@zenstackhq/runtime 0.6.0-pre.2 → 1.0.0-alpha.20

package/enhancements/policy/handler.js

@@ -0,0 +1,278 @@
+"use strict";
+/* eslint-disable @typescript-eslint/no-explicit-any */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyProxyHandler = void 0;
+const runtime_1 = require("@prisma/client/runtime");
+const util_1 = require("util");
+const logger_1 = require("./logger");
+const policy_utils_1 = require("./policy-utils");
+/**
+ * Prisma proxy handler for injecting access policy check.
+ */
+class PolicyProxyHandler {
+    constructor(prisma, policy, modelMeta, model, user) {
+        this.prisma = prisma;
+        this.policy = policy;
+        this.modelMeta = modelMeta;
+        this.model = model;
+        this.user = user;
+        this.logger = new logger_1.Logger(prisma);
+        this.utils = new policy_utils_1.PolicyUtil(this.prisma, this.modelMeta, this.policy, this.user);
+    }
+    get modelClient() {
+        return this.prisma[this.model];
+    }
+    findUnique(args) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            if (!args.where) {
+                throw new runtime_1.PrismaClientValidationError('where field is required in query argument');
+            }
+            const entities = yield this.utils.readWithCheck(this.model, args);
+            return (_a = entities[0]) !== null && _a !== void 0 ? _a : null;
+        });
+    }
+    findUniqueOrThrow(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const entity = yield this.findUnique(args);
+            if (!entity) {
+                throw this.utils.notFound(this.model);
+            }
+            return entity;
+        });
+    }
+    findFirst(args) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            const entities = yield this.utils.readWithCheck(this.model, args);
+            return (_a = entities[0]) !== null && _a !== void 0 ? _a : null;
+        });
+    }
+    findFirstOrThrow(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const entity = yield this.findFirst(args);
+            if (!entity) {
+                throw this.utils.notFound(this.model);
+            }
+            return entity;
+        });
+    }
+    findMany(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.utils.readWithCheck(this.model, args);
+        });
+    }
+    create(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            if (!args.data) {
+                throw new runtime_1.PrismaClientValidationError('data field is required in query argument');
+            }
+            yield this.tryReject('create');
+            const origArgs = args;
+            args = this.utils.clone(args);
+            // use a transaction to wrap the write so it can be reverted if the created
+            // entity fails access policies
+            const result = yield this.utils.processWrite(this.model, 'create', args, (dbOps, writeArgs) => dbOps.create(writeArgs));
+            if (!this.utils.getEntityId(this.model, result)) {
+                throw this.utils.unknownError(`unexpected error: create didn't return an id`);
+            }
+            return this.checkReadback(origArgs, this.utils.getEntityId(this.model, result), 'create', 'create');
+        });
+    }
+    createMany(args, skipDuplicates) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            if (!args.data) {
+                throw new runtime_1.PrismaClientValidationError('data field is required and must be an array');
+            }
+            yield this.tryReject('create');
+            args = this.utils.clone(args);
+            // use a transaction to wrap the write so it can be reverted if any created
+            // entity fails access policies
+            const result = yield this.utils.processWrite(this.model, 'create', args, (dbOps, writeArgs) => dbOps.createMany(writeArgs, skipDuplicates));
+            return result;
+        });
+    }
+    update(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            if (!args.where) {
+                throw new runtime_1.PrismaClientValidationError('where field is required in query argument');
+            }
+            if (!args.data) {
+                throw new runtime_1.PrismaClientValidationError('data field is required in query argument');
+            }
+            yield this.tryReject('update');
+            const origArgs = args;
+            args = this.utils.clone(args);
+            // use a transaction to wrap the write so it can be reverted if any nested
+            // create fails access policies
+            const result = yield this.utils.processWrite(this.model, 'update', args, (dbOps, writeArgs) => dbOps.update(writeArgs));
+            if (!this.utils.getEntityId(this.model, result)) {
+                throw this.utils.unknownError(`unexpected error: update didn't return an id`);
+            }
+            return this.checkReadback(origArgs, this.utils.getEntityId(this.model, result), 'update', 'update');
+        });
+    }
+    updateMany(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            if (!args.data) {
+                throw new runtime_1.PrismaClientValidationError('data field is required in query argument');
+            }
+            yield this.tryReject('update');
+            args = this.utils.clone(args);
+            // use a transaction to wrap the write so it can be reverted if any nested
+            // create fails access policies
