(core) give more detailed reasons for access denied when memos are present

Summary:
With this change, if a comment is added to an ACL formula, then that comment will be offered to the user if access is denied and that rule could potentially have granted access.

The code is factored so that when access is permitted, or when partially visible tables are being filtered, there is little overhead. Comments are gathered only when an explicit denial of access.

Test Plan: added tests, updated tests

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2730
This commit is contained in:
Paul Fitzpatrick 2021-02-15 16:36:33 -05:00
parent 422560504e
commit 6af811f7ab
17 changed files with 420 additions and 186 deletions

View File

@ -156,6 +156,9 @@ export interface CommResponseError {
error: string; error: string;
errorCode: string; errorCode: string;
shouldFork?: boolean; // if set, the server suggests forking the document. shouldFork?: boolean; // if set, the server suggests forking the document.
details?: any; // if set, error has extra details available. TODO - the treatment of
// details could do with some harmonisation between rest API and ws API,
// and between front-end and back-end types.
} }
function isCommResponseError(msg: CommResponse | CommResponseError): msg is CommResponseError { function isCommResponseError(msg: CommResponse | CommResponseError): msg is CommResponseError {
@ -460,6 +463,9 @@ export class Comm extends dispose.Disposable implements GristServerAPI, DocListA
code = ` [${message.errorCode}]`; code = ` [${message.errorCode}]`;
err.code = message.errorCode; err.code = message.errorCode;
} }
if (message.details) {
err.details = message.details;
}
err.shouldFork = message.shouldFork; err.shouldFork = message.shouldFork;
console.log(`Comm response #${reqId} ${r.methodName} ERROR:${code} ${message.error}` console.log(`Comm response #${reqId} ${r.methodName} ERROR:${code} ${message.error}`
+ (message.shouldFork ? ` (should fork)` : '')); + (message.shouldFork ? ` (should fork)` : ''));

View File

@ -7,6 +7,7 @@ import {timeFormat} from 'app/common/timeFormat';
import {bundleChanges, Disposable, Holder, IDisposable, IDisposableOwner } from 'grainjs'; import {bundleChanges, Disposable, Holder, IDisposable, IDisposableOwner } from 'grainjs';
import {Computed, dom, DomElementArg, MutableObsArray, obsArray, Observable} from 'grainjs'; import {Computed, dom, DomElementArg, MutableObsArray, obsArray, Observable} from 'grainjs';
import clamp = require('lodash/clamp'); import clamp = require('lodash/clamp');
import defaults = require('lodash/defaults');
// When rendering app errors, we'll only show the last few. // When rendering app errors, we'll only show the last few.
const maxAppErrors = 5; const maxAppErrors = 5;
@ -45,6 +46,8 @@ export interface INotifyOptions {
expireSec?: number; expireSec?: number;
badgeCounter?: boolean; badgeCounter?: boolean;
memos?: string[]; // A list of relevant notes.
// cssToastAction class from NotifyUI will be applied automatically to action elements. // cssToastAction class from NotifyUI will be applied automatically to action elements.
actions?: NotifyAction[]; actions?: NotifyAction[];
@ -87,12 +90,13 @@ export class Notification extends Expirable implements INotification {
expireSec: 0, expireSec: 0,
canUserClose: false, canUserClose: false,
actions: [], actions: [],
memos: [],
key: null, key: null,
}; };
constructor(_opts: INotifyOptions) { constructor(_opts: INotifyOptions) {
super(); super();
Object.assign(this.options, _opts); this.options = defaults({}, _opts, this.options)
if (this.options.expireSec > 0) { if (this.options.expireSec > 0) {
const expireTimer = setTimeout(() => this.expire(), 1000 * this.options.expireSec); const expireTimer = setTimeout(() => this.expire(), 1000 * this.options.expireSec);

View File

@ -84,7 +84,7 @@ export function reportError(err: Error|string): void {
} else if (err.name === 'NeedUpgradeError') { } else if (err.name === 'NeedUpgradeError') {
_notifier.createUserError(err.message, {actions: ['upgrade'], key: 'NEED_UPGRADE'}); _notifier.createUserError(err.message, {actions: ['upgrade'], key: 'NEED_UPGRADE'});
} else if (code === 'AUTH_NO_EDIT' || code === 'ACL_DENY') { } else if (code === 'AUTH_NO_EDIT' || code === 'ACL_DENY') {
_notifier.createUserError(message, {key: code}); _notifier.createUserError(err.message, {key: code, memos: details?.memos});
} else { } else {
// If we don't recognize it, consider it an application error (bug) that the user should be // If we don't recognize it, consider it an application error (bug) that the user should be
// able to report. // able to report.

View File

@ -57,6 +57,9 @@ function buildNotificationDom(item: Notification, options: IBeaconOpenOptions) {
item.options.actions.length ? cssToastActions( item.options.actions.length ? cssToastActions(
item.options.actions.map((action) => buildAction(action, item, options)) item.options.actions.map((action) => buildAction(action, item, options))
) : null, ) : null,
item.options.memos.length ? cssToastMemos(
item.options.memos.map(memo => cssToastMemo(memo))
) : null,
), ),
dom.maybe(item.options.canUserClose, () => dom.maybe(item.options.canUserClose, () =>
cssToastClose(testId('toast-close'), cssToastClose(testId('toast-close'),
@ -300,6 +303,19 @@ const cssToastAction = styled('div', `
} }
`); `);
const cssToastMemos = styled('div', `
margin-top: 16px;
display: flex;
flex-direction: column;
`);
const cssToastMemo = styled('div', `
margin: 3px;
color: ${colors.dark};
background: ${colors.light};
padding: 3px;
`);
const cssProgressBarWrapper = styled('div', ` const cssProgressBarWrapper = styled('div', `
margin-top: 18px; margin-top: 18px;
margin-bottom: 11px; margin-bottom: 11px;

View File

@ -272,7 +272,6 @@ function readAclRules(docData: DocData, {log, compile}: ReadAclOptions): ReadAcl
if (rule.userAttributes) { if (rule.userAttributes) {
if (tableId !== '*' || colIds !== '*') { if (tableId !== '*' || colIds !== '*') {
throw new Error(`ACLRule ${rule.id} invalid; user attributes must be on the default resource`); throw new Error(`ACLRule ${rule.id} invalid; user attributes must be on the default resource`);
continue;
} }
const parsed = JSON.parse(String(rule.userAttributes)); const parsed = JSON.parse(String(rule.userAttributes));
// TODO: could perhaps use ts-interface-checker here. // TODO: could perhaps use ts-interface-checker here.
@ -280,7 +279,6 @@ function readAclRules(docData: DocData, {log, compile}: ReadAclOptions): ReadAcl
[parsed.name, parsed.tableId, parsed.lookupColId, parsed.charId] [parsed.name, parsed.tableId, parsed.lookupColId, parsed.charId]
.every(p => p && typeof p === 'string'))) { .every(p => p && typeof p === 'string'))) {
throw new Error(`User attribute rule ${rule.id} is invalid`); throw new Error(`User attribute rule ${rule.id} is invalid`);
continue;
} }
parsed.origRecord = rule; parsed.origRecord = rule;
userAttributes.push(parsed as UserAttributeRule); userAttributes.push(parsed as UserAttributeRule);
@ -289,10 +287,12 @@ function readAclRules(docData: DocData, {log, compile}: ReadAclOptions): ReadAcl
} else if (rule.aclFormula && !rule.aclFormulaParsed) { } else if (rule.aclFormula && !rule.aclFormulaParsed) {
throw new Error(`ACLRule ${rule.id} invalid because missing its parsed formula`); throw new Error(`ACLRule ${rule.id} invalid because missing its parsed formula`);
} else { } else {
const aclFormulaParsed = rule.aclFormula && JSON.parse(String(rule.aclFormulaParsed));
body.push({ body.push({
origRecord: rule, origRecord: rule,
aclFormula: String(rule.aclFormula), aclFormula: String(rule.aclFormula),
matchFunc: rule.aclFormula ? compile?.(JSON.parse(String(rule.aclFormulaParsed))) : defaultMatchFunc, matchFunc: rule.aclFormula ? compile?.(aclFormulaParsed) : defaultMatchFunc,
memo: aclFormulaParsed && aclFormulaParsed[0] === 'Comment' && aclFormulaParsed[2],
permissions: parsePermissions(String(rule.permissionsText)), permissions: parsePermissions(String(rule.permissionsText)),
permissionsText: String(rule.permissionsText), permissionsText: String(rule.permissionsText),
}); });

