Module: Sequel::Privacy::Enforcer

Extended by:

T::Sig

Defined in:

lib/sequel/privacy/enforcer.rb

Constant Summary

EVAL_KEY =

Thread-local flag set while a policy chain is being evaluated. Implicit :view enforcement (Model.call, field readers, association readers) checks this flag and returns raw data when set, so policies can traverse protected fields and associations without recursive filtering. Explicit ‘allow?` calls always run regardless.

:sequel_privacy_in_policy_eval

Class Method Summary

• .compute_cache_key(policy, subject, actor, viewer_context, direct_object) ⇒ Object
• .enforce(policies, subject, viewer_context, direct_object = nil) ⇒ Object
• .evaluate_child_policies(child_policies, subject, actor, viewer_context, direct_object) ⇒ Object
• .execute_policy(policy, subject, actor, direct_object) ⇒ Object
• .in_policy_eval? ⇒ Boolean
• .log_result(policy, result, actor, subject, from_cache, skipped) ⇒ Object
• .logger ⇒ Object
• .policy_result(uncasted_policy, subject, actor, viewer_context, direct_object) ⇒ Object
• .subject_id(subject) ⇒ Object
• .valid_outcome?(outcome) ⇒ Boolean

Class Method Details

.compute_cache_key(policy, subject, actor, viewer_context, direct_object) ⇒ Object

# File 'lib/sequel/privacy/enforcer.rb', line 97

def self.compute_cache_key(policy, subject, actor, viewer_context, direct_object)
  if (keys = policy.cache_by)
    parts = T.let([policy, viewer_context], T::Array[T.untyped])
    keys.each do |k|
      parts << case k
               when :actor then actor
               when :subject then subject
               when :direct_object then direct_object
               end
    end
    return parts.hash
  end

  case policy.arity
  when 0
    [policy, viewer_context].hash
  when 1
    [policy, actor, viewer_context].hash
  when 2
    [policy, actor, subject, viewer_context].hash
  else
    [policy, actor, subject, direct_object, viewer_context].hash
  end
end

.enforce(policies, subject, viewer_context, direct_object = nil) ⇒ Object

# File 'lib/sequel/privacy/enforcer.rb', line 46

def self.enforce(policies, subject, viewer_context, direct_object = nil)
  saved = Thread.current[EVAL_KEY]
  Thread.current[EVAL_KEY] = true

  begin
    # All-powerful and omniscient contexts bypass all checks
    if viewer_context.is_a?(AllPowerfulVC)
      logger&.warn('BYPASS: All-powerful viewer context bypasses all privacy rules.')
      return true
    end

    if viewer_context.is_a?(OmniscientVC)
      logger&.debug { "BYPASS: Omniscient viewer context (#{viewer_context.reason})" }
      return true
    end

    actor = viewer_context.is_a?(ActorVC) ? viewer_context.actor : nil

    if policies.empty?
      logger&.error { "No policies for #{subject.class}[#{subject_id(subject)}]. Denying by default." }
      policies = [BuiltInPolicies::AlwaysDeny]
    end

    # Ensure policy chain ends with AlwaysDeny (fail-secure)
    unless policies.last == BuiltInPolicies::AlwaysDeny
      logger&.warn { 'Policy chain should end with AlwaysDeny. Appending it.' }
      policies = policies.dup << BuiltInPolicies::AlwaysDeny
    end

    policies.each do |uncasted_policy|
      result = policy_result(uncasted_policy, subject, actor, viewer_context, direct_object)
      return true if result == :allow
      return false if result == :deny
    end

    false
  ensure
    Thread.current[EVAL_KEY] = saved
  end
end

.evaluate_child_policies(child_policies, subject, actor, viewer_context, direct_object) ⇒ Object

# File 'lib/sequel/privacy/enforcer.rb', line 138

def self.evaluate_child_policies(child_policies, subject, actor, viewer_context, direct_object)
  Kernel.raise 'Policy combinator contains non-policy members' unless child_policies.all? { |c| c.is_a?(Proc) }

  results = child_policies.map do |child_policy|
    policy_result(child_policy, subject, actor, viewer_context, direct_object)
  end

  return :deny if results.include?(:deny)
  return :allow if results.all? { |r| r == :allow }

