biscuit-haskell-0.1.1.0: Library support for the Biscuit security token
Copyright: © Clément Delafargue 2021
License: MIT
Maintainer: clement@delafargue.name
Safe Haskell: None
Language: Haskell2010

Auth.Biscuit.Datalog.Executor

Description

The Datalog engine, tasked with deriving new facts from existing facts and rules, as well as matching available facts against checks and policies

Documentation

data BlockWithRevocationIds

A parsed block, along with the associated revocation ids.

Constructors

BlockWithRevocationIds 

Fields

data ExecutionError

The result of running verification

Constructors

Timeout

Verification took too much time

TooManyFacts

Too many facts were generated during evaluation

TooManyIterations

Evaluation did not converge in the allotted number of iterations

FactsInBlocks

Some blocks contained either rules or facts while it was forbidden

ResultError ResultError

The checks and policies were not fulfilled after evaluation

data Limits

Settings for the executor restrictions. See defaultLimits for default values.

Constructors

Limits 

Fields

data ResultError

The result of matching the checks and policies against all the available facts.

Constructors

NoPoliciesMatched [Check]

No policy matched. Additionally, some checks may have failed

FailedChecks (NonEmpty Check)

An allow rule matched, but at least one check failed

DenyRuleMatched [Check] Query

A deny rule matched. Additionally, some checks may have failed

Instances

Eq ResultError

Defined in Auth.Biscuit.Datalog.Executor

Show ResultError

Defined in Auth.Biscuit.Datalog.Executor

data World

A collection of facts and rules used to derive new facts. Rules coming from blocks are stored separately since they are subject to specific restrictions regarding the facts they can generate.

Constructors

World 

Instances

Show World

Defined in Auth.Biscuit.Datalog.Executor

Methods

showsPrec :: Int -> World -> ShowS

show :: World -> String

showList :: [World] -> ShowS

Semigroup World

Defined in Auth.Biscuit.Datalog.Executor

Methods

(<>) :: World -> World -> World

sconcat :: NonEmpty World -> World

stimes :: Integral b => b -> World -> World

Monoid World

Defined in Auth.Biscuit.Datalog.Executor

Methods

mempty :: World

mappend :: World -> World -> World

mconcat :: [World] -> World

type Bindings = Map Name Value

A list of bound variables, with the associated value

type Name = Text

A variable name

computeAllFacts

Arguments

:: Limits

The maximum amount of iterations that can be reached

-> World

The initial rules and facts

-> Either ExecutionError (Set Fact) 

Compute all possible facts, recursively calling itself until it can't generate new facts or a limit is reached

defaultLimits :: Limits

Default settings for the executor restrictions. (1000 facts, 100 iterations, 1000μs max, regexes are allowed, facts and rules are allowed in blocks)
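
The bounded evaluation that computeAllFacts and the TooManyFacts and TooManyIterations errors describe, shown as an added example that is not biscuit-haskell's code: a toy fixpoint loop using the 1000-fact and 100-iteration figures from defaultLimits. All types and names in it (Fact, Rule, ToyLimits, ToyError, computeAll, the two rules) are hypothetical stand-ins defined in the block, the inputs are constructed, and the time limit is not modelled.

```haskell
-- Added example: a toy model of bounded Datalog evaluation, not biscuit-haskell's code.
-- Every type and name below is a hypothetical stand-in defined here.
import           Data.Set (Set)
import qualified Data.Set as Set

type Fact = (String, [String])      -- predicate name and constant terms
type Rule = Set Fact -> Set Fact    -- facts derivable in one step

data ToyLimits = ToyLimits { toyMaxFacts :: Int, toyMaxIterations :: Int }

data ToyError = ToyTooManyFacts | ToyTooManyIterations
  deriving (Eq, Show)

-- Apply all rules repeatedly; stop at the fixpoint or at the first limit hit.
computeAll :: ToyLimits -> [Rule] -> Set Fact -> Either ToyError (Set Fact)
computeAll limits rules = go 0
  where
    go n facts
      | facts' == facts                      = Right facts
      | Set.size facts' > toyMaxFacts limits = Left ToyTooManyFacts
      | n + 1 >= toyMaxIterations limits     = Left ToyTooManyIterations
      | otherwise                            = go (n + 1) facts'
      where facts' = Set.union facts (Set.unions (map ($ facts) rules))

-- reachable(z) <- reachable(y), edge(y, z): one new fact per round on a chain.
reachRule :: Rule
reachRule fs = Set.fromList
  [ ("reachable", [z]) | ("reachable", [y]) <- Set.toList fs
                       , ("edge", [y', z]) <- Set.toList fs, y == y' ]

-- triple(x, y, z) <- node(x), node(y), node(z): k nodes yield k^3 facts.
tripleRule :: Rule
tripleRule fs = Set.fromList [ ("triple", [x, y, z]) | x <- ns, y <- ns, z <- ns ]
  where ns = [ n | ("node", [n]) <- Set.toList fs ]

main :: IO ()
main = do
  let limits  = ToyLimits { toyMaxFacts = 1000, toyMaxIterations = 100 }
      names k = map show [1 .. k :: Int]
      chain k = Set.fromList $ ("reachable", ["1"]) :
                  [ ("edge", [a, b]) | (a, b) <- zip (names k) (drop 1 (names k)) ]
      nodes k = Set.fromList [ ("node", [n]) | n <- names k ]
  -- Constructed inputs: a short chain converges, a 150-step chain exhausts the
  -- iteration budget, and 11 nodes overflow the fact budget in a single round.
  print (Set.size <$> computeAll limits [reachRule] (chain 5))
  print (Set.size <$> computeAll limits [reachRule] (chain 150))
  print (Set.size <$> computeAll limits [tripleRule] (nodes 11))
```
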

evaluateExpression :: Limits -> Bindings -> Expression -> Either String Value

Given bindings for variables, reduce an expression to a single datalog value

runVerifier

Arguments

:: BlockWithRevocationIds

The authority block

-> [BlockWithRevocationIds]

The extra blocks

-> Verifier

A verifier

-> IO (Either ExecutionError Query) 

Given a series of blocks and a verifier, ensure that all the checks and policies match

runVerifierWithLimits

Arguments

:: Limits

Custom limits

-> BlockWithRevocationIds

The authority block

-> [BlockWithRevocationIds]

The extra blocks

-> Verifier

A verifier

-> IO (Either ExecutionError Query) 

Given a series of blocks and a verifier, ensure that all the checks and policies match, with provided execution constraints