agentlang 0.0.4 → 0.0.5

package/src/runtime/loader.ts

@@ -19,11 +19,10 @@ import {
   SchemaDefinition,
   isAgentDefinition,
   AgentDefinition,
-  SetAttribute,
-  isLiteral,
   isResolverDefinition,
   ResolverDefinition,
   ResolverMethodSpec,
+  AgentPropertyDef,
 } from '../language/generated/ast.js';
 import {
   addEntity,
@@ -417,27 +416,41 @@ async function addAgentDefinition(def: AgentDefinition, moduleName: string) {
   const attrsStrs = new Array<string>();
   attrsStrs.push(`name "${name}"`);
   const attrs = newInstanceAttributes();
-  def.body?.attributes.forEach((sa: SetAttribute) => {
+  def.body?.attributes.forEach((apdef: AgentPropertyDef) => {
     let v: any = undefined;
-    if (isLiteral(sa.value)) {
-      v = sa.value.str || sa.value.id || sa.value.num;
+    if (apdef.value.array) {
+      v = apdef.value.array.vals
+        .map((stmt: Statement) => {
+          if (stmt.pattern.literal) {
+            const s = stmt.pattern.literal.str;
+            if (s == undefined) {
+              throw new Error(`Only arrays of string-literals are to be passed to agent ${name}`);
+            }
+            return s;
+          } else {
+            throw new Error(`Invalid value in array passed to agent ${name}`);
+          }
+        })
+        .join(',');
+    } else {
+      v = apdef.value.str || apdef.value.id || apdef.value.num;
       if (v == undefined) {
-        v = sa.value.bool;
+        v = apdef.value.bool;
       }
     }
     if (v == undefined) {
       throw new Error(`Cannot initialize agent ${name}, only literals can be set for attributes`);
     }
-    if (llmName == undefined && sa.name == 'llm') {
+    if (llmName == undefined && apdef.name == 'llm') {
       llmName = v;
       hasUserLlm = true;
     }
     const ov = v;
-    if (isLiteral(sa.value) && (sa.value.str || sa.value.id)) {
+    if (apdef.value.str || apdef.value.id || apdef.value.array) {
       v = `"${v}"`;
     }
-    attrsStrs.push(`${sa.name} ${v}`);
-    attrs.set(sa.name, ov);
+    attrsStrs.push(`${apdef.name} ${v}`);
+    attrs.set(apdef.name, ov);
   });
   if (!attrs.has('llm')) {
     llmName = `${name}_llm`;

package/src/runtime/module.ts

@@ -2419,3 +2419,17 @@ export function instanceToObject<Type>(inst: Instance, obj: any): Type {
   });
   return obj as Type;
 }
+
+export function getEntityRbacRules(entityFqName: string): RbacSpecification[] | undefined {
+  const p = splitFqName(entityFqName);
+  const mn = p.getModuleName();
+  const en = p.getEntryName();
+  const m = isModule(mn) && fetchModule(mn);
+  if (m && m.isEntity(en)) {
+    const entity = getEntity(en, mn);
+    return entity.getRbacSpecifications()?.filter((spec: RbacSpecification) => {
+      return spec.expression != undefined;
+    });
+  }
+  return undefined;
+}

package/src/runtime/modules/auth.ts

@@ -35,7 +35,13 @@ entity User {
     id UUID @id @default(uuid()),
     email Email @unique @indexed,
     firstName String,
-    lastName String
+    lastName String,
+    @rbac [(allow: [read, delete, update, create], where: auth.user = this.id)],
+    @after {delete AfterDeleteUser}
+}
+
+workflow AfterDeleteUser {
+  {RemoveUserSession {id AfterDeleteUser.User.id}}
 }
 
 workflow CreateUser {
@@ -124,7 +130,8 @@ entity Session {
   id UUID @id,
   userId UUID @indexed,
   authToken String @optional,
-  isActive Boolean
+  isActive Boolean,
+  @rbac [(allow: [read, delete, update, create], where: auth.user = this.userId)]
 }
 
 
@@ -147,6 +154,10 @@ workflow RemoveSession {
   purge {Session {id? RemoveSession.id}}
 }
 
+workflow RemoveUserSession {
+  {Session {userId? RemoveUserSession.id}} as [session];
+  purge {Session {id? session.id}}
+}
 
 workflow signup {
   await Auth.signUpUser(signup.email, signup.password, signup.userData)

package/src/runtime/resolvers/sqldb/database.ts

@@ -14,6 +14,7 @@ import {
   InstanceAttributes,
   newInstanceAttributes,
   RbacPermissionFlag,
+  RbacSpecification,
   Relationship,
 } from '../../module.js';
 import pgvector from 'pgvector';
@@ -29,13 +30,15 @@ export class DbContext {
   resourceFqName: string;
   activeEnv: Environment;
   private needAuthCheckFlag: boolean = true;
+  rbacRules: RbacSpecification[] | undefined;
 
   constructor(
     resourceFqName: string,
     authInfo: ResolverAuthInfo,
     activeEnv: Environment,
     txnId?: string,
-    inKernelMode?: boolean
+    inKernelMode?: boolean,
+    rbacRules?: RbacSpecification[]
   ) {
     this.resourceFqName = resourceFqName;
     this.authInfo = authInfo;
@@ -44,6 +47,7 @@ export class DbContext {
     if (inKernelMode != undefined) {
       this.inKernelMode = inKernelMode;
     }
+    this.rbacRules = rbacRules;
   }
   private static GlobalDbContext: DbContext | undefined;
 
