@zenstackhq/runtime 1.0.0-beta.2 → 1.0.0-beta.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83) hide show
  1. package/browser/index.d.mts +13 -0
  2. package/browser/index.d.ts +13 -0
  3. package/browser/index.js +70 -0
  4. package/browser/index.js.map +1 -0
  5. package/browser/index.mjs +32 -0
  6. package/browser/index.mjs.map +1 -0
  7. package/constants.d.ts +58 -13
  8. package/constants.js +60 -14
  9. package/constants.js.map +1 -1
  10. package/enhancements/enhance.d.ts +18 -0
  11. package/enhancements/enhance.js +42 -0
  12. package/enhancements/enhance.js.map +1 -0
  13. package/enhancements/index.d.ts +5 -0
  14. package/enhancements/index.js +5 -0
  15. package/enhancements/index.js.map +1 -1
  16. package/enhancements/model-data-visitor.d.ts +16 -0
  17. package/enhancements/model-data-visitor.js +41 -0
  18. package/enhancements/model-data-visitor.js.map +1 -0
  19. package/enhancements/model-meta.d.ts +6 -1
  20. package/enhancements/model-meta.js +23 -2
  21. package/enhancements/model-meta.js.map +1 -1
  22. package/enhancements/nested-write-vistor.d.ts +21 -16
  23. package/enhancements/nested-write-vistor.js +73 -34
  24. package/enhancements/nested-write-vistor.js.map +1 -1
  25. package/enhancements/omit.d.ts +1 -1
  26. package/enhancements/policy/handler.d.ts +36 -20
  27. package/enhancements/policy/handler.js +824 -159
  28. package/enhancements/policy/handler.js.map +1 -1
  29. package/enhancements/policy/index.d.ts +6 -2
  30. package/enhancements/policy/index.js +53 -3
  31. package/enhancements/policy/index.js.map +1 -1
  32. package/enhancements/policy/logger.js +1 -1
  33. package/enhancements/policy/logger.js.map +1 -1
  34. package/enhancements/policy/policy-utils.d.ts +106 -46
  35. package/enhancements/policy/policy-utils.js +744 -624
  36. package/enhancements/policy/policy-utils.js.map +1 -1
  37. package/enhancements/policy/promise.d.ts +5 -0
  38. package/enhancements/policy/promise.js +42 -0
  39. package/enhancements/policy/promise.js.map +1 -0
  40. package/enhancements/preset.d.ts +3 -8
  41. package/enhancements/preset.js +2 -4
  42. package/enhancements/preset.js.map +1 -1
  43. package/enhancements/proxy.d.ts +3 -1
  44. package/enhancements/proxy.js +45 -28
  45. package/enhancements/proxy.js.map +1 -1
  46. package/enhancements/types.d.ts +25 -8
  47. package/enhancements/types.js +1 -0
  48. package/enhancements/types.js.map +1 -1
  49. package/enhancements/utils.d.ts +4 -0
  50. package/enhancements/utils.js +60 -10
  51. package/enhancements/utils.js.map +1 -1
  52. package/enhancements/where-visitor.d.ts +33 -0
  53. package/enhancements/where-visitor.js +87 -0
  54. package/enhancements/where-visitor.js.map +1 -0
  55. package/error.js +9 -3
  56. package/error.js.map +1 -1
  57. package/index.d.ts +3 -2
  58. package/index.js +3 -2
  59. package/index.js.map +1 -1
  60. package/package.json +33 -9
  61. package/types.d.ts +24 -14
  62. package/types.js +2 -0
  63. package/types.js.map +1 -1
  64. package/validation.d.ts +5 -0
  65. package/validation.js +13 -1
  66. package/validation.js.map +1 -1
  67. package/version.d.ts +5 -0
  68. package/version.js +34 -1
  69. package/version.js.map +1 -1
  70. package/zod/index.d.ts +3 -0
  71. package/zod/index.js +5 -0
  72. package/zod/input.d.ts +1 -0
  73. package/zod/input.js +8 -0
  74. package/zod/models.d.ts +1 -0
  75. package/zod/models.js +8 -0
  76. package/zod/objects.d.ts +1 -0
  77. package/zod/objects.js +8 -0
  78. package/serialization-utils.d.ts +0 -1
  79. package/serialization-utils.js +0 -22
  80. package/serialization-utils.js.map +0 -1
  81. package/zod.d.ts +0 -10
  82. package/zod.js +0 -17
  83. package/zod.js.map +0 -1
package/enhancements/policy/policy-utils.js CHANGED
@@ -14,631 +14,692 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
14
14
  };
15
15
  Object.defineProperty(exports, "__esModule", { value: true });
16
16
  exports.PolicyUtil = void 0;
17
- const cuid2_1 = require("@paralleldrive/cuid2");
18
17
  const deepcopy_1 = __importDefault(require("deepcopy"));
19
18
  const lower_case_first_1 = require("lower-case-first");
20
- const pluralize_1 = __importDefault(require("pluralize"));
19
+ const upper_case_first_1 = require("upper-case-first");
21
20
  const zod_validation_error_1 = require("zod-validation-error");
22
21
  const constants_1 = require("../../constants");
23
22
  const version_1 = require("../../version");
24
23
  const model_meta_1 = require("../model-meta");
25
- const nested_write_vistor_1 = require("../nested-write-vistor");
26
24
  const utils_1 = require("../utils");
27
25
  const logger_1 = require("./logger");
28
26
  /**
29
27
  * Access policy enforcement utilities
30
28
  */
31
29
  class PolicyUtil {
32
- constructor(db, modelMeta, policy, user, logPrismaQuery) {
30
+ constructor(db, modelMeta, policy, zodSchemas, user, shouldLogQuery = false) {
33
31
  this.db = db;
34
32
  this.modelMeta = modelMeta;
35
33
  this.policy = policy;
34
+ this.zodSchemas = zodSchemas;
36
35
  this.user = user;
37
- this.logPrismaQuery = logPrismaQuery;
36
+ this.shouldLogQuery = shouldLogQuery;
38
37
  this.logger = new logger_1.Logger(db);
39
38
  }
39
+ //#region Logical operators
40
40
  /**
41
41
  * Creates a conjunction of a list of query conditions.
42
42
  */
43
43
  and(...conditions) {
44
- if (conditions.includes(false)) {
45
- // always false
46
- return { [constants_1.GUARD_FIELD_NAME]: false };
47
- }
48
- const filtered = conditions.filter((c) => typeof c === 'object' && !!c && Object.keys(c).length > 0);
49
- if (filtered.length === 0) {
50
- return undefined;
51
- }
52
- else if (filtered.length === 1) {
53
- return filtered[0];
54
- }
55
- else {
56
- return { AND: filtered };
57
- }
44
+ return this.reduce({ AND: conditions });
58
45
  }
59
46
  /**
60
47
  * Creates a disjunction of a list of query conditions.
61
48
  */
62
49
  or(...conditions) {
63
- if (conditions.includes(true)) {
64
- // always true
65
- return { [constants_1.GUARD_FIELD_NAME]: true };
50
+ return this.reduce({ OR: conditions });
51
+ }
52
+ /**
53
+ * Creates a negation of a query condition.
54
+ */
55
+ not(condition) {
56
+ if (condition === undefined) {
57
+ return this.makeTrue();
66
58
  }
67
- const filtered = conditions.filter((c) => typeof c === 'object' && !!c);
68
- if (filtered.length === 0) {
69
- return undefined;
59
+ else if (typeof condition === 'boolean') {
60
+ return this.reduce(!condition);
61
+ }
62
+ else {
63
+ return this.reduce({ NOT: condition });
70
64
  }
71
- else if (filtered.length === 1) {
72
- return filtered[0];
65
+ }
66
+ // Static True/False conditions
67
+ // https://www.prisma.io/docs/concepts/components/prisma-client/null-and-undefined#the-effect-of-null-and-undefined-on-conditionals
68
+ isTrue(condition) {
69
+ if (condition === null || condition === undefined) {
70
+ return false;
73
71
  }
74
72
  else {
75
- return { OR: filtered };
73
+ return ((typeof condition === 'object' && Object.keys(condition).length === 0) ||
74
+ ('AND' in condition && Array.isArray(condition.AND) && condition.AND.length === 0));
76
75
  }
77
76
  }
78
- /**
79
- * Creates a negation of a query condition.
