Class: Vkit::Policy::BundleCompiler

Inherits:

Object

Object
Vkit::Policy::BundleCompiler

show all

Defined in:: lib/vkit/policy/bundle_compiler.rb

Constant Summary collapse

FORMAT_VERSION =

"v1"

Class Method Summary collapse

.canonical_json(obj) ⇒ Object

Canonicalization.
.compile!(org_slug:, bundle_version:, policies_dir:, registry_dir:, source: {}) ⇒ Object
.extract_approval(p) ⇒ Object
.extract_masking(p) ⇒ Object
.load_installed_packs ⇒ Object
.load_policies(dir) ⇒ Object

Loading.
.load_registry(dir) ⇒ Object
.normalize_action(action) ⇒ Object
.normalize_fields(fields) ⇒ Object
.normalize_mask_method(method) ⇒ Object
.normalize_policies(policies) ⇒ Object
.normalize_registry(raw) ⇒ Object
.normalize_source(source) ⇒ Object

Normalization.
.sort_keys_deep(value) ⇒ Object

Class Method Details

.canonical_json(obj) ⇒ `Object`

Canonicalization



177
178
179

# File 'lib/vkit/policy/bundle_compiler.rb', line 177

def self.canonical_json(obj)
  JSON.generate(sort_keys_deep(obj))
end

.compile!(org_slug:, bundle_version:, policies_dir:, registry_dir:, source: {}) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 12

def self.compile!(org_slug:, bundle_version:, policies_dir:, registry_dir:, source: {})
  policies = load_policies(policies_dir)
  registry = load_registry(registry_dir)

  bundle = {
    "bundle" => {
      "format_version" => FORMAT_VERSION,
      "org_slug" => org_slug,
      "bundle_version" => bundle_version,
      "created_at" => Time.now.utc.iso8601,
      "source" => normalize_source(source),
      "checksum" => "" # filled below
    },
    "registry" => registry,
    "policies" => normalize_policies(policies),
    "signing" => nil
  }

  bundle["bundle"]["installed_packs"] = load_installed_packs
  canonical = canonical_json(bundle)
  bundle["bundle"]["checksum"] = Digest::SHA256.hexdigest(canonical)

  bundle
end

.extract_approval(p) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 100

def self.extract_approval(p)
  return unless p.dig("action", "require_approval")
  { "approver_role" => p.dig("action", "approver_role") }
end

.extract_masking(p) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 105

def self.extract_masking(p)
  return unless p.dig("action", "mask")

  raw =
    p["masking"] ||
    p.dig("action", "masking") || {}

  default_method =
    normalize_mask_method(raw["default_method"]) if raw["default_method"]

  rules =
    case raw["rules"]
    when Hash
      raw["rules"].each_with_object({}) do |(field, method), acc|
        acc[field.to_s] = normalize_mask_method(method)
      end
    else
      {}
    end

  result = {}
  result["default_method"] = default_method if default_method
  result["rules"] = rules if rules.any?

  return if result.empty?

  result
end

.load_installed_packs ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 192

def self.load_installed_packs
  tracking_path = File.join(".vkit", "packs.yaml")
  return [] unless File.exist?(tracking_path)

  data = YAML.safe_load(File.read(tracking_path), permitted_classes: [], permitted_symbols: [], aliases: true)
  packs = data["installed_packs"] || {}

  packs.map do |name, meta|
    {
      "name" => name,
      "version" => meta["version"]
    }
  end
rescue
  []
end

.load_policies(dir) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 38

def self.load_policies(dir)
  files = Dir[File.join(dir, "*.y{a,}ml")].sort
  raise "No policy files found in #{dir}" if files.empty?

  files.map do |f|
    data = YAML.load_file(f)
    raise "Policy file #{f} must be a Hash" unless data.is_a?(Hash)

    PolicyValidator.validate!(data, file: File.basename(f))

    data.merge("__file" => File.basename(f))
  end
end

.load_registry(dir) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 52

def self.load_registry(dir)
  path = File.join(dir, "registry.yaml")
  raise "Missing datasets/registry.yaml" unless File.exist?(path)

  raw = YAML.load_file(path)
  normalize_registry(raw)
end

.normalize_action(action) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 91

def self.normalize_action(action)
  return "allow" unless action.is_a?(Hash)

  return "deny" if action["deny"]
  return "require_approval" if action["require_approval"]
  return "mask" if action["mask"]
  "allow"
end

