zenstack 1.0.0 → 1.0.16

package/plugins/access-policy/policy-guard-generator.js

@@ -0,0 +1,349 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ast_1 = require("@zenstackhq/language/ast");
+const sdk_1 = require("@zenstackhq/sdk");
+const change_case_1 = require("change-case");
+const langium_1 = require("langium");
+const path_1 = __importDefault(require("path"));
+const ts_morph_1 = require("ts-morph");
+const _1 = require(".");
+const utils_1 = require("../../language-server/utils");
+const ast_utils_1 = require("../../utils/ast-utils");
+const plugin_utils_1 = require("../plugin-utils");
+const expression_writer_1 = require("./expression-writer");
+const utils_2 = require("./utils");
+const zod_schema_generator_1 = require("./zod-schema-generator");
+/**
+ * Generates source file that contains Prisma query guard objects used for injecting database queries
+ */
+class PolicyGenerator {
+    generate(model, options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const output = options.output ? options.output : (0, plugin_utils_1.getDefaultOutputFolder)();
+            if (!output) {
+                console.error(`Unable to determine output path, not running plugin ${_1.name}`);
+                return;
+            }
+            const project = new ts_morph_1.Project();
+            const sf = project.createSourceFile(path_1.default.join(output, 'policy.ts'), undefined, { overwrite: true });
+            sf.addImportDeclaration({
+                namedImports: [{ name: 'QueryContext' }],
+                moduleSpecifier: `${plugin_utils_1.RUNTIME_PACKAGE}`,
+                isTypeOnly: true,
+            });
+            sf.addImportDeclaration({
+                namedImports: [{ name: 'z' }],
+                moduleSpecifier: 'zod',
+            });
+            // import enums
+            for (const e of model.declarations.filter((d) => (0, ast_1.isEnum)(d))) {
+                sf.addImportDeclaration({
+                    namedImports: [{ name: e.name }],
+                    moduleSpecifier: '@prisma/client',
+                });
+            }
+            const models = model.declarations.filter((d) => (0, ast_1.isDataModel)(d));
+            const policyMap = {};
+            for (const model of models) {
+                policyMap[model.name] = yield this.generateQueryGuardForModel(model, sf);
+            }
+            const zodGenerator = new zod_schema_generator_1.ZodSchemaGenerator();
+            sf.addVariableStatement({
+                declarationKind: ts_morph_1.VariableDeclarationKind.Const,
+                declarations: [
+                    {
+                        name: 'policy',
+                        initializer: (writer) => {
+                            writer.block(() => {
+                                writer.write('guard:');
+                                writer.inlineBlock(() => {
+                                    for (const [model, map] of Object.entries(policyMap)) {
+                                        writer.write(`${(0, change_case_1.camelCase)(model)}:`);
+                                        writer.inlineBlock(() => {
+                                            for (const [op, func] of Object.entries(map)) {
+                                                if (typeof func === 'object') {
+                                                    writer.write(`${op}: ${JSON.stringify(func)},`);
+                                                }
+                                                else {
+                                                    writer.write(`${op}: ${func},`);
+                                                }
+                                            }
+                                        });
+                                        writer.write(',');
+                                    }
+                                });
+                                writer.writeLine(',');
+                                writer.write('schema:');
+                                zodGenerator.generate(writer, models);
+                            });
+                        },
+                    },
+                ],
+            });
+            sf.addStatements('export default policy');
+            sf.formatText();
+            yield project.save();
+            yield project.emit();
+        });
+    }
+    getPolicyExpressions(model, kind, operation) {
+        const attrs = model.attributes.filter((attr) => { var _a; return ((_a = attr.decl.ref) === null || _a === void 0 ? void 0 : _a.name) === `@@${kind}`; });
+        const checkOperation = operation === 'postUpdate' ? 'update' : operation;