80
- */
81
- not(condition) {
82
- if (typeof condition === 'boolean') {
83
- return !condition;
77
+ isFalse(condition) {
78
+ if (condition === null || condition === undefined) {
79
+ return false;
84
80
  }
85
81
  else {
86
- return { NOT: condition };
82
+ return 'OR' in condition && Array.isArray(condition.OR) && condition.OR.length === 0;
83
+ }
84
+ }
85
+ makeTrue() {
86
+ return { AND: [] };
87
+ }
88
+ makeFalse() {
89
+ return { OR: [] };
90
+ }
91
+ reduce(condition) {
92
+ if (condition === true || condition === undefined) {
93
+ return this.makeTrue();
94
+ }
95
+ if (condition === false) {
96
+ return this.makeFalse();
97
+ }
98
+ if ('AND' in condition && Array.isArray(condition.AND)) {
99
+ const children = condition.AND.map((c) => this.reduce(c)).filter((c) => c !== undefined && !this.isTrue(c));
100
+ if (children.length === 0) {
101
+ return this.makeTrue();
102
+ }
103
+ else if (children.some((c) => this.isFalse(c))) {
104
+ return this.makeFalse();
105
+ }
106
+ else if (children.length === 1) {
107
+ return children[0];
108
+ }
109
+ else {
110
+ return { AND: children };
111
+ }
112
+ }
113
+ if ('OR' in condition && Array.isArray(condition.OR)) {
114
+ const children = condition.OR.map((c) => this.reduce(c)).filter((c) => c !== undefined && !this.isFalse(c));
115
+ if (children.length === 0) {
116
+ return this.makeFalse();
117
+ }
118
+ else if (children.some((c) => this.isTrue(c))) {
119
+ return this.makeTrue();
120
+ }
121
+ else if (children.length === 1) {
122
+ return children[0];
123
+ }
124
+ else {
125
+ return { OR: children };
126
+ }
87
127
  }
128
+ if ('NOT' in condition && condition.NOT !== null && typeof condition.NOT === 'object') {
129
+ const child = this.reduce(condition.NOT);
130
+ if (this.isTrue(child)) {
131
+ return this.makeFalse();
132
+ }
133
+ else if (this.isFalse(child)) {
134
+ return this.makeTrue();
135
+ }
136
+ else {
137
+ return { NOT: child };
138
+ }
139
+ }
140
+ return condition;
88
141
  }
142
+ //#endregion
143
+ //# Auth guard
89
144
  /**
90
145
  * Gets pregenerated authorization guard object for a given model and operation.
91
146
  *
92
147
  * @returns true if operation is unconditionally allowed, false if unconditionally denied,
93
148
  * otherwise returns a guard object
94
149
  */
95
- getAuthGuard(model, operation, preValue) {
96
- return __awaiter(this, void 0, void 0, function* () {
97
- const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
98
- if (!guard) {
99
- throw this.unknownError(`unable to load policy guard for ${model}`);
100
- }
101
- const provider = guard[operation];
102
- if (typeof provider === 'boolean') {
103
- return provider;
104
- }
105
- if (!provider) {
106
- throw this.unknownError(`zenstack: unable to load authorization guard for ${model}`);
107
- }
108
- return provider({ user: this.user, preValue });
109
- });
150
+ getAuthGuard(db, model, operation, preValue) {
151
+ const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
152
+ if (!guard) {
153
+ throw this.unknownError(`unable to load policy guard for ${model}`);
154
+ }
155
+ const provider = guard[operation];
156
+ if (typeof provider === 'boolean') {
157
+ return this.reduce(provider);
158
+ }
159
+ if (!provider) {
160
+ throw this.unknownError(`zenstack: unable to load authorization guard for ${model}`);
161
+ }
162
+ const r = provider({ user: this.user, preValue }, db);
163
+ return this.reduce(r);
110
164
  }
111
- getPreValueSelect(model) {
112
- return __awaiter(this, void 0, void 0, function* () {
113
- const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
114
- if (!guard) {
115
- throw this.unknownError(`unable to load policy guard for ${model}`);
116
- }
117
- return guard.preValueSelect;
118
- });
165
+ /**
166
+ * Get field-level auth guard
167
+ */
168
+ getFieldUpdateAuthGuard(db, model, field) {
169
+ const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
170
+ if (!guard) {
171
+ throw this.unknownError(`unable to load policy guard for ${model}`);
172
+ }
173
+ const provider = guard[`${constants_1.FIELD_LEVEL_UPDATE_GUARD_PREFIX}${field}`];
174
+ if (typeof provider === 'boolean') {
175
+ return this.reduce(provider);
176
+ }
177
+ if (!provider) {
178
+ return this.makeTrue();
179
+ }
180
+ const r = provider({ user: this.user }, db);
181
+ return this.reduce(r);
119
182
  }
120
- getModelSchema(model) {
121
- return __awaiter(this, void 0, void 0, function* () {
122
- return this.policy.schema[(0, lower_case_first_1.lowerCaseFirst)(model)];
123
- });
183
+ /**
184
+ * Checks if the given model has a policy guard for the given operation.
185
+ */
186
+ hasAuthGuard(model, operation) {
187
+ const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
188
+ if (!guard) {
189
+ return false;
190
+ }
191
+ const provider = guard[operation];
192
+ return typeof provider !== 'boolean' || provider !== true;
193
+ }
194
+ /**
195
+ * Checks model creation policy based on static analysis to the input args.
196
+ *
197
+ * @returns boolean if static analysis is enough to determine the result, undefined if not
198
+ */
199
+ checkInputGuard(model, args, operation) {
200
+ const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
201
+ if (!guard) {
202
+ return undefined;
203
+ }
204
+ const provider = guard[`${operation}_input`];
205
+ if (typeof provider === 'boolean') {
206
+ return provider;
207
+ }
208
+ if (!provider) {
209
+ return undefined;
210
+ }
211
+ return provider(args, { user: this.user });
124
212
  }
125
213
  /**
126
214
  * Injects model auth guard as where clause.
127
215
  */
128
- injectAuthGuard(args, model, operation) {
129
- return __awaiter(this, void 0, void 0, function* () {
130
- if (args.where) {
131
- // inject into relation fields:
132
- // to-many: some/none/every
133
- // to-one: direct-conditions/is/isNot
134
- yield this.injectGuardForFields(model, args.where, operation);
135
- }
136
- const guard = yield this.getAuthGuard(model, operation);
137
- args.where = this.and(args.where, guard);
138
- });
216
+ injectAuthGuard(db, args, model, operation) {
217
+ let guard = this.getAuthGuard(db, model, operation);
218
+ if (this.isFalse(guard)) {
219
+ args.where = this.makeFalse();
220
+ return false;
221
+ }
222
+ if (operation === 'update' && args) {
223
+ // merge field-level policy guards
224
+ const fieldUpdateGuard = this.getFieldUpdateGuards(db, model, args);
225
+ if (fieldUpdateGuard.rejectedByField) {
226
+ // rejected
227
+ args.where = this.makeFalse();
228
+ return false;
229
+ }
230
+ else if (fieldUpdateGuard.guard) {
231
+ // merge
232
+ guard = this.and(guard, fieldUpdateGuard.guard);
233
+ }
234
+ }
235
+ if (args.where) {
236
+ // inject into relation fields:
237
+ // to-many: some/none/every
238
+ // to-one: direct-conditions/is/isNot
239
+ this.injectGuardForRelationFields(db, model, args.where, operation);
240
+ }
241
+ args.where = this.and(args.where, guard);
242
+ return true;
139
243
  }
140
- injectGuardForFields(model, payload, operation) {
141
- return __awaiter(this, void 0, void 0, function* () {
142
- for (const [field, subPayload] of Object.entries(payload)) {
143
- if (!subPayload) {
144
- continue;
145
- }
146
- const fieldInfo = yield (0, model_meta_1.resolveField)(this.modelMeta, model, field);
147
- if (!fieldInfo || !fieldInfo.isDataModel) {
148
- continue;
149
- }
150
- if (fieldInfo.isArray) {
151
- yield this.injectGuardForToManyField(fieldInfo, subPayload, operation);
152
- }
153
- else {
154
- yield this.injectGuardForToOneField(fieldInfo, subPayload, operation);
155
- }
244
+ injectGuardForRelationFields(db, model, payload, operation) {
245
+ for (const [field, subPayload] of Object.entries(payload)) {
246
+ if (!subPayload) {
247
+ continue;
156
248
  }
157
- });
249
+ const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
250
+ if (!fieldInfo || !fieldInfo.isDataModel) {
251
+ continue;
252
+ }
253
+ if (fieldInfo.isArray) {
254
+ this.injectGuardForToManyField(db, fieldInfo, subPayload, operation);
255
+ }
256
+ else {
257
+ this.injectGuardForToOneField(db, fieldInfo, subPayload, operation);
258
+ }
259
+ }
158
260
  }
159
- injectGuardForToManyField(fieldInfo, payload, operation) {
160
- return __awaiter(this, void 0, void 0, function* () {
161
- const guard = yield this.getAuthGuard(fieldInfo.type, operation);
162
- if (payload.some) {
163