+            const result = yield this.utils.processWrite(this.model, 'updateMany', args, (dbOps, writeArgs) => dbOps.updateMany(writeArgs));
+            return result;
+        });
+    }
+    upsert(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            if (!args.where) {
+                throw new runtime_1.PrismaClientValidationError('where field is required in query argument');
+            }
+            if (!args.create) {
+                throw new runtime_1.PrismaClientValidationError('create field is required in query argument');
+            }
+            if (!args.update) {
+                throw new runtime_1.PrismaClientValidationError('update field is required in query argument');
+            }
+            const origArgs = args;
+            args = this.utils.clone(args);
+            yield this.tryReject('create');
+            yield this.tryReject('update');
+            // use a transaction to wrap the write so it can be reverted if any nested
+            // create fails access policies
+            const result = yield this.utils.processWrite(this.model, 'upsert', args, (dbOps, writeArgs) => dbOps.upsert(writeArgs));
+            if (!this.utils.getEntityId(this.model, result)) {
+                throw this.utils.unknownError(`unexpected error: upsert didn't return an id`);
+            }
+            return this.checkReadback(origArgs, this.utils.getEntityId(this.model, result), 'upsert', 'update');
+        });
+    }
+    delete(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            if (!args.where) {
+                throw new runtime_1.PrismaClientValidationError('where field is required in query argument');
+            }
+            yield this.tryReject('delete');
+            // ensures the item under deletion passes policy check
+            yield this.utils.checkPolicyForFilter(this.model, args.where, 'delete', this.prisma);
+            // read the entity under deletion with respect to read policies
+            let readResult;
+            try {
+                const items = yield this.utils.readWithCheck(this.model, args);
+                readResult = items[0];
+            }
+            catch (err) {
+                // not readable
+                readResult = undefined;
+            }
+            // conduct the deletion
+            this.logger.info(`Conducting delete ${this.model}:\n${(0, util_1.format)(args)}`);
+            yield this.modelClient.delete(args);
+            if (!readResult) {
+                throw this.utils.deniedByPolicy(this.model, 'delete', 'result not readable');
+            }
+            else {
+                return readResult;
+            }
+        });
+    }
+    deleteMany(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.tryReject('delete');
+            // inject policy conditions
+            args = args !== null && args !== void 0 ? args : {};
+            yield this.utils.injectAuthGuard(args, this.model, 'delete');
+            // conduct the deletion
+            this.logger.info(`Conducting deleteMany ${this.model}:\n${(0, util_1.format)(args)}`);
+            return this.modelClient.deleteMany(args);
+        });
+    }
+    aggregate(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            yield this.tryReject('read');
+            // inject policy conditions
+            yield this.utils.injectAuthGuard(args, this.model, 'read');
+            return this.modelClient.aggregate(args);
+        });
+    }
+    groupBy(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!args) {
+                throw new runtime_1.PrismaClientValidationError('query argument is required');
+            }
+            yield this.tryReject('read');
+            // inject policy conditions
+            yield this.utils.injectAuthGuard(args, this.model, 'read');
+            return this.modelClient.groupBy(args);
+        });
+    }
+    count(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.tryReject('read');
+            // inject policy conditions
+            args = args !== null && args !== void 0 ? args : {};
+            yield this.utils.injectAuthGuard(args, this.model, 'read');
+            return this.modelClient.count(args);
+        });
+    }
+    tryReject(operation) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const guard = yield this.utils.getAuthGuard(this.model, operation);
+            if (guard === false) {
+                throw this.utils.deniedByPolicy(this.model, operation);
+            }
+        });
+    }
+    checkReadback(origArgs, id, action, operation) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const idField = this.utils.getIdField(this.model);
+            const readArgs = { select: origArgs.select, include: origArgs.include, where: { [idField.name]: id } };
+            const result = yield this.utils.readWithCheck(this.model, readArgs);
+            if (result.length === 0) {
+                this.logger.warn(`${action} result cannot be read back`);
+                throw this.utils.deniedByPolicy(this.model, operation, 'result not readable');
+            }
+            else if (result.length > 1) {
+                throw this.utils.unknownError('write unexpected resulted in multiple readback entities');
+            }
+            return result[0];
+        });
+    }
+}
+exports.PolicyProxyHandler = PolicyProxyHandler;
+//# sourceMappingURL=handler.js.map