View File

@ -28,6 +28,8 @@ export interface ApiErrorDetails {
// If set, contains suggestions for fixing a problem. // If set, contains suggestions for fixing a problem.
tips?: ApiTip[]; tips?: ApiTip[];
memos?: string[];
} }
/** /**

View File

@ -136,6 +136,9 @@ function throwApiError(url: string, resp: Response | AxiosResponse, body: any) {
if (body.error) { if (body.error) {
details.userError = body.error; details.userError = body.error;
} }
if (body.memos) {
details.memos = body.memos;
}
throw new ApiError(`Request to ${url} failed with status ${resp.status}: ` + throw new ApiError(`Request to ${url} failed with status ${resp.status}: ` +
`${resp.statusText} (${body.error || 'unknown cause'})`, resp.status, details); `${resp.statusText} (${body.error || 'unknown cause'})`, resp.status, details);
} }

View File

@ -3,6 +3,7 @@ import {OpenDocMode} from 'app/common/DocListAPI';
interface ErrorDetails { interface ErrorDetails {
status?: number; status?: number;
accessMode?: OpenDocMode; accessMode?: OpenDocMode;
memos?: string[];
} }
/** /**
@ -13,11 +14,9 @@ interface ErrorDetails {
* *
*/ */
export class ErrorWithCode extends Error { export class ErrorWithCode extends Error {
public accessMode?: OpenDocMode; constructor(public code: string, message: string, public details: ErrorDetails = {}) {
public status?: number;
constructor(public code: string, message: string, details: ErrorDetails = {}) {
super(message); super(message);
this.status = details.status;
this.accessMode = details.accessMode;
} }
public get accessMode() { return this.details?.accessMode; }
public get status() { return this.details?.status; }
} }

View File

@ -17,6 +17,9 @@ export interface RulePart {
// Compiled version of aclFormula. // Compiled version of aclFormula.
matchFunc?: AclMatchFunc; matchFunc?: AclMatchFunc;
// Optional memo, currently extracted from comment in formula.
memo?: string;
} }
// Light wrapper around characteristics or records. // Light wrapper around characteristics or records.

View File

@ -64,6 +64,7 @@ function _compileNode(parsedAclFormula: ParsedAclFormula): AclEvalFunc {
const attrName = rawArgs[1] as string; const attrName = rawArgs[1] as string;
return _compileAndCombine([args[0]], ([value]) => getAttr(value, attrName, args[0])); return _compileAndCombine([args[0]], ([value]) => getAttr(value, attrName, args[0]));
} }
case 'Comment': return _compileNode(args[0]);
} }
throw new Error(`Unknown node type '${parsedAclFormula[0]}'`); throw new Error(`Unknown node type '${parsedAclFormula[0]}'`);
} }

View File

@ -29,7 +29,6 @@ import {toTableDataAction} from 'app/common/DocActions';
import {DocData} from 'app/common/DocData'; import {DocData} from 'app/common/DocData';
import {DocSnapshots} from 'app/common/DocSnapshot'; import {DocSnapshots} from 'app/common/DocSnapshot';
import {EncActionBundleFromHub} from 'app/common/EncActionBundle'; import {EncActionBundleFromHub} from 'app/common/EncActionBundle';
import {ErrorWithCode} from 'app/common/ErrorWithCode';
import {byteString, countIf} from 'app/common/gutil'; import {byteString, countIf} from 'app/common/gutil';
import {InactivityTimer} from 'app/common/InactivityTimer'; import {InactivityTimer} from 'app/common/InactivityTimer';
import * as marshal from 'app/common/marshal'; import * as marshal from 'app/common/marshal';
@ -604,9 +603,8 @@ export class ActiveDoc extends EventEmitter {
// If user does not have rights to access what this query is asking for, fail. // If user does not have rights to access what this query is asking for, fail.
const tableAccess = await this._granularAccess.getTableAccess(docSession, query.tableId); const tableAccess = await this._granularAccess.getTableAccess(docSession, query.tableId);
if (tableAccess.read === 'deny') {
throw new Error('not authorized to read table'); this._granularAccess.assertCanRead(tableAccess);
}
// Some tests read _grist_ tables via the api. The _fetchQueryFromDB method // Some tests read _grist_ tables via the api. The _fetchQueryFromDB method
// currently cannot read those tables, so we load them from the data engine // currently cannot read those tables, so we load them from the data engine
@ -614,7 +612,7 @@ export class ActiveDoc extends EventEmitter {
// Also, if row-level access is being controlled, we wait for formula columns // Also, if row-level access is being controlled, we wait for formula columns
// to be populated. // to be populated.
const wantFull = waitForFormulas || query.tableId.startsWith('_grist_') || const wantFull = waitForFormulas || query.tableId.startsWith('_grist_') ||
tableAccess.read === 'mixed'; this._granularAccess.getReadPermission(tableAccess) === 'mixed';
const onDemand = this._onDemandActions.isOnDemand(query.tableId); const onDemand = this._onDemandActions.isOnDemand(query.tableId);
this.logInfo(docSession, "fetchQuery %s %s", JSON.stringify(query), this.logInfo(docSession, "fetchQuery %s %s", JSON.stringify(query),
onDemand ? "(onDemand)" : "(regular)"); onDemand ? "(onDemand)" : "(regular)");
@ -636,7 +634,7 @@ export class ActiveDoc extends EventEmitter {
} }
// If row-level access is being controlled, filter the data appropriately. // If row-level access is being controlled, filter the data appropriately.
// Likewise if column-level access is being controlled. // Likewise if column-level access is being controlled.
if (tableAccess.read !== 'allow') { if (this._granularAccess.getReadPermission(tableAccess) !== 'allow') {
await this._granularAccess.filterData(docSession, data!); await this._granularAccess.filterData(docSession, data!);
} }
this.logInfo(docSession, "fetchQuery -> %d rows, cols: %s", this.logInfo(docSession, "fetchQuery -> %d rows, cols: %s",
@ -1181,14 +1179,12 @@ export class ActiveDoc extends EventEmitter {
protected async _applyUserActions(docSession: OptDocSession, actions: UserAction[], protected async _applyUserActions(docSession: OptDocSession, actions: UserAction[],
options: ApplyUAOptions = {}): Promise<ApplyUAResult> { options: ApplyUAOptions = {}): Promise<ApplyUAResult> {
if (!await this._granularAccess.canMaybeApplyUserActions(docSession, actions)) {
throw new ErrorWithCode('ACL_DENY', 'Action blocked by access rules');
}
const client = docSession.client; const client = docSession.client;
this.logDebug(docSession, "_applyUserActions(%s, %s)", client, shortDesc(actions)); this.logDebug(docSession, "_applyUserActions(%s, %s)", client, shortDesc(actions));
this._inactivityTimer.ping(); // The doc is in active use; ping it to stay open longer. this._inactivityTimer.ping(); // The doc is in active use; ping it to stay open longer.
await this._granularAccess.assertCanMaybeApplyUserActions(docSession, actions);
const user = docSession.mode === 'system' ? 'grist' : const user = docSession.mode === 'system' ? 'grist' :
(client && client.session ? (await client.session.getEmail()) : ""); (client && client.session ? (await client.session.getEmail()) : "");