- yield this.injectGuardForFields(fieldInfo.type, payload.some, operation);
164
- // turn "some" into: { some: { AND: [guard, payload.some] } }
165
- payload.some = this.and(payload.some, guard);
166
- }
167
- if (payload.none) {
168
- yield this.injectGuardForFields(fieldInfo.type, payload.none, operation);
169
- // turn none into: { none: { AND: [guard, payload.none] } }
170
- payload.none = this.and(payload.none, guard);
171
- }
172
- if (payload.every &&
173
- typeof payload.every === 'object' &&
174
- // ignore empty every clause
175
- Object.keys(payload.every).length > 0) {
176
- yield this.injectGuardForFields(fieldInfo.type, payload.every, operation);
177
- // turn "every" into: { none: { AND: [guard, { NOT: payload.every }] } }
178
- if (!payload.none) {
179
- payload.none = {};
180
- }
181
- payload.none = this.and(payload.none, guard, this.not(payload.every));
182
- delete payload.every;
261
+ injectGuardForToManyField(db, fieldInfo, payload, operation) {
262
+ const guard = this.getAuthGuard(db, fieldInfo.type, operation);
263
+ if (payload.some) {
264
+ this.injectGuardForRelationFields(db, fieldInfo.type, payload.some, operation);
265
+ // turn "some" into: { some: { AND: [guard, payload.some] } }
266
+ payload.some = this.and(payload.some, guard);
267
+ }
268
+ if (payload.none) {
269
+ this.injectGuardForRelationFields(db, fieldInfo.type, payload.none, operation);
270
+ // turn none into: { none: { AND: [guard, payload.none] } }
271
+ payload.none = this.and(payload.none, guard);
272
+ }
273
+ if (payload.every &&
274
+ typeof payload.every === 'object' &&
275
+ // ignore empty every clause
276
+ Object.keys(payload.every).length > 0) {
277
+ this.injectGuardForRelationFields(db, fieldInfo.type, payload.every, operation);
278
+ // turn "every" into: { none: { AND: [guard, { NOT: payload.every }] } }
279
+ if (!payload.none) {
280
+ payload.none = {};
183
281
  }
184
- });
282
+ payload.none = this.and(payload.none, guard, this.not(payload.every));
283
+ delete payload.every;
284
+ }
185
285
  }
186
- injectGuardForToOneField(fieldInfo, payload, operation) {
187
- return __awaiter(this, void 0, void 0, function* () {
188
- const guard = yield this.getAuthGuard(fieldInfo.type, operation);
189
- if (payload.is || payload.isNot) {
190
- if (payload.is) {
191
- yield this.injectGuardForFields(fieldInfo.type, payload.is, operation);
192
- // turn "is" into: { is: { AND: [ originalIs, guard ] }
193
- payload.is = this.and(payload.is, guard);
194
- }
195
- if (payload.isNot) {
196
- yield this.injectGuardForFields(fieldInfo.type, payload.isNot, operation);
197
- // turn "isNot" into: { isNot: { AND: [ originalIsNot, { NOT: guard } ] } }
198
- payload.isNot = this.and(payload.isNot, this.not(guard));
199
- delete payload.isNot;
200
- }
286
+ injectGuardForToOneField(db, fieldInfo, payload, operation) {
287
+ const guard = this.getAuthGuard(db, fieldInfo.type, operation);
288
+ if (payload.is || payload.isNot) {
289
+ if (payload.is) {
290
+ this.injectGuardForRelationFields(db, fieldInfo.type, payload.is, operation);
291
+ // turn "is" into: { is: { AND: [ originalIs, guard ] }
292
+ payload.is = this.and(payload.is, guard);
201
293
  }
202
- else {
203
- yield this.injectGuardForFields(fieldInfo.type, payload, operation);
204
- // turn direct conditions into: { is: { AND: [ originalConditions, guard ] } }
205
- const combined = this.and((0, deepcopy_1.default)(payload), guard);
206
- Object.keys(payload).forEach((key) => delete payload[key]);
207
- payload.is = combined;
294
+ if (payload.isNot) {
295
+ this.injectGuardForRelationFields(db, fieldInfo.type, payload.isNot, operation);
296
+ // turn "isNot" into: { isNot: { AND: [ originalIsNot, { NOT: guard } ] } }
297
+ payload.isNot = this.and(payload.isNot, this.not(guard));
298
+ delete payload.isNot;
208
299
  }
209
- });
300
+ }
301
+ else {
302
+ this.injectGuardForRelationFields(db, fieldInfo.type, payload, operation);
303
+ // turn direct conditions into: { is: { AND: [ originalConditions, guard ] } }
304
+ const combined = this.and((0, deepcopy_1.default)(payload), guard);
305
+ Object.keys(payload).forEach((key) => delete payload[key]);
306
+ payload.is = combined;
307
+ }
210
308
  }
211
309
  /**
212
- * Read model entities w.r.t the given query args. The result list
213
- * are guaranteed to fully satisfy 'read' policy rules recursively.
214
- *
215
- * For to-many relations involved, items not satisfying policy are
216
- * silently trimmed. For to-one relation, if relation data fails policy
217
- * an error is thrown.
310
+ * Injects auth guard for read operations.
218
311
  */
219
- readWithCheck(model, args) {
220
- return __awaiter(this, void 0, void 0, function* () {
221
- args = this.clone(args);
222
- if (args.where) {
223
- // query args will be used with findMany, so we need to
224
- // translate unique constraint filters into a flat filter
225
- // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
226
- yield this.flattenGeneratedUniqueField(model, args.where);
227
- }
228
- yield this.injectAuthGuard(args, model, 'read');
229
- // recursively inject read guard conditions into the query args
230
- yield this.injectNestedReadConditions(model, args);
231
- if (this.shouldLogQuery) {
232
- this.logger.info(`[withPolicy] \`findMany\`:\n${(0, utils_1.formatObject)(args)}`);
312
+ injectForRead(db, model, args) {
313
+ const injected = {};
314
+ if (!this.injectAuthGuard(db, injected, model, 'read')) {
315
+ return false;
316
+ }
317
+ if (args.where) {
318
+ // inject into relation fields:
319
+ // to-many: some/none/every
320
+ // to-one: direct-conditions/is/isNot
321
+ this.injectGuardForRelationFields(db, model, args.where, 'read');
322
+ }
323
+ if (injected.where && Object.keys(injected.where).length > 0 && !this.isTrue(injected.where)) {
324
+ if (!args.where) {
325
+ args.where = injected.where;
233
326
  }
234
- const result = yield this.db[model].findMany(args);
235
- yield this.postProcessForRead(result, model, args, 'read');
236
- return result;
237
- });
327
+ else {
328
+ this.mergeWhereClause(args.where, injected.where);
329
+ }
330
+ }
331
+ // recursively inject read guard conditions into nested select, include, and _count
332
+ const hoistedConditions = this.injectNestedReadConditions(db, model, args);
333
+ // the injection process may generate conditions that need to be hoisted to the toplevel,
334
+ // if so, merge it with the existing where
335
+ if (hoistedConditions.length > 0) {
336
+ if (!args.where) {
337
+ args.where = this.and(...hoistedConditions);
338
+ }
339
+ else {
340
+ this.mergeWhereClause(args.where, this.and(...hoistedConditions));
341
+ }
342
+ }
343
+ return true;
238
344
  }
239
345
  // flatten unique constraint filters
240
346
  flattenGeneratedUniqueField(model, args) {
241
347
  var _a;
242
- return __awaiter(this, void 0, void 0, function* () {
243
- // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
244
- const uniqueConstraints = (_a = this.modelMeta.uniqueConstraints) === null || _a === void 0 ? void 0 : _a[(0, lower_case_first_1.lowerCaseFirst)(model)];
245
- let flattened = false;
246
- if (uniqueConstraints && Object.keys(uniqueConstraints).length > 0) {
247
- for (const [field, value] of Object.entries(args)) {
248
- if (uniqueConstraints[field] && typeof value === 'object') {
249
- for (const [f, v] of Object.entries(value)) {
250
- args[f] = v;
251
- }
252
- delete args[field];
253
- flattened = true;
348
+ // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
349
+ const uniqueConstraints = (_a = this.modelMeta.uniqueConstraints) === null || _a === void 0 ? void 0 : _a[(0, lower_case_first_1.lowerCaseFirst)(model)];
350
+ if (uniqueConstraints && Object.keys(uniqueConstraints).length > 0) {
351
+ for (const [field, value] of Object.entries(args)) {
352
+ if (uniqueConstraints[field] &&
353
+ uniqueConstraints[field].fields.length > 1 &&
354
+ typeof value === 'object') {
355
+ // multi-field unique constraint, flatten it
356
+ delete args[field];
357
+ for (const [f, v] of Object.entries(value)) {
358
+ args[f] = v;
254
359
  }
255
360
  }
256
361
  }
257
- if (flattened) {
258
- // DEBUG
259
- // this.logger.info(`Filter flattened: ${JSON.stringify(args)}`);
260
- }
261
- });
362
+ }
262
363
  }
263
- injectNestedReadConditions(model, args) {
364
+ /**
365
+ * Gets unique constraints for the given model.
