-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathquery.go
550 lines (508 loc) · 15.1 KB
/
query.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
package oso
import "fmt"
import "encoding/json"
import "errors"
import "math/rand"
import "reflect"
type queryId struct{ id string }
func (q queryId) MarshalJSON() ([]byte, error) {
return json.Marshal(q.id)
}
type queryConstraint struct {
Type string `json:"type"`
IDs []string `json:"ids"`
}
func (this queryConstraint) clone() queryConstraint {
if this.IDs == nil {
return queryConstraint{
Type: this.Type,
IDs: nil,
}
}
return queryConstraint{
Type: this.Type,
IDs: append([]string{}, this.IDs...),
}
}
type QueryFact struct {
Predicate string
Args []queryArg
}
type IntoQueryArg interface {
intoQueryArg() queryArg
}
func NewQueryFact(predicate string, args ...IntoQueryArg) QueryFact {
queryArgs := make([]queryArg, 0, len(args))
for _, arg := range args {
queryArgs = append(queryArgs, arg.intoQueryArg())
}
return QueryFact{
Predicate: predicate,
Args: queryArgs,
}
}
type queryArg struct {
typ string
varId queryId
value string
}
type apiQueryCall struct {
predicate string
args []queryId
}
func (call apiQueryCall) MarshalJSON() ([]byte, error) {
return json.Marshal([]interface{}{call.predicate, call.args})
}
const letterBytes = "0123456789abcdefghijklmnopqrstuvwxyz"
func randId(n int) queryId {
b := make([]byte, n)
for i := range b {
b[i] = letterBytes[rand.Intn(len(letterBytes))]
}
return queryId{id: fmt.Sprintf("var_%s", b)}
}
// A Variable which can be referred to in a query.
// Should be constructed with the [TypedVar] helper.
//
// A Variable must have a non-empty typ and id. Empty strings in either field are invalid.
type Variable struct {
typ string
id queryId
}
func (vari Variable) intoQueryArg() queryArg {
return queryArg{
typ: vari.typ,
varId: vari.id,
value: "", // nil
}
}
func (val Value) intoQueryArg() queryArg {
return queryArg{
typ: val.Type,
varId: queryId{}, // nil
value: val.ID,
}
}
// Construct a new query variable of a specific type.
//
// Note that you must use a concrete type here: the abstract types "Actor" and "Resource"
// are not allowed.
func TypedVar(Type string) Variable {
return Variable{
typ: Type,
id: randId(7),
}
}
// Helper class to support building a custom Oso query.
//
// Initialize this with [OsoClientImpl.BuildQuery] and chain calls to [QueryBuilder.And] and [QueryBuilder.In] to add additional constraints.
//
// After building your query, run it and get the results by calling one of the Evaluate* methods.
type QueryBuilder struct {
oso OsoClientImpl
predicate apiQueryCall
calls []apiQueryCall
constraints map[queryId]queryConstraint
contextFacts []Fact
Error error
}
func newBuilder(oso OsoClientImpl, fact QueryFact) QueryBuilder {
this := QueryBuilder{oso: oso, calls: []apiQueryCall{}, constraints: map[queryId]queryConstraint{}}
args := make([]queryId, 0, len(fact.Args))
for _, arg := range fact.Args {
id := this.pushArg(arg)
args = append(args, id)
}
this.predicate = apiQueryCall{predicate: fact.Predicate, args: args}
return this
}
func (this QueryBuilder) clone() QueryBuilder {
constraints := map[queryId]queryConstraint{}
for k, v := range this.constraints {
constraints[k] = v.clone()
}
return QueryBuilder{
oso: this.oso,
predicate: this.predicate,
calls: append([]apiQueryCall{}, this.calls...),
constraints: constraints,
contextFacts: append([]Fact{}, this.contextFacts...),
Error: this.Error,
}
}
func (this *QueryBuilder) pushArg(arg queryArg) queryId {
if arg.value == "" { // variable
argId := arg.varId
if _, exists := this.constraints[argId]; !exists {
this.constraints[argId] = queryConstraint{Type: arg.typ, IDs: nil}
}
return argId
} else { // value
value := arg.value
type_ := arg.typ
newVar := TypedVar(type_)
newId := newVar.id
this.constraints[newId] = queryConstraint{Type: type_, IDs: []string{value}}
return newId
}
}
// Constrain a query variable to be one of a set of values.
// For example:
//
// repos := []string {"acme", "anvil"}
// repo := TypedVar("Repo")
// action := TypedVar("String")
// // Get all the actions the actor can perform on the repos that are in the given set
// authorizedActions, err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, repo)).
// In(repo, repos).
// EvaluateValues(action)
func (this QueryBuilder) In(v Variable, values []string) QueryBuilder {
if this.Error != nil {
return this
}
clone := this.clone()
bind, exists := clone.constraints[v.id]
if !exists {
clone.Error = errors.New("can only constrain variables that are used in the query")
return clone
}
if bind.IDs != nil {
clone.Error = errors.New("can only set values on each variable once")
return clone
}
bind.IDs = values
return clone
}
// Add another condition that must be true of the query results.
