Module: Sequel::Privacy::Enforcer

Extended by:
T::Sig
Defined in:
lib/sequel/privacy/enforcer.rb

Overview

The Enforcer evaluates policy chains to determine if an action is allowed. It handles caching, single-match optimization, and policy combinators.

Constant Summary collapse

EVAL_KEY =

Thread-local flag set while a policy chain is being evaluated. Implicit :view enforcement (Model.call, field readers, association readers) checks this flag and returns raw data when set, so policies can traverse protected fields and associations without recursive filtering. Explicit ‘allow?` calls always run regardless.

:sequel_privacy_in_policy_eval

Class Method Summary collapse

Class Method Details

.compute_cache_key(policy, subject, actor, viewer_context, direct_object) ⇒ Object 



99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
 
# File 'lib/sequel/privacy/enforcer.rb', line 99

def self.compute_cache_key(policy, subject, actor, viewer_context, direct_object)
  if (keys = policy.cache_by)
    parts = T.let([policy, viewer_context], T::Array[T.untyped])
    keys.each do |k|
      parts << case k
               when :actor then actor
               when :subject then subject
               when :direct_object then direct_object
               end
    end
    return parts.hash
  end

  case policy.arity
  when 0
    [policy, viewer_context].hash
  when 1
    [policy, actor, viewer_context].hash
  when 2
    [policy, actor, subject, viewer_context].hash
  else
    [policy, actor, subject, direct_object, viewer_context].hash
  end
end

.enforce(policies, subject, viewer_context, direct_object = nil) ⇒ Object 



48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
 
# File 'lib/sequel/privacy/enforcer.rb', line 48

def self.enforce(policies, subject, viewer_context, direct_object = nil)
  saved = Thread.current[EVAL_KEY]
  Thread.current[EVAL_KEY] = true

  begin
    # All-powerful and omniscient contexts bypass all checks
    if viewer_context.is_a?(AllPowerfulVC)
      logger&.warn('BYPASS: All-powerful viewer context bypasses all privacy rules.')
      return true
    end

    if viewer_context.is_a?(OmniscientVC)
      logger&.debug { "BYPASS: Omniscient viewer context (#{viewer_context.reason})" }
      return true
    end

    actor = viewer_context.is_a?(ActorVC) ? viewer_context.actor : nil

    if policies.empty?
      logger&.error { "No policies for #{subject.class}[#{subject_id(subject)}]. Denying by default." }
      policies = [BuiltInPolicies::AlwaysDeny]
    end

    # Ensure policy chain ends with AlwaysDeny (fail-secure)
    unless policies.last == BuiltInPolicies::AlwaysDeny
      logger&.warn { 'Policy chain should end with AlwaysDeny. Appending it.' }
      policies = policies.dup << BuiltInPolicies::AlwaysDeny
    end

    policies.each do |uncasted_policy|
      result = policy_result(uncasted_policy, subject, actor, viewer_context, direct_object)
      return true if result == :allow
      return false if result == :deny
    end

    false
  ensure
    Thread.current[EVAL_KEY] = saved
  end
end

.evaluate_child_policies(child_policies, subject, actor, viewer_context, direct_object) ⇒ Object 



140
141
142
143
144
145
146
147
148
149
150
151
152
153
 
# File 'lib/sequel/privacy/enforcer.rb', line 140

def self.evaluate_child_policies(child_policies, subject, actor, viewer_context, direct_object)
  unless child_policies.all? { |c| c.is_a?(Proc) }
    Kernel.raise "Policy combinator contains non-policy members"
  end

  results = child_policies.map do |child_policy|
    policy_result(child_policy, subject, actor, viewer_context, direct_object)
  end

  return :deny if results.include?(:deny)
  return :allow if results.all? { |r| r == :allow }