package/enhancements/policy/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/enhancements/policy/handler.ts"],"names":[],"mappings":";AAAA,uDAAuD;;;;;;;;;;;;AAEvD,oDAAqE;AACrE,+BAA8B;AAI9B,qCAAkC;AAClC,iDAA4C;AAE5C;;GAEG;AACH,MAAa,kBAAkB;IAI3B,YACqB,MAAgB,EAChB,MAAiB,EACjB,SAAoB,EACpB,KAAa,EACb,IAAe;QAJf,WAAM,GAAN,MAAM,CAAU;QAChB,WAAM,GAAN,MAAM,CAAW;QACjB,cAAS,GAAT,SAAS,CAAW;QACpB,UAAK,GAAL,KAAK,CAAQ;QACb,SAAI,GAAJ,IAAI,CAAW;QAEhC,IAAI,CAAC,MAAM,GAAG,IAAI,eAAM,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK,GAAG,IAAI,yBAAU,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACrF,CAAC;IAED,IAAY,WAAW;QACnB,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAEK,UAAU,CAAC,IAAS;;;YACtB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;gBACb,MAAM,IAAI,qCAA2B,CAAC,2CAA2C,CAAC,CAAC;aACtF;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAClE,OAAO,MAAA,QAAQ,CAAC,CAAC,CAAC,mCAAI,IAAI,CAAC;;KAC9B;IAEK,iBAAiB,CAAC,IAAS;;YAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YAC3C,IAAI,CAAC,MAAM,EAAE;gBACT,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;aACzC;YACD,OAAO,MAAM,CAAC;QAClB,CAAC;KAAA;IAEK,SAAS,CAAC,IAAS;;;YACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAClE,OAAO,MAAA,QAAQ,CAAC,CAAC,CAAC,mCAAI,IAAI,CAAC;;KAC9B;IAEK,gBAAgB,CAAC,IAAS;;YAC5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAC1C,IAAI,CAAC,MAAM,EAAE;gBACT,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;aACzC;YACD,OAAO,MAAM,CAAC;QAClB,CAAC;KAAA;IAEK,QAAQ,CAAC,IAAS;;YACpB,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACtD,CAAC;KAAA;IAEK,MAAM,CAAC,IAAS;;YAClB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBACZ,MAAM,IAAI,qCAA2B,CAAC,0CAA0C,CAAC,CAAC;aACrF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC;YACtB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,2EAA2E;YAC3E,+BAA+B;YAC/B,MAAM,MAAM,GAAQ,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC/F,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAC1B,CAAC;YAEF,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE;gBAC7C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,8CAA8C,CAAC,CAAC;aACjF;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACxG,CAAC;KAAA;IAEK,UAAU,CAAC,IAAS,EAAE,cAAwB;;YAChD,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBACZ,MAAM,IAAI,qCAA2B,CAAC,6CAA6C,CAAC,CAAC;aACxF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,2EAA2E;YAC3E,+BAA+B;YAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC1F,KAAK,CAAC,UAAU,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9C,CAAC;YAEF,OAAO,MAAqB,CAAC;QACjC,CAAC;KAAA;IAEK,MAAM,CAAC,IAAS;;YAClB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;gBACb,MAAM,IAAI,qCAA2B,CAAC,2CAA2C,CAAC,CAAC;aACtF;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBACZ,MAAM,IAAI,qCAA2B,CAAC,0CAA0C,CAAC,CAAC;aACrF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC;YACtB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,0EAA0E;YAC1E,+BAA+B;YAC/B,MAAM,MAAM,GAAQ,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC/F,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAC1B,CAAC;YAEF,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE;gBAC7C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,8CAA8C,CAAC,CAAC;aACjF;YACD,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACxG,CAAC;KAAA;IAEK,UAAU,CAAC,IAAS;;YACtB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBACZ,MAAM,IAAI,qCAA2B,CAAC,0CAA0C,CAAC,CAAC;aACrF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,0EAA0E;YAC1E,+BAA+B;YAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC9F,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,CAC9B,CAAC;YAEF,OAAO,MAAqB,CAAC;QACjC,CAAC;KAAA;IAEK,MAAM,CAAC,IAAS;;YAClB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;gBACb,MAAM,IAAI,qCAA2B,CAAC,2CAA2C,CAAC,CAAC;aACtF;YACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;gBACd,MAAM,IAAI,qCAA2B,CAAC,4CAA4C,CAAC,CAAC;aACvF;YACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;gBACd,MAAM,IAAI,qCAA2B,CAAC,4CAA4C,CAAC,CAAC;aACvF;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC;YACtB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9B,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAC/B,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,0EAA0E;YAC1E,+BAA+B;YAC/B,MAAM,MAAM,GAAQ,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAC/F,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAC1B,CAAC;YAEF,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE;gBAC7C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,8CAA8C,CAAC,CAAC;aACjF;YAED,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACxG,CAAC;KAAA;IAEK,MAAM,CAAC,IAAS;;YAClB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;gBACb,MAAM,IAAI,qCAA2B,CAAC,2CAA2C,CAAC,CAAC;aACtF;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,sDAAsD;YACtD,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YAErF,+DAA+D;YAC/D,IAAI,UAAe,CAAC;YACpB,IAAI;gBACA,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;gBAC/D,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;aACzB;YAAC,OAAO,GAAG,EAAE;gBACV,eAAe;gBACf,UAAU,GAAG,SAAS,CAAC;aAC1B;YAED,uBAAuB;YACvB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,IAAI,CAAC,KAAK,MAAM,IAAA,aAAM,EAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACtE,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAEpC,IAAI,CAAC,UAAU,EAAE;gBACb,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,qBAAqB,CAAC,CAAC;aAChF;iBAAM;gBACH,OAAO,UAAU,CAAC;aACrB;QACL,CAAC;KAAA;IAEK,UAAU,CAAC,IAAS;;YACtB,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAE/B,2BAA2B;YAC3B,IAAI,GAAG,IAAI,aAAJ,IAAI,cAAJ,IAAI,GAAI,EAAE,CAAC;YAClB,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAE7D,uBAAuB;YACvB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAI,CAAC,KAAK,MAAM,IAAA,aAAM,EAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;KAAA;IAEK,SAAS,CAAC,IAAS;;YACrB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAE7B,2BAA2B;YAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5C,CAAC;KAAA;IAEK,OAAO,CAAC,IAAS;;YACnB,IAAI,CAAC,IAAI,EAAE;gBACP,MAAM,IAAI,qCAA2B,CAAC,4BAA4B,CAAC,CAAC;aACvE;YAED,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAE7B,2BAA2B;YAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAE3D,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;KAAA;IAEK,KAAK,CAAC,IAAS;;YACjB,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAE7B,2BAA2B;YAC3B,IAAI,GAAG,IAAI,aAAJ,IAAI,cAAJ,IAAI,GAAI,EAAE,CAAC;YAClB,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACxC,CAAC;KAAA;IAEK,SAAS,CAAC,SAA8B;;YAC1C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YACnE,IAAI,KAAK,KAAK,KAAK,EAAE;gBACjB,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;aAC1D;QACL,CAAC;KAAA;IAEa,aAAa,CAAC,QAAa,EAAE,EAAO,EAAE,MAAc,EAAE,SAA8B;;YAC9F,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,QAAQ,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC;YACvG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACpE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE;gBACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,6BAA6B,CAAC,CAAC;gBACzD,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC;aACjF;iBAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE;gBAC1B,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,yDAAyD,CAAC,CAAC;aAC5F;YACD,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;KAAA;CACJ;AA5RD,gDA4RC"}