// For example:
//
// // Query for all the repos on which the given actor can perform the given action,
// // and require the repos to belong to the given folder
// repo := TypedVar("Repo")
// authorizedReposInFolder, err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, repo)).
// And(NewQueryFact("has_relation", repo, String("folder"), folder)).
// EvaluateValues(repo)
func (this QueryBuilder) And(fact QueryFact) QueryBuilder {
if this.Error != nil {
return this
}
clone := this.clone()
args := make([]queryId, 0, len(fact.Args))
for _, arg := range fact.Args {
id := clone.pushArg(arg)
args = append(args, id)
}
clone.calls = append(clone.calls, apiQueryCall{predicate: fact.Predicate, args: args})
return clone
}
// Add context facts to the query.
func (this QueryBuilder) WithContextFacts(facts []Fact) QueryBuilder {
if this.Error != nil {
return this
}
out := this.clone()
out.contextFacts = append(out.contextFacts, facts...)
return out
}
func (this QueryBuilder) asQuery() (query, error) {
constraints := make(map[string]queryConstraint)
for k, v := range this.constraints {
constraints[k.id] = v
}
contextFacts := make([]fact, 0, len(this.contextFacts))
for _, fact := range this.contextFacts {
ifact, err := toInternalFact(fact)
if err != nil {
return query{}, err
}
contextFacts = append(contextFacts, *ifact)
}
return query{
Predicate: this.predicate,
Calls: this.calls,
Constraints: constraints,
ContextFacts: contextFacts,
}, nil
}
// Evaluate the query and return a boolean representing if the action is authorized or not.
//
// // true if the given actor can perform the given action on the given resource
// allowed, err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, resource)).
// EvaluateExists()
func (this QueryBuilder) EvaluateExists() (bool, error) {
if this.Error != nil {
return false, this.Error
}
query, err := this.asQuery()
if err != nil {
return false, err
}
results, err := this.oso.postQuery(query)
if err != nil {
return false, err
}
can := len(results.Results) != 0
return can, nil
}
// Evaluate the query and return a slice of values for the given variable. For example:
//
// action := TypedVar("String")
// // all the actions the actor can perform on the given resource- eg. ["read", "write"]
// actions, err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, resource)).
// EvaluateValues(action)
func (this QueryBuilder) EvaluateValues(t Variable) ([]string, error) {
if this.Error != nil {
return nil, this.Error
}
query, err := this.asQuery()
if err != nil {
return nil, err
}
results, err := this.oso.postQuery(query)
if err != nil {
return nil, err
}
out := make([]string, 0, len(results.Results))
for _, row := range results.Results {
out = append(out, handleWildcard(row[t.id.id]))
}
return out, nil
}
// Evaluate the query and return a slice of tuples of values for the given variables. For example:
//
// action := TypedVar("String")
// repo := TypedVar("Repo")
// // a slice of pairs of allowed actions and repo IDs- eg. [["read", "acme"], ["read", "anvil"], ["write", "anvil"]]
// pairs, err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, repo)).
// EvaluateCombinations([]Variable {action, repo})
func (this QueryBuilder) EvaluateCombinations(ts []Variable) ([][]string, error) {
if this.Error != nil {
return nil, this.Error
}
query, err := this.asQuery()
if err != nil {
return nil, err
}
results, err := this.oso.postQuery(query)
if err != nil {
return nil, err
}
out := make([][]string, 0, len(results.Results))
for _, row := range results.Results {
outRow := make([]string, 0, len(ts))
for _, t := range ts {
outRow = append(outRow, handleWildcard(row[t.id.id]))
}
out = append(out, outRow)
}
return out, nil
}
// Evaluate the query, and write the result into the `out` parameter.
// The shape of the return value is determined by what you pass in:
//
// - If you pass no arguments, returns a boolean. For example:
//
// // true if the given actor can perform the given action on the given resource
// var allowed bool
// err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, resource)).
// Evaluate(&allowed, nil)
//
// - If you pass a variable, returns a slice of values for that variable. For example:
//
// action := TypedVar("String")
// // all the actions the actor can perform on the given resource- eg. ["read", "write"]
// var actions []string
// err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, resource)).
// Evaluate(&actions, action)
//
// - If you pass a slice of variables, returns a slice of tuples of values for those variables.
// For example:
//
// action := TypedVar("String")
// repo := TypedVar("Repo")
// // a slice of pairs of allowed actions and repo IDs- eg. [["read", "acme"], ["read", "anvil"], ["write", "anvil"]]
// var pairs [][]string
// err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, repo)).
// Evaluate(&pairs, []Variable {action, repo})
//
// - If you pass a map mapping one input variable (call it K) to another
// (call it V), returns a map of unique values of K to the unique values of
// V for each value of K. For example:
//
// action := TypedVar("String")
// repo := TypedVar("Repo")
// // a map of repo IDs to allowed actions- eg. { "acme": ["read"], "anvil": ["read", "write"]}
// var mapping map[string][]string
// err := oso.
// BuildQuery(NewQueryFact("allow", actor, action, repo)).
