2018-06-27 16:11:32 +03:00
{-# LANGUAGE DeriveLift #-}
{-# LANGUAGE FlexibleContexts #-}
{-# LANGUAGE FlexibleInstances #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}
{-# LANGUAGE TemplateHaskell #-}
{-# LANGUAGE TypeFamilies #-}
module Hasura.RQL.DDL.Permission
( CreatePerm
, SetPermComment(..)
, purgePerm
, PermDef(..)
, InsPerm(..)
, InsPermDef
, CreateInsPerm
, clearInsInfra
, buildInsInfra
, buildInsPermInfo
, DropInsPerm
, dropInsPermP2
, SelPerm(..)
, SelPermDef
, CreateSelPerm
, buildSelPermInfo
, DropSelPerm
, dropSelPermP2
, UpdPerm(..)
, UpdPermDef
, CreateUpdPerm
, buildUpdPermInfo
, DropUpdPerm
, dropUpdPermP2
, DelPerm(..)
, DelPermDef
, CreateDelPerm
, buildDelPermInfo
, DropDelPerm
, dropDelPermP2
, IsPerm(..)
, addPermP1
, addPermP2
) where
2018-08-06 15:15:08 +03:00
import Hasura.Prelude
2018-06-27 16:11:32 +03:00
import Hasura.RQL.DDL.Permission.Internal
2018-08-17 17:44:43 +03:00
import Hasura.RQL.DDL.Permission.Triggers
2018-08-06 15:15:08 +03:00
import Hasura.RQL.DML.Internal (onlyPositiveInt)
2018-06-27 16:11:32 +03:00
import Hasura.RQL.Types
2018-11-16 15:40:23 +03:00
import Hasura.RQL.GBoolExp
2018-06-27 16:11:32 +03:00
import Hasura.SQL.Types
2018-08-06 15:15:08 +03:00
import qualified Database.PG.Query as Q
2018-06-27 16:11:32 +03:00
import qualified Hasura.SQL.DML as S
2018-10-26 17:58:20 +03:00
import Data.Aeson
2018-06-27 16:11:32 +03:00
import Data.Aeson.Casing
import Data.Aeson.TH
2018-10-26 17:58:20 +03:00
import Data.List
2018-08-06 15:15:08 +03:00
import Language.Haskell.TH.Syntax (Lift)
2018-06-27 16:11:32 +03:00
2018-10-26 17:58:20 +03:00
import qualified Data.HashMap.Strict as HM
2018-08-06 15:15:08 +03:00
import qualified Data.HashSet as HS
import qualified Data.Text as T
2018-06-27 16:11:32 +03:00
-- Insert permission
data InsPerm
= InsPerm
{ icCheck :: !BoolExp
, icAllowUpsert :: !(Maybe Bool)
2018-10-26 17:58:20 +03:00
, icSet :: !(Maybe Object)
2018-11-02 18:08:38 +03:00
, icColumns :: !(Maybe PermColSpec)
2018-06-27 16:11:32 +03:00
} deriving (Show, Eq, Lift)
$(deriveJSON (aesonDrop 2 snakeCase){omitNothingFields=True} ''InsPerm)
type InsPermDef = PermDef InsPerm
type CreateInsPerm = CreatePerm InsPerm
buildViewName :: QualifiedTable -> RoleName -> PermType -> QualifiedTable
buildViewName (QualifiedTable sn tn) (RoleName rTxt) pt =
QualifiedTable hdbViewsSchema $ TableName
(rTxt <> "__" <> T.pack (show pt) <> "__" <> snTxt <> "__" <> tnTxt)
hdbViewsSchema = SchemaName "hdb_views"
snTxt = getSchemaTxt sn
tnTxt = getTableTxt tn
buildView :: QualifiedTable -> QualifiedTable -> Q.Query
buildView tn vn =
Q.fromBuilder $ mconcat
2018-10-19 05:15:28 +03:00
[ "CREATE VIEW " <> toSQL vn
, " AS SELECT * FROM " <> toSQL tn
2018-06-27 16:11:32 +03:00
dropView :: QualifiedTable -> Q.Tx ()
dropView vn =
Q.unitQ dropViewS () False
dropViewS = Q.fromBuilder $
2018-10-19 05:15:28 +03:00
"DROP VIEW " <> toSQL vn
2018-06-27 16:11:32 +03:00
:: (QErrM m, CacheRM m)
=> TableInfo
-> PermDef InsPerm
2018-11-16 15:40:23 +03:00