+        let result = attrs
+            .filter((attr) => {
+            const opsValue = (0, sdk_1.getLiteral)(attr.args[0].value);
+            if (!opsValue) {
+                return false;
+            }
+            const ops = opsValue.split(',').map((s) => s.trim());
+            return ops.includes(checkOperation) || ops.includes('all');
+        })
+            .map((attr) => attr.args[1].value);
+        if (operation === 'update') {
+            result = this.processUpdatePolicies(result, false);
+        }
+        else if (operation === 'postUpdate') {
+            result = this.processUpdatePolicies(result, true);
+        }
+        return result;
+    }
+    processUpdatePolicies(expressions, postUpdate) {
+        return expressions
+            .map((expr) => this.visitPolicyExpression(expr, postUpdate))
+            .filter((e) => !!e);
+    }
+    visitPolicyExpression(expr, postUpdate) {
+        if ((0, ast_1.isBinaryExpr)(expr) && (expr.operator === '&&' || expr.operator === '||')) {
+            const left = this.visitPolicyExpression(expr.left, postUpdate);
+            const right = this.visitPolicyExpression(expr.right, postUpdate);
+            if (!left)
+                return right;
+            if (!right)
+                return left;
+            return Object.assign(Object.assign({}, expr), { left, right });
+        }
+        if ((0, ast_1.isUnaryExpr)(expr) && expr.operator === '!') {
+            const operand = this.visitPolicyExpression(expr.operand, postUpdate);
+            if (!operand)
+                return undefined;
+            return Object.assign(Object.assign({}, expr), { operand });
+        }
+        if (postUpdate && !this.hasFutureReference(expr)) {
+            return undefined;
+        }
+        else if (!postUpdate && this.hasFutureReference(expr)) {
+            return undefined;
+        }
+        return expr;
+    }
+    hasFutureReference(expr) {
+        var _a;
+        for (const node of (0, langium_1.streamAllContents)(expr)) {
+            if ((0, ast_1.isInvocationExpr)(node) && ((_a = node.function.ref) === null || _a === void 0 ? void 0 : _a.name) === 'future' && (0, utils_1.isFromStdlib)(node.function.ref)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    generateQueryGuardForModel(model, sourceFile) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = {};
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            const policies = (0, ast_utils_1.analyzePolicies)(model);
+            for (const kind of plugin_utils_1.ALL_OPERATION_KINDS) {
+                if (policies[kind] === true || policies[kind] === false) {
+                    result[kind] = policies[kind];
+                    continue;
+                }
+                const denies = this.getPolicyExpressions(model, 'deny', kind);
+                const allows = this.getPolicyExpressions(model, 'allow', kind);
+                if (kind === 'update' && allows.length === 0) {
+                    // no allow rule for 'update', policy is constant based on if there's
+                    // post-update counterpart
+                    if (this.getPolicyExpressions(model, 'allow', 'postUpdate').length === 0) {
+                        result[kind] = false;
+                        continue;
+                    }
+                    else {
+                        result[kind] = true;
+                        continue;
+                    }
+                }
+                if (kind === 'postUpdate' && allows.length === 0 && denies.length === 0) {
+                    // no rule 'postUpdate', always allow
+                    result[kind] = true;
+                    continue;
+                }
+                const func = this.generateQueryGuardFunction(sourceFile, model, kind, allows, denies);
+                // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+                result[kind] = func.getName();
+                if (kind === 'postUpdate') {
+                    const preValueSelect = this.generatePreValueSelect(model, allows, denies);
+                    if (preValueSelect) {
+                        result['preValueSelect'] = preValueSelect;
+                    }
+                }
+            }
+            return result;
+        });
+    }
+    // generates an object that can be used as the 'select' argument when fetching pre-update
+    // entity value
+    generatePreValueSelect(model, allows, denies) {
+        var _a;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const result = {};
+        const addPath = (path) => {
+            let curr = result;
+            path.forEach((seg, i) => {