// Evaluate(&mapping, map[Variable]Variable{repo: action})
func (this QueryBuilder) Evaluate(out interface{}, arg interface{}) error {
if this.Error != nil {
return this.Error
}
query, err := this.asQuery()
if err != nil {
return err
}
results, err := this.oso.postQuery(query)
if err != nil {
return err
}
return evaluateResults(reflect.ValueOf(out), arg, results.Results)
}
func evaluateResults(out reflect.Value, arg interface{}, results []map[string]string) error {
if out.Kind() != reflect.Pointer {
return errors.New("`out` must be pointer")
}
if arg == nil {
out.Elem().SetBool(len(results) != 0)
return nil
}
ref := reflect.ValueOf(arg)
switch ref.Kind() {
case reflect.Struct:
if _, ok := arg.(Variable); !ok {
return fmt.Errorf("non-Variable struct `%s`", ref.Type().String())
}
fallthrough
case reflect.Slice:
outElem := out.Elem().Type()
list := reflect.MakeSlice(outElem, 0, len(results))
for _, r := range results {
elem := reflect.New(outElem.Elem())
err := evaluateResultItem(elem, arg, r)
if err != nil {
return err
}
list = reflect.Append(list, elem.Elem())
}
out.Elem().Set(list)
return nil
case reflect.Map:
outElem := out.Elem().Type()
structuredGrouping := reflect.MakeMap(outElem)
if ref.Len() > 1 {
return errors.New("`Evaluate` cannot accept maps with >1 elements")
}
for _, v := range ref.MapKeys() {
subarg := ref.MapIndex(v)
vari, ok := v.Interface().(Variable)
if !ok {
return fmt.Errorf("non-Variable key `%s`", v.Type().String())
}
grouping := map[string][]map[string]string{}
for _, result := range results {
key, exists := result[vari.id.id]
if !exists {
return errors.New("API result missing variable. This shouldn't happen--please reach out to Oso.")
}
key = handleWildcard(key)
if list, exists := grouping[key]; exists {
grouping[key] = append(list, result)
} else {
grouping[key] = append([]map[string]string{}, result)
}
}
for key, value := range grouping {
subout := reflect.New(outElem.Elem())
err := evaluateResults(subout, subarg.Interface(), value)
if err != nil {
return err
}
structuredGrouping.SetMapIndex(reflect.ValueOf(key), subout.Elem())
}
}
out.Elem().Set(structuredGrouping)
return nil
}
return errors.New("bad type match in evaluateResults")
}
func evaluateResultItem(out reflect.Value, arg interface{}, result map[string]string) error {
if out.Kind() != reflect.Pointer {
return errors.New("`out` must be pointer")
}
ref := reflect.ValueOf(arg)
switch ref.Kind() {
case reflect.Struct:
t, ok := arg.(Variable)
if !ok {
return fmt.Errorf("non-Variable struct `%s`", ref.Type().String())
}
out.Elem().Set(reflect.ValueOf(handleWildcard(result[t.id.id])))
return nil
case reflect.Slice:
outElem := out.Elem().Type()
list := reflect.MakeSlice(outElem, 0, ref.Len())
for i := 0; i < ref.Len(); i++ {
subarg := ref.Index(i)
elem := reflect.New(outElem.Elem())
err := evaluateResultItem(elem, subarg.Interface(), result)
if err != nil {
return err
}
list = reflect.Append(list, elem.Elem())
}
out.Elem().Set(list)
return nil
}
return errors.New("bad type match in evaluateResultItem")
}
func handleWildcard(v string) string {
if v == "" {
return "*"
}
return v
}
// Fetches a complete SQL query that can be run against your database,
// selecting a row for each authorized combination of the query variables in
// `columnNamesToQueryVars` (ie. combinations of variables that satisfy the
// Oso query).
// If you pass an empty map, the returned SQL query will select a single row
// with a boolean column called `result`.
func (this QueryBuilder) EvaluateLocalSelect(columnNamesToQueryVars map[string]Variable) (string, error) {
if this.Error != nil {
return "", this.Error
}
query, err := this.asQuery()
if err != nil {
return "", err
}
queryVarsToColumnNames := make(map[string]string)
for columnName, queryVar := range columnNamesToQueryVars {
id := queryVar.id.id
if _, containsKey := queryVarsToColumnNames[id]; containsKey {
return "", fmt.Errorf("Found a duplicated %s variable- you may not select a query variable more than once.", queryVar.typ)
}
queryVarsToColumnNames[id] = columnName
}
result, err := this.oso.postQueryLocal(query, localQuerySelect(queryVarsToColumnNames))
if err != nil {
return "", err
}
return result.Sql, nil
}
// Fetches a SQL fragment, which you can embed into the `WHERE` clause of a SQL
// query against your database to filter out unauthorized rows (ie. rows that
// don't satisfy the Oso query).
func (this QueryBuilder) EvaluateLocalFilter(columnName string, queryVar Variable) (string, error) {
if this.Error != nil {
return "", this.Error
}
query, err := this.asQuery()
if err != nil {
return "", err
}
result, err := this.oso.postQueryLocal(query, localQueryFilter(columnName, queryVar.id.id))
if err != nil {
return "", err
}
return result.Sql, nil
}