package/enhancements/policy/index.d.ts

@@ -0,0 +1,17 @@
+import { AuthUser } from '../../types';
+import { ModelMeta, PolicyDef } from '../types';
+/**
+ * Context for evaluating access policies
+ */
+export type WithPolicyContext = {
+    user?: AuthUser;
+};
+/**
+ * Gets an enhanced Prisma client with access policy check.
+ *
+ * @param prisma The original Prisma client
+ * @param context The policy evaluation context
+ * @param policy The policy definition, will be loaded from default location if not provided
+ * @param modelMeta The model metadata, will be loaded from default location if not provided
+ */
+export declare function withPolicy<DbClient extends object>(prisma: DbClient, context?: WithPolicyContext, policy?: PolicyDef, modelMeta?: ModelMeta): DbClient;

package/enhancements/policy/index.js

@@ -0,0 +1,31 @@
+"use strict";
+/* eslint-disable @typescript-eslint/no-explicit-any */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withPolicy = void 0;
+const model_meta_1 = require("../model-meta");
+const proxy_1 = require("../proxy");
+const handler_1 = require("./handler");
+/**
+ * Gets an enhanced Prisma client with access policy check.
+ *
+ * @param prisma The original Prisma client
+ * @param context The policy evaluation context
+ * @param policy The policy definition, will be loaded from default location if not provided
+ * @param modelMeta The model metadata, will be loaded from default location if not provided
+ */
+function withPolicy(prisma, context, policy, modelMeta) {
+    const _policy = policy !== null && policy !== void 0 ? policy : getDefaultPolicy();
+    const _modelMeta = modelMeta !== null && modelMeta !== void 0 ? modelMeta : (0, model_meta_1.getDefaultModelMeta)();
+    return (0, proxy_1.makeProxy)(prisma, _modelMeta, (_prisma, model) => new handler_1.PolicyProxyHandler(_prisma, _policy, _modelMeta, model, context === null || context === void 0 ? void 0 : context.user), 'policy');
+}
+exports.withPolicy = withPolicy;
+function getDefaultPolicy() {
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-var-requires
+        return require('.zenstack/policy').default;
+    }
+    catch (_a) {
+        throw new Error('Policy definition cannot be loaded from default location');
+    }
+}
+//# sourceMappingURL=index.js.map

package/enhancements/policy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/enhancements/policy/index.ts"],"names":[],"mappings":";AAAA,uDAAuD;;;AAGvD,8CAAoD;AACpD,oCAAqC;AAErC,uCAA+C;AAS/C;;;;;;;GAOG;AACH,SAAgB,UAAU,CACtB,MAAgB,EAChB,OAA2B,EAC3B,MAAkB,EAClB,SAAqB;IAErB,MAAM,OAAO,GAAG,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,gBAAgB,EAAE,CAAC;IAC7C,MAAM,UAAU,GAAG,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,IAAA,gCAAmB,GAAE,CAAC;IACtD,OAAO,IAAA,iBAAS,EACZ,MAAM,EACN,UAAU,EACV,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CACf,IAAI,4BAAkB,CAAC,OAA2B,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,IAAI,CAAC,EAClG,QAAQ,CACX,CAAC;AACN,CAAC;AAfD,gCAeC;AAED,SAAS,gBAAgB;IACrB,IAAI;QACA,8DAA8D;QAC9D,OAAO,OAAO,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC;KAC9C;IAAC,WAAM;QACJ,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;KAC/E;AACL,CAAC"}

package/{lib/proxy → enhancements/policy}/logger.d.ts

@@ -1,3 +1,6 @@
+/**
+ * A logger that uses an existing Prisma client to emit.
+ */
 export declare class Logger {
     private readonly prisma;
     constructor(prisma: any);

package/{lib/proxy → enhancements/policy}/logger.js

@@ -1,6 +1,10 @@
 "use strict";
+/* eslint-disable @typescript-eslint/no-explicit-any */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Logger = void 0;
+/**
+ * A logger that uses an existing Prisma client to emit.
+ */
 class Logger {
     constructor(prisma) {
         this.prisma = prisma;

