Permissions

Author: brunovcosta

abstra_json_sql/ast.py

@@ -46,6 +46,17 @@ class AndExpression(Expression):
     left: Expression
     right: Expression
 
+    @classmethod
+    def from_list(cls, expressions: List[Expression]) -> "AndExpression":
+        if len(expressions) == 0:
+            return AndExpression(TrueExpression(), TrueExpression())
+        elif len(expressions) == 1:
+            return AndExpression(TrueExpression(), expressions[0])
+        else:
+            return AndExpression(
+                expressions[0], AndExpression.from_list(expressions[1:])
+            )
+
 
 @dataclass
 class OrExpression(Expression):
@@ -213,6 +224,15 @@ class Select(Command):
     order_part: Optional[OrderBy] = None
     limit_part: Optional[Limit] = None
 
+    def get_tables(self) -> List[str]:
+        tables = []
+        if self.from_part:
+            tables.append(self.from_part.table)
+            if self.from_part.join:
+                for join in self.from_part.join:
+                    tables.append(join.table)
+        return tables
+
 
 @dataclass
 class WithPart(Ast):

abstra_json_sql/authorization.py

@@ -0,0 +1,159 @@
+from dataclasses import dataclass
+from typing import List, Literal, Optional
+
+from .ast import (
+    AndExpression,
+    Command,
+    Delete,
+    EqualExpression,
+    Expression,
+    Insert,
+    NameExpression,
+    Select,
+    Update,
+)
+from .lexer import scan
+from .parser import parse, parse_expression
+from .tables import ITablesSnapshot
+
+RuleCommand = Literal["SELECT", "INSERT", "UPDATE", "DELETE"]
+
+
+def includes_expression(main: Expression, sub: Expression) -> bool:
+    if main == sub:
+        return True
+    elif isinstance(main, AndExpression):
+        return includes_expression(main.left, sub) or includes_expression(
+            main.right, sub
+        )
+    return False
+
+
+def validate_insert_condition(condition: Expression) -> bool:
+    if isinstance(condition, AndExpression):
+        return validate_insert_condition(condition.left) and validate_insert_condition(
+            condition.right
+        )
+    elif isinstance(condition, EqualExpression):
+        if isinstance(condition.left, NameExpression):
+            return True
+    return False
+
+
+@dataclass
+class Rule:
+    type: Literal["GRANT", "REVOKE"]
+    command: RuleCommand
+    table_name: str
+    condition: Optional[str] = None
+
+    def __post_init__(self):
+        if self.command == "INSERT" and self.condition is not None:
+            cond_exp, _ = parse_expression(scan(self.condition))
+            if not validate_insert_condition(cond_exp):
+                raise NotImplementedError(
+                    "Only simple equality conditions are supported for INSERT rules."
+                )
+
+    def condition_met(self, command: Command) -> bool:
+        if self.condition is None:
+            return True
+        if isinstance(command, Select) and self.command == "SELECT":
+            cond_exp, _ = parse_expression(scan(self.condition))
+            if command.where_part is None:
+                return False
+            return includes_expression(command.where_part.expression, cond_exp)
+        elif isinstance(command, Update) and self.command == "UPDATE":
+            cond_exp, _ = parse_expression(scan(self.condition))
+            if command.where is None:
+                return False
+            return includes_expression(command.where.expression, cond_exp)
+        elif isinstance(command, Delete) and self.command == "DELETE":
+            cond_exp, _ = parse_expression(scan(self.condition))
+            if command.where is None:
+                return False
+            return includes_expression(command.where.expression, cond_exp)
+        elif isinstance(command, Insert) and self.command == "INSERT":
+            cond_exp, _ = parse_expression(scan(self.condition))
+            if command.columns is None:
+                return False
+
+            for value in command.values:
+                insert_expression = AndExpression.from_list(
+                    [
+                        EqualExpression(NameExpression(field), val)
+                        for field, val in zip(command.columns, value)
+                    ]
+                )
+                if includes_expression(insert_expression, cond_exp):
+                    return True
+        return False
+
+    def check(self, command: Command) -> Literal["ALLOW", "DENY", "NO_MATCH"]:
+        if isinstance(command, Select) and self.command == "SELECT":
+            if self.table_name in command.get_tables():
+                if self.condition_met(command):
+                    return "ALLOW" if self.type == "GRANT" else "DENY"
+                else:
+                    return "NO_MATCH"
+        elif isinstance(command, Insert) and self.command == "INSERT":
+            if self.table_name == command.table_name:
+                if self.condition_met(command):
+                    return "ALLOW" if self.type == "GRANT" else "DENY"
+                else:
+                    return "NO_MATCH"
+        elif isinstance(command, Update) and self.command == "UPDATE":
+            if self.table_name == command.table_name:
+                if self.condition_met(command):
+                    return "ALLOW" if self.type == "GRANT" else "DENY"
+                else:
+                    return "NO_MATCH"
+        elif isinstance(command, Delete) and self.command == "DELETE":
+            if self.table_name == command.table_name:
+                if self.condition_met(command):
+                    return "ALLOW" if self.type == "GRANT" else "DENY"
+                else:
+                    return "NO_MATCH"
+        return "NO_MATCH"
+
+
+class Permissions:
+    default: bool
+    rules: List[Rule]
+
+    def __init__(self, default: bool = False):
+        self.default = default
+        self.rules = []
+
+    def grant(
+        self, command: RuleCommand, table_name: str, condition: Optional[str]
+    ) -> "ITablesSnapshot":
+        if condition is None:
+
+            def condition(_):
+                return self.default
+
+        self.rules.append(Rule("GRANT", command, table_name, condition))
+        return self
+
+    def revoke(
+        self, command: RuleCommand, table_name: str, condition: Optional[str]
+    ) -> "ITablesSnapshot":
+        if condition is None:
+
+            def condition(_):
+                return not self.default
+
+        self.rules.append(Rule("REVOKE", command, table_name, condition))
+        return self
+
+    def allowed(self, sql: str):
+        cmd = parse(scan(sql))
+        allowed = self.default
+        for rule in self.rules:
+            result = rule.check(cmd)
+            if result == "ALLOW":
+                allowed = True
+            elif result == "DENY":
+                allowed = False
+        return allowed