+                if (i === path.length - 1) {
+                    curr[seg] = true;
+                }
+                else {
+                    if (!curr[seg]) {
+                        curr[seg] = { select: {} };
+                    }
+                    curr = curr[seg].select;
+                }
+            });
+        };
+        const visit = (node) => {
+            if ((0, ast_1.isReferenceExpr)(node)) {
+                const target = (0, sdk_1.resolved)(node.target);
+                if ((0, ast_1.isDataModelField)(target)) {
+                    // a field selection, it's a terminal
+                    return [target.name];
+                }
+            }
+            else if ((0, ast_1.isMemberAccessExpr)(node)) {
+                if ((0, utils_2.isFutureExpr)(node.operand)) {
+                    // future().field is not subject to pre-update select
+                    return undefined;
+                }
+                // build a selection path inside-out for chained member access
+                const inner = visit(node.operand);
+                if (inner) {
+                    return [...inner, node.member.$refText];
+                }
+            }
+            return undefined;
+        };
+        for (const rule of [...allows, ...denies]) {
+            for (const expr of (0, langium_1.streamAllContents)(rule).filter((node) => (0, ast_1.isExpression)(node))) {
+                // only care about member access and reference expressions
+                if (!(0, ast_1.isMemberAccessExpr)(expr) && !(0, ast_1.isReferenceExpr)(expr)) {
+                    continue;
+                }
+                if (expr.$container.$type === ast_1.MemberAccessExpr) {
+                    // only visit top-level member access
+                    continue;
+                }
+                const path = visit(expr);
+                if (path) {
+                    if ((0, ast_1.isDataModel)((_a = expr.$resolvedType) === null || _a === void 0 ? void 0 : _a.decl)) {
+                        // member selection ended at a data model field, include its 'id'
+                        path.push('id');
+                    }
+                    addPath(path);
+                }
+            }
+        }
+        return Object.keys(result).length === 0 ? null : result;
+    }
+    generateQueryGuardFunction(sourceFile, model, kind, allows, denies) {
+        const func = sourceFile
+            .addFunction({
+            name: model.name + '_' + kind,
+            returnType: 'any',
+            parameters: [
+                {
+                    name: 'context',
+                    type: 'QueryContext',
+                },
+            ],
+        })
+            .addBody();
+        // check if any allow or deny rule contains 'auth()' invocation
+        let hasAuthRef = false;
+        for (const node of [...denies, ...allows]) {
+            for (const child of (0, langium_1.streamAllContents)(node)) {
+                if ((0, ast_1.isInvocationExpr)(child) && (0, sdk_1.resolved)(child.function).name === 'auth') {
+                    hasAuthRef = true;
+                    break;
+                }
+            }
+            if (hasAuthRef) {
+                break;
+            }
+        }
+        if (hasAuthRef) {
+            const userModel = model.$container.declarations.find((decl) => (0, ast_1.isDataModel)(decl) && decl.name === 'User');
+            if (!userModel) {
+                throw new sdk_1.PluginError('User model not found');
+            }
+            const userIdField = (0, ast_utils_1.getIdField)(userModel);
+            if (!userIdField) {
+                throw new sdk_1.PluginError('User model does not have an id field');
+            }
+            // normalize user to null to avoid accidentally use undefined in filter
+            func.addStatements(`const user = context.user ?? null;`);
+        }
+        // r = <guard object>;
+        func.addStatements((writer) => {
+            writer.write('return ');
+            const exprWriter = new expression_writer_1.ExpressionWriter(writer, kind === 'postUpdate');
+            const writeDenies = () => {
+                writer.conditionalWrite(denies.length > 1, '{ AND: [');
+                denies.forEach((expr, i) => {
+                    writer.inlineBlock(() => {
+                        writer.write('NOT: ');
+                        exprWriter.write(expr);
+                    });
+                    writer.conditionalWrite(i !== denies.length - 1, ',');
+                });
+                writer.conditionalWrite(denies.length > 1, ']}');
+            };
+            const writeAllows = () => {