View File

@ -276,6 +276,9 @@ export class Client {
if (err.code) { if (err.code) {
response.errorCode = err.code; response.errorCode = err.code;
} }
if (err.details) {
response.details = err.details;
}
if (typeof code === 'string' && code === 'AUTH_NO_EDIT' && err.accessMode === 'fork') { if (typeof code === 'string' && code === 'AUTH_NO_EDIT' && err.accessMode === 'fork') {
response.shouldFork = true; response.shouldFork = true;
} }

View File

@ -1,6 +1,4 @@
import { MixedPermissionSet, PartialPermissionSet, PermissionSet, TablePermissionSet } from 'app/common/ACLPermissions'; import { ALL_PERMISSION_PROPS } from 'app/common/ACLPermissions';
import { makePartialPermissions, mergePartialPermissions, mergePermissions } from 'app/common/ACLPermissions';
import { emptyPermissionSet, toMixed } from 'app/common/ACLPermissions';
import { ACLRuleCollection } from 'app/common/ACLRuleCollection'; import { ACLRuleCollection } from 'app/common/ACLRuleCollection';
import { ActionGroup } from 'app/common/ActionGroup'; import { ActionGroup } from 'app/common/ActionGroup';
import { createEmptyActionSummary } from 'app/common/ActionSummary'; import { createEmptyActionSummary } from 'app/common/ActionSummary';
@ -15,7 +13,7 @@ import { DocData } from 'app/common/DocData';
import { UserOverride } from 'app/common/DocListAPI'; import { UserOverride } from 'app/common/DocListAPI';
import { ErrorWithCode } from 'app/common/ErrorWithCode'; import { ErrorWithCode } from 'app/common/ErrorWithCode';
import { AclMatchInput, InfoView } from 'app/common/GranularAccessClause'; import { AclMatchInput, InfoView } from 'app/common/GranularAccessClause';
import { RuleSet, UserInfo } from 'app/common/GranularAccessClause'; import { UserInfo } from 'app/common/GranularAccessClause';
import { getSetMapValue, isObject } from 'app/common/gutil'; import { getSetMapValue, isObject } from 'app/common/gutil';
import { canView, Role } from 'app/common/roles'; import { canView, Role } from 'app/common/roles';
import { FullUser } from 'app/common/UserAPI'; import { FullUser } from 'app/common/UserAPI';
@ -23,9 +21,11 @@ import { HomeDBManager } from 'app/gen-server/lib/HomeDBManager';
import { compileAclFormula } from 'app/server/lib/ACLFormula'; import { compileAclFormula } from 'app/server/lib/ACLFormula';
import { getDocSessionAccess, getDocSessionUser, OptDocSession } from 'app/server/lib/DocSession'; import { getDocSessionAccess, getDocSessionUser, OptDocSession } from 'app/server/lib/DocSession';
import * as log from 'app/server/lib/log'; import * as log from 'app/server/lib/log';
import { PermissionInfo, PermissionSetWithContext, TablePermissionSetWithContext } from 'app/server/lib/PermissionInfo';
import { integerParam } from 'app/server/lib/requestUtils'; import { integerParam } from 'app/server/lib/requestUtils';
import { getRelatedRows, getRowIdsFromDocAction } from 'app/server/lib/RowAccess'; import { getRelatedRows, getRowIdsFromDocAction } from 'app/server/lib/RowAccess';
import cloneDeep = require('lodash/cloneDeep'); import cloneDeep = require('lodash/cloneDeep');
import fromPairs = require('lodash/fromPairs');
import get = require('lodash/get'); import get = require('lodash/get');
import pullAt = require('lodash/pullAt'); import pullAt = require('lodash/pullAt');
@ -85,7 +85,7 @@ const OK_ACTIONS = new Set(['Calculate', 'AddEmptyTable']);
* steps and clients. We expect modifications to be serialized, and the following * steps and clients. We expect modifications to be serialized, and the following
* pattern of calls for modifications: * pattern of calls for modifications:
* *
* - canMaybeApplyUserActions(), called with UserActions for an initial access check. * - assertCanMaybeApplyUserActions(), called with UserActions for an initial access check.
* Since not all checks can be done without analyzing UserActions into DocActions, * Since not all checks can be done without analyzing UserActions into DocActions,
* it is ok for this call to pass even if a more definitive test later will fail. * it is ok for this call to pass even if a more definitive test later will fail.
* - canApplyDocActions(), called when DocActions have been produced from UserActions, * - canApplyDocActions(), called when DocActions have been produced from UserActions,
@ -146,7 +146,7 @@ export class GranularAccess {
*/ */
public async hasTableAccess(docSession: OptDocSession, tableId: string) { public async hasTableAccess(docSession: OptDocSession, tableId: string) {
const pset = await this.getTableAccess(docSession, tableId); const pset = await this.getTableAccess(docSession, tableId);
return pset.read !== 'deny'; return this.getReadPermission(pset) !== 'deny';
} }
/** /**
@ -280,9 +280,11 @@ export class GranularAccess {
* TODO: not smart about intermediate states, if there is a table or column rename it will * TODO: not smart about intermediate states, if there is a table or column rename it will
* have trouble, and might forbid something that should be allowed. * have trouble, and might forbid something that should be allowed.
*/ */
public async canMaybeApplyUserActions(docSession: OptDocSession, actions: UserAction[]): Promise<boolean> { public async assertCanMaybeApplyUserActions(docSession: OptDocSession, actions: UserAction[]): Promise<boolean> {
for (const action of actions) { for (const action of actions) {
if (!await this.canMaybeApplyUserAction(docSession, action)) { return false; } if (!await this.assertCanMaybeApplyUserAction(docSession, action)) {
throw new ErrorWithCode('ACL_DENY', 'Action blocked by access rules');
}
} }
return true; return true;
} }
@ -290,7 +292,7 @@ export class GranularAccess {
/** /**
* Check if user can apply a given action to the document. * Check if user can apply a given action to the document.
*/ */
public async canMaybeApplyUserAction(docSession: OptDocSession, a: UserAction|DocAction): Promise<boolean> { public async assertCanMaybeApplyUserAction(docSession: OptDocSession, a: UserAction|DocAction): Promise<boolean> {
const name = a[0] as string; const name = a[0] as string;
if (OK_ACTIONS.has(name)) { return true; } if (OK_ACTIONS.has(name)) { return true; }
if (SPECIAL_ACTIONS.has(name)) { if (SPECIAL_ACTIONS.has(name)) {
@ -300,9 +302,9 @@ export class GranularAccess {
return this.hasFullAccess(docSession); return this.hasFullAccess(docSession);
} }
if (a[0] === 'ApplyUndoActions') { if (a[0] === 'ApplyUndoActions') {
return this.canMaybeApplyUserActions(docSession, a[1] as UserAction[]); return this.assertCanMaybeApplyUserActions(docSession, a[1] as UserAction[]);
} else if (a[0] === 'ApplyDocActions') { } else if (a[0] === 'ApplyDocActions') {
return this.canMaybeApplyUserActions(docSession, a[1] as UserAction[]); return this.assertCanMaybeApplyUserActions(docSession, a[1] as UserAction[]);
} else if (isTableAction(a)) { } else if (isTableAction(a)) {
const tableId = getTableId(a); const tableId = getTableId(a);
// If there are any access control nuances, deny _grist_* tables. // If there are any access control nuances, deny _grist_* tables.