@@ -93,6 +97,12 @@ export class DbContext {
     return this;
   }
 
+  switchAuthCheck(flag: boolean): boolean {
+    const old = this.needAuthCheckFlag;
+    this.needAuthCheckFlag = flag;
+    return old;
+  }
+
   isPermitted(): boolean {
     return this.inKernelMode || !this.needAuthCheckFlag;
   }
@@ -379,8 +389,29 @@ export async function insertRows(
   }
   if (hasPerm) {
     await insertRowsHelper(tableName, rows, ctx, doUpsert);
-    if (!ctx.isInKernelMode() && !doUpsert) {
-      await createOwnership(tableName, rows, ctx);
+    if (!doUpsert) {
+      if (!ctx.isInKernelMode()) {
+        await createOwnership(tableName, rows, ctx);
+      }
+      if (ctx.rbacRules) {
+        for (let i = 0; i < ctx.rbacRules.length; ++i) {
+          const rbacRule = ctx.rbacRules[i];
+          const e = rbacRule.expression;
+          if (e) {
+            const [selfRef, userRef] = e.lhs.startsWith('this.') ? [e.lhs, e.rhs] : [e.rhs, e.lhs];
+            if (userRef == 'auth.user') {
+              const attr = selfRef.split('.')[1];
+              for (let j = 0; j < rows.length; ++j) {
+                const r: any = rows[j];
+                const userId = r[attr];
+                if (userId) {
+                  await createLimitedOwnership(tableName, [r], userId, rbacRule.permissions, ctx);
+                }
+              }
+            }
+          }
+        }
+      }
     }
   } else {
     throw new UnauthorisedError({ opr: 'insert', entity: tableName });
@@ -430,13 +461,33 @@ export async function insertBetweenRow(
 
 const PathKey = PathAttributeName as keyof object;
 
+const AllPerms = new Set<RbacPermissionFlag>()
+  .add(RbacPermissionFlag.CREATE)
+  .add(RbacPermissionFlag.READ)
+  .add(RbacPermissionFlag.UPDATE)
+  .add(RbacPermissionFlag.DELETE);
+
 async function createOwnership(tableName: string, rows: object[], ctx: DbContext): Promise<void> {
+  await createLimitedOwnership(tableName, rows, ctx.authInfo.userId, AllPerms, ctx);
+}
+
+async function createLimitedOwnership(
+  tableName: string,
+  rows: object[],
+  userId: string,
+  perms: Set<RbacPermissionFlag>,
+  ctx: DbContext
+): Promise<void> {
   const ownerRows: object[] = [];
   rows.forEach((r: object) => {
     ownerRows.push({
       id: crypto.randomUUID(),
       path: r[PathKey],
-      user_id: ctx.authInfo.userId,
+      user_id: userId,
+      c: perms.has(RbacPermissionFlag.CREATE),
+      r: perms.has(RbacPermissionFlag.READ),
+      d: perms.has(RbacPermissionFlag.DELETE),
+      u: perms.has(RbacPermissionFlag.UPDATE),
     });
   });
   const tname = ownersTable(tableName);

package/src/runtime/resolvers/sqldb/impl.ts

@@ -6,6 +6,7 @@ import {
   getAllBetweenRelationships,
   getAllOneToOneRelationshipsForEntity,
   getBetweenInstanceNodeValues,
+  getEntityRbacRules,
   Instance,
   InstanceAttributes,
   isBetweenRelationship,
@@ -72,7 +73,8 @@ export class SqlDbResolver extends Resolver {
       this.authInfo,
       activeEnv,
       this.txnId,
-      activeEnv.isInKernelMode()
+      activeEnv.isInKernelMode(),
+      getEntityRbacRules(resourceFqName)
     );
   }
 
@@ -151,12 +153,11 @@ export class SqlDbResolver extends Resolver {
     let result = SqlDbResolver.EmptyResultSet;
 
     const tableName = asTableName(inst.moduleName, inst.name);
-    const rslt: any = await getMany(
-      tableName,
-      queryAll ? undefined : inst.queryAttributesAsObject(),
-      queryAll ? undefined : inst.queryAttributeValuesAsObject(),
-      this.getDbContext(inst.getFqName())
-    );
+    const fqName = inst.getFqName();
+    const ctx = this.getDbContext(fqName);
+    const qattrs: any = queryAll ? undefined : inst.queryAttributesAsObject();
+    const qvals: any = queryAll ? undefined : inst.queryAttributeValuesAsObject();
+    const rslt: any = await getMany(tableName, qattrs, qvals, ctx);
     if (rslt instanceof Array) {
       result = new Array<Instance>();
       rslt.forEach((r: object) => {

package/src/runtime/util.ts

@@ -528,3 +528,15 @@ export function walkDownInstancePath(path: string): [string, string, string | un
   }
   return [moduleName, entryName, undefined, parts];
 }
+
+export function areSetsEqual<T>(set1: Set<T>, set2: Set<T>): boolean {
+  if (set1.size !== set2.size) {
+    return false;
+  }
+  for (const item of set1) {
+    if (!set2.has(item)) {
+      return false;
+    }
+  }
+  return true;
+}