+                writer.conditionalWrite(allows.length > 1, '{ OR: [');
+                allows.forEach((expr, i) => {
+                    exprWriter.write(expr);
+                    writer.conditionalWrite(i !== allows.length - 1, ',');
+                });
+                writer.conditionalWrite(allows.length > 1, ']}');
+            };
+            if (allows.length > 0 && denies.length > 0) {
+                writer.write('{ AND: [');
+                writeDenies();
+                writer.write(',');
+                writeAllows();
+                writer.write(']}');
+            }
+            else if (denies.length > 0) {
+                writeDenies();
+            }
+            else if (allows.length > 0) {
+                writeAllows();
+            }
+            else {
+                // disallow any operation
+                writer.write(`{ ${sdk_1.GUARD_FIELD_NAME}: false }`);
+            }
+            writer.write(';');
+        });
+        return func;
+    }
+}
+exports.default = PolicyGenerator;
+//# sourceMappingURL=policy-guard-generator.js.map

package/plugins/access-policy/policy-guard-generator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-guard-generator.js","sourceRoot":"","sources":["../../../src/plugins/access-policy/policy-guard-generator.ts"],"names":[],"mappings":";;;;;;;;;;;;;;AAAA,kDAckC;AAElC,yCAAqG;AACrG,6CAAwC;AACxC,qCAA4C;AAC5C,gDAAwB;AACxB,uCAA6F;AAC7F,wBAAyB;AACzB,uDAA2D;AAC3D,qDAAoE;AACpE,kDAA+F;AAC/F,2DAAuD;AACvD,mCAAuC;AACvC,iEAA4D;AAE5D;;GAEG;AACH,MAAqB,eAAe;IAC1B,QAAQ,CAAC,KAAY,EAAE,OAAsB;;YAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAE,OAAO,CAAC,MAAiB,CAAC,CAAC,CAAC,IAAA,qCAAsB,GAAE,CAAC;YACtF,IAAI,CAAC,MAAM,EAAE;gBACT,OAAO,CAAC,KAAK,CAAC,uDAAuD,OAAI,EAAE,CAAC,CAAC;gBAC7E,OAAO;aACV;YAED,MAAM,OAAO,GAAG,IAAI,kBAAO,EAAE,CAAC;YAC9B,MAAM,EAAE,GAAG,OAAO,CAAC,gBAAgB,CAAC,cAAI,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAEpG,EAAE,CAAC,oBAAoB,CAAC;gBACpB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;gBACxC,eAAe,EAAE,GAAG,8BAAe,EAAE;gBACrC,UAAU,EAAE,IAAI;aACnB,CAAC,CAAC;YAEH,EAAE,CAAC,oBAAoB,CAAC;gBACpB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;gBAC7B,eAAe,EAAE,KAAK;aACzB,CAAC,CAAC;YAEH,eAAe;YACf,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,YAAM,EAAC,CAAC,CAAC,CAAC,EAAE;gBACzD,EAAE,CAAC,oBAAoB,CAAC;oBACpB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAChC,eAAe,EAAE,gBAAgB;iBACpC,CAAC,CAAC;aACN;YAED,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,iBAAW,EAAC,CAAC,CAAC,CAAgB,CAAC;YAE/E,MAAM,SAAS,GAA8D,EAAE,CAAC;YAChF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE;gBACxB,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,CAAC,0BAA0B,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;aAC5E;YAED,MAAM,YAAY,GAAG,IAAI,yCAAkB,EAAE,CAAC;YAE9C,EAAE,CAAC,oBAAoB,CAAC;gBACpB,eAAe,EAAE,kCAAuB,CAAC,KAAK;gBAC9C,YAAY,EAAE;oBACV;wBACI,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,CAAC,MAAM,EAAE,EAAE;4BACpB,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE;gCACd,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;gCACvB,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE;oCACpB,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE;wCAClD,MAAM,CAAC,KAAK,CAAC,GAAG,IAAA,uBAAS,EAAC,KAAK,CAAC,GAAG,CAAC,CAAC;wCACrC,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE;4CACpB,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;gDAC1C,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE;oDAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;iDACnD;qDAAM;oDACH,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,IAAI,GAAG,CAAC,CAAC;iDACnC;6CACJ;wCACL,CAAC,CAAC,CAAC;wCACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;qCACrB;gCACL,CAAC,CAAC,CAAC;gCAEH,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gCAEtB,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;gCACxB,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;4BAC1C,CAAC,CAAC,CAAC;wBACP,CAAC;qBACJ;iBACJ;aACJ,CAAC,CAAC;YAEH,EAAE,CAAC,aAAa,CAAC,uBAAuB,CAAC,CAAC;YAE1C,EAAE,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;YACrB,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QACzB,CAAC;KAAA;IAEO,oBAAoB,CAAC,KAAgB,EAAE,IAAgB,EAAE,SAA8B;QAC3F,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,WAAC,OAAA,CAAA,MAAA,IAAI,CAAC,IAAI,CAAC,GAAG,0CAAE,IAAI,MAAK,KAAK,IAAI,EAAE,CAAA,EAAA,CAAC,CAAC;QAErF,MAAM,cAAc,GAAG,SAAS,KAAK,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;QAEzE,IAAI,MAAM,GAAG,KAAK;aACb,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YACb,MAAM,QAAQ,GAAG,IAAA,gBAAU,EAAS,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YACxD,IAAI,CAAC,QAAQ,EAAE;gBACX,OAAO,KAAK,CAAC;aAChB;YACD