  :pass
end

.execute_policy(policy, subject, actor, direct_object) ⇒ Object 



225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
 
# File 'lib/sequel/privacy/enforcer.rb', line 225

def self.execute_policy(policy, subject, actor, direct_object)
  # Policies with arity >= 1 expect an actor as the first arg.
  # Anonymous viewers (no actor) auto-deny unless the policy opts in
  # with allow_anonymous: true (for state-gate policies that examine
  # only the subject).
  if !actor && policy.arity >= 1 && !policy.allow_anonymous?
    return :deny
  end

  case policy.arity
  when 0
    Actions.evaluate(&policy)
  when 1
    Actions.evaluate(actor, &policy)
  when 2
    Actions.evaluate(actor, subject, &policy)
  else
    Actions.evaluate(actor, subject, direct_object, &policy)
  end
end

.in_policy_eval?Boolean

Returns:

  • (Boolean) 


29
30
31
 
# File 'lib/sequel/privacy/enforcer.rb', line 29

def self.in_policy_eval?
  Thread.current[EVAL_KEY] == true
end

.log_result(policy, result, actor, subject, from_cache, skipped) ⇒ Object 



256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
 
# File 'lib/sequel/privacy/enforcer.rb', line 256

def self.log_result(policy, result, actor, subject, from_cache, skipped)
  return unless logger

  actor_id = actor ? actor.id : 'anonymous'
  logger.debug do
    msg = "#{result.to_s.upcase}: #{policy.policy_name || 'anonymous'} for actor[#{actor_id}] on #{subject.class}[#{subject_id(subject)}]"
    msg += " (cached)" if from_cache
    msg += " (skipped: single_match)" if skipped
    msg
  end

  if policy.comment && %i[deny allow].include?(result)
    logger.debug { "#{policy.comment}" }
  end
end

.loggerObject 



23
24
25
 
# File 'lib/sequel/privacy/enforcer.rb', line 23

def logger
  Sequel::Privacy.logger
end

.policy_result(uncasted_policy, subject, actor, viewer_context, direct_object) ⇒ Object 



165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
 
# File 'lib/sequel/privacy/enforcer.rb', line 165

def self.policy_result(uncasted_policy, subject, actor, viewer_context, direct_object)
  from_cache = false
  skipped_from_single_match = false

  policy = T.cast(uncasted_policy, TPolicy, checked: false)

  # Single-match optimization
  if policy.single_match?
    match_key = [policy, actor, viewer_context].hash
    if (matched = Sequel::Privacy.single_matches[match_key]) && matched != subject.hash
      skipped_from_single_match = true
      result = :pass
    end
  end

  # Check cache
  cache_key = compute_cache_key(policy, subject, actor, viewer_context, direct_object)
  if !skipped_from_single_match && policy.cacheable? && Sequel::Privacy.cache.key?(cache_key)
    from_cache = true
    result = Sequel::Privacy.cache[cache_key]
    Kernel.raise InvalidPolicyOutcomeError unless result && valid_outcome?(result)
  end

  # Execute policy if not cached
  result ||= execute_policy(policy, subject, actor, direct_object)
  result ||= :pass

  # Handle combinator results
  if result.is_a?(Array)
    result = evaluate_child_policies(result, subject, actor, viewer_context, direct_object)
  end

  # Cache result
  if policy.cacheable? && !from_cache
    Sequel::Privacy.cache[cache_key] = result
  end

  # Log result
  log_result(policy, result, actor, subject, from_cache, skipped_from_single_match)

  # Record single-match
  if policy.single_match? && result == :allow
    Sequel::Privacy.single_matches[[policy, actor, viewer_context].hash] = subject.hash
  end

  unless valid_outcome?(result)
    Kernel.raise InvalidPolicyOutcomeError, "Policy returned #{result.inspect}, expected :allow, :deny, or :pass"
  end

  result
end

.subject_id(subject) ⇒ Object 



273
274
275
 
# File 'lib/sequel/privacy/enforcer.rb', line 273

def self.subject_id(subject)
  subject.respond_to?(:pk) ? subject.pk : subject.object_id
end

.valid_outcome?(outcome) ⇒ Boolean

Returns:

  • (Boolean) 


125
126
127
 
# File 'lib/sequel/privacy/enforcer.rb', line 125

def self.valid_outcome?(outcome)
  %i[allow pass deny].include?(outcome)
end