.normalize_fields(fields) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 155

def self.normalize_fields(fields)
  fields.map do |name, meta|
    {
      "name" => name.to_s,
      "type" => meta["type"],
      "sensitivity" => meta["sensitivity"].to_s,
      "tags" => [meta["category"]].compact.map(&:to_s)
    }
  end
end

.normalize_mask_method(method) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 166

def self.normalize_mask_method(method)
  case method.to_s
  when "redact"   then "full"
  when "hash"     then "hash"
  when "truncate" then "partial"
  when "nullify"  then "full"
  else "full"
  end
end

.normalize_policies(policies) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 65

def self.normalize_policies(policies)
  seen = {}

  normalized = policies.map do |p|
    id = p["id"].to_s.strip
    raise "Policy id missing in #{p["__file"]}" if id.empty?
    raise "Duplicate policy id: #{id}" if seen[id]
    seen[id] = true

    {
      "id" => id,
      "description" => p["description"],
      "match" => p["match"],
      "when" => p["context"],          # ADAPT authoring → runtime
      "action" => normalize_action(p["action"]),
      "reason" => p.dig("action", "reason"),
      "approval" => extract_approval(p),
      "masking" => extract_masking(p),
      "ttl_seconds" => p.dig("action", "ttl"),
      "priority" => p["priority"]
    }.compact
  end

  normalized.sort_by { |p| [-(p["priority"] || 0), p["id"]] }
end

.normalize_registry(raw) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 134

def self.normalize_registry(raw)
  datasets = raw.map do |name, data|
    {
      "name" => name.to_s,
      "datasource" => data["datasource"].to_s,
      "fields" => normalize_fields(data["fields"] || {})
    }
  end

  datasources =
    datasets
      .map { |d| d["datasource"] }
      .uniq
      .map { |ds| { "name" => ds, "type" => "postgres", "config" => {} } }

  {
    "datasets" => datasets,
    "datasources" => datasources
  }
end

.normalize_source(source) ⇒ `Object`

Normalization



61
62
63

# File 'lib/vkit/policy/bundle_compiler.rb', line 61

def self.normalize_source(source)
  { "type" => "git" }.merge(source.transform_keys(&:to_s))
end

.sort_keys_deep(value) ⇒ `Object`

# File 'lib/vkit/policy/bundle_compiler.rb', line 181

def self.sort_keys_deep(value)
  case value
  when Hash
    value.keys.sort.each_with_object({}) { |k, h| h[k] = sort_keys_deep(value[k]) }
  when Array
    value.map { |v| sort_keys_deep(v) }
  else
    value
  end
end

Class: Vkit::Policy::BundleCompiler

Constant Summary collapse

Class Method Summary collapse

Class Method Details

.canonical_json(obj) ⇒ Object

.compile!(org_slug:, bundle_version:, policies_dir:, registry_dir:, source: {}) ⇒ Object

.extract_approval(p) ⇒ Object

.extract_masking(p) ⇒ Object

.load_installed_packs ⇒ Object

.load_policies(dir) ⇒ Object

.load_registry(dir) ⇒ Object

.normalize_action(action) ⇒ Object

.normalize_fields(fields) ⇒ Object

.normalize_mask_method(method) ⇒ Object

.normalize_policies(policies) ⇒ Object

.normalize_registry(raw) ⇒ Object

.normalize_source(source) ⇒ Object

.sort_keys_deep(value) ⇒ Object

.canonical_json(obj) ⇒ `Object`

.compile!(org_slug:, bundle_version:, policies_dir:, registry_dir:, source: {}) ⇒ `Object`

.extract_approval(p) ⇒ `Object`

.extract_masking(p) ⇒ `Object`

.load_installed_packs ⇒ `Object`

.load_policies(dir) ⇒ `Object`

.load_registry(dir) ⇒ `Object`

.normalize_action(action) ⇒ `Object`

.normalize_fields(fields) ⇒ `Object`

.normalize_mask_method(method) ⇒ `Object`

.normalize_policies(policies) ⇒ `Object`

.normalize_registry(raw) ⇒ `Object`

.normalize_source(source) ⇒ `Object`

.sort_keys_deep(value) ⇒ `Object`