Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: allow comparing fields from different models in mutation policies #1476

Merged
merged 4 commits into from
Jun 2, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions packages/runtime/src/enhancements/policy/constraint-solver.ts
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
import Logic from 'logic-solver';
import { match } from 'ts-pattern';
import type {
CheckerConstraint,
ComparisonConstraint,
ComparisonTerm,
LogicalConstraint,
PermissionCheckerConstraint,
ValueConstraint,
VariableConstraint,
} from '../types';
Expand All @@ -22,7 +22,7 @@ export class ConstraintSolver {
/**
* Check the satisfiability of the given constraint.
*/
checkSat(constraint: CheckerConstraint): boolean {
checkSat(constraint: PermissionCheckerConstraint): boolean {
// reset state
this.stringTable = [];
this.variables = new Map<string, Logic.Formula>();
Expand All @@ -46,7 +46,7 @@ export class ConstraintSolver {
return !!solver.solve();
}

private buildFormula(constraint: CheckerConstraint): Logic.Formula {
private buildFormula(constraint: PermissionCheckerConstraint): Logic.Formula {
return match(constraint)
.when(
(c): c is ValueConstraint => c.kind === 'value',
Expand Down Expand Up @@ -100,11 +100,11 @@ export class ConstraintSolver {
return Logic.not(this.buildFormula(constraint.children[0]));
}

private isTrue(constraint: CheckerConstraint): unknown {
private isTrue(constraint: PermissionCheckerConstraint): unknown {
return constraint.kind === 'value' && constraint.value === true;
}

private isFalse(constraint: CheckerConstraint): unknown {
private isFalse(constraint: PermissionCheckerConstraint): unknown {
return constraint.kind === 'value' && constraint.value === false;
}

Expand Down
203 changes: 151 additions & 52 deletions packages/runtime/src/enhancements/policy/handler.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
/* eslint-disable @typescript-eslint/no-explicit-any */

import deepmerge from 'deepmerge';
ymc9 marked this conversation as resolved.
Show resolved Hide resolved
import { lowerCaseFirst } from 'lower-case-first';
import invariant from 'tiny-invariant';
import { P, match } from 'ts-pattern';
Expand All @@ -23,7 +24,7 @@ import { Logger } from '../logger';
import { createDeferredPromise, createFluentPromise } from '../promise';
import { PrismaProxyHandler } from '../proxy';
import { QueryUtils } from '../query-utils';
import type { CheckerConstraint } from '../types';
import type { EntityCheckerFunc, PermissionCheckerConstraint } from '../types';
import { clone, formatObject, isUnsafeMutate, prismaClientValidationError } from '../utils';
import { ConstraintSolver } from './constraint-solver';
import { PolicyUtil } from './policy-utils';
Expand Down Expand Up @@ -152,8 +153,7 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
}

const result = await this.modelClient[actionName](_args);
this.policyUtils.postProcessForRead(result, this.model, origArgs);
return result;
return this.policyUtils.postProcessForRead(result, this.model, origArgs);
}

//#endregion
Expand Down Expand Up @@ -779,10 +779,27 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
}
};

const _connectDisconnect = async (model: string, args: any, context: NestedWriteVisitorContext) => {
const _connectDisconnect = async (
model: string,
args: any,
context: NestedWriteVisitorContext,
operation: 'connect' | 'disconnect'
) => {
if (context.field?.backLink) {
const backLinkField = this.policyUtils.getModelField(model, context.field.backLink);
if (backLinkField?.isRelationOwner) {
let uniqueFilter = args;
if (operation === 'disconnect') {
// disconnect filter is not unique, need to build a reversed query to
// locate the entity and use its id fields as unique filter
const reversedQuery = this.policyUtils.buildReversedQuery(context);
const found = await db[model].findUnique({
where: reversedQuery,
select: this.policyUtils.makeIdSelection(model),
});
uniqueFilter = found && this.policyUtils.getIdFieldValues(model, found);
}

// update happens on the related model, require updatable,
// translate args to foreign keys so field-level policies can be checked
const checkArgs: any = {};
Expand All @@ -794,10 +811,15 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
}
}
}
await this.policyUtils.checkPolicyForUnique(model, args, 'update', db, checkArgs);

// register post-update check
await _registerPostUpdateCheck(model, args, args);
// `uniqueFilter` can be undefined if the entity to be disconnected doesn't exist
if (uniqueFilter) {
// check for update
await this.policyUtils.checkPolicyForUnique(model, uniqueFilter, 'update', db, checkArgs);

