(core) Implement much of the general AccessRules UI.

Summary:
- Factored out ACLRuleCollection into its own file, and use for building UI.
- Moved AccessRules out of UserManager to a page linked from left panel.
- Changed default RulePart to be the last part of a rule for simpler code.
- Implemented much of the UI for adding/deleting rules.
  - For now, editing the ACLFormula and Permissions is done using text inputs.
- Implemented saving rules by syncing a bundle of them.
- Fixed DocData to clean up action bundle in case of an early error.

Test Plan: WIP planning to add some new browser tests for the UI

Reviewers: paulfitz

Reviewed By: paulfitz

Differential Revision: https://phab.getgrist.com/D2678

app/common/ACLRuleCollection.ts

@@ -0,0 +1,224 @@
+import { parsePermissions } from 'app/common/ACLPermissions';
+import { ILogger } from 'app/common/BaseAPI';
+import { RowRecord } from 'app/common/DocActions';
+import { DocData } from 'app/common/DocData';
+import { AclMatchFunc, ParsedAclFormula, RulePart, RuleSet, UserAttributeRule } from 'app/common/GranularAccessClause';
+import { getSetMapValue } from 'app/common/gutil';
+import sortBy = require('lodash/sortBy');
+
+const defaultMatchFunc: AclMatchFunc = () => true;
+
+// This is the hard-coded default RuleSet that's added to any user-created default rule.
+const DEFAULT_RULE_SET: RuleSet = {
+  tableId: '*',
+  colIds: '*',
+  body: [{
+    aclFormula: "user.Access in ['editors', 'owners']",
+    matchFunc:  (input) => ['editors', 'owners'].includes(String(input.user.Access)),
+    permissions: parsePermissions('all'),
+    permissionsText: 'all',
+  }, {
+    aclFormula: "user.Access in ['viewers']",
+    matchFunc:  (input) => ['viewers'].includes(String(input.user.Access)),
+    permissions: parsePermissions('+R'),
+    permissionsText: '+R',
+  }, {
+    aclFormula: "",
+    matchFunc: defaultMatchFunc,
+    permissions: parsePermissions('none'),
+    permissionsText: 'none',
+  }],
+};
+
+export class ACLRuleCollection {
+  // In the absence of rules, some checks are skipped. For now this is important to maintain all
+  // existing behavior. TODO should make sure checking access against default rules is equivalent
+  // and efficient.
+  private _haveRules = false;
+
+  // Map of tableId to list of column RuleSets (those with colIds other than '*')
+  private _columnRuleSets = new Map<string, RuleSet[]>();
+
+  // Maps 'tableId:colId' to one of the RuleSets in the list _columnRuleSets.get(tableId).
+  private _tableColumnMap = new Map<string, RuleSet>();
+
+  // Map of tableId to the single default RuleSet for the table (colIds of '*')
+  private _tableRuleSets = new Map<string, RuleSet>();
+
+  // The default RuleSet (tableId '*', colIds '*')
+  private _defaultRuleSet: RuleSet = DEFAULT_RULE_SET;
+
+  // List of all tableIds mentioned in rules.
+  private _tableIds: string[] = [];
+
+  // Maps name to the corresponding UserAttributeRule.
+  private _userAttributeRules = new Map<string, UserAttributeRule>();
+
+  // Whether there are ANY user-defined rules.
+  public haveRules(): boolean {
+    return this._haveRules;
+  }
+
+  // Return the RuleSet for "tableId:colId", or undefined if there isn't one for this column.
+  public getColumnRuleSet(tableId: string, colId: string): RuleSet|undefined {
+    return this._tableColumnMap.get(`${tableId}:${colId}`);
+  }
+
+  // Return all RuleSets for "tableId:<any colId>", not including "tableId:*".
+  public getAllColumnRuleSets(tableId: string): RuleSet[] {
+    return this._columnRuleSets.get(tableId) || [];
+  }
+
+  // Return the RuleSet for "tableId:*".
+  public getTableDefaultRuleSet(tableId: string): RuleSet|undefined {
+    return this._tableRuleSets.get(tableId);
+  }
+
+  // Return the RuleSet for "*:*".
+  public getDocDefaultRuleSet(): RuleSet {
+    return this._defaultRuleSet;
+  }
+
+  // Return the list of all tableId mentions in ACL rules.
+  public getAllTableIds(): string[] {
+    return this._tableIds;
+  }
+
+  // Returns a Map of user attribute name to the corresponding UserAttributeRule.
+  public getUserAttributeRules(): Map<string, UserAttributeRule> {
+    return this._userAttributeRules;
+  }
+
+  /**
+   * Update granular access from DocData.
+   */
+  public async update(docData: DocData, options: ReadAclOptions) {
+    const {ruleSets, userAttributes} = readAclRules(docData, options);
+
+    // Build a map of user characteristics rules.
+    const userAttributeMap = new Map<string, UserAttributeRule>();
+    for (const userAttr of userAttributes) {
+      userAttributeMap.set(userAttr.name, userAttr);
+    }
+
+    // Build maps of ACL rules.
+    const colRuleSets = new Map<string, RuleSet[]>();
+    const tableColMap = new Map<string, RuleSet>();
