(`fetching pre-update entities for ${model}: ${(0, utils_1.formatObject)(query)})}`);
+                    const entities = yield this.db[model].findMany(query);
+                    entities.forEach((entity) => {
+                        addUpdatedEntity(model, this.getEntityIds(model, entity), entity);
+                    });
+                }
+            });
+            // args processor for delete
+            const processDelete = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                const guard = yield this.getAuthGuard(model, 'delete');
+                if (guard === false) {
+                    throw this.deniedByPolicy(model, 'delete');
+                }
+                else if (guard !== true) {
+                    if (this.isToOneRelation(context.field)) {
+                        // see comments in processUpdate
+                        const subQuery = yield buildReversedQuery(context);
+                        yield this.checkPolicyForFilter(model, subQuery, 'delete', this.db);
+                    }
+                    else {
+                        yield this.checkPolicyForFilter(model, args, 'delete', this.db);
+                    }
+                }
+            });
+            // process relation updates: connect, connectOrCreate, and disconnect
+            const processRelationUpdate = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                var _a;
+                if ((_a = context.field) === null || _a === void 0 ? void 0 : _a.backLink) {
+                    // fetch the backlink field of the model being connected
+                    const backLinkField = (0, model_meta_1.resolveField)(this.modelMeta, model, context.field.backLink);
+                    if (backLinkField.isRelationOwner) {
+                        // the target side of relation owns the relation,
+                        // mark it as updated
+                        yield processUpdate(model, args, context);
+                    }
+                }
+            });
+            // use a visitor to process args before conducting the write action
+            const visitor = new nested_write_vistor_1.NestedWriteVisitor(this.modelMeta, {
+                create: (model, args) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processCreate(model, oneArgs);
+                    }
+                }),
+                connectOrCreate: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        if (oneArgs.create) {
+                            yield processCreate(model, oneArgs.create);
+                        }
+                        if (oneArgs.where) {
+                            yield processRelationUpdate(model, oneArgs.where, context);
+                        }
+                    }
+                }),
+                connect: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processRelationUpdate(model, oneArgs, context);
+                    }
+                }),
+                disconnect: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processRelationUpdate(model, oneArgs, context);
+                    }
+                }),
+                update: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processUpdate(model, oneArgs.where, context);
+                    }
+                }),
+                updateMany: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processUpdateMany(model, oneArgs, context);
+                    }
+                }),
+                upsert: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        if (oneArgs.create) {
+                            yield processCreate(model, oneArgs.create);
+                        }
+                        if (oneArgs.update) {
+                            yield processUpdate(model, oneArgs.where, context);
+                        }
+                    }
+                }),
+                delete: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processDelete(model, oneArgs, context);
+                    }
+                }),
+                deleteMany: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    const guard = yield this.getAuthGuard(model, 'delete');
+                    if (guard === false) {
+                        throw this.deniedByPolicy(model, 'delete');
+                    }
+                    else if (guard !== true) {
+                        if (Array.isArray(args)) {
+                            context.parent.deleteMany = args.map((oneArgs) => this.and(oneArgs, guard));
+                        }
+                        else {
+                            context.parent.deleteMany = this.and(args, guard);
+                        }
+                    }
+                }),
+            });
+            yield visitor.visit(model, action, args);
+            if (createdModels.size === 0 && updatedModels.size === 0) {
+                // no post-check needed, we can proceed with the write without transaction
+                return yield writeAction(this.db[model], args);
+            }
+            else {
+                return yield this.transaction(this.db, (tx) => __awaiter(this, void 0, void 0, function* () {
+                    // proceed with the update (with args processed)
+                    const result = yield writeAction(tx[model], args);
+                    if (createdModels.size > 0) {
+                        // do post-check on created entities
+                        yield Promise.all([...createdModels].map((model) => this.checkPolicyForFilter(model, { [sdk_1.TRANSACTION_FIELD_NAME]: `${transactionId}:create` }, 'create', tx)));
+                    }
+                    if (updatedModels.size > 0) {
+                        // do post-check on updated entities
+                        yield Promise.all([...updatedModels.entries()]
+                            .map(([model, modelEntities]) => modelEntities.map(({ ids, value: preValue }) => __awaiter(this, void 0, void 0, function* () { return this.checkPostUpdate(model, ids, tx, preValue); })))
+                            .flat());
+                    }
+                    return result;
+                }));
+            }
+        });
+    }
+    transaction(db, action) {
+        if (db.__zenstack_tx) {
+            // already in transaction, don't nest
+            return action(db);
+        }
+        else {
+            return db.$transaction((tx) => action(tx));
+        }
+    }
+    deniedByPolicy(model, operation, extra, reason) {
+        return new runtime_1.PrismaClientKnownRequestError(`denied by policy: ${model} entities failed '${operation}' check${extra ? ', ' + extra : ''}`, { clientVersion: (0, version_1.getVersion)(), code: 'P2004', meta: { reason } });
+    }
+    notFound(model) {
+        return new runtime_1.PrismaClientKnownRequestError(`entity not found for model ${model}`, {
+            clientVersion: (0, version_1.getVersion)(),
+            code: 'P2025',
+        });
+    }
+    unknownError(message) {
+        return new runtime_1.PrismaClientUnknownRequestError(message, {
+            clientVersion: (0, version_1.getVersion)(),
+        });
+    }
+    /**
+     * Given a filter, check if applying access policy filtering will result
+     * in data being trimmed, and if so, throw an error.
