biscuit-haskell-0.2.1.0: Library support for the Biscuit security token
Copyright: © Clément Delafargue 2021
License: MIT
Maintainer: clement@delafargue.name
Safe Haskell: None
Language: Haskell2010

Auth.Biscuit.Datalog.Executor

Description

The Datalog engine, tasked with deriving new facts from existing facts and rules, as well as matching available facts against checks and policies

Documentation

data ExecutionError

An error that can happen while running a datalog verification. The datalog computation itself can be aborted by runtime failsafe mechanisms, or it can run to completion but fail to fulfill checks and policies (ResultError).

Constructors

Timeout

Verification took too much time

TooManyFacts

Too many facts were generated during evaluation

TooManyIterations

Evaluation did not converge in the allotted number of iterations

InvalidRule

Some rules were malformed: every variable present in their head must appear in their body

ResultError ResultError

The evaluation ran to completion, but checks and policies were not fulfilled.

data Limits

Settings for the executor runtime restrictions. See defaultLimits for default values.

Constructors

Limits 

Fields

Instances

Eq Limits

Defined in Auth.Biscuit.Datalog.Executor

Methods

(==) :: Limits -> Limits -> Bool

(/=) :: Limits -> Limits -> Bool

Show Limits

Defined in Auth.Biscuit.Datalog.Executor

data ResultError

The result of matching the checks and policies against all the available facts.

Constructors

NoPoliciesMatched [Check]

No policy matched. Additionally, some checks may have failed

FailedChecks (NonEmpty Check)

An allow rule matched, but at least one check failed

DenyRuleMatched [Check] MatchedQuery

A deny rule matched. Additionally, some checks may have failed

Instances

Eq ResultError

Defined in Auth.Biscuit.Datalog.Executor

Show ResultError

Defined in Auth.Biscuit.Datalog.Executor

type Bindings = Map Name Value

A list of bound variables, with the associated value

type Name = Text

A variable name

data MatchedQuery

A datalog query that was matched, along with the values that matched

Constructors

MatchedQuery 

Instances

Eq MatchedQuery

Defined in Auth.Biscuit.Datalog.Executor

Show MatchedQuery

Defined in Auth.Biscuit.Datalog.Executor

type Scoped a = (Set Natural, a)

defaultLimits :: Limits

Default settings for the executor restrictions:

- 1000 facts
- 100 iterations
- 1000μs max
- regexes are allowed
- facts and rules are allowed in blocks

evaluateExpression :: Limits -> Bindings -> Expression -> Either String Value

Given bindings for variables, reduce an expression to a single datalog value

getFactsForRule :: Limits -> Set (Scoped Fact) -> Rule -> Set (Scoped Fact)

Given a rule and a set of available (scoped) facts, we find all fact combinations that match the rule body, and generate new facts by applying the bindings to the rule head (while keeping track of the facts' origins)

getBindingsForRuleBody :: Limits -> Set (Scoped Fact) -> [Predicate] -> [Expression] -> Set (Scoped Bindings)

Given a set of scoped facts and a rule body, we generate a set of variable bindings that satisfy the rule clauses (predicates match, and expression constraints are fulfilled)

getCombinations :: [[Scoped Bindings]] -> [Scoped [Bindings]]

Given a list of possible matches for each predicate, give all the combinations of one match per predicate, keeping track of the origin of each match
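
The following is an added sketch, not biscuit-haskell's own code, of the behaviour described for getCombinations and getBindingsForRuleBody: one match is picked per predicate, the origins of the picked matches are unioned, and combinations that bind a variable to two different values are dropped. Assumptions: String stands in for the library's Name and Value types, the names combinations, mergeBindings and consistent are hypothetical, and the sample matches and origin numbers are constructed.

```haskell
module Main where

import           Data.Map.Strict (Map)
import qualified Data.Map.Strict as Map
import           Data.Maybe      (mapMaybe)
import           Data.Set        (Set)
import qualified Data.Set        as Set
import           Numeric.Natural (Natural)

-- Simplified stand-ins for the page's types (assumption: String replaces
-- the library's Text-based Name and its Value type).
type Name     = String
type Value    = String
type Bindings = Map Name Value
type Scoped a = (Set Natural, a)   -- origins the value was derived from

-- One match per predicate; the origins of the chosen matches are unioned.
combinations :: [[Scoped Bindings]] -> [Scoped [Bindings]]
combinations = fmap (\ms -> (foldMap fst ms, map snd ms)) . sequence

-- Merge per-predicate bindings, rejecting a combination in which one
-- variable would be bound to two different values.
mergeBindings :: [Bindings] -> Maybe Bindings
mergeBindings = foldr step (Just Map.empty)
  where
    step b acc = acc >>= \m ->
      if and (Map.elems (Map.intersectionWith (==) b m))
        then Just (Map.union b m)
        else Nothing

-- Keep only the combinations whose bindings agree; origins are preserved.
consistent :: [[Scoped Bindings]] -> [Scoped Bindings]
consistent = mapMaybe (traverse mergeBindings) . combinations

-- Constructed sample for a body `right($user, $res), owner($user, $res)`:
-- the `right` matches carry origins 0 and 1, the `owner` match origin 0.
rightMatches, ownerMatches :: [Scoped Bindings]
rightMatches =
  [ (Set.fromList [0], Map.fromList [("user", "alice"), ("res", "file1")])
  , (Set.fromList [1], Map.fromList [("user", "bob"),   ("res", "file2")]) ]
ownerMatches =
  [ (Set.fromList [0], Map.fromList [("user", "bob"), ("res", "file2")]) ]

main :: IO ()
main = mapM_ print (consistent [rightMatches, ownerMatches])
```

Only the bob/file2 combination survives, and its origin set contains both 0 and 1, so anything derived from it remains traceable to every source it depended on.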