366
+ */
367
+ getUniqueConstraints(model) {
264
368
  var _a, _b;
265
- return __awaiter(this, void 0, void 0, function* () {
266
- const injectTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
267
- if (!injectTarget) {
268
- return;
369
+ return (_b = (_a = this.modelMeta.uniqueConstraints) === null || _a === void 0 ? void 0 : _a[(0, lower_case_first_1.lowerCaseFirst)(model)]) !== null && _b !== void 0 ? _b : {};
370
+ }
371
+ /**
372
+ * Builds a reversed query for the given nested path.
373
+ */
374
+ buildReversedQuery(context) {
375
+ let result, currQuery;
376
+ let currField;
377
+ for (let i = context.nestingPath.length - 1; i >= 0; i--) {
378
+ const { field, model, where } = context.nestingPath[i];
379
+ // never modify the original where because it's shared in the structure
380
+ const visitWhere = Object.assign({}, where);
381
+ if (model && where) {
382
+ // make sure composite unique condition is flattened
383
+ this.flattenGeneratedUniqueField(model, visitWhere);
269
384
  }
270
- const idFields = this.getIdFields(model);
271
- for (const field of (0, utils_1.getModelFields)(injectTarget)) {
272
- const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
273
- if (!fieldInfo || !fieldInfo.isDataModel) {
274
- // only care about relation fields
275
- continue;
385
+ if (!result) {
386
+ // first segment (bottom), just use its where clause
387
+ result = currQuery = Object.assign({}, visitWhere);
388
+ currField = field;
389
+ }
390
+ else {
391
+ if (!currField) {
392
+ throw this.unknownError(`missing field in nested path`);
276
393
  }
277
- if (fieldInfo.isArray) {
278
- if (typeof injectTarget[field] !== 'object') {
279
- injectTarget[field] = {};
280
- }
281
- // inject extra condition for to-many relation
282
- yield this.injectAuthGuard(injectTarget[field], fieldInfo.type, 'read');
394
+ if (!currField.backLink) {
395
+ throw this.unknownError(`field ${currField.type}.${currField.name} doesn't have a backLink`);
396
+ }
397
+ const backLinkField = this.getModelField(currField.type, currField.backLink);
398
+ if (backLinkField === null || backLinkField === void 0 ? void 0 : backLinkField.isArray) {
399
+ // many-side of relationship, wrap with "some" query
400
+ currQuery[currField.backLink] = { some: Object.assign({}, visitWhere) };
283
401
  }
284
402
  else {
285
- // there's no way of injecting condition for to-one relation, so if there's
286
- // "select" clause we make sure 'id' fields are selected and check them against
287
- // query result; nothing needs to be done for "include" clause because all
288
- // fields are already selected
289
- if ((_b = injectTarget[field]) === null || _b === void 0 ? void 0 : _b.select) {
290
- for (const idField of idFields) {
291
- if (injectTarget[field].select[idField.name] !== true) {
292
- injectTarget[field].select[idField.name] = true;
293
- }
403
+ if (where && backLinkField.isRelationOwner && backLinkField.foreignKeyMapping) {
404
+ for (const [r, fk] of Object.entries(backLinkField.foreignKeyMapping)) {
405
+ currQuery[fk] = visitWhere[r];
294
406
  }
407
+ if (i > 0) {
408
+ currQuery[currField.backLink] = {};
409
+ }
410
+ }
411
+ else {
412
+ currQuery[currField.backLink] = Object.assign({}, visitWhere);
295
413
  }
296
414
  }
297
- // recurse
298
- yield this.injectNestedReadConditions(fieldInfo.type, injectTarget[field]);
415
+ currQuery = currQuery[currField.backLink];
416
+ currField = field;
299
417
  }
300
- });
418
+ }
419
+ return result;
301
420
  }
302
- /**
303
- * Post processing checks for read model entities. Validates to-one relations
304
- * (which can't be trimmed at query time) and removes fields that should be
305
- * omitted.
306
- */
307
- postProcessForRead(data, model, args, operation) {
421
+ injectNestedReadConditions(db, model, args) {
308
422
  var _a;
309
- return __awaiter(this, void 0, void 0, function* () {
310
- for (const entityData of (0, utils_1.enumerate)(data)) {
311
- if (typeof entityData !== 'object' || !entityData) {
312
- continue;
313
- }
314
- // strip auxiliary fields
315
- for (const auxField of constants_1.AUXILIARY_FIELDS) {
316
- if (auxField in entityData) {
317
- delete entityData[auxField];
423
+ const injectTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
424
+ if (!injectTarget) {
425
+ return [];
426
+ }
427
+ if (injectTarget._count !== undefined) {
428
+ // _count needs to respect read policies of related models
429
+ if (injectTarget._count === true) {
430
+ // include count for all relations, expand to all fields
431
+ // so that we can inject guard conditions for each of them
432
+ injectTarget._count = { select: {} };
433
+ const modelFields = (0, model_meta_1.getFields)(this.modelMeta, model);
434
+ if (modelFields) {
435
+ for (const [k, v] of Object.entries(modelFields)) {
436
+ if (v.isDataModel && v.isArray) {
437
+ // create an entry for to-many relation
438
+ injectTarget._count.select[k] = {};
439
+ }
318
440
  }
319
441
  }
320
- const injectTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
321
- if (!injectTarget) {
442
+ }
443
+ // inject conditions for each relation
444
+ for (const field of Object.keys(injectTarget._count.select)) {
445
+ if (typeof injectTarget._count.select[field] !== 'object') {
446
+ injectTarget._count.select[field] = {};
447
+ }
448
+ const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
449
+ if (!fieldInfo) {
322
450
  continue;
323
451
  }
324
- // recurse into nested entities
325
- for (const field of Object.keys(injectTarget)) {
326
- const fieldData = entityData[field];
327
- if (typeof fieldData !== 'object' || !fieldData) {
328
- continue;
329
- }
330
- const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
331
- if (fieldInfo) {
332
- if (fieldInfo.isDataModel && !fieldInfo.isArray) {
333
- // to-one relation data cannot be trimmed by injected guards, we have to
334
- // post-check them
335
- const ids = this.getEntityIds(fieldInfo.type, fieldData);
336
- if (Object.keys(ids).length !== 0) {
337
- // if (this.logger.enabled('info')) {
338
- // this.logger.info(
339
- // `Validating read of to-one relation: ${fieldInfo.type}#${formatObject(ids)}`
340
- // );
341
- // }
342
- yield this.checkPolicyForFilter(fieldInfo.type, ids, operation, this.db);
343
- }
344
- }
345
- // recurse
346
- yield this.postProcessForRead(fieldData, fieldInfo.type, injectTarget[field], operation);
347
- }
452
+ // inject into the "where" clause inside select
453
+ this.injectAuthGuard(db, injectTarget._count.select[field], fieldInfo.type, 'read');
454
+ }
455
+ }
456
+ // collect filter conditions that should be hoisted to the toplevel
457
+ const hoistedConditions = [];
458
+ for (const field of (0, utils_1.getModelFields)(injectTarget)) {
459
+ const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
460
+ if (!fieldInfo || !fieldInfo.isDataModel) {
461
+ // only care about relation fields
462
+ continue;
463
+ }
464
+ let hoisted;
465
+ if (fieldInfo.isArray ||
466
+ // Injecting where at include/select level for nullable to-one relation is supported since Prisma 4.8.0
467
+ // https://github.com/prisma/prisma/discussions/20350
468
+ fieldInfo.isOptional) {
469
+ if (typeof injectTarget[field] !== 'object') {
470
+ injectTarget[field] = {};
471
+ }
472
+ // inject extra condition for to-many or nullable to-one relation
473
+ this.injectAuthGuard(db, injectTarget[field], fieldInfo.type, 'read');
474
+ // recurse
475
+ const subHoisted = this.injectNestedReadConditions(db, fieldInfo.type, injectTarget[field]);
476
+ if (subHoisted.length > 0) {
477
+ // we can convert it to a where at this level
478
+ injectTarget[field].where = this.and(injectTarget[field].where, ...subHoisted);
348
479
  }
349
480
  }
350
- });
481
+ else {
482
+ // hoist non-nullable to-one filter to the parent level
483
+ hoisted = this.getAuthGuard(db, fieldInfo.type, 'read');
484
+ // recurse
485
+ const subHoisted = this.injectNestedReadConditions(db, fieldInfo.type, injectTarget[field]);
486
+ if (subHoisted.length > 0) {
487
+ hoisted = this.and(hoisted, ...subHoisted);
488
+ }
489
+ }
490
+ if (hoisted && !this.isTrue(hoisted)) {
491
+ hoistedConditions.push({ [field]: hoisted });
492
+ }
493
+ }
494
+ return hoistedConditions;
351
495
  }
352
496
  /**
353
- * Process Prisma write actions.
