nodedb 0.0.0-beta.1

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

//! Data Plane RLS filter evaluation for post-fetch / post-candidate operations.
//!
//! The Control Plane injects serialized `ScanFilter` bytes into physical plan
//! `rls_filters` fields. This module deserializes and evaluates those filters
//! against documents fetched by the Data Plane.
//!
//! **Security contract**: If `rls_filters` is non-empty and the document does
//! not pass all filters, the handler MUST return `NOT_FOUND` (no info leak).
//! Empty `rls_filters` means no RLS policies apply — allow unconditionally.

use crate::bridge::scan_filter::ScanFilter;

/// Evaluate RLS filters against a document.
///
/// Returns `true` if the document passes all RLS filters (or if no filters).
/// Returns `false` if any filter rejects the document (caller must deny).
///
/// Used by point-get and key-get handlers after fetching the raw document.
pub fn rls_check_document(rls_filters: &[u8], doc: &serde_json::Value) -> bool {
    if rls_filters.is_empty() {
        return true;
    }

    let filters: Vec<ScanFilter> = match rmp_serde::from_slice(rls_filters) {
        Ok(f) => f,
        Err(_) => {
            // Deserialization failure → deny (fail-closed).
            tracing::warn!("RLS filter deserialization failed — denying access");
            return false;
        }
    };

    filters.iter().all(|f| f.matches(doc))
}

/// Evaluate RLS filters against raw MessagePack document bytes.
///
/// Decodes the document, then evaluates filters. Returns `true` if passes.
/// Returns `false` if decode fails or any filter rejects.
pub fn rls_check_msgpack_bytes(rls_filters: &[u8], doc_bytes: &[u8]) -> bool {
    if rls_filters.is_empty() {
        return true;
    }

    let doc = match super::super::doc_format::decode_document(doc_bytes) {
        Some(d) => d,
        None => return false, // Can't decode → deny
    };

    rls_check_document(rls_filters, &doc)
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde_json::json;

    fn make_rls_bytes(field: &str, op: &str, value: serde_json::Value) -> Vec<u8> {
        let filter = ScanFilter {
            field: field.into(),
            op: op.into(),
            value,
            clauses: Vec::new(),
        };
        rmp_serde::to_vec_named(&vec![filter]).unwrap()
    }

    #[test]
    fn empty_filters_allow() {
        let doc = json!({"anything": "goes"});
        assert!(rls_check_document(&[], &doc));
    }

    #[test]
    fn matching_filter_allows() {
        let rls = make_rls_bytes("user_id", "eq", json!("42"));
        let doc = json!({"user_id": "42", "name": "alice"});
        assert!(rls_check_document(&rls, &doc));
    }

    #[test]
    fn non_matching_filter_denies() {
        let rls = make_rls_bytes("user_id", "eq", json!("42"));
        let doc = json!({"user_id": "99", "name": "bob"});
        assert!(!rls_check_document(&rls, &doc));
    }

    #[test]
    fn missing_field_denies() {
        let rls = make_rls_bytes("user_id", "eq", json!("42"));
        let doc = json!({"name": "alice"});
        assert!(!rls_check_document(&rls, &doc));
    }

    #[test]
    fn corrupt_filters_deny() {
        let corrupt = vec![0xFF, 0xFE, 0xFD];
        let doc = json!({"user_id": "42"});
        assert!(!rls_check_document(&corrupt, &doc));
    }

    #[test]
    fn multiple_filters_all_must_pass() {
        let filters = vec![
            ScanFilter {
                field: "user_id".into(),
                op: "eq".into(),
                value: json!("42"),
                clauses: Vec::new(),
            },
            ScanFilter {
                field: "status".into(),
                op: "eq".into(),
                value: json!("active"),
                clauses: Vec::new(),
            },
        ];
        let rls = rmp_serde::to_vec_named(&filters).unwrap();

        let doc_ok = json!({"user_id": "42", "status": "active"});
        assert!(rls_check_document(&rls, &doc_ok));

        let doc_bad = json!({"user_id": "42", "status": "banned"});
        assert!(!rls_check_document(&rls, &doc_bad));
    }
}