-> m (WithDeps InsPermInfo)
2018-11-02 18:08:38 +03:00
buildInsPermInfo tabInfo (PermDef rn (InsPerm chk upsrt set mCols) _) = withPathK "permission" $ do
2018-06-27 16:11:32 +03:00
(be, beDeps) <- withPathK "check" $
2018-11-16 15:40:23 +03:00
-- procBoolExp tn fieldInfoMap (S.QualVar "NEW") chk
procBoolExp tn fieldInfoMap chk
2018-06-27 16:11:32 +03:00
let deps = mkParentDep tn : beDeps
2018-10-26 17:58:20 +03:00
fltrHeaders = getDependentHeaders chk
setObj = fromMaybe mempty set
allowUpsrt = fromMaybe False upsrt
setColsSQL <- withPathK "set" $
fmap HM.fromList $ forM (HM.toList setObj) $ \(t, val) -> do
let pgCol = PGCol t
ty <- askPGType fieldInfoMap pgCol $
"column " <> pgCol <<> " not found in table " <>> tn
sqlExp <- valueParser ty val
return (pgCol, sqlExp)
let setHdrs = mapMaybe (fetchHdr . snd) (HM.toList setObj)
reqHdrs = fltrHeaders `union` setHdrs
2018-11-02 18:08:38 +03:00
preSetCols = HM.union setColsSQL nonInsColVals
2018-11-16 15:40:23 +03:00
return (InsPermInfo vn be allowUpsrt preSetCols reqHdrs, deps)
2018-06-27 16:11:32 +03:00
fieldInfoMap = tiFieldInfoMap tabInfo
tn = tiName tabInfo
vn = buildViewName tn rn PTInsert
2018-11-02 18:08:38 +03:00
allCols = map pgiName $ getCols fieldInfoMap
nonInsCols = case mCols of
Nothing -> []
Just cols -> (\\) allCols $ convColSpec fieldInfoMap cols
nonInsColVals = S.mkColDefValMap nonInsCols
2018-06-27 16:11:32 +03:00
2018-10-26 17:58:20 +03:00
fetchHdr (String t) = bool Nothing (Just $ T.toLower t)
2018-10-26 18:57:22 +03:00
$ isUserVar t
2018-10-26 17:58:20 +03:00
fetchHdr _ = Nothing
2018-09-04 16:39:48 +03:00
buildInsInfra :: QualifiedTable -> InsPermInfo -> Q.TxE QErr ()
2018-11-16 15:40:23 +03:00
buildInsInfra tn (InsPermInfo vn be _ _ _) = do
trigFnQ <- buildInsTrigFn vn tn $ toSQLBoolExp (S.QualVar "NEW") be
2018-06-27 16:11:32 +03:00
Q.catchE defaultTxErrorHandler $ do
-- Create the view
Q.unitQ (buildView tn vn) () False
-- Inject defaults on the view
Q.discardQ (injectDefaults vn tn) () False
-- Construct a trigger function
2018-09-29 08:42:47 +03:00
Q.unitQ trigFnQ () False
2018-06-27 16:11:32 +03:00
-- Add trigger for check expression
Q.unitQ (buildInsTrig vn) () False
clearInsInfra :: QualifiedTable -> Q.TxE QErr ()
clearInsInfra vn =
Q.catchE defaultTxErrorHandler $ do
dropView vn
Q.unitQ (dropInsTrigFn vn) () False
type DropInsPerm = DropPerm InsPerm
dropInsPermP2 :: (P2C m) => DropInsPerm -> QualifiedTable -> m ()
dropInsPermP2 = dropPermP2
type instance PermInfo InsPerm = InsPermInfo
instance IsPerm InsPerm where
type DropPermP1Res InsPerm = QualifiedTable
permAccessor = PAInsert
buildPermInfo = buildInsPermInfo
2018-09-04 16:39:48 +03:00
addPermP2Setup qt _ = liftTx . buildInsInfra qt
2018-06-27 16:11:32 +03:00
buildDropPermP1Res dp =
ipiView <$> dropPermP1 dp
dropPermP2Setup _ vn =
liftTx $ clearInsInfra vn
-- Select constraint
data SelPerm
= SelPerm
2018-10-26 12:02:44 +03:00
{ spColumns :: !PermColSpec -- Allowed columns
, spFilter :: !BoolExp -- Filter expression
, spLimit :: !(Maybe Int) -- Limit value