@ -311,8 +313,8 @@ export class GranularAccess {
return !this.hasNuancedAccess(docSession); return !this.hasNuancedAccess(docSession);
} }
const tableAccess = await this.getTableAccess(docSession, tableId); const tableAccess = await this.getTableAccess(docSession, tableId);
const accessFn = getAccessForActionType(a); const accessCheck = getAccessForActionType(a, 'fatal');
const access = accessFn(tableAccess); const access = accessCheck.get(tableAccess);
// if access is mixed, leave this to be checked in detail later. // if access is mixed, leave this to be checked in detail later.
return access === 'allow' || access === 'mixed' || access === 'mixedColumns'; return access === 'allow' || access === 'mixed' || access === 'mixedColumns';
} }
@ -337,7 +339,7 @@ export class GranularAccess {
const access = getDocSessionAccess(docSession); const access = getDocSessionAccess(docSession);
if (!canView(access)) { return false; } if (!canView(access)) { return false; }
const permInfo = await this._getAccess(docSession); const permInfo = await this._getAccess(docSession);
return permInfo.getFullAccess().read === 'allow'; return this.getReadPermission(permInfo.getFullAccess()) === 'allow';
} }
/** /**
@ -399,7 +401,7 @@ export class GranularAccess {
const tableId = rec.tableId as string; const tableId = rec.tableId as string;
const tableRef = rec.id; const tableRef = rec.id;
const tableAccess = permInfo.getTableAccess(tableId); const tableAccess = permInfo.getTableAccess(tableId);
if (tableAccess.read === 'deny') { if (this.getReadPermission(tableAccess) === 'deny') {
censoredTables.add(tableRef); censoredTables.add(tableRef);
} }
// TODO If some columns are allowed and the rest (*) are denied, we need to be able to // TODO If some columns are allowed and the rest (*) are denied, we need to be able to
@ -407,7 +409,7 @@ export class GranularAccess {
for (const ruleSet of this._ruleCollection.getAllColumnRuleSets(tableId)) { for (const ruleSet of this._ruleCollection.getAllColumnRuleSets(tableId)) {
if (Array.isArray(ruleSet.colIds)) { if (Array.isArray(ruleSet.colIds)) {
for (const colId of ruleSet.colIds) { for (const colId of ruleSet.colIds) {
if (permInfo.getColumnAccess(tableId, colId).read === 'deny') { if (this.getReadPermission(permInfo.getColumnAccess(tableId, colId)) === 'deny') {
censoredColumnCodes.add(columnCode(tableRef, colId)); censoredColumnCodes.add(columnCode(tableRef, colId));
} }
} }
@ -475,7 +477,7 @@ export class GranularAccess {
* Distill the clauses for the given session and table, to figure out the * Distill the clauses for the given session and table, to figure out the
* access level and any row-level access functions needed. * access level and any row-level access functions needed.
*/ */
public async getTableAccess(docSession: OptDocSession, tableId: string): Promise<TablePermissionSet> { public async getTableAccess(docSession: OptDocSession, tableId: string): Promise<TablePermissionSetWithContext> {
return (await this._getAccess(docSession)).getTableAccess(tableId); return (await this._getAccess(docSession)).getTableAccess(tableId);
} }
@ -486,12 +488,14 @@ export class GranularAccess {
public async filterData(docSession: OptDocSession, data: TableDataAction) { public async filterData(docSession: OptDocSession, data: TableDataAction) {
const permInfo = await this._getAccess(docSession); const permInfo = await this._getAccess(docSession);
const tableId = getTableId(data); const tableId = getTableId(data);
if (permInfo.getTableAccess(tableId).read === 'mixed') { if (this.getReadPermission(permInfo.getTableAccess(tableId)) === 'mixed') {
await this._filterRowsAndCells(docSession, data, data, data, canRead); await this._filterRowsAndCells(docSession, data, data, data, readAccessCheck);
} }
// Filter columns, omitting any to which the user has no access, regardless of rows. // Filter columns, omitting any to which the user has no access, regardless of rows.
this._filterColumns(data[3], (colId) => permInfo.getColumnAccess(tableId, colId).read !== 'deny'); this._filterColumns(
data[3],
(colId) => this.getReadPermission(permInfo.getColumnAccess(tableId, colId)) !== 'deny');
} }
public async getUserOverride(docSession: OptDocSession): Promise<UserOverride|undefined> { public async getUserOverride(docSession: OptDocSession): Promise<UserOverride|undefined> {
@ -499,25 +503,33 @@ export class GranularAccess {
return this._getUserAttributes(docSession).override; return this._getUserAttributes(docSession).override;
} }
public getReadPermission(ps: PermissionSetWithContext) {
return ps.perms.read;
}
public assertCanRead(ps: PermissionSetWithContext) {
readAccessCheck.throwIfDenied(ps);
}
/** /**
* Strip out any denied columns from an action. Returns null if nothing is left. * Strip out any denied columns from an action. Returns null if nothing is left.
* accessFn may throw if denials are fatal. * accessCheck may throw if denials are fatal.
*/ */
private _pruneColumns(a: DocAction, permInfo: PermissionInfo, tableId: string, private _pruneColumns(a: DocAction, permInfo: PermissionInfo, tableId: string,
accessFn: AccessFn): DocAction|null { accessCheck: AccessCheck): DocAction|null {
if (a[0] === 'RemoveRecord' || a[0] === 'BulkRemoveRecord') { if (a[0] === 'RemoveRecord' || a[0] === 'BulkRemoveRecord') {
return a; return a;
} else if (a[0] === 'AddRecord' || a[0] === 'BulkAddRecord' || a[0] === 'UpdateRecord' || } else if (a[0] === 'AddRecord' || a[0] === 'BulkAddRecord' || a[0] === 'UpdateRecord' ||
a[0] === 'BulkUpdateRecord' || a[0] === 'ReplaceTableData' || a[0] === 'TableData') { a[0] === 'BulkUpdateRecord' || a[0] === 'ReplaceTableData' || a[0] === 'TableData') {
const na = cloneDeep(a); const na = cloneDeep(a);
this._filterColumns(na[3], (colId) => accessFn(permInfo.getColumnAccess(tableId, colId)) !== 'deny'); this._filterColumns(na[3], (colId) => accessCheck.get(permInfo.getColumnAccess(tableId, colId)) !== 'deny');
if (Object.keys(na[3]).length === 0) { return null; } if (Object.keys(na[3]).length === 0) { return null; }
return na; return na;
} else if (a[0] === 'AddColumn' || a[0] === 'RemoveColumn' || a[0] === 'RenameColumn' || } else if (a[0] === 'AddColumn' || a[0] === 'RemoveColumn' || a[0] === 'RenameColumn' ||
a[0] === 'ModifyColumn') { a[0] === 'ModifyColumn') {
const na = cloneDeep(a); const na = cloneDeep(a);
const colId: string = na[2]; const colId: string = na[2];
if (accessFn(permInfo.getColumnAccess(tableId, colId)) === 'deny') { return null; } if (accessCheck.get(permInfo.getColumnAccess(tableId, colId)) === 'deny') { return null; }
throw new ErrorWithCode('NEED_RELOAD', 'document needs reload'); throw new ErrorWithCode('NEED_RELOAD', 'document needs reload');
} else { } else {
// Remaining cases of AddTable, RemoveTable, RenameTable should have // Remaining cases of AddTable, RemoveTable, RenameTable should have
@ -614,22 +626,22 @@ export class GranularAccess {