497
+ * Given a model and a unique filter, checks the operation is allowed by policies and field validations.
498
+ * Rejects with an error if not allowed.
354
499
  */
355
- processWrite(model, action, args, writeAction) {
500
+ checkPolicyForUnique(model, uniqueFilter, operation, db, args, preValue) {
356
501
  return __awaiter(this, void 0, void 0, function* () {
357
- // record model types for which new entities are created
358
- // so we can post-check if they satisfy 'create' policies
359
- const createdModels = new Set();
360
- // record model entities that are updated, together with their
361
- // values before update, so we can post-check if they satisfy
362
- // model => { ids, entity value }
363
- const updatedModels = new Map();
364
- function addUpdatedEntity(model, ids, entity) {
365
- let modelEntities = updatedModels.get(model);
366
- if (!modelEntities) {
367
- modelEntities = [];
368
- updatedModels.set(model, modelEntities);
369
- }
370
- modelEntities.push({ ids, value: entity });
371
- }
372
- const idFields = this.getIdFields(model);
373
- if (args.select) {
374
- // make sure id fields are selected, we need it to
375
- // read back the updated entity
376
- for (const idField of idFields) {
377
- if (!args.select[idField.name]) {
378
- args.select[idField.name] = true;
379
- }
380
- }
502
+ let guard = this.getAuthGuard(db, model, operation, preValue);
503
+ if (this.isFalse(guard)) {
504
+ throw this.deniedByPolicy(model, operation, `entity ${(0, utils_1.formatObject)(uniqueFilter)} failed policy check`);
381
505
  }
382
- // use a transaction to conduct write, so in case any create or nested create
383
- // fails access policies, we can roll back the entire operation
384
- const transactionId = (0, cuid2_1.createId)();
385
- // args processor for create
386
- const processCreate = (model, args) => __awaiter(this, void 0, void 0, function* () {
387
- const guard = yield this.getAuthGuard(model, 'create');
388
- const schema = yield this.getModelSchema(model);
389
- if (guard === false) {
390
- throw this.deniedByPolicy(model, 'create');
506
+ if (operation === 'update' && args) {
507
+ // merge field-level policy guards
508
+ const fieldUpdateGuard = this.getFieldUpdateGuards(db, model, args);
509
+ if (fieldUpdateGuard.rejectedByField) {
510
+ // rejected
511
+ throw this.deniedByPolicy(model, 'update', `entity ${(0, utils_1.formatObject)(uniqueFilter)} failed update policy check for field "${fieldUpdateGuard.rejectedByField}"`);
391
512
  }
392
- else if (guard !== true || schema) {
393
- // mark the create with a transaction tag so we can check them later
394
- args[constants_1.TRANSACTION_FIELD_NAME] = `${transactionId}:create`;
395
- createdModels.add(model);
513
+ else if (fieldUpdateGuard.guard) {
514
+ // merge
515
+ guard = this.and(guard, fieldUpdateGuard.guard);
396
516
  }
397
- });
398
- // build a reversed query for fetching entities affected by nested updates
399
- const buildReversedQuery = (context) => __awaiter(this, void 0, void 0, function* () {
400
- let result, currQuery;
401
- let currField;
402
- for (let i = context.nestingPath.length - 1; i >= 0; i--) {
403
- const { field, where, unique } = context.nestingPath[i];
404
- if (!result) {
405
- // first segment (bottom), just use its where clause
406
- result = currQuery = Object.assign({}, where);
407
- currField = field;
408
- }
409
- else {
410
- if (!currField) {
411
- throw this.unknownError(`missing field in nested path`);
412
- }
413
- if (!currField.backLink) {
414
- throw this.unknownError(`field ${currField.type}.${currField.name} doesn't have a backLink`);
415
- }
416
- currQuery[currField.backLink] = Object.assign({}, where);
417
- currQuery = currQuery[currField.backLink];
418
- currField = field;
419
- }
420
- if (unique) {
421
- // hit a unique filter, no need to traverse further up
422
- break;
423
- }
424
- }
425
- return result;
426
- });
427
- // args processor for update/upsert
428
- const processUpdate = (model, where, context) => __awaiter(this, void 0, void 0, function* () {
429
- const preGuard = yield this.getAuthGuard(model, 'update');
430
- if (preGuard === false) {
431
- throw this.deniedByPolicy(model, 'update');
432
- }
433
- else if (preGuard !== true) {
434
- if (this.isToOneRelation(context.field)) {
435
- // To-one relation field is complicated because there's no way to
436
- // filter it during update (args doesn't carry a 'where' clause).
437
- //
438
- // We need to recursively walk up its hierarcy in the query args
439
- // to construct a reversed query to identify the nested entity
440
- // under update, and then check if it satisfies policy.
441
- //
442
- // E.g.:
443
- // A - B - C
444
- //
445
- // update A with:
446
- // {
447
- // where: { id: 'aId' },
448
- // data: {
449
- // b: {
450
- // c: { value: 1 }
451
- // }
452
- // }
453
- // }
454
- //
455
- // To check if the update to 'c' field is permitted, we
456
- // reverse the query stack into a filter for C model, like:
457
- // {
458
- // where: {
459
- // b: { a: { id: 'aId' } }
460
- // }
461
- // }
462
- // , and with this we can filter out the C entity that's going
463
- // to be nestedly updated, and check if it's allowed.
464
- //
465
- // The same logic applies to nested delete.
466
- const subQuery = yield buildReversedQuery(context);
467
- yield this.checkPolicyForFilter(model, subQuery, 'update', this.db);
468
- }
469
- else {
470
- if (!where) {
471
- throw this.unknownError(`Missing 'where' parameter`);
472
- }
473
- yield this.checkPolicyForFilter(model, where, 'update', this.db);
474
- }
475
- }
476
- yield preparePostUpdateCheck(model, context);
477
- });
478
- // args processor for updateMany
479
- const processUpdateMany = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
480
- const guard = yield this.getAuthGuard(model, 'update');
481
- if (guard === false) {
482
- throw this.deniedByPolicy(model, 'update');
483
- }
484
- else if (guard !== true) {
485
- // inject policy filter
486
- yield this.injectAuthGuard(args, model, 'update');
487
- }
488
- yield preparePostUpdateCheck(model, context);
489
- });
490
- // for models with post-update rules, we need to read and store
491
- // entity values before the update for post-update check
492
- const preparePostUpdateCheck = (model, context) => __awaiter(this, void 0, void 0, function* () {
493
- const postGuard = yield this.getAuthGuard(model, 'postUpdate');
494
- const schema = yield this.getModelSchema(model);
495
- // post-update check is needed if there's post-update rule or validation schema
496
- if (postGuard !== true || schema) {
497
- // fetch preValue selection (analyzed from the post-update rules)
498
- const preValueSelect = yield this.getPreValueSelect(model);
499
- const filter = yield buildReversedQuery(context);
500
- // query args will be used with findMany, so we need to
501
- // translate unique constraint filters into a flat filter
502
- // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
503
- yield this.flattenGeneratedUniqueField(model, filter);
504
- const idFields = this.getIdFields(model);
505
- // eslint-disable-next-line @typescript-eslint/no-unused-vars
506
- const select = Object.assign({}, preValueSelect);
507
- for (const idField of idFields) {
508
- select[idField.name] = true;
509
- }
510
- const query = { where: filter, select };
511
- if (this.shouldLogQuery) {
512
- this.logger.info(`[withPolicy] \`findMany\` for fetching pre-update entities:\n${(0, utils_1.formatObject)(args)}`);
513
- }
514
- const entities = yield this.db[model].findMany(query);
515
- entities.forEach((entity) => {
516
- addUpdatedEntity(model, this.getEntityIds(model, entity), entity);
517
- });
518
- }
519
- });
520
- // args processor for delete
521
- const processDelete = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
522
- const guard = yield this.getAuthGuard(model, 'delete');
523
- if (guard === false) {
524
- throw this.deniedByPolicy(model, 'delete');
525
- }
526
- else if (guard !== true) {
527
- if (this.isToOneRelation(context.field)) {
528
- // see comments in processUpdate
529
- const subQuery = yield buildReversedQuery(context);
530
- yield this.checkPolicyForFilter(model, subQuery, 'delete', this.db);
531
- }
532
- else {
533
- yield this.checkPolicyForFilter(model, args, 'delete', this.db);
517
+ }
518
+ // Zod schema is to be checked for "create" and "postUpdate"
519
+ const schema = ['create', 'postUpdate'].includes(operation) ? this.getZodSchema(model) : undefined;
520
+ if (this.isTrue(guard) && !schema) {
521
+ // unconditionally allowed
522
+ return;
523
+ }
524
+ const select = schema
525
+ ? // need to validate against schema, need to fetch all fields
526
+ undefined
527
+ : // only fetch id fields
528
+ this.makeIdSelection(model);
529
+ let where = this.clone(uniqueFilter);
530
+ // query args may have be of combined-id form, need to flatten it to call findFirst
531
+ this.flattenGeneratedUniqueField(model, where);
532
+ // query with policy guard
533
+ where = this.and(where, guard);
534
+ const query = { select, where };
535
+ if (this.shouldLogQuery) {
536
+ this.logger.info(`[policy] checking ${model} for ${operation}, \`findFirst\`:\n${(0, utils_1.formatObject)(query)}`);
537
+ }
538
+ const result = yield db[model].findFirst(query);
539
+ if (!result) {
540
+ throw this.deniedByPolicy(model, operation, `entity ${(0, utils_1.formatObject)(uniqueFilter)} failed policy check`);
541
+ }
542
+ if (schema) {
543
+ // TODO: push down schema check to the database
544
+ const parseResult = schema.safeParse(result);
545
+ if (!parseResult.success) {
546
+ const error = (0, zod_validation_error_1.fromZodError)(parseResult.error);
547
+ if (this.logger.enabled('info')) {
548
+ this.logger.info(`entity ${model} failed validation for operation ${operation}: ${error}`);
534
549
  }
550
+ throw this.deniedByPolicy(model, operation, `entities ${JSON.stringify(uniqueFilter)} failed validation: [${error}]`, constants_1.CrudFailureReason.DATA_VALIDATION_VIOLATION);
535
551
  }
552
+ }
553
+ });
554
+ }
555
+ getFieldUpdateGuards(db, model, args) {
556
+ var _a;
557
+ const allFieldGuards = [];
558
+ for (const [k, v] of Object.entries((_a = args.data) !== null && _a !== void 0 ? _a : args)) {
559
+ if (typeof v === 'undefined') {
560
+ continue;
561
+ }
562
+ const fieldGuard = this.getFieldUpdateAuthGuard(db, model, k);
563
+ if (this.isFalse(fieldGuard)) {
564
+ return { guard: allFieldGuards, rejectedByField: k };
565
+ }
566
+ allFieldGuards.push(fieldGuard);
567
+ }
568
+ return { guard: this.and(...allFieldGuards), rejectedByField: undefined };
569
+ }
570
+ /**
571
+ * Tries rejecting a request based on static "false" policy.