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACrD,OAAO,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC/D,CAAC,CAAC;aACD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,SAAS,KAAK,QAAQ,EAAE;YACxB,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;SACtD;aAAM,IAAI,SAAS,KAAK,YAAY,EAAE;YACnC,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;SACrD;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAEO,qBAAqB,CAAC,WAAyB,EAAE,UAAmB;QACxE,OAAO,WAAW;aACb,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;aAC3D,MAAM,CAAC,CAAC,CAAC,EAAmB,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IAEO,qBAAqB,CAAC,IAAgB,EAAE,UAAmB;QAC/D,IAAI,IAAA,kBAAY,EAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,EAAE;YAC1E,MAAM,IAAI,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;YACjE,IAAI,CAAC,IAAI;gBAAE,OAAO,KAAK,CAAC;YACxB,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YACxB,uCAAY,IAAI,KAAE,IAAI,EAAE,KAAK,IAAG;SACnC;QAED,IAAI,IAAA,iBAAW,EAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG,EAAE;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACrE,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YAC/B,uCAAY,IAAI,KAAE,OAAO,IAAG;SAC/B;QAED,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE;YAC9C,OAAO,SAAS,CAAC;SACpB;aAAM,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE;YACrD,OAAO,SAAS,CAAC;SACpB;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;IAEO,kBAAkB,CAAC,IAAgB;;QACvC,KAAK,MAAM,IAAI,IAAI,IAAA,2BAAiB,EAAC,IAAI,CAAC,EAAE;YACxC,IAAI,IAAA,sBAAgB,EAAC,IAAI,CAAC,IAAI,CAAA,MAAA,IAAI,CAAC,QAAQ,CAAC,GAAG,0CAAE,IAAI,MAAK,QAAQ,IAAI,IAAA,oBAAY,EAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBACnG,OAAO,IAAI,CAAC;aACf;SACJ;QACD,OAAO,KAAK,CAAC;IACjB,CAAC;IAEa,0BAA0B,CAAC,KAAgB,EAAE,UAAsB;;YAC7E,MAAM,MAAM,GAA8C,EAAE,CAAC;YAE7D,8DAA8D;YAC9D,MAAM,QAAQ,GAAQ,IAAA,2BAAe,EAAC,KAAK,CAAC,CAAC;YAE7C,KAAK,MAAM,IAAI,IAAI,kCAAmB,EAAE;gBACpC,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,KAAK,EAAE;oBACrD,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;oBAC9B,SAAS;iBACZ;gBAED,MAAM,MAAM,GAAG,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;gBAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;gBAE/D,IAAI,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE;oBAC1C,qEAAqE;oBACrE,0BAA0B;oBAC1B,IAAI,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;wBACtE,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;wBACrB,SAAS;qBACZ;yBAAM;wBACH,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;wBACpB,SAAS;qBACZ;iBACJ;gBAED,IAAI,IAAI,KAAK,YAAY,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE;oBACrE,qCAAqC;oBACrC,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;oBACpB,SAAS;iBACZ;gBAED,MAAM,IAAI,GAAG,IAAI,CAAC,0BAA0B,CAAC,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;gBACtF,oEAAoE;gBACpE,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,EAAG,CAAC;gBAE/B,IAAI,IAAI,KAAK,YAAY,EAAE;oBACvB,MAAM,cAAc,GAAG,IAAI,CAAC,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;oBAC1E,IAAI,cAAc,EAAE;wBAChB,MAAM,CAAC,gBAAgB,CAAC,GAAG,cAAc,CAAC;qBAC7C;iBACJ;aACJ;YACD,OAAO,MAAM,CAAC;QAClB,CAAC;KAAA;IAED,yFAAyF;IACzF,eAAe;IACP,sBAAsB,CAAC,KAAgB,EAAE,MAAoB,EAAE,MAAoB;;QACvF,8DAA8D;QAC9D,MAAM,MAAM,GAAQ,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,CAAC,IAAc,EAAE,EAAE;YAC/B,IAAI,IAAI,GAAG,MAAM,CAAC;YAClB,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;gBACpB,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE;oBACvB,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;iBACpB;qBAAM;oBACH,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;wBACZ,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;qBAC9B;oBACD,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;iBAC3B;YACL,CAAC,CAAC,CAAC;QACP,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,CAAC,IAAgB,EAAwB,EAAE;YACrD,IAAI,IAAA,qBAAe,EAAC,IAAI,CAAC,EAAE;gBACvB,MAAM,MAAM,GAAG,IAAA,cAAQ,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACrC,IAAI,IAAA,sBAAgB,EAAC,MAAM,CAAC,EAAE;oBAC1B,qCAAqC;oBACrC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;iBACxB;aACJ;iBAAM,IAAI,IAAA,wBAAkB,EAAC,IAAI,CAAC,EAAE;gBACjC,IAAI,IAAA,oBAAY,EAAC,IAAI,CAAC,OAAO,CAAC,EAAE;oBAC5B,qDAAqD;oBACrD,OAAO,SAAS,CAAC;iBACpB;gBAED,8DAA8D;gBAC9D,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAClC,IAAI,KAAK,EAAE;oBACP,OAAO,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;iBAC3C;aACJ;YACD,OAAO,SAAS,CAAC;QACrB,CAAC,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE;YACvC,KAAK,MAAM,IAAI,IAAI,IAAA,2BAAiB,EAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAsB,EAAE,CAAC,IAAA,kBAAY,EAAC,IAAI,CAAC,CAAC,EAAE;gBACjG,0DAA0D;gBAC1D,IAAI,CAAC,IAAA,wBAAkB,EAAC,IAAI,CAAC,IAAI,CAAC,IAAA,qBAAe,EAAC,IAAI,CAAC,EAAE;oBACrD,SAAS;iBACZ;gBAED,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,KAAK,sBAAgB,EAAE;oBAC5C,qCAAqC;oBACrC,SAAS;iBACZ;gBAED,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;gBACzB,IAAI,IAAI,EAAE;oBACN,IAAI,IAAA,iBAAW,EAAC,MAAA,IAAI,CAAC,aAAa,0CAAE,IAAI,CAAC,EAAE;wBACvC,iEAAiE;wBACjE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;qBACnB;oBACD,OAAO,CAAC,IAAI,CAAC,CAAC;iBACjB;aACJ;SACJ;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;IAC5D,CAAC;IAEO,0BAA0B,CAC9B,UAAsB,EACtB,KAAgB,EAChB,IAAyB,EACzB,MAAoB,EACpB,MAAoB;QAEpB,MAAM,IAAI,GAAG,UAAU;aAClB,WAAW,CAAC;YACT,IAAI,EAAE,KAAK,CAAC,IAAI,GAAG,GAAG,GAAG,IAAI;YAC7B,UAAU,EAAE,KAAK;YACjB,UAAU,EAAE;gBACR;oBACI,IAAI,EAAE,SAAS;oBACf,IAAI,EAAE,cAAc;iBACvB;aACJ;SACJ,CAAC;aACD,OAAO,EAAE,CAAC;QAEf,+DAA+D;QAC/D,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE;YACvC,KAAK,MAAM,KAAK,IAAI,IAAA,2BAAiB,EAAC,IAAI,CAAC,EAAE;gBACzC,IAAI,IAAA,sBAAgB,EAAC,KAAK,CAAC,IAAI,IAAA,cAAQ,EAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,IAAI,KAAK,MAAM,EAAE;oBACrE,UAAU,GAAG,IAAI,CAAC;oBAClB,MAAM;iBACT;aACJ;YACD,IAAI,UAAU,EAAE;gBACZ,MAAM;aACT;SACJ;QAED,IAAI,UAAU,EAAE;YACZ,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAChD,CAAC,IAAI,EAAqB,EAAE,CAAC,IAAA,iBAAW,EAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,CACzE,CAAC;YACF,IAAI,CAAC,SAAS,EAAE;gBACZ,MAAM,IAAI,iBAAW,CAAC,sBAAsB,CAAC,CAAC;aACjD;YACD,MAAM,WAAW,GAAG,IAAA,sBAAU,EAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,CAAC,WAAW,EAAE;gBACd,MAAM,IAAI,iBAAW,CAAC,sCAAsC,CAAC,CAAC;aACjE;YAED,uEAAuE;YACvE,IAAI,CAAC,aAAa,CAAC,oCAAoC,CAAC,CAAC;SAC5D;QAED,sBAAsB;QACtB,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,EAAE,EAAE;YAC1B,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACxB,MAAM,UAAU,GAAG,IAAI,oCAAgB,CAAC,MAAM,EAAE,IAAI,KAAK,YAAY,CAAC,CAAC;YACvE,MAAM,WAAW,GAAG,GAAG,EAAE;gBACrB,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC;gBACvD,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;oBACvB,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE;wBACpB,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;wBACtB,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC3B,CAAC,CAAC,CAAC;oBACH,MAAM,CAAC,gBAAgB,CAAC,CAAC,KAAK,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;gBAC1D,CAAC,CAAC,CAAC;gBACH,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;YACrD,CAAC,CAAC;YAEF,MAAM,WAAW,GAAG,GAAG,EAAE;gBACrB,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,SAAS,CAAC,CAAC;gBACtD,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;oBACvB,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACvB,MAAM,CAAC,gBAAgB,CAAC,CAAC,KAAK,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;gBAC1D,CAAC,CAAC,CAAC;gBACH,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;YACrD,CAAC,CAAC;YAEF,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE;gBACxC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;gBACzB,WAAW,EAAE,CAAC;gBACd,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAClB,WAAW,EAAE,CAAC;gBACd,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;aACtB;iBAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE;gBAC1B,WAAW,EAAE,CAAC;aACjB;iBAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE;gBAC1B,WAAW,EAAE,CAAC;aACjB;iBAAM;gBACH,yBAAyB;gBACzB,MAAM,CAAC,KAAK,CAAC,KAAK,sBAAgB,WAAW,CAAC,CAAC;aAClD;YACD,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IAChB,CAAC;CACJ;AA/VD,kCA+VC"}

package/plugins/access-policy/typescript-expression-transformer.d.ts

@@ -0,0 +1,26 @@
+import { Expression } from '@zenstackhq/language/ast';
+/**
+ * Transforms ZModel expression to plain TypeScript expression.
+ */
+export default class TypeScriptExpressionTransformer {
+    private readonly isPostGuard;
+    /**
+     * Constructs a new TypeScriptExpressionTransformer.
+     *
+     * @param isPostGuard indicates if we're writing for post-update conditions
+     */
+    constructor(isPostGuard?: boolean);
+    /**
+     *
+     * @param expr
+     * @returns
+     */
+    transform(expr: Expression): string;
+    private this;
+    private memberAccess;
+    private invocation;
+    private reference;
+    private null;
+    private array;
+    private literal;
+}

package/plugins/access-policy/typescript-expression-transformer.js

@@ -0,0 +1,111 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const ast_1 = require("@zenstackhq/language/ast");
+const sdk_1 = require("@zenstackhq/sdk");
+const ast_utils_1 = require("../../utils/ast-utils");
+const utils_1 = require("./utils");
+/**
+ * Transforms ZModel expression to plain TypeScript expression.
+ */
+class TypeScriptExpressionTransformer {
+    /**
+     * Constructs a new TypeScriptExpressionTransformer.