// register post-update check
await _registerPostUpdateCheck(model, uniqueFilter, uniqueFilter);
}
}
}
};
Expand Down Expand Up @@ -970,14 +992,14 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
}
},

connect: async (model, args, context) => _connectDisconnect(model, args, context),
connect: async (model, args, context) => _connectDisconnect(model, args, context, 'connect'),

connectOrCreate: async (model, args, context) => {
// the where condition is already unique, so we can use it to check if the target exists
const existing = await this.policyUtils.checkExistence(db, model, args.where);
if (existing) {
// connect
await _connectDisconnect(model, args.where, context);
await _connectDisconnect(model, args.where, context, 'connect');
return true;
} else {
// create
Expand All @@ -997,7 +1019,7 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
}
},

disconnect: async (model, args, context) => _connectDisconnect(model, args, context),
disconnect: async (model, args, context) => _connectDisconnect(model, args, context, 'disconnect'),

set: async (model, args, context) => {
// find the set of items to be replaced
Expand All @@ -1012,10 +1034,10 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
const currentSet = await db[model].findMany(findCurrSetArgs);

// register current set for update (foreign key)
await Promise.all(currentSet.map((item) => _connectDisconnect(model, item, context)));
await Promise.all(currentSet.map((item) => _connectDisconnect(model, item, context, 'disconnect')));

// proceed with connecting the new set
await Promise.all(enumerate(args).map((item) => _connectDisconnect(model, item, context)));
await Promise.all(enumerate(args).map((item) => _connectDisconnect(model, item, context, 'connect')));
},

delete: async (model, args, context) => {
Expand Down Expand Up @@ -1160,48 +1182,78 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr

args.data = this.validateUpdateInputSchema(this.model, args.data);

if (this.policyUtils.hasAuthGuard(this.model, 'postUpdate') || this.policyUtils.getZodSchema(this.model)) {
// use a transaction to do post-update checks
const postWriteChecks: PostWriteCheckRecord[] = [];
return this.queryUtils.transaction(this.prisma, async (tx) => {
// collect pre-update values
let select = this.policyUtils.makeIdSelection(this.model);
const preValueSelect = this.policyUtils.getPreValueSelect(this.model);
if (preValueSelect) {
select = { ...select, ...preValueSelect };
}
const currentSetQuery = { select, where: args.where };
this.policyUtils.injectAuthGuardAsWhere(tx, currentSetQuery, this.model, 'read');

if (this.shouldLogQuery) {
this.logger.info(`[policy] \`findMany\` ${this.model}: ${formatObject(currentSetQuery)}`);
}
const currentSet = await tx[this.model].findMany(currentSetQuery);

postWriteChecks.push(
...currentSet.map((preValue) => ({
model: this.model,
operation: 'postUpdate' as PolicyOperationKind,
uniqueFilter: this.policyUtils.getEntityIds(this.model, preValue),
preValue: preValueSelect ? preValue : undefined,
}))
);

// proceed with the update
const result = await tx[this.model].updateMany(args);
const entityChecker = this.policyUtils.getEntityChecker(this.model, 'update');

// run post-write checks
await this.runPostWriteChecks(postWriteChecks, tx);
const canProceedWithoutTransaction =
// no post-update rules
!this.policyUtils.hasAuthGuard(this.model, 'postUpdate') &&
// no Zod schema
!this.policyUtils.getZodSchema(this.model) &&
// no entity checker
!entityChecker;

return result;
});
} else {
if (canProceedWithoutTransaction) {
// proceed without a transaction
if (this.shouldLogQuery) {
this.logger.info(`[policy] \`updateMany\` ${this.model}: ${formatObject(args)}`);
}
return this.modelClient.updateMany(args);
}

// collect post-update checks
const postWriteChecks: PostWriteCheckRecord[] = [];

return this.queryUtils.transaction(this.prisma, async (tx) => {
// collect pre-update values
let select = this.policyUtils.makeIdSelection(this.model);
const preValueSelect = this.policyUtils.getPreValueSelect(this.model);
if (preValueSelect) {
select = { ...select, ...preValueSelect };
}