  :pass
end

.execute_policy(policy, subject, actor, direct_object) ⇒ Object

# File 'lib/sequel/privacy/enforcer.rb', line 217

def self.execute_policy(policy, subject, actor, direct_object)
  # Policies with arity >= 1 expect an actor as the first arg.
  # Anonymous viewers (no actor) auto-deny unless the policy opts in
  # with allow_anonymous: true (for state-gate policies that examine
  # only the subject).
  return :deny if !actor && policy.arity >= 1 && !policy.allow_anonymous?

  case policy.arity
  when 0
    Actions.evaluate(&policy)
  when 1
    Actions.evaluate(actor, &policy)
  when 2
    Actions.evaluate(actor, subject, &policy)
  else
    Actions.evaluate(actor, subject, direct_object, &policy)
  end
end

.in_policy_eval? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/sequel/privacy/enforcer.rb', line 27

def self.in_policy_eval?
  Thread.current[EVAL_KEY] == true
end

.log_result(policy, result, actor, subject, from_cache, skipped) ⇒ Object

# File 'lib/sequel/privacy/enforcer.rb', line 246

def self.log_result(policy, result, actor, subject, from_cache, skipped)
  return unless logger

  actor_id = actor ? actor.id : 'anonymous'
  logger.debug do
    msg = "#{result.to_s.upcase}: #{policy.policy_name || 'anonymous'} for actor[#{actor_id}] on #{subject.class}[#{subject_id(subject)}]"
    msg += ' (cached)' if from_cache
    msg += ' (skipped: single_match)' if skipped
    msg
  end

  return unless policy.comment && %i[deny allow].include?(result)

  logger.debug { " ⮑  #{policy.comment}" }
end

.logger ⇒ Object

# File 'lib/sequel/privacy/enforcer.rb', line 21

def logger
  Sequel::Privacy.logger
end

.policy_result(uncasted_policy, subject, actor, viewer_context, direct_object) ⇒ Object

# File 'lib/sequel/privacy/enforcer.rb', line 161

def self.policy_result(uncasted_policy, subject, actor, viewer_context, direct_object)
  from_cache = false
  skipped_from_single_match = false

  policy = T.cast(uncasted_policy, TPolicy, checked: false)

  # Single-match optimization
  if policy.single_match?
    match_key = [policy, actor, viewer_context].hash
    if (matched = Sequel::Privacy.single_matches[match_key]) && matched != subject.hash
      skipped_from_single_match = true
      result = :pass
    end
  end

  # Check cache
  cache_key = compute_cache_key(policy, subject, actor, viewer_context, direct_object)
  if !skipped_from_single_match && policy.cacheable? && Sequel::Privacy.cache.key?(cache_key)
    from_cache = true
    result = Sequel::Privacy.cache[cache_key]
    Kernel.raise InvalidPolicyOutcomeError unless result && valid_outcome?(result)
  end

  # Execute policy if not cached
  result ||= execute_policy(policy, subject, actor, direct_object)
  result ||= :pass

  # Handle combinator results
  result = evaluate_child_policies(result, subject, actor, viewer_context, direct_object) if result.is_a?(Array)

  # Cache result
  Sequel::Privacy.cache[cache_key] = result if policy.cacheable? && !from_cache

  # Log result
  log_result(policy, result, actor, subject, from_cache, skipped_from_single_match)

  # Record single-match
  if policy.single_match? && result == :allow
    Sequel::Privacy.single_matches[[policy, actor, viewer_context].hash] = subject.hash
  end

  unless valid_outcome?(result)
    Kernel.raise InvalidPolicyOutcomeError, "Policy returned #{result.inspect}, expected :allow, :deny, or :pass"
  end

  result
end

.subject_id(subject) ⇒ Object

# File 'lib/sequel/privacy/enforcer.rb', line 263

def self.subject_id(subject)
  subject.respond_to?(:pk) ? subject.pk : subject.object_id
end

.valid_outcome?(outcome) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/sequel/privacy/enforcer.rb', line 123

def self.valid_outcome?(outcome)
  %i[allow pass deny].include?(outcome)
end