package/enhancements/policy/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../../src/enhancements/policy/logger.ts"],"names":[],"mappings":";AAAA,uDAAuD;;;AAIvD;;GAEG;AACH,MAAa,MAAM;IACf,YAA6B,MAAW;QAAX,WAAM,GAAN,MAAM,CAAK;IAAG,CAAC;IAE5C,IAAY,OAAO;QACf,MAAM,MAAM,GAAI,IAAI,CAAC,MAAc,CAAC,SAAS,EAAE,CAAC;QAChD,OAAO,MAAM,CAAC,CAAC,CAAE,MAAM,CAAC,UAA2B,CAAC,CAAC,CAAC,SAAS,CAAC;IACpE,CAAC;IAEM,GAAG,CAAC,KAAgC,EAAE,OAAe;;QACxD,MAAA,IAAI,CAAC,OAAO,0CAAE,IAAI,CAAC,KAAK,EAAE;YACtB,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,OAAO;YACP,MAAM,EAAE,UAAU;SACrB,CAAC,CAAC;IACP,CAAC;IAED;;OAEG;IACI,IAAI,CAAC,OAAe;QACvB,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,IAAI,CAAC,OAAe;QACvB,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,OAAe;QACxB,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC/B,CAAC;CACJ;AApCD,wBAoCC"}

package/enhancements/policy/policy-utils.d.ts

@@ -0,0 +1,78 @@
+import { PrismaClientKnownRequestError, PrismaClientUnknownRequestError } from '@prisma/client/runtime';
+import { AuthUser, DbClientContract, DbOperations, FieldInfo, PolicyOperationKind, PrismaWriteActionType } from '../../types';
+import { ModelMeta, PolicyDef } from '../types';
+/**
+ * Access policy enforcement utilities
+ */
+export declare class PolicyUtil {
+    private readonly db;
+    private readonly modelMeta;
+    private readonly policy;
+    private readonly user?;
+    private readonly logger;
+    constructor(db: DbClientContract, modelMeta: ModelMeta, policy: PolicyDef, user?: AuthUser | undefined);
+    /**
+     * Creates a conjunction of a list of query conditions.
+     */
+    and(...conditions: (boolean | object)[]): any;
+    /**
+     * Creates a disjunction of a list of query conditions.
+     */
+    or(...conditions: (boolean | object)[]): any;
+    /**
+     * Gets pregenerated authorization guard object for a given model and operation.
+     *
+     * @returns true if operation is unconditionally allowed, false if unconditionally denied,
+     * otherwise returns a guard object
+     */
+    getAuthGuard(model: string, operation: PolicyOperationKind, preValue?: any): Promise<boolean | object>;
+    private getPreValueSelect;
+    private getModelSchema;
+    /**
+     * Injects model auth guard as where clause.
+     */
+    injectAuthGuard(args: any, model: string, operation: PolicyOperationKind): Promise<void>;
+    /**
+     * Read model entities w.r.t the given query args. The result list
+     * are guaranteed to fully satisfy 'read' policy rules recursively.
+     *
+     * For to-many relations involved, items not satisfying policy are
+     * silently trimmed. For to-one relation, if relation data fails policy
+     * an error is thrown.
+     */
+    readWithCheck(model: string, args: any): Promise<unknown[]>;
+    private injectNestedReadConditions;
+    /**
+     * Post processing checks for read model entities. Validates to-one relations
+     * (which can't be trimmed at query time) and removes fields that should be
+     * omitted.
+     */
+    postProcessForRead(entityData: any, model: string, args: any, operation: PolicyOperationKind): Promise<void>;
+    /**
+     * Process Prisma write actions.
+     */
+    processWrite(model: string, action: PrismaWriteActionType, args: any, writeAction: (dbOps: DbOperations, writeArgs: any) => Promise<unknown>): Promise<any>;
+    private transaction;
+    deniedByPolicy(model: string, operation: PolicyOperationKind, extra?: string): PrismaClientKnownRequestError;
+    notFound(model: string): PrismaClientKnownRequestError;
+    unknownError(message: string): PrismaClientUnknownRequestError;
+    /**
+     * Given a filter, check if applying access policy filtering will result
+     * in data being trimmed, and if so, throw an error.
+     */
+    checkPolicyForFilter(model: string, filter: any, operation: PolicyOperationKind, db: Record<string, DbOperations>): Promise<void>;
+    private checkPostUpdate;
+    private isToOneRelation;
+    /**
+     * Clones an object and makes sure it's not empty.
+     */
+    clone(value: unknown): {};
+    /**
+     * Gets "id" field for a given model.
+     */
+    getIdField(model: string): FieldInfo;
+    /**
+     * Gets id field value from an entity.
+     */
+    getEntityId(model: string, entityData: any): any;
+}