+    const tableRuleSets = new Map<string, RuleSet>();
+    const tableIds = new Set<string>();
+    let defaultRuleSet: RuleSet = DEFAULT_RULE_SET;
+
+    this._haveRules = (ruleSets.length > 0);
+    for (const ruleSet of ruleSets) {
+      if (ruleSet.tableId === '*') {
+        if (ruleSet.colIds === '*') {
+          defaultRuleSet = {
+            ...ruleSet,
+            body: [...ruleSet.body, ...DEFAULT_RULE_SET.body],
+          };
+        } else {
+          // tableId of '*' cannot list particular columns.
+          throw new Error(`Invalid rule for tableId ${ruleSet.tableId}, colIds ${ruleSet.colIds}`);
+        }
+      } else if (ruleSet.colIds === '*') {
+        tableIds.add(ruleSet.tableId);
+        if (tableRuleSets.has(ruleSet.tableId)) {
+          throw new Error(`Invalid duplicate default rule for ${ruleSet.tableId}`);
+        }
+        tableRuleSets.set(ruleSet.tableId, ruleSet);
+      } else {
+        tableIds.add(ruleSet.tableId);
+        getSetMapValue(colRuleSets, ruleSet.tableId, () => []).push(ruleSet);
+        for (const colId of ruleSet.colIds) {
+          tableColMap.set(`${ruleSet.tableId}:${colId}`, ruleSet);
+        }
+      }
+    }
+
+    // Update GranularAccess state.
+    this._columnRuleSets = colRuleSets;
+    this._tableColumnMap = tableColMap;
+    this._tableRuleSets = tableRuleSets;
+    this._defaultRuleSet = defaultRuleSet;
+    this._tableIds = [...tableIds];
+    this._userAttributeRules = userAttributeMap;
+  }
+}
+
+export interface ReadAclOptions {
+  log: ILogger;     // For logging warnings during rule processing.
+  compile?: (parsed: ParsedAclFormula) => AclMatchFunc;
+}
+
+export interface ReadAclResults {
+  ruleSets: RuleSet[];
+  userAttributes: UserAttributeRule[];
+}
+
+/**
+ * Parse all ACL rules in the document from DocData into a list of RuleSets and of
+ * UserAttributeRules. This is used by both client-side code and server-side.
+ */
+function readAclRules(docData: DocData, {log, compile}: ReadAclOptions): ReadAclResults {
+  const resourcesTable = docData.getTable('_grist_ACLResources')!;
+  const rulesTable = docData.getTable('_grist_ACLRules')!;
+
+  const ruleSets: RuleSet[] = [];
+  const userAttributes: UserAttributeRule[] = [];
+
+  // Group rules by resource first, ordering by rulePos. Each group will become a RuleSet.
+  const rulesByResource = new Map<number, RowRecord[]>();
+  for (const ruleRecord of sortBy(rulesTable.getRecords(), 'rulePos')) {
+    getSetMapValue(rulesByResource, ruleRecord.resource, () => []).push(ruleRecord);
+  }
+
+  for (const [resourceId, rules] of rulesByResource.entries()) {
+    const resourceRec = resourcesTable.getRecord(resourceId as number);
+    if (!resourceRec) {
+      log.error(`ACLRule ${rules[0].id} ignored; refers to an invalid ACLResource ${resourceId}`);
+      continue;
+    }
+    if (!resourceRec.tableId || !resourceRec.colIds) {
+      // This should only be the case for the old-style default rule/resource, which we
+      // intentionally ignore and skip.
+      continue;
+    }
+    const tableId = resourceRec.tableId as string;
+    const colIds = resourceRec.colIds === '*' ? '*' : (resourceRec.colIds as string).split(',');
+
+    const body: RulePart[] = [];
+    for (const rule of rules) {
+      if (rule.userAttributes) {
+        if (tableId !== '*' || colIds !== '*') {
+          log.warn(`ACLRule ${rule.id} ignored; user attributes must be on the default resource`);
+          continue;
+        }
+        const parsed = JSON.parse(String(rule.userAttributes));
+        // TODO: could perhaps use ts-interface-checker here.
+        if (!(parsed && typeof parsed === 'object' &&
+          [parsed.name, parsed.tableId, parsed.lookupColId, parsed.charId]
+          .every(p => p && typeof p === 'string'))) {
+          log.warn(`User attribute rule ${rule.id} is invalid`);
+          continue;
+        }
+        parsed.origRecord = rule;
+        userAttributes.push(parsed as UserAttributeRule);
+      } else if (body.length > 0 && !body[body.length - 1].aclFormula) {
+        log.warn(`ACLRule ${rule.id} ignored because listed after default rule`);
+      } else if (rule.aclFormula && !rule.aclFormulaParsed) {
+        log.warn(`ACLRule ${rule.id} ignored because missing its parsed formula`);
+      } else {
+        body.push({
+          origRecord: rule,
+          aclFormula: String(rule.aclFormula),
+          matchFunc: rule.aclFormula ? compile?.(JSON.parse(String(rule.aclFormulaParsed))) : defaultMatchFunc,
+          permissions: parsePermissions(String(rule.permissionsText)),
+          permissionsText: String(rule.permissionsText),
+        });
+      }
+    }
+    const ruleSet: RuleSet = {tableId, colIds, body};
+    ruleSets.push(ruleSet);
+  }
+  return {ruleSets, userAttributes};
+}