572
+ */
573
+ tryReject(db, model, operation) {
574
+ const guard = this.getAuthGuard(db, model, operation);
575
+ if (this.isFalse(guard)) {
576
+ throw this.deniedByPolicy(model, operation);
577
+ }
578
+ }
579
+ /**
580
+ * Checks if a model exists given a unique filter.
581
+ */
582
+ checkExistence(db, model, uniqueFilter, throwIfNotFound = false) {
583
+ return __awaiter(this, void 0, void 0, function* () {
584
+ uniqueFilter = this.clone(uniqueFilter);
585
+ this.flattenGeneratedUniqueField(model, uniqueFilter);
586
+ if (this.shouldLogQuery) {
587
+ this.logger.info(`[policy] checking ${model} existence, \`findFirst\`:\n${(0, utils_1.formatObject)(uniqueFilter)}`);
588
+ }
589
+ const existing = yield db[model].findFirst({
590
+ where: uniqueFilter,
591
+ select: this.makeIdSelection(model),
536
592
  });
537
- // process relation updates: connect, connectOrCreate, and disconnect
538
- const processRelationUpdate = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
539
- var _a;
540
- if ((_a = context.field) === null || _a === void 0 ? void 0 : _a.backLink) {
541
- // fetch the backlink field of the model being connected
542
- const backLinkField = (0, model_meta_1.resolveField)(this.modelMeta, model, context.field.backLink);
543
- if (backLinkField.isRelationOwner) {
544
- // the target side of relation owns the relation,
545
- // mark it as updated
546
- yield processUpdate(model, args, context);
593
+ if (!existing && throwIfNotFound) {
594
+ throw this.notFound(model);
595
+ }
596
+ return existing;
597
+ });
598
+ }
599
+ /**
600
+ * Returns an entity given a unique filter with read policy checked. Reject if not readable.
601
+ */
602
+ readBack(db, model, operation, selectInclude, uniqueFilter) {
603
+ return __awaiter(this, void 0, void 0, function* () {
604
+ uniqueFilter = this.clone(uniqueFilter);
605
+ this.flattenGeneratedUniqueField(model, uniqueFilter);
606
+ const readArgs = { select: selectInclude.select, include: selectInclude.include, where: uniqueFilter };
607
+ const error = this.deniedByPolicy(model, operation, 'result is not allowed to be read back', constants_1.CrudFailureReason.RESULT_NOT_READABLE);
608
+ const injectResult = this.injectForRead(db, model, readArgs);
609
+ if (!injectResult) {
610
+ return { error, result: undefined };
611
+ }
612
+ // inject select needed for field-level read checks
613
+ this.injectReadCheckSelect(model, readArgs);
614
+ if (this.shouldLogQuery) {
615
+ this.logger.info(`[policy] checking read-back, \`findFirst\` ${model}:\n${(0, utils_1.formatObject)(readArgs)}`);
616
+ }
617
+ const result = yield db[model].findFirst(readArgs);
618
+ if (!result) {
619
+ return { error, result: undefined };
620
+ }
621
+ this.postProcessForRead(result, model, selectInclude);
622
+ return { result, error: undefined };
623
+ });
624
+ }
625
+ /**
626
+ * Injects field selection needed for checking field-level read policy into query args.
627
+ * @returns
628
+ */
629
+ injectReadCheckSelect(model, args) {
630
+ if (!this.hasFieldLevelPolicy(model)) {
631
+ return;
632
+ }
633
+ const readFieldSelect = this.getReadFieldSelect(model);
634
+ if (!readFieldSelect) {
635
+ return;
636
+ }
637
+ this.doInjectReadCheckSelect(model, args, { select: readFieldSelect });
638
+ }
639
+ doInjectReadCheckSelect(model, args, input) {
640
+ if (!(input === null || input === void 0 ? void 0 : input.select)) {
641
+ return;
642
+ }
643
+ let target; // injection target
644
+ let isInclude = false; // if the target is include or select
645
+ if (args.select) {
646
+ target = args.select;
647
+ isInclude = false;
648
+ }
649
+ else if (args.include) {
650
+ target = args.include;
651
+ isInclude = true;
652
+ }
653
+ else {
654
+ target = args.select = this.makeAllScalarFieldSelect(model);
655
+ isInclude = false;
656
+ }
657
+ if (!isInclude) {
658
+ // merge selects
659
+ for (const [k, v] of Object.entries(input.select)) {
660
+ if (v === true) {
661
+ if (!target[k]) {
662
+ target[k] = true;
547
663
  }
548
664
  }
549
- });
550
- // use a visitor to process args before conducting the write action
551
- const visitor = new nested_write_vistor_1.NestedWriteVisitor(this.modelMeta, {
552
- create: (model, args) => __awaiter(this, void 0, void 0, function* () {
553
- yield processCreate(model, args);
554
- }),
555
- connectOrCreate: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
556
- if (args.create) {
557
- yield processCreate(model, args.create);
558
- }
559
- if (args.where) {
560
- yield processRelationUpdate(model, args.where, context);
561
- }
562
- }),
563
- connect: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
564
- yield processRelationUpdate(model, args, context);
565
- }),
566
- disconnect: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
567
- yield processRelationUpdate(model, args, context);
568
- }),
569
- update: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
570
- yield processUpdate(model, args.where, context);
571
- }),
572
- updateMany: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
573
- yield processUpdateMany(model, args, context);
574
- }),
575
- upsert: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
576
- if (args.create) {
577
- yield processCreate(model, args.create);
578
- }
579
- if (args.update) {
580
- yield processUpdate(model, args.where, context);
581
- }
582
- }),
583
- delete: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
584
- yield processDelete(model, args, context);
585
- }),
586
- // eslint-disable-next-line @typescript-eslint/no-unused-vars
587
- deleteMany: (model, args, _context) => __awaiter(this, void 0, void 0, function* () {
588
- const guard = yield this.getAuthGuard(model, 'delete');
589
- if (guard === false) {
590
- throw this.deniedByPolicy(model, 'delete');
591
- }
592
- else if (guard !== true) {
593
- if (args.where) {
594
- args.where = this.and(args.where, guard);
595
- }
596
- else {
597
- const copy = (0, deepcopy_1.default)(args);
598
- for (const key of Object.keys(args)) {
599
- delete args[key];
600
- }
601
- const combined = this.and(copy, guard);
602
- Object.assign(args, combined);
603
- }
604
- }
605
- }),
606
- });
607
- yield visitor.visit(model, action, args);
608
- if (createdModels.size === 0 && updatedModels.size === 0) {
609
- // no post-check needed, we can proceed with the write without transaction
610
- return yield writeAction(this.db[model], args);
611
665
  }
612
- else {
613
- return yield this.transaction(this.db, (tx) => __awaiter(this, void 0, void 0, function* () {
614
- // proceed with the update (with args processed)
615
- const result = yield writeAction(tx[model], args);
616
- if (createdModels.size > 0) {
617
- // do post-check on created entities
618
