Copyright	© Clément Delafargue 2021
License	MIT
Maintainer	clement@delafargue.name
Safe Haskell	None
Language	Haskell2010

Auth.Biscuit.Datalog.Executor

Description

The Datalog engine, tasked with deriving new facts from existing facts and rules, as well as matching available facts against checks and policies

Synopsis

data ExecutionError
- = Timeout
- | TooManyFacts
- | TooManyIterations
- | InvalidRule
- | ResultError ResultError
data Limits = Limits {
- maxFacts :: Int
- maxIterations :: Int
- maxTime :: Int
- allowRegexes :: Bool
}
data ResultError
- = NoPoliciesMatched [Check]
- | FailedChecks (NonEmpty Check)
- | DenyRuleMatched [Check] MatchedQuery
type Bindings = Map Name Value
type Name = Text
data MatchedQuery = MatchedQuery {
- matchedQuery :: Query
- bindings :: Set Bindings
}
type Scoped a = (Set Natural, a)
newtype FactGroup = FactGroup {
- getFactGroup :: Map (Set Natural) (Set Fact)
}
countFacts :: FactGroup -> Int
toScopedFacts :: FactGroup -> Set (Scoped Fact)
fromScopedFacts :: Set (Scoped Fact) -> FactGroup
keepAuthorized' :: FactGroup -> Maybe RuleScope -> Natural -> FactGroup
defaultLimits :: Limits
evaluateExpression :: Limits -> Bindings -> Expression -> Either String Value
extractVariables :: [Predicate] -> Set Name
getFactsForRule :: Limits -> Set (Scoped Fact) -> Rule -> Set (Scoped Fact)
checkCheck :: Limits -> Natural -> FactGroup -> Check -> Validation (NonEmpty Check) ()
checkPolicy :: Limits -> FactGroup -> Policy -> Maybe (Either MatchedQuery MatchedQuery)
getBindingsForRuleBody :: Limits -> Set (Scoped Fact) -> [Predicate] -> [Expression] -> Set (Scoped Bindings)
getCombinations :: [[Scoped Bindings]] -> [Scoped [Bindings]]

Documentation

data ExecutionError Source #

An error that can happen while running a datalog verification. The datalog computation itself can be aborted by runtime failsafe mechanisms, or it can run to completion but fail to fullfil checks and policies (ResultError).

Constructors

Timeout	Verification took too much time
TooManyFacts	Too many facts were generated during evaluation
TooManyIterations	Evaluation did not converge in the alloted number of iterations
InvalidRule	Some rules were malformed: every variable present in their head must appear in their body
ResultError ResultError	The evaluation ran to completion, but checks and policies were not fulfilled.

Instances

Instances details

Eq ExecutionError Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods (==) :: ExecutionError -> ExecutionError -> Bool # (/=) :: ExecutionError -> ExecutionError -> Bool #
Show ExecutionError Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods showsPrec :: Int -> ExecutionError -> ShowS # show :: ExecutionError -> String # showList :: [ExecutionError] -> ShowS #

data Limits Source #

Settings for the executor runtime restrictions. See defaultLimits for default values.

Constructors

Limits

Fields

maxFacts :: Int
maximum number of facts that can be produced before throwing TooManyFacts
maxIterations :: Int
maximum number of iterations before throwing TooManyIterations
maxTime :: Int
maximum duration the verification can take (in μs)
allowRegexes :: Bool
whether or not allowing `.matches()` during verification (untrusted regex computation can enable DoS attacks). This security risk is mitigated by the maxTime setting.

Instances

Instances details

Eq Limits Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods (==) :: Limits -> Limits -> Bool # (/=) :: Limits -> Limits -> Bool #
Show Limits Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods showsPrec :: Int -> Limits -> ShowS # show :: Limits -> String # showList :: [Limits] -> ShowS #

data ResultError Source #

The result of matching the checks and policies against all the available facts.