, spAllowAggregations :: !(Maybe Bool) -- Allow aggregation
2018-06-27 16:11:32 +03:00
} deriving (Show, Eq, Lift)
$(deriveJSON (aesonDrop 2 snakeCase){omitNothingFields=True} ''SelPerm)
:: (QErrM m, CacheRM m)
=> TableInfo
-> SelPerm
2018-11-16 15:40:23 +03:00
-> m (WithDeps SelPermInfo)
2018-06-27 16:11:32 +03:00
buildSelPermInfo tabInfo sp = do
let pgCols = convColSpec fieldInfoMap $ spColumns sp
(be, beDeps) <- withPathK "filter" $
2018-11-16 15:40:23 +03:00
procBoolExp tn fieldInfoMap $ spFilter sp
2018-06-27 16:11:32 +03:00
-- check if the columns exist
void $ withPathK "columns" $ indexedForM pgCols $ \pgCol ->
askPGType fieldInfoMap pgCol autoInferredErr
let deps = mkParentDep tn : beDeps ++ map (mkColDep "untyped" tn) pgCols
depHeaders = getDependentHeaders $ spFilter sp
2018-08-06 15:15:08 +03:00
mLimit = spLimit sp
withPathK "limit" $ mapM_ onlyPositiveInt mLimit
2018-06-27 16:11:32 +03:00
2018-11-16 15:40:23 +03:00
return (SelPermInfo (HS.fromList pgCols) tn be mLimit allowAgg depHeaders, deps)
2018-06-27 16:11:32 +03:00
tn = tiName tabInfo
fieldInfoMap = tiFieldInfoMap tabInfo
2018-10-26 12:02:44 +03:00
allowAgg = or $ spAllowAggregations sp
2018-06-27 16:11:32 +03:00
autoInferredErr = "permissions for relationships are automatically inferred"
type SelPermDef = PermDef SelPerm
type CreateSelPerm = CreatePerm SelPerm
type DropSelPerm = DropPerm SelPerm
type instance PermInfo SelPerm = SelPermInfo
dropSelPermP2 :: (P2C m) => DropSelPerm -> m ()
dropSelPermP2 dp = dropPermP2 dp ()
instance IsPerm SelPerm where
type DropPermP1Res SelPerm = ()
permAccessor = PASelect
buildPermInfo ti (PermDef _ a _) =
buildSelPermInfo ti a
buildDropPermP1Res =
void . dropPermP1
addPermP2Setup _ _ _ = return ()
dropPermP2Setup _ _ = return ()
-- Update constraint
data UpdPerm
= UpdPerm
{ ucColumns :: !PermColSpec -- Allowed columns
, ucFilter :: !BoolExp -- Filter expression
} deriving (Show, Eq, Lift)
$(deriveJSON (aesonDrop 2 snakeCase){omitNothingFields=True} ''UpdPerm)
type UpdPermDef = PermDef UpdPerm
type CreateUpdPerm = CreatePerm UpdPerm
:: (QErrM m, CacheRM m)
=> TableInfo
-> UpdPerm
2018-11-16 15:40:23 +03:00
-> m (WithDeps UpdPermInfo)
2018-06-27 16:11:32 +03:00
buildUpdPermInfo tabInfo (UpdPerm colSpec fltr) = do
(be, beDeps) <- withPathK "filter" $
2018-11-16 15:40:23 +03:00
procBoolExp tn fieldInfoMap fltr
2018-06-27 16:11:32 +03:00
-- check if the columns exist
_ <- withPathK "columns" $ indexedForM updCols $ \updCol ->
askPGType fieldInfoMap updCol relInUpdErr
let deps = mkParentDep tn : beDeps ++ map (mkColDep "untyped" tn) updCols
depHeaders = getDependentHeaders fltr
2018-11-16 15:40:23 +03:00
return (UpdPermInfo (HS.fromList updCols) tn be depHeaders, deps)
2018-06-27 16:11:32 +03:00
tn = tiName tabInfo
fieldInfoMap = tiFieldInfoMap tabInfo
updCols = convColSpec fieldInfoMap colSpec
relInUpdErr = "relationships can't be used in update"
type instance PermInfo UpdPerm = UpdPermInfo
type DropUpdPerm = DropPerm UpdPerm