- yield Promise.all([...createdModels].map((model) => this.checkPolicyForFilter(model, { [constants_1.TRANSACTION_FIELD_NAME]: `${transactionId}:create` }, 'create', tx)));
666
+ }
667
+ // recurse into nested selects (relation fields)
668
+ for (const [k, v] of Object.entries(input.select)) {
669
+ if (typeof v === 'object' && (v === null || v === void 0 ? void 0 : v.select)) {
670
+ const field = (0, model_meta_1.resolveField)(this.modelMeta, model, k);
671
+ if (field === null || field === void 0 ? void 0 : field.isDataModel) {
672
+ // recurse into relation
673
+ if (isInclude && target[k] === true) {
674
+ // select all fields for the relation
675
+ target[k] = { select: this.makeAllScalarFieldSelect(field.type) };
619
676
  }
620
- if (updatedModels.size > 0) {
621
- // do post-check on updated entities
622
- yield Promise.all([...updatedModels.entries()]
623
- .map(([model, modelEntities]) => modelEntities.map(({ ids, value: preValue }) => __awaiter(this, void 0, void 0, function* () { return this.checkPostUpdate(model, ids, tx, preValue); })))
624
- .flat());
677
+ else if (!target[k]) {
678
+ // ensure an empty select clause
679
+ target[k] = { select: {} };
625
680
  }
626
- return result;
627
- }));
681
+ // recurse
682
+ this.doInjectReadCheckSelect(field.type, target[k], v);
683
+ }
628
684
  }
629
- });
630
- }
631
- transaction(db, action) {
632
- if (db.__zenstack_tx) {
633
- // already in transaction, don't nest
634
- return action(db);
635
685
  }
636
- else {
637
- return db.$transaction((tx) => action(tx));
686
+ }
687
+ makeAllScalarFieldSelect(model) {
688
+ const fields = this.modelMeta.fields[(0, lower_case_first_1.lowerCaseFirst)(model)];
689
+ const result = {};
690
+ if (fields) {
691
+ Object.entries(fields).forEach(([k, v]) => {
692
+ if (!v.isDataModel) {
693
+ result[k] = true;
694
+ }
695
+ });
638
696
  }
697
+ return result;
639
698
  }
699
+ //#endregion
700
+ //#region Errors
640
701
  deniedByPolicy(model, operation, extra, reason) {
641
- return (0, utils_1.prismaClientKnownRequestError)(this.db, `denied by policy: ${model} entities failed '${operation}' check${extra ? ', ' + extra : ''}`, { clientVersion: (0, version_1.getVersion)(), code: 'P2004', meta: { reason } });
702
+ return (0, utils_1.prismaClientKnownRequestError)(this.db, `denied by policy: ${model} entities failed '${operation}' check${extra ? ', ' + extra : ''}`, { clientVersion: (0, version_1.getVersion)(), code: constants_1.PrismaErrorCode.CONSTRAINED_FAILED, meta: { reason } });
642
703
  }
643
704
  notFound(model) {
644
705
  return (0, utils_1.prismaClientKnownRequestError)(this.db, `entity not found for model ${model}`, {
@@ -646,122 +707,152 @@ class PolicyUtil {
646
707
  code: 'P2025',
647
708
  });
648
709
  }
710
+ validationError(message) {
711
+ return (0, utils_1.prismaClientValidationError)(this.db, message, {
712
+ clientVersion: (0, version_1.getVersion)(),
713
+ });
714
+ }
649
715
  unknownError(message) {
650
716
  return (0, utils_1.prismaClientUnknownRequestError)(this.db, message, {
651
717
  clientVersion: (0, version_1.getVersion)(),
652
718
  });
653
719
  }
720
+ //#endregion
721
+ //#region Misc
654
722
  /**
655
- * Given a filter, check if applying access policy filtering will result
656
- * in data being trimmed, and if so, throw an error.
723
+ * Gets field selection for fetching pre-update entity values for the given model.
657
724
  */
658
- checkPolicyForFilter(model, filter, operation, db) {
659
- return __awaiter(this, void 0, void 0, function* () {
660
- const guard = yield this.getAuthGuard(model, operation);
661
- const schema = (operation === 'create' || operation === 'update') && (yield this.getModelSchema(model));
662
- if (guard === true && !schema) {
663
- // unconditionally allowed
664
- return;
665
- }
666
- // if (this.logger.enabled('info')) {
667
- // this.logger.info(`Checking policy for ${model}#${JSON.stringify(filter)} for ${operation}`);
668
- // }
669
- const queryFilter = (0, deepcopy_1.default)(filter);
670
- // query args will be used with findMany, so we need to
671
- // translate unique constraint filters into a flat filter
672
- // e.g.: { a_b: { a: '1', b: '1' } } => { a: '1', b: '1' }
673
- yield this.flattenGeneratedUniqueField(model, queryFilter);
674
- const countArgs = { where: queryFilter };
675
- // if (this.shouldLogQuery) {
676
- // this.logger.info(
677
- // `[withPolicy] \`count\` for policy check without guard:\n${formatObject(countArgs)}`
678
- // );
679
- // }
680
- const count = (yield db[model].count(countArgs));
681
- if (count === 0) {
682
- // there's nothing to filter out
725
+ getPreValueSelect(model) {
726
+ const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
727
+ if (!guard) {
728
+ throw this.unknownError(`unable to load policy guard for ${model}`);
729
+ }
730
+ return guard[constants_1.PRE_UPDATE_VALUE_SELECTOR];
731
+ }
732
+ getReadFieldSelect(model) {
733
+ const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
734
+ if (!guard) {
735
+ throw this.unknownError(`unable to load policy guard for ${model}`);
736
+ }
737
+ return guard[constants_1.FIELD_LEVEL_READ_CHECKER_SELECTOR];
738
+ }
739
+ checkReadField(model, field, entity) {
740
+ const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
741
+ if (!guard) {
742
+ throw this.unknownError(`unable to load policy guard for ${model}`);
743
+ }
744
+ const func = guard[`${constants_1.FIELD_LEVEL_READ_CHECKER_PREFIX}${field}`];
745
+ if (!func) {
746
+ return true;
747
+ }
748
+ else {
749
+ return func(entity, { user: this.user });
750
+ }
751
+ }
752
+ hasFieldValidation(model) {
753
+ var _a, _b;
754
+ return ((_b = (_a = this.policy.validation) === null || _a === void 0 ? void 0 : _a[(0, lower_case_first_1.lowerCaseFirst)(model)]) === null || _b === void 0 ? void 0 : _b.hasValidation) === true;
755
+ }
756
+ hasFieldLevelPolicy(model) {
757
+ const guard = this.policy.guard[(0, lower_case_first_1.lowerCaseFirst)(model)];
758
+ if (!guard) {
759
+ throw this.unknownError(`unable to load policy guard for ${model}`);
760
+ }
761
+ return !!guard[constants_1.HAS_FIELD_LEVEL_POLICY_FLAG];
762
+ }
763
+ /**
764
+ * Gets Zod schema for the given model and access kind.
765
+ *
766
+ * @param kind If undefined, returns the full schema.
767
+ */
768
+ getZodSchema(model, kind = undefined) {
769
+ var _a, _b;
770
+ if (!this.hasFieldValidation(model)) {
771
+ return undefined;
772
+ }
773
+ const schemaKey = `${(0, upper_case_first_1.upperCaseFirst)(model)}${kind ? (0, upper_case_first_1.upperCaseFirst)(kind) : ''}Schema`;
774
+ return (_b = (_a = this.zodSchemas) === null || _a === void 0 ? void 0 : _a.models) === null || _b === void 0 ? void 0 : _b[schemaKey];
775
+ }
776
+ /**
777
+ * Post processing checks and clean-up for read model entities.