Constructors

NoPoliciesMatched [Check]	No policy matched. additionally some checks may have failed
FailedChecks (NonEmpty Check)	An allow rule matched, but at least one check failed
DenyRuleMatched [Check] MatchedQuery	A deny rule matched. additionally some checks may have failed

Instances

Instances details

Eq ResultError Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods (==) :: ResultError -> ResultError -> Bool # (/=) :: ResultError -> ResultError -> Bool #
Show ResultError Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods showsPrec :: Int -> ResultError -> ShowS # show :: ResultError -> String # showList :: [ResultError] -> ShowS #

type Bindings = Map Name Value Source #

A list of bound variables, with the associated value

type Name = Text Source #

A variable name

data MatchedQuery Source #

A datalog query that was matched, along with the values that matched

Constructors

MatchedQuery
Fields matchedQuery :: Query bindings :: Set Bindings

Instances

Instances details

Eq MatchedQuery Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods (==) :: MatchedQuery -> MatchedQuery -> Bool # (/=) :: MatchedQuery -> MatchedQuery -> Bool #
Show MatchedQuery Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods showsPrec :: Int -> MatchedQuery -> ShowS # show :: MatchedQuery -> String # showList :: [MatchedQuery] -> ShowS #

type Scoped a = (Set Natural, a) Source #

newtype FactGroup Source #

Constructors

FactGroup
Fields getFactGroup :: Map (Set Natural) (Set Fact)

Instances

Instances details

Eq FactGroup Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods (==) :: FactGroup -> FactGroup -> Bool # (/=) :: FactGroup -> FactGroup -> Bool #
Show FactGroup Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods showsPrec :: Int -> FactGroup -> ShowS # show :: FactGroup -> String # showList :: [FactGroup] -> ShowS #
Semigroup FactGroup Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods (<>) :: FactGroup -> FactGroup -> FactGroup # sconcat :: NonEmpty FactGroup -> FactGroup # stimes :: Integral b => b -> FactGroup -> FactGroup #
Monoid FactGroup Source #
Instance details Defined in Auth.Biscuit.Datalog.Executor Methods mempty :: FactGroup # mappend :: FactGroup -> FactGroup -> FactGroup # mconcat :: [FactGroup] -> FactGroup #

countFacts :: FactGroup -> Int Source #

toScopedFacts :: FactGroup -> Set (Scoped Fact) Source #

fromScopedFacts :: Set (Scoped Fact) -> FactGroup Source #

keepAuthorized' :: FactGroup -> Maybe RuleScope -> Natural -> FactGroup Source #

defaultLimits :: Limits Source #

Default settings for the executor restrictions. - 1000 facts - 100 iterations - 1000μs max - regexes are allowed - facts and rules are allowed in blocks

evaluateExpression :: Limits -> Bindings -> Expression -> Either String Value Source #

Given bindings for variables, reduce an expression to a single datalog value

extractVariables :: [Predicate] -> Set Name Source #

getFactsForRule :: Limits -> Set (Scoped Fact) -> Rule -> Set (Scoped Fact) Source #

Given a rule and a set of available (scoped) facts, we find all fact combinations that match the rule body, and generate new facts by applying the bindings to the rule head (while keeping track of the facts origins)

checkCheck :: Limits -> Natural -> FactGroup -> Check -> Validation (NonEmpty Check) () Source #

checkPolicy :: Limits -> FactGroup -> Policy -> Maybe (Either MatchedQuery MatchedQuery) Source #

getBindingsForRuleBody :: Limits -> Set (Scoped Fact) -> [Predicate] -> [Expression] -> Set (Scoped Bindings) Source #

Given a set of scoped facts and a rule body, we generate a set of variable bindings that satisfy the rule clauses (predicates match, and expression constraints are fulfilled)

getCombinations :: [[Scoped Bindings]] -> [Scoped [Bindings]] Source #

Given a list of possible matches for each predicate, give all the combinations of one match per predicate, keeping track of the origin of each match