package guardian
Role-based access control for OCaml
Sources
0.1.0.tar.gz
md5=4aa712fb5ae59dc3483d4f1d84a59b97
sha512=b5b936f35d6a519760c100480a0e3748db23989d10d58b601d05b3c235dbe3ef0a9253676a5f6ce33b45ece9fd0caaba6ae9097fe2c73f370b7166051a4a2ec6
doc/src/guardian.backend/mariadb_backend.ml.html
Source file mariadb_backend.ml
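open CCFun.Infix
open Lwt.Infix
open Caqti_request.Infix

(** MariaDB persistence backend for Guardian.

    [Make] instantiates the generic [Guardian.MakePersistence] functor with
    Caqti encoders/decoders and the SQL needed for three tables:
    [guardian_rules], [guardian_actors] and [guardian_targets].

    UUIDs are stored as binary columns: every query converts the textual UUID
    with [UNHEX(REPLACE(?, '-', ''))] on the way in and rebuilds the dashed,
    lower-case form with [LOWER(CONCAT(SUBSTR(HEX(..)..)))] on the way out.
    All caller-supplied values reach the database through [?] placeholders
    bound by Caqti; no value is ever spliced into the SQL text.

    [Database.exec], [Database.find_opt] and [Database.collect] are used here
    as plain [Lwt.t] promises (they are wrapped with [Lwt_result.ok] where a
    result is required); their exact contract lives in [Database_pools.Sig].
    The optional [?ctx] argument is passed through untouched to every
    [Database] call. *)
module Make
    (ActorRoles : Guardian.RoleSig)
    (TargetRoles : Guardian.RoleSig)
    (Database : Database_pools.Sig) =
struct
  module Guard = Guardian.Make (ActorRoles) (TargetRoles)
  module Authorizer = Guard.Authorizer

  (** Caqti [string] column mapping for a role-like type: stored via [show],
      read back via [of_string]. *)
  module BaseType (Core : Guardian.RoleSig) = struct
    include Core

    let t =
      let open CCResult in
      Caqti_type.(
        custom
          ~encode:(Core.show %> return)
          ~decode:(of_string %> return)
          string)
    ;;
  end

  module Uuid = struct
    (** Caqti [string] column mapping for a UUID. Decoding validates the
        textual form through [of_string] and rejects the row with an
        ["Invalid UUID: .."] error when it does not parse. *)
    module UuidBase (Core : Guard.Uuid.Sig) = struct
      include Core

      let t =
        Caqti_type.(
          custom
            ~encode:(to_string %> CCResult.return)
            ~decode:(fun id ->
              id
              |> of_string
              |> CCOption.to_result (Format.asprintf "Invalid UUID: %s" id))
            string)
      ;;
    end

    module Actor = UuidBase (Guard.Uuid.Actor)
    module Target = UuidBase (Guard.Uuid.Target)
  end

  (** An owner is always an actor UUID. *)
  module Owner = struct
    let t = Uuid.Actor.t
  end

  module Role = BaseType (ActorRoles)
  module Kind = BaseType (TargetRoles)

  (** Role sets are persisted as a JSON string (Yojson round trip). *)
  module Roles = struct
    include Guard.RoleSet

    let t =
      Caqti_type.(
        custom
          ~encode:(to_yojson %> Yojson.Safe.to_string %> CCResult.return)
          ~decode:(Yojson.Safe.from_string %> of_yojson)
          string)
    ;;
  end

  (** Actions are persisted via their [show] representation. *)
  module Action = struct
    include Guard.Action

    let t =
      let open CCResult in
      Caqti_type.(
        custom
          ~encode:(Guard.Action.show %> return)
          ~decode:(of_string %> return)
          string)
    ;;
  end

  include Guard.MakePersistence (struct
    type 'a actor = 'a Guard.Actor.t
    type 'b target = 'b Guard.Target.t
    type actor_spec = Guard.ActorSpec.t
    type effect = Guard.Effect.t
    type validation_set = Guard.ValidationSet.t
    type kind = TargetRoles.t
    type role_set = Roles.t
    type roles = ActorRoles.t
    type rule = Guard.Rule.t
    type target_spec = Guard.TargetSpec.t
    type ('rv, 'err) monad = ('rv, 'err) Lwt_result.t

    module Repo = struct
      module Rule = struct
        include Guard.Rule

        (** Row mapping for [guardian_rules]:
            [(actor_role, actor_uuid option, act, target_role, target_uuid option)].
            A [None] uuid on either side means the spec is an [Entity]
            (applies to every actor/target of that role); [Some] means [Id]. *)
        let t =
          let encode =
            let open Guard in
            function
            | ActorSpec.Entity arole, act, TargetSpec.Entity trole ->
              Ok (arole, (None, (act, (trole, None))))
            | ActorSpec.Id (arole, aid), act, TargetSpec.Entity trole ->
              Ok (arole, (Some aid, (act, (trole, None))))
            | ActorSpec.Entity arole, act, TargetSpec.Id (trole, tid) ->
              Ok (arole, (None, (act, (trole, Some tid))))
            | ActorSpec.Id (arole, aid), act, TargetSpec.Id (trole, tid) ->
              Ok (arole, (Some aid, (act, (trole, Some tid))))
          in
          let decode (arole, (aid, (act, (trole, tid)))) =
            let open Guard in
            match aid, tid with
            | Some aid, Some tid ->
              Ok (ActorSpec.Id (arole, aid), act, TargetSpec.Id (trole, tid))
            | None, Some tid ->
              Ok (ActorSpec.Entity arole, act, TargetSpec.Id (trole, tid))
            | Some aid, None ->
              Ok (ActorSpec.Id (arole, aid), act, TargetSpec.Entity trole)
            | None, None ->
              Ok (ActorSpec.Entity arole, act, TargetSpec.Entity trole)
          in
          Caqti_type.(
            custom
              ~encode
              ~decode
              (tup2
                 Role.t
                 (tup2
                    (option Uuid.Actor.t)
                    (tup2 Action.t (tup2 Kind.t (option Uuid.Target.t))))))
        ;;

        (** [find_all ?ctx target_spec] lists every rule whose target side
            matches [target_spec]: for [Id (role, uuid)] the row must match
            both role and uuid, for [Entity role] only the role.

            The [%s] in the SELECT is filled with one of the two fixed
            WHERE literals below, never with caller data; [role] and [uuid]
            are bound as [?] parameters. *)
        let find_all ?ctx target_spec =
          let select =
            Format.asprintf
              {sql| SELECT actor_role, LOWER(CONCAT( SUBSTR(HEX(actor_uuid), 1, 8), '-', SUBSTR(HEX(actor_uuid), 9, 4), '-', SUBSTR(HEX(actor_uuid), 13, 4), '-', SUBSTR(HEX(actor_uuid), 17, 4), '-', SUBSTR(HEX(actor_uuid), 21) )), act, target_role, LOWER(CONCAT( SUBSTR(HEX(target_uuid), 1, 8), '-', SUBSTR(HEX(target_uuid), 9, 4), '-', SUBSTR(HEX(target_uuid), 13, 4), '-', SUBSTR(HEX(target_uuid), 17, 4), '-', SUBSTR(HEX(target_uuid), 21) )) FROM guardian_rules %s |sql}
          in
          match target_spec with
          | Guard.TargetSpec.Id (role, uuid) ->
            let where =
              {sql|WHERE target_role = ? AND target_uuid = UNHEX(REPLACE(?, '-', ''))|sql}
            in
            let caqti =
              select where |> Caqti_type.(tup2 Kind.t Uuid.Target.t ->* t)
            in
            Database.collect ?ctx caqti (role, uuid)
          | Guard.TargetSpec.Entity role ->
            let where = {sql|WHERE target_role = ?|sql} in
            let caqti = select where |> Kind.t ->* t in
            Database.collect ?ctx caqti role
        ;;

        (** Runs [query] (a statement taking one full rule row and returning
            nothing) against [rule]. Shared by [save] and [delete]. *)
        let act_on_rule ?ctx query rule =
          let caqti = Caqti_type.(t ->. unit) query in
          Database.exec ?ctx caqti rule |> Lwt_result.ok
        ;;

        (** Inserts [rule]. Whether a duplicate rule is rejected depends on
            the table's key definition in [Migrations] (not visible here). *)
        let save ?ctx rule =
          let query =
            {sql| INSERT INTO guardian_rules (actor_role, actor_uuid, act, target_role, target_uuid) VALUES (?, UNHEX(REPLACE(?, '-', '')), ?, ?, UNHEX(REPLACE(?, '-', ''))) |sql}
          in
          act_on_rule ?ctx query rule
        ;;

        (** Hard-deletes every row equal to [rule] on all five columns.
            Note: [NULL = NULL] is not true in SQL, so an [Entity] rule
            (NULL uuid) would not match this WHERE — confirm against the
            schema whether entity rules can actually be removed this way. *)
        let delete ?ctx rule =
          (* TODO: only mark as deleted *)
          let query =
            {sql| DELETE FROM guardian_rules WHERE actor_role = ? AND actor_uuid = UNHEX(REPLACE(?, '-', '')) AND act = ? AND target_role = ? AND target_uuid = UNHEX(REPLACE(?, '-', '')) |sql}
          in
          act_on_rule ?ctx query rule
        ;;
      end

      module Actor = struct
        (** [create ?ctx ?owner roles id] inserts an actor row.

            Idempotent on [id]: when the uuid already exists only
            [updated_at] is touched — the [roles] and [owner] passed here
            are NOT written to the existing row. Use [grant_roles] /
            [save_owner] to change an existing actor. *)
        let create ?ctx ?owner roles id =
          let caqti =
            {sql| INSERT INTO guardian_actors (uuid, roles, owner) VALUES (UNHEX(REPLACE(?, '-', '')), ?, UNHEX(REPLACE(?, '-', ''))) ON DUPLICATE KEY UPDATE updated_at = NOW() |sql}
            |> Caqti_type.(tup3 Uuid.Actor.t Roles.t (option Owner.t) ->. unit)
          in
          Database.exec ?ctx caqti (id, roles, owner) |> Lwt_result.ok
        ;;

        (** [mem ?ctx id] is [true] iff an actor row with [id] exists.
            [roles] is read as a raw string here only to have a column to
            select; its content is not decoded. *)
        let mem ?ctx id =
          let caqti =
            {sql|SELECT roles FROM guardian_actors WHERE uuid = UNHEX(REPLACE(?, '-', ''))|sql}
            |> Uuid.Actor.t ->? Caqti_type.string
          in
          Database.find_opt ?ctx caqti id >|= CCOption.is_some |> Lwt_result.ok
        ;;

        (** [find ?ctx typ id] loads roles and (nullable) owner for [id]
            and builds the actor; errors with ["Actor ('..') not found"]
            when no row matches. *)
        let find ?ctx typ id =
          let open Lwt.Infix in
          let open Lwt_result.Syntax in
          let caqti =
            {sql| SELECT roles, LOWER(CONCAT( SUBSTR(HEX(owner), 1, 8), '-', SUBSTR(HEX(owner), 9, 4), '-', SUBSTR(HEX(owner), 13, 4), '-', SUBSTR(HEX(owner), 17, 4), '-', SUBSTR(HEX(owner), 21) )) FROM guardian_actors WHERE uuid = UNHEX(REPLACE(?, '-', '')) |sql}
            |> Caqti_type.(Uuid.Actor.t ->? tup2 Roles.t (option Owner.t))
          in
          let* roles, owner =
            Database.find_opt ?ctx caqti id
            >|= CCOption.to_result
                  (Format.asprintf
                     "Actor ('%s') not found"
                     ([%show: Uuid.Actor.t] id))
          in
          Guard.Actor.make ?owner roles typ id |> Lwt.return_ok
        ;;

        (** [find_roles ?ctx id] returns the stored role set, or the error
            ["No actor roles found."] when the actor does not exist. *)
        let find_roles ?ctx id =
          let open Lwt.Infix in
          let caqti =
            {sql|SELECT roles FROM guardian_actors WHERE uuid = UNHEX(REPLACE(?, '-', ''))|sql}
            |> Uuid.Actor.t ->? Roles.t
          in
          Database.find_opt ?ctx caqti id
          >|= CCOption.to_result "No actor roles found."
        ;;

        (** Overwrites the whole role set of [uuid] with [roles]. *)
        let update_roles_request ?ctx uuid roles =
          let caqti =
            {sql|UPDATE guardian_actors SET roles = ? WHERE uuid = UNHEX(REPLACE(?, '-', ''))|sql}
            |> Caqti_type.(tup2 Roles.t Uuid.Actor.t ->. unit)
          in
          Database.exec ?ctx caqti (roles, uuid) |> Lwt_result.ok
        ;;

        (** [grant_roles ?ctx uuid roles] adds [roles] to the actor's set.
            Read-then-write: the UPDATE is skipped when the union adds
            nothing. Two concurrent grants can still lose one another's
            roles, since the read and the write are separate statements. *)
        let grant_roles ?ctx uuid roles =
          let open Lwt_result.Syntax in
          let* pre_roles = find_roles ?ctx uuid in
          let roles' = Roles.union roles pre_roles in
          if Roles.(cardinal roles' > cardinal pre_roles)
          then update_roles_request ?ctx uuid roles'
          else Lwt.return_ok ()
        ;;

        (** [revoke_roles ?ctx uuid roles] removes [roles] from the actor's
            set. Same read-then-write caveat as [grant_roles]; the UPDATE is
            issued even when nothing changed. *)
        let revoke_roles ?ctx uuid roles =
          let open Lwt_result.Syntax in
          (* TODO: only mark as deleted -> add second revoked_roles column *)
          let* pre_roles = find_roles ?ctx uuid in
          let roles' = Roles.diff pre_roles roles in
          update_roles_request ?ctx uuid roles'
        ;;

        (** [find_owner ?ctx id] returns the actor's owner, [None] when the
            actor is missing or has no owner.

            The [owner] column is nullable (see [create]), so it is decoded
            as [option Owner.t] and flattened, mirroring
            [Target.find_owner_base]; decoding it as a bare [Owner.t] would
            fail on a NULL owner. *)
        let find_owner ?ctx id =
          let caqti =
            {sql| SELECT LOWER(CONCAT( SUBSTR(HEX(owner), 1, 8), '-', SUBSTR(HEX(owner), 9, 4), '-', SUBSTR(HEX(owner), 13, 4), '-', SUBSTR(HEX(owner), 17, 4), '-', SUBSTR(HEX(owner), 21) )) FROM guardian_actors WHERE uuid = UNHEX(REPLACE(?, '-', '')) |sql}
            |> Uuid.Actor.t ->? Caqti_type.option Owner.t
          in
          Database.find_opt ?ctx caqti id >|= CCOption.flatten |> Lwt_result.ok
        ;;

        (** [save_owner ?ctx ?owner id] sets (or, with [None], clears) the
            owner of actor [id]. No error when [id] does not exist. *)
        let save_owner ?ctx ?owner id =
          let caqti =
            Caqti_type.(tup2 (option Owner.t) Uuid.Actor.t ->. unit)
              {sql| UPDATE guardian_actors SET owner = UNHEX(REPLACE(?, '-', '')) WHERE uuid = UNHEX(REPLACE(?, '-', '')) |sql}
          in
          Database.exec ?ctx caqti (owner, id) |> Lwt_result.ok
        ;;
      end

      module Target = struct
        (** [create ?ctx ?owner kind id] inserts a target row. Idempotent on
            [id]: an existing row only gets [updated_at] refreshed; [kind]
            and [owner] are not rewritten. *)
        let create ?ctx ?owner kind id =
          let caqti =
            {sql| INSERT INTO guardian_targets (uuid, kind, owner) VALUES (UNHEX(REPLACE(?, '-', '')), ?, UNHEX(REPLACE(?, '-', ''))) ON DUPLICATE KEY UPDATE updated_at = NOW() |sql}
            |> Caqti_type.(tup3 Uuid.Target.t Kind.t (option Owner.t) ->. unit)
          in
          Database.exec ?ctx caqti (id, kind, owner) |> Lwt_result.ok
        ;;

        (** [mem ?ctx id] is [true] iff a target row with [id] exists. *)
        let mem ?ctx id =
          let caqti =
            {sql|SELECT kind FROM guardian_targets WHERE uuid = UNHEX(REPLACE(?, '-', ''))|sql}
            |> Uuid.Target.t ->? Kind.t
          in
          Database.find_opt ?ctx caqti id >|= CCOption.is_some |> Lwt_result.ok
        ;;

        (** Owner lookup keyed by uuid AND kind. Returns [None] both when no
            row matches and when the matching row has a NULL owner; callers
            cannot tell the two apart. *)
        let find_owner_base ?ctx typ id =
          let open Lwt.Infix in
          let caqti =
            {sql| SELECT LOWER(CONCAT( SUBSTR(HEX(owner), 1, 8), '-', SUBSTR(HEX(owner), 9, 4), '-', SUBSTR(HEX(owner), 13, 4), '-', SUBSTR(HEX(owner), 17, 4), '-', SUBSTR(HEX(owner), 21) )) FROM guardian_targets WHERE uuid = UNHEX(REPLACE(?, '-', '')) AND kind = ? |sql}
            |> Caqti_type.(tup2 Uuid.Target.t Kind.t ->? option Owner.t)
          in
          Database.find_opt ?ctx caqti (id, typ) >|= CCOption.flatten
        ;;

        (** [find ?ctx typ id] builds a target from its stored owner.
            Unlike [Actor.find] this never fails for an unknown [id]: a
            missing row simply yields a target with [owner = None]. Use
            [mem] or [find_kind] first if existence matters. *)
        let find ?ctx typ id =
          let%lwt owner = find_owner_base ?ctx typ id in
          Guard.Target.make ?owner typ id |> Lwt.return_ok
        ;;

        (** [find_kind ?ctx id] returns the stored kind, or an error when
            the target does not exist. *)
        let find_kind ?ctx id =
          let open Lwt.Infix in
          let caqti =
            {sql|SELECT kind FROM guardian_targets WHERE uuid = UNHEX(REPLACE(?, '-', ''))|sql}
            |> Uuid.Target.t ->? Kind.t
          in
          Database.find_opt ?ctx caqti id
          >|= CCOption.to_result
                (Format.asprintf
                   "Target ('%s') not found - no kind"
                   ([%show: Uuid.Target.t] id))
        ;;

        (** [find_owner ?ctx typ id]: [find_owner_base] lifted into
            [Lwt_result]; never errors. *)
        let find_owner ?ctx typ = find_owner_base ?ctx typ %> Lwt_result.ok

        (** [save_owner ?ctx ?owner id] sets (or, with [None], clears) the
            owner of target [id]. No error when [id] does not exist. *)
        let save_owner ?ctx ?owner id =
          let caqti =
            {sql| UPDATE guardian_targets SET owner = UNHEX(REPLACE(?, '-', '')) WHERE uuid = UNHEX(REPLACE(?, '-', '')) |sql}
            |> Caqti_type.(tup2 (option Owner.t) Uuid.Target.t ->. unit)
          in
          Database.exec ?ctx caqti (owner, id) |> Lwt_result.ok
        ;;
      end
    end

    (** [find_migrations ()] returns all migrations as
        [(key, datetime, sql)] tuples, straight from [Migrations.all]. *)
    let find_migrations () = Migrations.all

    (** [find_clean ()] returns one [(table, "TRUNCATE TABLE <table>")] pair
        per table in [Migrations.all_tables]. The table name is interpolated
        into the statement, but it comes from that compile-time list, not
        from callers. *)
    let find_clean () =
      Migrations.all_tables
      |> CCList.map (fun m -> m, Format.asprintf "TRUNCATE TABLE %s" m)
    ;;

    (** [migrate ?ctx ()] runs every migration sequentially on [?ctx],
        logging each key/date at debug level. Migrations are executed as
        raw SQL and are not parameterised — they must stay a trusted,
        in-tree source. *)
    let migrate ?ctx () =
      ()
      |> find_migrations
      |> Lwt_list.iter_s (fun (key, date, sql) ->
           Logs.debug (fun m -> m "Migration: Run '%s' from '%s'" key date);
           Database.exec ?ctx (sql |> Caqti_type.(unit ->. unit)) ())
    ;;

    (** [clean ?ctx ()] truncates every Guardian table on [?ctx], i.e.
        drops all rules, actors and targets. Destructive and
        unrecoverable; presumably meant for test/dev resets — confirm it is
        not reachable from production code paths. *)
    let clean ?ctx () =
      ()
      |> find_clean
      |> Lwt_list.iter_s (fun (key, sql) ->
           Logs.debug (fun m -> m "Clean: Run '%s'" key);
           Database.exec ?ctx (sql |> Caqti_type.(unit ->. unit)) ())
    ;;
  end)
end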