778
+ */
779
+ postProcessForRead(data, model, queryArgs) {
780
+ // preserve the original data as it may be needed for checking field-level readability,
781
+ // while the "data" will be manipulated during traversal (deleting unreadable fields)
782
+ const origData = this.clone(data);
783
+ this.doPostProcessForRead(data, model, origData, queryArgs, this.hasFieldLevelPolicy(model));
784
+ }
785
+ doPostProcessForRead(data, model, fullData, queryArgs, hasFieldLevelPolicy, path = '') {
786
+ var _a, _b;
787
+ if (data === null || data === undefined) {
788
+ return;
789
+ }
790
+ for (const [entityData, entityFullData] of (0, utils_1.zip)(data, fullData)) {
791
+ if (typeof entityData !== 'object' || !entityData) {
683
792
  return;
684
793
  }
685
- if (guard === false) {
686
- // unconditionally denied
687
- throw this.deniedByPolicy(model, operation, `${count} ${(0, pluralize_1.default)('entity', count)} failed policy check`);
688
- }
689
- // build a query condition with policy injected
690
- const guardedQuery = { where: this.and(queryFilter, guard) };
691
- if (schema) {
692
- // we've got schemas, so have to fetch entities and validate them
693
- // if (this.shouldLogQuery) {
694
- // this.logger.info(
695
- // `[withPolicy] \`findMany\` for policy check with guard:\n${formatObject(countArgs)}`
696
- // );
697
- // }
698
- const entities = yield db[model].findMany(guardedQuery);
699
- if (entities.length < count) {
700
- if (this.logger.enabled('info')) {
701
- this.logger.info(`entity ${model} failed policy check for operation ${operation}`);
702
- }
703
- throw this.deniedByPolicy(model, operation, `${count - entities.length} ${(0, pluralize_1.default)('entity', count - entities.length)} failed policy check`);
794
+ for (const [field, fieldData] of Object.entries(entityData)) {
795
+ if (fieldData === undefined) {
796
+ continue;
704
797
  }
705
- // TODO: push down schema check to the database
706
- const schemaCheckErrors = entities.map((entity) => schema.safeParse(entity)).filter((r) => !r.success);
707
- if (schemaCheckErrors.length > 0) {
708
- const error = schemaCheckErrors.map((r) => !r.success && (0, zod_validation_error_1.fromZodError)(r.error).message).join(', ');
709
- if (this.logger.enabled('info')) {
710
- this.logger.info(`entity ${model} failed schema check for operation ${operation}: ${error}`);
711
- }
712
- throw this.deniedByPolicy(model, operation, `entities failed schema check: [${error}]`);
798
+ const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
799
+ if (!fieldInfo) {
800
+ // could be _count, etc.
801
+ continue;
713
802
  }
714
- }
715
- else {
716
- // count entities with policy injected and see if any of them are filtered out
717
- // if (this.shouldLogQuery) {
718
- // this.logger.info(
719
- // `[withPolicy] \`count\` for policy check with guard:\n${formatObject(guardedQuery)}`
720
- // );
721
- // }
722
- const guardedCount = (yield db[model].count(guardedQuery));
723
- if (guardedCount < count) {
724
- if (this.logger.enabled('info')) {
725
- this.logger.info(`entity ${model} failed policy check for operation ${operation}`);
803
+ if (hasFieldLevelPolicy) {
804
+ // 1. remove fields selected for checking field-level policies but not selected by the original query args
805
+ // 2. evaluate field-level policies and remove fields that are not readable
806
+ if (!fieldInfo.isDataModel) {
807
+ // scalar field, delete unselected ones
808
+ const select = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.select;
809
+ if (select && typeof select === 'object' && select[field] !== true) {
810
+ // there's a select clause but this field is not included
811
+ delete entityData[field];
812
+ continue;
813
+ }
726
814
  }
727
- throw this.deniedByPolicy(model, operation, `${count - guardedCount} ${(0, pluralize_1.default)('entity', count - guardedCount)} failed policy check`);
728
- }
729
- }
730
- });
731
- }
732
- checkPostUpdate(model, ids, db, preValue) {
733
- return __awaiter(this, void 0, void 0, function* () {
734
- // if (this.logger.enabled('info')) {
735
- // this.logger.info(`Checking post-update policy for ${model}#${ids}, preValue: ${formatObject(preValue)}`);
736
- // }
737
- const guard = yield this.getAuthGuard(model, 'postUpdate', preValue);
738
- // build a query condition with policy injected
739
- const guardedQuery = { where: this.and(ids, guard) };
740
- // query with policy injected
741
- const entity = yield db[model].findFirst(guardedQuery);
742
- // see if we get fewer items with policy, if so, reject with an throw
743
- if (!entity) {
744
- if (this.logger.enabled('info')) {
745
- this.logger.info(`entity ${model} failed policy check for operation postUpdate`);
746
- }
747
- throw this.deniedByPolicy(model, 'postUpdate');
748
- }
749
- // TODO: push down schema check to the database
750
- const schema = yield this.getModelSchema(model);
751
- if (schema) {
752
- const schemaCheckResult = schema.safeParse(entity);
753
- if (!schemaCheckResult.success) {
754
- const error = (0, zod_validation_error_1.fromZodError)(schemaCheckResult.error).message;
755
- if (this.logger.enabled('info')) {
756
- this.logger.info(`entity ${model} failed schema check for operation postUpdate: ${error}`);
815
+ else {
816
+ // relation field, delete if not selected or included
817
+ const include = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.include;
818
+ const select = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.select;
819
+ if (!(include === null || include === void 0 ? void 0 : include[field]) && !(select === null || select === void 0 ? void 0 : select[field])) {
820
+ // relation field not included or selected
821
+ delete entityData[field];
822
+ continue;
823
+ }
757
824
  }
758
- throw this.deniedByPolicy(model, 'postUpdate', `entity failed schema check: ${error}`);
825
+ // delete unreadable fields
826
+ if (!this.checkReadField(model, field, entityFullData)) {
827
+ if (this.shouldLogQuery) {
828
+ this.logger.info(`[policy] dropping unreadable field ${path ? path + '.' : ''}${field}`);
829
+ }
830
+ delete entityData[field];
831
+ continue;
832
+ }
833
+ }
834
+ if (fieldInfo.isDataModel) {
835
+ // recurse into nested fields
836
+ const nextArgs = (_b = ((_a = queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.select) !== null && _a !== void 0 ? _a : queryArgs === null || queryArgs === void 0 ? void 0 : queryArgs.include)) === null || _b === void 0 ? void 0 : _b[field];
837
+ this.doPostProcessForRead(fieldData, fieldInfo.type, entityFullData[field], nextArgs, hasFieldLevelPolicy, path ? path + '.' + field : field);
759
838
  }
760
839
  }
761
- });
840
+ }
762
841
  }
763
- isToOneRelation(field) {
764
- return !!field && field.isDataModel && !field.isArray;
842
+ /**
843
+ * Gets information for all fields of a model.
844
+ */
845
+ getModelFields(model) {
846
+ model = (0, lower_case_first_1.lowerCaseFirst)(model);
847
+ return this.modelMeta.fields[model];
848
+ }
849
+ /**
850
+ * Gets information for a specific model field.
851
+ */
852
+ getModelField(model, field) {
853
+ var _a;
854
+ model = (0, lower_case_first_1.lowerCaseFirst)(model);
855
+ return (_a = this.modelMeta.fields[model]) === null || _a === void 0 ? void 0 : _a[field];
765
856
  }
766
857
  /**
767
858
  * Clones an object and makes sure it's not empty.
@@ -770,13 +861,13 @@ class PolicyUtil {
770
861
  return value ? (0, deepcopy_1.default)(value) : {};
771
862
  }
772
863
  /**
773
- * Gets "id" field for a given model.
864
+ * Gets "id" fields for a given model.
774
865
  */
775
866
  getIdFields(model) {
776
867
  return (0, utils_1.getIdFields)(this.modelMeta, model, true);
777
868
  }
778
869
  /**
779
- * Gets id field value from an entity.
870
+ * Gets id field values from an entity.
780
871
  */
781
872
  getEntityIds(model, entityData) {
782
873
  const idFields = this.getIdFields(model);
@@ -786,8 +877,37 @@ class PolicyUtil {
786
877
  }
787
878
  return result;
788
879
  }
789
- get shouldLogQuery() {
790
- return this.logPrismaQuery && this.logger.enabled('info');
880
+ /**
881
+ * Creates a selection object for id fields for the given model.
882
+ */
883
+ makeIdSelection(model) {
884
+ const idFields = this.getIdFields(model);
885
+ return Object.assign({}, ...idFields.map((f) => ({ [f.name]: true })));
886
+ }
887
+ mergeWhereClause(where, extra) {
888
+ var _a;
889
+ if (!where) {
890
+ throw new Error('invalid where clause');
891
+ }
892
+ extra = this.reduce(extra);
893
+ if (this.isTrue(extra)) {
894
+ return;
895
+ }
896
+ // instead of simply wrapping with AND, we preserve the structure
897
+ // of the original where clause and merge `extra` into it so that
898
+ // unique query can continue working
899
+ if (where.AND) {
900
+ // merge into existing AND clause
901
+ const conditions = Array.isArray(where.AND) ? [...where.AND] : [where.AND];
902
+ conditions.push(extra);
903
+ const combined = this.and(...conditions);
904
+ // make sure the merging always goes under AND
905
+ where.AND = (_a = combined.AND) !== null && _a !== void 0 ? _a : combined;
906
+ }
907
+ else {
908
+ // insert an AND clause
909
+ where.AND = [extra];
910
+ }
791
911
  }
792
912
  }
793
913
  exports.PolicyUtil = PolicyUtil;