// Return the results, also applying any cell-level access control. // Return the results, also applying any cell-level access control.
for (const docAction of revisedDocActions) { for (const docAction of revisedDocActions) {
await this._filterRowsAndCells(docSession, rowsAfter, rowsAfter, docAction, canRead); await this._filterRowsAndCells(docSession, rowsAfter, rowsAfter, docAction, readAccessCheck);
} }
return revisedDocActions; return revisedDocActions;
} }
/** /**
* Like _pruneRows, but fails immediately if access to any row is forbidden. * Like _pruneRows, but fails immediately if access to any row is forbidden.
* The accessFn supplied should throw an error on denial. * The accessCheck supplied should throw an error on denial.
*/ */
private async _checkRows(docSession: OptDocSession, a: DocAction, idx: number, private async _checkRows(docSession: OptDocSession, a: DocAction, idx: number,
accessFn: AccessFn): Promise<void> { accessCheck: AccessCheck): Promise<void> {
// For the moment, only deal with Record-related actions. // For the moment, only deal with Record-related actions.
// TODO: process table/column schema changes more carefully. // TODO: process table/column schema changes more carefully.
if (isSchemaAction(a)) { return; } if (isSchemaAction(a)) { return; }
const {rowsBefore, rowsAfter} = await this._getRowsBeforeAndAfter(idx); const {rowsBefore, rowsAfter} = await this._getRowsBeforeAndAfter(idx);
await this._filterRowsAndCells(docSession, rowsBefore, rowsAfter, a, accessFn); await this._filterRowsAndCells(docSession, rowsBefore, rowsAfter, a, accessCheck);
} }
private async _getRowsBeforeAndAfter(idx: number) { private async _getRowsBeforeAndAfter(idx: number) {
@ -656,7 +668,7 @@ export class GranularAccess {
* Modify action in place, scrubbing any rows and cells to which access is not granted. * Modify action in place, scrubbing any rows and cells to which access is not granted.
*/ */
private async _filterRowsAndCells(docSession: OptDocSession, rowsBefore: TableDataAction, rowsAfter: TableDataAction, private async _filterRowsAndCells(docSession: OptDocSession, rowsBefore: TableDataAction, rowsAfter: TableDataAction,
docAction: DocAction, accessFn: AccessFn) { docAction: DocAction, accessCheck: AccessCheck) {
if (docAction && isSchemaAction(docAction)) { if (docAction && isSchemaAction(docAction)) {
// TODO should filter out metadata about an unavailable column, probably. // TODO should filter out metadata about an unavailable column, probably.
return []; return [];
@ -696,14 +708,14 @@ export class GranularAccess {
const rowPermInfo = new PermissionInfo(this._ruleCollection, input); const rowPermInfo = new PermissionInfo(this._ruleCollection, input);
// getTableAccess() evaluates all column rules for THIS record. So it's really rowAccess. // getTableAccess() evaluates all column rules for THIS record. So it's really rowAccess.
const rowAccess = rowPermInfo.getTableAccess(tableId); const rowAccess = rowPermInfo.getTableAccess(tableId);
const access = accessFn(rowAccess); const access = accessCheck.get(rowAccess);
if (access === 'deny') { if (access === 'deny') {
toRemove.push(idx); toRemove.push(idx);
} else if (access !== 'allow' && colValues) { } else if (access !== 'allow' && colValues) {
// Go over column rules. // Go over column rules.
for (const colId of Object.keys(colValues)) { for (const colId of Object.keys(colValues)) {
const colAccess = rowPermInfo.getColumnAccess(tableId, colId); const colAccess = rowPermInfo.getColumnAccess(tableId, colId);
if (accessFn(colAccess) === 'deny') { if (accessCheck.get(colAccess) === 'deny') {
censorAt(colId, idx); censorAt(colId, idx);
} }
} }
@ -737,7 +749,7 @@ export class GranularAccess {
const rowPermInfo = new PermissionInfo(this._ruleCollection, input); const rowPermInfo = new PermissionInfo(this._ruleCollection, input);
// getTableAccess() evaluates all column rules for THIS record. So it's really rowAccess. // getTableAccess() evaluates all column rules for THIS record. So it's really rowAccess.
const rowAccess = rowPermInfo.getTableAccess(tableId); const rowAccess = rowPermInfo.getTableAccess(tableId);
if (canRead(rowAccess) === 'deny') { if (this.getReadPermission(rowAccess) === 'deny') {
toRemove.push(rowIds[idx]); toRemove.push(rowIds[idx]);
} }
} }
@ -1003,134 +1015,36 @@ export class GranularAccess {
const tableId = getTableId(a); const tableId = getTableId(a);
const permInfo = await this._getAccess(docSession); const permInfo = await this._getAccess(docSession);
const tableAccess = permInfo.getTableAccess(tableId); const tableAccess = permInfo.getTableAccess(tableId);
const access = tableAccess.read; const access = this.getReadPermission(tableAccess);
if (access === 'deny') { return []; } if (access === 'deny') { return []; }
if (access === 'allow') { return [a]; } if (access === 'allow') { return [a]; }
if (access === 'mixedColumns') { if (access === 'mixedColumns') {
return [this._pruneColumns(a, permInfo, tableId, canRead)].filter(isObject); return [this._pruneColumns(a, permInfo, tableId, readAccessCheck)].filter(isObject);
} }
// The remainder is the mixed condition. // The remainder is the mixed condition.
const revisedDocActions = await this._pruneRows(docSession, a, idx); const revisedDocActions = await this._pruneRows(docSession, a, idx);
const result = revisedDocActions.map(na => this._pruneColumns(na, permInfo, tableId, const result = revisedDocActions.map(na => this._pruneColumns(na, permInfo, tableId,
canRead)).filter(isObject); readAccessCheck)).filter(isObject);
return result; return result;
} }
private async _checkIncomingDocAction(docSession: OptDocSession, a: DocAction, idx: number): Promise<void> { private async _checkIncomingDocAction(docSession: OptDocSession, a: DocAction, idx: number): Promise<void> {
const accessFn = denyIsFatal(getAccessForActionType(a)); const accessCheck = getAccessForActionType(a, 'fatal');
const tableId = getTableId(a); const tableId = getTableId(a);
const permInfo = await this._getAccess(docSession); const permInfo = await this._getAccess(docSession);
const tableAccess = permInfo.getTableAccess(tableId); const tableAccess = permInfo.getTableAccess(tableId);
const access = accessFn(tableAccess); const access = accessCheck.get(tableAccess);
if (access === 'allow') { return; } if (access === 'allow') { return; }
if (access === 'mixedColumns') { if (access === 'mixedColumns') {
// Somewhat abusing prune method by calling it with an access function that // Somewhat abusing prune method by calling it with an access function that
// throws on denial. // throws on denial.
this._pruneColumns(a, permInfo, tableId, accessFn); this._pruneColumns(a, permInfo, tableId, accessCheck);
} }
// The remainder is the mixed condition. // The remainder is the mixed condition.
await this._checkRows(docSession, a, idx, accessFn); await this._checkRows(docSession, a, idx, accessCheck);
// Somewhat abusing prune method by calling it with an access function that // Somewhat abusing prune method by calling it with an access function that