+     */
+    checkPolicyForFilter(model, filter, operation, db) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.logger.info(`Checking policy for ${model}#${JSON.stringify(filter)} for ${operation}`);
+            const queryFilter = (0, deepcopy_1.default)(filter);
+            // query args will be used with findMany, so we need to
+            // translate unique constraint filters into a flat filter
+            // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
+            yield this.flattenGeneratedUniqueField(model, queryFilter);
+            const count = (yield db[model].count({ where: queryFilter }));
+            const guard = yield this.getAuthGuard(model, operation);
+            // build a query condition with policy injected
+            const guardedQuery = { where: this.and(queryFilter, guard) };
+            const schema = (operation === 'create' || operation === 'update') && (yield this.getModelSchema(model));
+            if (schema) {
+                // we've got schemas, so have to fetch entities and validate them
+                const entities = yield db[model].findMany(guardedQuery);
+                if (entities.length < count) {
+                    this.logger.info(`entity ${model} failed policy check for operation ${operation}`);
+                    throw this.deniedByPolicy(model, operation, `${count - entities.length} ${(0, pluralize_1.default)('entity', count - entities.length)} failed policy check`);
+                }
+                // TODO: push down schema check to the database
+                const schemaCheckErrors = entities.map((entity) => schema.safeParse(entity)).filter((r) => !r.success);
+                if (schemaCheckErrors.length > 0) {
+                    const error = schemaCheckErrors.map((r) => !r.success && (0, zod_validation_error_1.fromZodError)(r.error).message).join(', ');
+                    this.logger.info(`entity ${model} failed schema check for operation ${operation}: ${error}`);
+                    throw this.deniedByPolicy(model, operation, `entities failed schema check: [${error}]`);
+                }
+            }
+            else {
+                // count entities with policy injected and see if any of them are filtered out
+                const guardedCount = (yield db[model].count(guardedQuery));
+                if (guardedCount < count) {
+                    this.logger.info(`entity ${model} failed policy check for operation ${operation}`);
+                    throw this.deniedByPolicy(model, operation, `${count - guardedCount} ${(0, pluralize_1.default)('entity', count - guardedCount)} failed policy check`);
+                }
+            }
+        });
+    }
+    checkPostUpdate(model, ids, db, preValue) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.logger.info(`Checking post-update policy for ${model}#${ids}, preValue: ${(0, utils_1.formatObject)(preValue)}`);
+            const guard = yield this.getAuthGuard(model, 'postUpdate', preValue);
+            // build a query condition with policy injected
+            const guardedQuery = { where: this.and(ids, guard) };
+            // query with policy injected
+            const entity = yield db[model].findFirst(guardedQuery);
+            // see if we get fewer items with policy, if so, reject with an throw
+            if (!entity) {
+                this.logger.info(`entity ${model} failed policy check for operation postUpdate`);
+                throw this.deniedByPolicy(model, 'postUpdate');
+            }
+            // TODO: push down schema check to the database
+            const schema = yield this.getModelSchema(model);
+            if (schema) {
+                const schemaCheckResult = schema.safeParse(entity);
+                if (!schemaCheckResult.success) {
+                    const error = (0, zod_validation_error_1.fromZodError)(schemaCheckResult.error).message;
+                    this.logger.info(`entity ${model} failed schema check for operation postUpdate: ${error}`);
+                    throw this.deniedByPolicy(model, 'postUpdate', `entity failed schema check: ${error}`);
+                }
+            }
+        });
+    }
+    isToOneRelation(field) {
+        return !!field && field.isDataModel && !field.isArray;
+    }
+    /**
+     * Clones an object and makes sure it's not empty.
+     */
+    clone(value) {
+        return value ? (0, deepcopy_1.default)(value) : {};
+    }
+    /**
+     * Gets "id" field for a given model.
+     */
+    getIdFields(model) {
+        const fields = this.modelMeta.fields[(0, change_case_1.camelCase)(model)];
+        if (!fields) {
+            throw this.unknownError(`Unable to load fields for ${model}`);
+        }
+        const result = Object.values(fields).filter((f) => f.isId);
+        if (result.length === 0) {
+            throw this.unknownError(`model ${model} does not have an id field`);
+        }
+        return result;
+    }
+    /**
+     * Gets id field value from an entity.
+     */
+    getEntityIds(model, entityData) {
+        const idFields = this.getIdFields(model);
+        const result = {};
+        for (const idField of idFields) {
+            result[idField.name] = entityData[idField.name];
+        }
+        return result;
+    }
+}
+exports.PolicyUtil = PolicyUtil;
+//# sourceMappingURL=policy-utils.js.map