// merge selection required for running additional checker
const entityChecker = this.policyUtils.getEntityChecker(this.model, 'update');
if (entityChecker?.selector) {
select = deepmerge(select, entityChecker.selector);
}

const currentSetQuery = { select, where: args.where };
this.policyUtils.injectAuthGuardAsWhere(tx, currentSetQuery, this.model, 'update');

if (this.shouldLogQuery) {
this.logger.info(`[policy] \`findMany\` ${this.model}: ${formatObject(currentSetQuery)}`);
}
let candidates = await tx[this.model].findMany(currentSetQuery);

if (entityChecker) {
// filter candidates with additional checker and build an id filter
const r = this.buildIdFilterWithEntityChecker(candidates, entityChecker.func);
candidates = r.filteredCandidates;

// merge id filter into update's where clause
args.where = args.where ? { AND: [args.where, r.idFilter] } : r.idFilter;
}

postWriteChecks.push(
...candidates.map((preValue) => ({
model: this.model,
operation: 'postUpdate' as PolicyOperationKind,
uniqueFilter: this.policyUtils.getEntityIds(this.model, preValue),
preValue: preValueSelect ? preValue : undefined,
}))
);

// proceed with the update
if (this.shouldLogQuery) {
this.logger.info(`[policy] \`updateMany\` in tx for ${this.model}: ${formatObject(args)}`);
}
const result = await tx[this.model].updateMany(args);

// run post-write checks
await this.runPostWriteChecks(postWriteChecks, tx);

return result;
});
});
}

Expand Down Expand Up @@ -1328,14 +1380,49 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
this.policyUtils.tryReject(this.prisma, this.model, 'delete');

// inject policy conditions
args = args ?? {};
args = clone(args);
this.policyUtils.injectAuthGuardAsWhere(this.prisma, args, this.model, 'delete');

// conduct the deletion
if (this.shouldLogQuery) {
this.logger.info(`[policy] \`deleteMany\` ${this.model}:\n${formatObject(args)}`);
const entityChecker = this.policyUtils.getEntityChecker(this.model, 'delete');
if (entityChecker) {
// additional checker exists, need to run deletion inside a transaction
return this.queryUtils.transaction(this.prisma, async (tx) => {
// find the delete candidates, selecting id fields and fields needed for
// running the additional checker
let candidateSelect = this.policyUtils.makeIdSelection(this.model);
if (entityChecker.selector) {
candidateSelect = deepmerge(candidateSelect, entityChecker.selector);
}

if (this.shouldLogQuery) {
this.logger.info(
`[policy] \`findMany\` ${this.model}: ${formatObject({
where: args.where,
select: candidateSelect,
})}`
);
}
const candidates = await tx[this.model].findMany({ where: args.where, select: candidateSelect });

// build a ID filter based on id values filtered by the additional checker
const { idFilter } = this.buildIdFilterWithEntityChecker(candidates, entityChecker.func);

// merge the ID filter into the where clause
args.where = args.where ? { AND: [args.where, idFilter] } : idFilter;

// finally, conduct the deletion with the combined where clause
if (this.shouldLogQuery) {
this.logger.info(`[policy] \`deleteMany\` in tx for ${this.model}:\n${formatObject(args)}`);
}
return tx[this.model].deleteMany(args);
});
} else {
// conduct the deletion directly
if (this.shouldLogQuery) {
this.logger.info(`[policy] \`deleteMany\` ${this.model}:\n${formatObject(args)}`);
}
return this.modelClient.deleteMany(args);
}
return this.modelClient.deleteMany(args);
});
}

Expand Down Expand Up @@ -1469,7 +1556,7 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
if (args.where) {
// combine runtime filters with generated constraints

const extraConstraints: CheckerConstraint[] = [];
const extraConstraints: PermissionCheckerConstraint[] = [];
for (const [field, value] of Object.entries(args.where)) {
if (value === undefined) {
continue;
Expand Down Expand Up @@ -1599,5 +1686,17 @@ export class PolicyProxyHandler<DbClient extends DbClientContract> implements Pr
}
}

private buildIdFilterWithEntityChecker(candidates: any[], entityChecker: EntityCheckerFunc) {
const filteredCandidates = candidates.filter((value) => entityChecker(value, { user: this.context?.user }));
const idFields = this.policyUtils.getIdFields(this.model);
let idFilter: any;
if (idFields.length === 1) {
idFilter = { [idFields[0].name]: { in: filteredCandidates.map((x) => x[idFields[0].name]) } };
} else {
idFilter = { AND: filteredCandidates.map((x) => this.policyUtils.getIdFieldValues(this.model, x)) };
}
return { filteredCandidates, idFilter };
}

//#endregion
}
Loading
Loading