// throws on denial. // throws on denial.
this._pruneColumns(a, permInfo, tableId, accessFn); this._pruneColumns(a, permInfo, tableId, accessCheck);
}
}
/**
* Evaluate a RuleSet on a given input (user and optionally record). If a record is needed but not
* included, the result may include permission values like 'allowSome', 'denySome'.
*/
function evaluateRule(ruleSet: RuleSet, input: AclMatchInput): PartialPermissionSet {
let pset: PartialPermissionSet = emptyPermissionSet();
for (const rule of ruleSet.body) {
try {
if (rule.matchFunc!(input)) {
pset = mergePartialPermissions(pset, rule.permissions);
}
} catch (e) {
if (e.code === 'NEED_ROW_DATA') {
pset = mergePartialPermissions(pset, makePartialPermissions(rule.permissions));
} else {
// For other errors, assume the rule is invalid, and treat as a non-match.
// TODO An appropriate user should be alerted that a clause is not being honored.
log.warn("ACLRule for %s failed: %s", ruleSet.tableId, e.message);
}
}
}
return pset;
}
/**
* Helper for evaluating rules given a particular user and optionally a record. It evaluates rules
* for a column, table, or document, with caching to avoid evaluating the same rule multiple times.
*/
class PermissionInfo {
private _ruleResults = new Map<RuleSet, MixedPermissionSet>();
// Construct a PermissionInfo for a particular input, which is a combination of user and
// optionally a record.
constructor(private _acls: ACLRuleCollection, private _input: AclMatchInput) {}
// Get permissions for "tableId:colId", defaulting to "tableId:*" and "*:*" as needed.
// If 'mixed' is returned, different rows may have different permissions. It should never return
// 'mixed' if the input includes `rec`.
public getColumnAccess(tableId: string, colId: string): MixedPermissionSet {
const ruleSet: RuleSet|undefined = this._acls.getColumnRuleSet(tableId, colId);
return ruleSet ? this._processColumnRule(ruleSet) : this._getTableDefaultAccess(tableId);
}
// Combine permissions from all rules for the given table.
// If 'mixedColumns' is returned, different columns have different permissions, but they do NOT
// depend on rows. If 'mixed' is returned, some permissions depend on rows.
public getTableAccess(tableId: string): TablePermissionSet {
const columnAccess = this._acls.getAllColumnRuleSets(tableId).map(rs => this._processColumnRule(rs));
columnAccess.push(this._getTableDefaultAccess(tableId));
return mergePermissions(columnAccess, (bits) => (
bits.every(b => b === 'allow') ? 'allow' :
bits.every(b => b === 'deny') ? 'deny' :
bits.every(b => b === 'allow' || b === 'deny') ? 'mixedColumns' :
'mixed'
));
}
// Combine permissions from all rules throughout.
// If 'mixed' is returned, then different tables, rows, or columns have different permissions.
public getFullAccess(): MixedPermissionSet {
const tableAccess = this._acls.getAllTableIds().map(tableId => this.getTableAccess(tableId));
tableAccess.push(this._getDocDefaultAccess());
return mergePermissions(tableAccess, (bits) => (
bits.every(b => b === 'allow') ? 'allow' :
bits.every(b => b === 'deny') ? 'deny' :
'mixed'
));
}
// Get permissions for "tableId:*", defaulting to "*:*" as needed.
// If 'mixed' is returned, different rows may have different permissions.
private _getTableDefaultAccess(tableId: string): MixedPermissionSet {
const ruleSet: RuleSet|undefined = this._acls.getTableDefaultRuleSet(tableId);
return ruleSet ? this._processRule(ruleSet, () => this._getDocDefaultAccess()) :
this._getDocDefaultAccess();
}
// Get permissions for "*:*".
private _getDocDefaultAccess(): MixedPermissionSet {
return this._processRule(this._acls.getDocDefaultRuleSet());
}
// Evaluate and cache the given column rule, falling back to the corresponding table default.
private _processColumnRule(ruleSet: RuleSet): MixedPermissionSet {
return this._processRule(ruleSet, () => this._getTableDefaultAccess(ruleSet.tableId));
}
// Evaluate the given rule, with the default fallback, and cache the result.
private _processRule(ruleSet: RuleSet, defaultAccess?: () => MixedPermissionSet): MixedPermissionSet {
return getSetMapValue(this._ruleResults, ruleSet, () => {
const pset = evaluateRule(ruleSet, this._input);
return toMixed(defaultAccess ? mergePartialPermissions(pset, defaultAccess()) : pset);
});
} }
} }
@ -1173,34 +1087,49 @@ class UserAttributes {
public override?: UserOverride; public override?: UserOverride;
} }
// A function for extracting one of the create/read/update/delete/schemaEdit permissions
// from a permission set.
type AccessFn = (ps: PermissionSet<string>) => string;
// Get an AccessFn appropriate for the specific action. class AccessCheck {
// TODO: deal with ReplaceTableData, which both deletes and creates rows. constructor(public access: 'update'|'delete'|'create'|'schemaEdit'|'read',
function getAccessForActionType(a: DocAction): AccessFn { public severity: 'check'|'fatal') {
if (a[0] === 'UpdateRecord' || a[0] === 'BulkUpdateRecord') { }
return (ps) => ps.update;
} else if (a[0] === 'RemoveRecord' || a[0] === 'BulkRemoveRecord') { public get(ps: PermissionSetWithContext): string {
return (ps) => ps.delete; const result = ps.perms[this.access];
} else if (a[0] === 'AddRecord' || a[0] === 'BulkAddRecord') { if (result !== 'deny' || this.severity !== 'fatal') { return result; }
return (ps) => ps.create; this.throwIfDenied(ps);
} else { return result;
return (ps) => ps.schemaEdit; }
public throwIfDenied(ps: PermissionSetWithContext): void {
const result = ps.perms[this.access];
if (result !== 'deny') { return; }
const memos = ps.getMemos()[this.access];
throw new ErrorWithCode('ACL_DENY', `Blocked by ${ps.ruleType} access rules`, {
memos,
status: 403
});
} }
} }
// Tweak an AccessFn so that it throws an exception if access is denied. export const accessChecks = {
function denyIsFatal(fn: AccessFn): AccessFn { check: fromPairs(ALL_PERMISSION_PROPS.map(prop => [prop, new AccessCheck(prop, 'check')])),
return (ps) => { fatal: fromPairs(ALL_PERMISSION_PROPS.map(prop => [prop, new AccessCheck(prop, 'fatal')])),
const result = fn(ps); };
if (result === 'deny') { throw new ErrorWithCode('ACL_DENY', 'Blocked by access rules'); }
return result;
};
}
// A simple access function that returns the "read" permission.
function canRead(ps: PermissionSet<string>) { // The AccessCheck for the "read" permission is used enough to merit a shortcut.
return ps.read; const readAccessCheck = accessChecks.check.read;
// Get an AccessCheck appropriate for the specific action.
// TODO: deal with ReplaceTableData, which both deletes and creates rows.
function getAccessForActionType(a: DocAction, severity: 'check'|'fatal'): AccessCheck {
if (a[0] === 'UpdateRecord' || a[0] === 'BulkUpdateRecord') {
return accessChecks[severity].update;
} else if (a[0] === 'RemoveRecord' || a[0] === 'BulkRemoveRecord') {
return accessChecks[severity].delete;
} else if (a[0] === 'AddRecord' || a[0] === 'BulkAddRecord') {
return accessChecks[severity].create;
} else {
return accessChecks[severity].schemaEdit;
}
} }