dropUpdPermP2 :: (P2C m) => DropUpdPerm -> m ()
dropUpdPermP2 dp = dropPermP2 dp ()
instance IsPerm UpdPerm where
type DropPermP1Res UpdPerm = ()
permAccessor = PAUpdate
buildPermInfo ti (PermDef _ a _) =
buildUpdPermInfo ti a
addPermP2Setup _ _ _ = return ()
buildDropPermP1Res =
void . dropPermP1
dropPermP2Setup _ _ = return ()
-- Delete permission
data DelPerm
= DelPerm { dcFilter :: !BoolExp }
deriving (Show, Eq, Lift)
$(deriveJSON (aesonDrop 2 snakeCase){omitNothingFields=True} ''DelPerm)
type DelPermDef = PermDef DelPerm
type CreateDelPerm = CreatePerm DelPerm
:: (QErrM m, CacheRM m)
=> TableInfo
-> DelPerm
2018-11-16 15:40:23 +03:00
-> m (WithDeps DelPermInfo)
2018-06-27 16:11:32 +03:00
buildDelPermInfo tabInfo (DelPerm fltr) = do
(be, beDeps) <- withPathK "filter" $
2018-11-16 15:40:23 +03:00
procBoolExp tn fieldInfoMap fltr
2018-06-27 16:11:32 +03:00
let deps = mkParentDep tn : beDeps
depHeaders = getDependentHeaders fltr
2018-11-16 15:40:23 +03:00
return (DelPermInfo tn be depHeaders, deps)
2018-06-27 16:11:32 +03:00
tn = tiName tabInfo
fieldInfoMap = tiFieldInfoMap tabInfo
type DropDelPerm = DropPerm DelPerm
dropDelPermP2 :: (P2C m) => DropDelPerm -> m ()
dropDelPermP2 dp = dropPermP2 dp ()
type instance PermInfo DelPerm = DelPermInfo
instance IsPerm DelPerm where
type DropPermP1Res DelPerm = ()
permAccessor = PADelete
buildPermInfo ti (PermDef _ a _) =
buildDelPermInfo ti a
addPermP2Setup _ _ _ = return ()
buildDropPermP1Res =
void . dropPermP1
dropPermP2Setup _ _ = return ()
data SetPermComment
= SetPermComment
{ apTable :: !QualifiedTable
, apRole :: !RoleName
, apPermission :: !PermType
, apComment :: !(Maybe T.Text)
} deriving (Show, Eq, Lift)
$(deriveJSON (aesonDrop 2 snakeCase) ''SetPermComment)
setPermCommentP1 :: (P1C m) => SetPermComment -> m ()
setPermCommentP1 (SetPermComment qt rn pt _) = do
tabInfo <- askTabInfo qt
action tabInfo
action tabInfo = case pt of
PTInsert -> assertPermDefined rn PAInsert tabInfo
PTSelect -> assertPermDefined rn PASelect tabInfo
PTUpdate -> assertPermDefined rn PAUpdate tabInfo
PTDelete -> assertPermDefined rn PADelete tabInfo
setPermCommentP2 :: (P2C m) => SetPermComment -> m RespBody
setPermCommentP2 apc = do
liftTx $ setPermCommentTx apc
return successMsg
instance HDBQuery SetPermComment where
type Phase1Res SetPermComment = ()
phaseOne = setPermCommentP1
phaseTwo q _ = setPermCommentP2 q
schemaCachePolicy = SCPNoChange
:: SetPermComment
-> Q.TxE QErr ()
setPermCommentTx (SetPermComment (QualifiedTable sn tn) rn pt comment) =
Q.unitQE defaultTxErrorHandler [Q.sql|
UPDATE hdb_catalog.hdb_permission
SET comment = $1
WHERE table_schema = $2
AND table_name = $3
AND role_name = $4
AND perm_type = $5
|] (comment, sn, tn, rn, permTypeToCode pt) True
purgePerm :: (P2C m) => QualifiedTable -> RoleName -> PermType -> m ()
purgePerm qt rn pt =
case pt of
PTInsert -> dropInsPermP2 dp $ buildViewName qt rn PTInsert
PTSelect -> dropSelPermP2 dp
PTUpdate -> dropUpdPermP2 dp
PTDelete -> dropDelPermP2 dp
dp :: DropPerm a
dp = DropPerm qt rn