+     *
+     * @param isPostGuard indicates if we're writing for post-update conditions
+     */
+    constructor(isPostGuard = false) {
+        this.isPostGuard = isPostGuard;
+    }
+    /**
+     *
+     * @param expr
+     * @returns
+     */
+    transform(expr) {
+        switch (expr.$type) {
+            case ast_1.LiteralExpr:
+                return this.literal(expr);
+            case ast_1.ArrayExpr:
+                return this.array(expr);
+            case ast_1.NullExpr:
+                return this.null();
+            case ast_1.ThisExpr:
+                return this.this(expr);
+            case ast_1.ReferenceExpr:
+                return this.reference(expr);
+            case ast_1.InvocationExpr:
+                return this.invocation(expr);
+            case ast_1.MemberAccessExpr:
+                return this.memberAccess(expr);
+            default:
+                throw new sdk_1.PluginError(`Unsupported expression type: ${expr.$type}`);
+        }
+    }
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    this(expr) {
+        // "this" is mapped to id comparison
+        return 'id';
+    }
+    memberAccess(expr) {
+        if (!expr.member.ref) {
+            throw new sdk_1.PluginError(`Unresolved MemberAccessExpr`);
+        }
+        if ((0, ast_1.isThisExpr)(expr.operand)) {
+            return expr.member.ref.name;
+        }
+        else if ((0, utils_1.isFutureExpr)(expr.operand)) {
+            if (!this.isPostGuard) {
+                throw new sdk_1.PluginError(`future() is only supported in postUpdate rules`);
+            }
+            return expr.member.ref.name;
+        }
+        else {
+            // normalize field access to null instead of undefined to avoid accidentally use undefined in filter
+            return `(${this.transform(expr.operand)} ? ${this.transform(expr.operand)}.${expr.member.ref.name} : null)`;
+        }
+    }
+    invocation(expr) {
+        var _a;
+        if ((0, ast_utils_1.isAuthInvocation)(expr)) {
+            return 'user';
+        }
+        else {
+            throw new sdk_1.PluginError(`Function invocation is not supported: ${(_a = expr.function.ref) === null || _a === void 0 ? void 0 : _a.name}`);
+        }
+    }
+    reference(expr) {
+        if (!expr.target.ref) {
+            throw new sdk_1.PluginError(`Unresolved ReferenceExpr`);
+        }
+        if ((0, ast_1.isEnumField)(expr.target.ref)) {
+            return `${expr.target.ref.$container.name}.${expr.target.ref.name}`;
+        }
+        else {
+            if (this.isPostGuard) {
+                // if we're processing post-update, any direct field access should be
+                // treated as access to context.preValue, which is entity's value before
+                // the update
+                return `context.preValue?.${expr.target.ref.name}`;
+            }
+            else {
+                return expr.target.ref.name;
+            }
+        }
+    }
+    null() {
+        return 'null';
+    }
+    array(expr) {
+        return `[${expr.items.map((item) => this.transform(item)).join(', ')}]`;
+    }
+    literal(expr) {
+        if (typeof expr.value === 'string') {
+            return `'${expr.value}'`;
+        }
+        else {
+            return expr.value.toString();
+        }
+    }
+}
+exports.default = TypeScriptExpressionTransformer;
+//# sourceMappingURL=typescript-expression-transformer.js.map