View File

@ -0,0 +1,239 @@
import { ALL_PERMISSION_PROPS, emptyPermissionSet,
makePartialPermissions, mergePartialPermissions, mergePermissions,
MixedPermissionSet, PartialPermissionSet, PermissionSet, TablePermissionSet,
toMixed } from 'app/common/ACLPermissions';
import { ACLRuleCollection } from 'app/common/ACLRuleCollection';
import { AclMatchInput, RuleSet } from 'app/common/GranularAccessClause';
import { getSetMapValue } from 'app/common/gutil';
import * as log from 'app/server/lib/log';
import { mapValues } from 'lodash';
/**
* A PermissionSet with context about how it was created. Allows us to produce more
* informative error messages.
*/
export interface PermissionSetWithContextOf<T = PermissionSet> {
perms: T;
ruleType: 'full'|'table'|'column';
getMemos: () => MemoSet;
}
export type MixedPermissionSetWithContext = PermissionSetWithContextOf<MixedPermissionSet>;
export type TablePermissionSetWithContext = PermissionSetWithContextOf<TablePermissionSet>;
export type PermissionSetWithContext = PermissionSetWithContextOf<PermissionSet<string>>;
// Accumulator for memos of relevant rules.
export type MemoSet = PermissionSet<string[]>;
// Merge MemoSets straightforwardly, by concatenation.
export function mergeMemoSets(psets: MemoSet[]): MemoSet {
const result: Partial<MemoSet> = {};
for (const prop of ALL_PERMISSION_PROPS) {
result[prop] = ([] as string[]).concat(...psets.map(p => p[prop]));
}
return result as MemoSet;
}
export function emptyMemoSet(): MemoSet {
return {
read: [],
create: [],
update: [],
delete: [],
schemaEdit: [],
};
}
/**
* Abstract base class for processing rules given a particular input.
* Main use of this class will be to calculate permissions, but will also
* be used to calculate metadata about permissions.
*/
abstract class RuleInfo<MixedT extends TableT, TableT> {
// Construct a RuleInfo for a particular input, which is a combination of user and
// optionally a record.
constructor(protected _acls: ACLRuleCollection, protected _input: AclMatchInput) {}
public getColumnAspect(tableId: string, colId: string): MixedT {
const ruleSet: RuleSet|undefined = this._acls.getColumnRuleSet(tableId, colId);
return ruleSet ? this._processColumnRule(ruleSet) : this._getTableDefaultAspect(tableId);
}
public getTableAspect(tableId: string): TableT {
const columnAccess = this._acls.getAllColumnRuleSets(tableId).map(rs => this._processColumnRule(rs));
columnAccess.push(this._getTableDefaultAspect(tableId));
return this._mergeTableAccess(columnAccess);
}
public getFullAspect(): MixedT {
const tableAccess = this._acls.getAllTableIds().map(tableId => this.getTableAspect(tableId));
tableAccess.push(this._getDocDefaultAspect());
return this._mergeFullAccess(tableAccess);
}
protected abstract _processRule(ruleSet: RuleSet, defaultAccess?: () => MixedT): MixedT;
protected abstract _mergeTableAccess(access: MixedT[]): TableT;
protected abstract _mergeFullAccess(access: TableT[]): MixedT;
private _getTableDefaultAspect(tableId: string): MixedT {
const ruleSet: RuleSet|undefined = this._acls.getTableDefaultRuleSet(tableId);
return ruleSet ? this._processRule(ruleSet, () => this._getDocDefaultAspect()) :
this._getDocDefaultAspect();
}
private _getDocDefaultAspect(): MixedT {
return this._processRule(this._acls.getDocDefaultRuleSet());
}
private _processColumnRule(ruleSet: RuleSet): MixedT {
return this._processRule(ruleSet, () => this._getTableDefaultAspect(ruleSet.tableId));
}
}
/**
* Pool memos from rules, on the assumption that access has been denied and we are looking
* for possible explanations to offer the user.
*/
export class MemoInfo extends RuleInfo<MemoSet, MemoSet> {
protected _processRule(ruleSet: RuleSet, defaultAccess?: () => MemoSet): MemoSet {
const pset = extractMemos(ruleSet, this._input);
return defaultAccess ? mergeMemoSets([pset, defaultAccess()]) : pset;
}
protected _mergeTableAccess(access: MemoSet[]): MemoSet {
return mergeMemoSets(access);
}
protected _mergeFullAccess(access: MemoSet[]): MemoSet {
return mergeMemoSets(access);
}
}
/**
* Helper for evaluating rules given a particular user and optionally a record. It evaluates rules
* for a column, table, or document, with caching to avoid evaluating the same rule multiple times.
*/
export class PermissionInfo extends RuleInfo<MixedPermissionSet, TablePermissionSet> {
private _ruleResults = new Map<RuleSet, MixedPermissionSet>();
// Get permissions for "tableId:colId", defaulting to "tableId:*" and "*:*" as needed.
// If 'mixed' is returned, different rows may have different permissions. It should never return
// 'mixed' if the input includes `rec`.
// Wrap permissions with information about how they were computed. This allows
// us to issue more informative error messages.
public getColumnAccess(tableId: string, colId: string): MixedPermissionSetWithContext {
return {
perms: this.getColumnAspect(tableId, colId),
ruleType: 'column',
getMemos: () => new MemoInfo(this._acls, this._input).getColumnAspect(tableId, colId)
};
}
// Combine permissions from all rules for the given table.
// If 'mixedColumns' is returned, different columns have different permissions, but they do NOT
// depend on rows. If 'mixed' is returned, some permissions depend on rows.
// Wrap permission sets for better error messages.
public getTableAccess(tableId: string): TablePermissionSetWithContext {
return {
perms: this.getTableAspect(tableId),
ruleType: 'table',
getMemos: () => new MemoInfo(this._acls, this._input).getTableAspect(tableId)
};
}
// Combine permissions from all rules throughout.
// If 'mixed' is returned, then different tables, rows, or columns have different permissions.
// Wrap permission sets for better error messages.
public getFullAccess(): MixedPermissionSetWithContext {
return {
perms: this.getFullAspect(),
ruleType: 'full',
getMemos: () => new MemoInfo(this._acls, this._input).getFullAspect()
};
}
protected _processRule(ruleSet: RuleSet, defaultAccess?: () => MixedPermissionSet): MixedPermissionSet {
return getSetMapValue(this._ruleResults, ruleSet, () => {
const pset = evaluateRule(ruleSet, this._input);
return toMixed(defaultAccess ? mergePartialPermissions(pset, defaultAccess()) : pset);
});
}
protected _mergeTableAccess(access: MixedPermissionSet[]): TablePermissionSet {
return mergePermissions(access, (bits) => (
bits.every(b => b === 'allow') ? 'allow' :
bits.every(b => b === 'deny') ? 'deny' :
bits.every(b => b === 'allow' || b === 'deny') ? 'mixedColumns' :
'mixed'
));
}
protected _mergeFullAccess(access: TablePermissionSet[]): MixedPermissionSet {
return mergePermissions(access, (bits) => (
bits.every(b => b === 'allow') ? 'allow' :
bits.every(b => b === 'deny') ? 'deny' :
'mixed'
));
}
}
/**
* Evaluate a RuleSet on a given input (user and optionally record). If a record is needed but not
* included, the result may include permission values like 'allowSome', 'denySome'.
*/
function evaluateRule(ruleSet: RuleSet, input: AclMatchInput): PartialPermissionSet {
let pset: PartialPermissionSet = emptyPermissionSet();
for (const rule of ruleSet.body) {
try {
if (rule.matchFunc!(input)) {
pset = mergePartialPermissions(pset, rule.permissions);
}
} catch (e) {
if (e.code === 'NEED_ROW_DATA') {
pset = mergePartialPermissions(pset, makePartialPermissions(rule.permissions));
} else {
// Unexpected error. Interpret rule pessimistically.
// Anything it would explicitly allow, no longer allow through this rule.
// Anything it would explicitly deny, go ahead and deny.
pset = mergePartialPermissions(pset, mapValues(rule.permissions, val => (val === 'allow' ? "" : val)));
log.warn("ACLRule for %s failed: %s", ruleSet.tableId, e.message);
}
}
}
return pset;
}
/**
* If a rule has a memo, and passes, add that memo for all permissions it denies.
* If a rule has a memo, and fails, add that memo for all permissions it allows.
*/
function extractMemos(ruleSet: RuleSet, input: AclMatchInput): MemoSet {
const pset = emptyMemoSet();
for (const rule of ruleSet.body) {
try {
const passing = rule.matchFunc!(input);
for (const prop of ALL_PERMISSION_PROPS) {
const p = rule.permissions[prop];
const memos: string[] = pset[prop];
if (rule.memo) {
if (passing && p === 'deny') {
memos.push(rule.memo);
} else if (!passing && p === 'allow') {
memos.push(rule.memo);
}
}
}
} catch (e) {
if (e.code !== 'NEED_ROW_DATA') {
// If a rule is failing unexpectedly, give some information via memos.
// TODO: Could give a more structured result.
for (const prop of ALL_PERMISSION_PROPS) {
pset[prop].push(`Rule [${rule.aclFormula}] for ${ruleSet.tableId} has an error: ${e.message}`);
}
}
}
}
return pset;
}