abstra_json_sql/authorization_test.py

@@ -0,0 +1,80 @@
+from unittest import TestCase
+
+from .authorization import Permissions
+
+
+class TestPermissions(TestCase):
+    def test_select(self):
+        p = Permissions(default=False)
+        p.grant("SELECT", "users", "age > 18")
+
+        self.assertFalse(p.allowed("select * from users"))
+        self.assertTrue(p.allowed("select * from users where age > 18"))
+
+        p.revoke("SELECT", "users", "age < 21")
+        self.assertFalse(p.allowed("select * from users where age < 21"))
+
+    def test_select_complex(self):
+        p = Permissions(default=False)
+        p.grant("SELECT", "orders", "status = 'completed' AND total > 100")
+
+        self.assertFalse(p.allowed("select * from orders where status = 'pending'"))
+        self.assertFalse(p.allowed("select * from orders where total <= 100"))
+        self.assertTrue(
+            p.allowed("select * from orders where status = 'completed' AND total > 100")
+        )
+
+        p.revoke("SELECT", "orders", "customer_id = 42")
+        self.assertFalse(
+            p.allowed(
+                "select * from orders where customer_id = 42 AND status = 'completed' AND total > 100"
+            )
+        )
+
+    def test_insert(self):
+        p = Permissions(default=False)
+        p.grant("INSERT", "users", "name = 'Alice'")
+
+        self.assertFalse(p.allowed("insert into users (name, age) values ('Bob', 25)"))
+        self.assertTrue(p.allowed("insert into users (name, age) values ('Alice', 30)"))
+
+        p.revoke("INSERT", "users", "age = 18")
+        self.assertFalse(
+            p.allowed("insert into users (name, age) values ('Alice', 18)")
+        )
+        self.assertTrue(p.allowed("insert into users (name, age) values ('Alice', 20)"))
+
+    def test_update(self):
+        p = Permissions(default=False)
+        p.grant("UPDATE", "users", "age < 65")
+
+        self.assertFalse(p.allowed("update users set age = age + 1 where age >= 65"))
+        self.assertTrue(p.allowed("update users set age = age + 1 where age < 65"))
+
+        p.revoke("UPDATE", "users", "status = 'inactive'")
+        self.assertFalse(
+            p.allowed("update users set age = age + 1 where status = 'inactive'")
+        )
+        self.assertFalse(
+            p.allowed("update users set age = age + 1 where status = 'active'")
+        )
+
+        p.grant("UPDATE", "users", "status = 'active'")
+        self.assertTrue(
+            p.allowed("update users set age = age + 1 where status = 'active'")
+        )
+
+    def test_delete(self):
+        p = Permissions(default=False)
+        p.grant("DELETE", "users", "status = 'inactive'")
+
+        self.assertFalse(p.allowed("delete from users where status = 'active'"))
+        self.assertTrue(p.allowed("delete from users where status = 'inactive'"))
+
+        p.revoke("DELETE", "users", "age < 18")
+        self.assertFalse(
+            p.allowed("delete from users where status = 'inactive' and age < 18")
+        )
+        self.assertTrue(
+            p.allowed("delete from users where status = 'inactive' and age >= 18")
+        )