package/plugins/access-policy/typescript-expression-transformer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"typescript-expression-transformer.js","sourceRoot":"","sources":["../../../src/plugins/access-policy/typescript-expression-transformer.ts"],"names":[],"mappings":";;AAAA,kDAWkC;AAClC,yCAA8C;AAC9C,qDAAyD;AACzD,mCAAuC;AAEvC;;GAEG;AACH,MAAqB,+BAA+B;IAChD;;;;OAIG;IACH,YAA6B,cAAc,KAAK;QAAnB,gBAAW,GAAX,WAAW,CAAQ;IAAG,CAAC;IAEpD;;;;OAIG;IACH,SAAS,CAAC,IAAgB;QACtB,QAAQ,IAAI,CAAC,KAAK,EAAE;YAChB,KAAK,iBAAW;gBACZ,OAAO,IAAI,CAAC,OAAO,CAAC,IAAmB,CAAC,CAAC;YAE7C,KAAK,eAAS;gBACV,OAAO,IAAI,CAAC,KAAK,CAAC,IAAiB,CAAC,CAAC;YAEzC,KAAK,cAAQ;gBACT,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC;YAEvB,KAAK,cAAQ;gBACT,OAAO,IAAI,CAAC,IAAI,CAAC,IAAgB,CAAC,CAAC;YAEvC,KAAK,mBAAa;gBACd,OAAO,IAAI,CAAC,SAAS,CAAC,IAAqB,CAAC,CAAC;YAEjD,KAAK,oBAAc;gBACf,OAAO,IAAI,CAAC,UAAU,CAAC,IAAsB,CAAC,CAAC;YAEnD,KAAK,sBAAgB;gBACjB,OAAO,IAAI,CAAC,YAAY,CAAC,IAAwB,CAAC,CAAC;YAEvD;gBACI,MAAM,IAAI,iBAAW,CAAC,gCAAgC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;SAC3E;IACL,CAAC;IAED,6DAA6D;IACrD,IAAI,CAAC,IAAc;QACvB,oCAAoC;QACpC,OAAO,IAAI,CAAC;IAChB,CAAC;IAEO,YAAY,CAAC,IAAsB;QACvC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;YAClB,MAAM,IAAI,iBAAW,CAAC,6BAA6B,CAAC,CAAC;SACxD;QAED,IAAI,IAAA,gBAAU,EAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC;SAC/B;aAAM,IAAI,IAAA,oBAAY,EAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YACnC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE;gBACnB,MAAM,IAAI,iBAAW,CAAC,gDAAgD,CAAC,CAAC;aAC3E;YACD,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC;SAC/B;aAAM;YACH,oGAAoG;YACpG,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC;SAC/G;IACL,CAAC;IAEO,UAAU,CAAC,IAAoB;;QACnC,IAAI,IAAA,4BAAgB,EAAC,IAAI,CAAC,EAAE;YACxB,OAAO,MAAM,CAAC;SACjB;aAAM;YACH,MAAM,IAAI,iBAAW,CAAC,yCAAyC,MAAA,IAAI,CAAC,QAAQ,CAAC,GAAG,0CAAE,IAAI,EAAE,CAAC,CAAC;SAC7F;IACL,CAAC;IAEO,SAAS,CAAC,IAAmB;QACjC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;YAClB,MAAM,IAAI,iBAAW,CAAC,0BAA0B,CAAC,CAAC;SACrD;QAED,IAAI,IAAA,iBAAW,EAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC9B,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;SACvE;aAAM;YACH,IAAI,IAAI,CAAC,WAAW,EAAE;gBAClB,qEAAqE;gBACrE,wEAAwE;gBACxE,aAAa;gBACb,OAAO,qBAAqB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;aACtD;iBAAM;gBACH,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC;aAC/B;SACJ;IACL,CAAC;IAEO,IAAI;QACR,OAAO,MAAM,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,IAAe;QACzB,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;IAC5E,CAAC;IAEO,OAAO,CAAC,IAAiB;QAC7B,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE;YAChC,OAAO,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC;SAC5B;aAAM;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;SAChC;IACL,CAAC;CACJ;AA3GD,kDA2GC"}

package/plugins/access-policy/utils.d.ts

@@ -0,0 +1,5 @@
+import { Expression } from '@zenstackhq/language/ast';
+/**
+ * Returns if the given expression is a "future()" method call.
+ */
+export declare function isFutureExpr(expr: Expression): boolean;

package/plugins/access-policy/utils.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isFutureExpr = void 0;
+const ast_1 = require("@zenstackhq/language/ast");
+const utils_1 = require("../../language-server/utils");
+/**
+ * Returns if the given expression is a "future()" method call.
+ */
+function isFutureExpr(expr) {
+    var _a;
+    return !!((0, ast_1.isInvocationExpr)(expr) && ((_a = expr.function.ref) === null || _a === void 0 ? void 0 : _a.name) === 'future' && (0, utils_1.isFromStdlib)(expr.function.ref));
+}
+exports.isFutureExpr = isFutureExpr;
+//# sourceMappingURL=utils.js.map

package/plugins/access-policy/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/plugins/access-policy/utils.ts"],"names":[],"mappings":";;;AAAA,kDAAwE;AACxE,uDAA2D;AAE3D;;GAEG;AACH,SAAgB,YAAY,CAAC,IAAgB;;IACzC,OAAO,CAAC,CAAC,CAAC,IAAA,sBAAgB,EAAC,IAAI,CAAC,IAAI,CAAA,MAAA,IAAI,CAAC,QAAQ,CAAC,GAAG,0CAAE,IAAI,MAAK,QAAQ,IAAI,IAAA,oBAAY,EAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AACjH,CAAC;AAFD,oCAEC"}

package/plugins/access-policy/zod-schema-generator.d.ts

@@ -0,0 +1,12 @@
+import { DataModel } from '@zenstackhq/language/ast';
+import { CodeBlockWriter } from 'ts-morph';
+/**
+ * Writes Zod schema for data models.
+ */
+export declare class ZodSchemaGenerator {
+    generate(writer: CodeBlockWriter, models: DataModel[]): void;
+    private hasValidationAttributes;
+    private makeFieldValidator;
+    private makeZodSchema;
+    private getAttrLiteralArg;
+}