View File

@ -24,8 +24,15 @@ export const jsonErrorHandler: express.ErrorRequestHandler = (err, req, res, nex
log.warn("Error during api call to %s: (%s) user %d params %s body %s", req.path, err.message, log.warn("Error during api call to %s: (%s) user %d params %s body %s", req.path, err.message,
mreq.userId, mreq.userId,
JSON.stringify(req.params), JSON.stringify(req.body)); JSON.stringify(req.params), JSON.stringify(req.body));
res.status(err.status || 500).json({error: err.message || 'internal error', let details = err.details && {...err.details};
details: err.details}); const status = details?.status || err.status || 500;
if (details) {
// Remove some details exposed for websocket API only.
delete details.accessMode;
delete details.status; // TODO: reconcile err.status and details.status, no need for both.
if (Object.keys(details).length === 0) { details = undefined; }
}
res.status(status).json({error: err.message || 'internal error', details});
}; };
/** /**

View File

@ -1,5 +1,7 @@
import ast import ast
import io
import json import json
import tokenize
from collections import namedtuple from collections import namedtuple
import asttokens import asttokens
@ -22,10 +24,16 @@ def parse_acl_formula(acl_formula):
Const value (number, string, bool) Const value (number, string, bool)
Name name (string) Name name (string)
Attr node, attr_name Attr node, attr_name
Comment node, comment
""" """
try: try:
tree = ast.parse(acl_formula, mode='eval') tree = ast.parse(acl_formula, mode='eval')
return _TreeConverter().visit(tree) result = _TreeConverter().visit(tree)
for part in tokenize.generate_tokens(io.StringIO(acl_formula.decode('utf-8')).readline):
if part[0] == tokenize.COMMENT and part[1].startswith('#'):
result = ['Comment', result, part[1][1:].strip()]
break
return result
except SyntaxError as err: except SyntaxError as err:
# In case of an error, include line and offset. # In case of an error, include line and offset.
raise SyntaxError("%s on line %s col %s" % (err.args[0], err.lineno, err.offset)) raise SyntaxError("%s on line %s col %s" % (err.args[0], err.lineno, err.offset))

View File

@ -79,6 +79,24 @@ class TestACLFormula(unittest.TestCase):
['Attr', ['Attr', ['Name', 'user'], 'Status'], 'IsActive'] ['Attr', ['Attr', ['Name', 'user'], 'Status'], 'IsActive']
]) ])
self.assertEqual(parse_acl_formula(
"True # Comment! "),
['Comment', ['Const', True], 'Comment!'])
self.assertEqual(parse_acl_formula(
"\"#x\" == \" # Not a comment \"#Comment!"),
['Comment',
['Eq', ['Const', '#x'], ['Const', ' # Not a comment ']],
'Comment!'
])
self.assertEqual(parse_acl_formula(
"# Allow owners\nuser.Access == 'owners' # ignored\n# comment ignored"),
['Comment',
['Eq', ['Attr', ['Name', 'user'], 'Access'], ['Const', 'owners']],
'Allow owners'
])
def test_unsupported(self): def test_unsupported(self):
# Test a few constructs we expect to fail # Test a few constructs we expect to fail
# Not an expression # Not an expression