nodedb 0.3.0-beta.1

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

// SPDX-License-Identifier: BUSL-1.1

//! RLS predicate compilation helpers.
//!
//! SQL-text parsing for `CREATE RLS POLICY` is done by the `nodedb-sql`
//! AST layer (`nodedb-sql/src/ddl_ast/parse/rls.rs`). This module is
//! responsible only for the predicate compilation step — turning the
//! raw predicate text into a rich `RlsPredicate` AST — and for parsing
//! the `ON DENY` clause.

use pgwire::error::PgWireResult;

use crate::control::security::deny::{self, DenyMode};
use crate::control::security::predicate::RlsPredicate;
use crate::control::security::predicate_parser::{parse_predicate, validate_auth_refs};

use super::super::super::types::sqlstate_error;

/// Result of compiling an RLS predicate string.
pub struct CompiledPredicate {
    /// Compiled predicate AST. Substituted at query time via `AuthContext`.
    pub compiled_predicate: Option<RlsPredicate>,
    /// Deny-mode derived from the `ON DENY` clause.
    pub on_deny: DenyMode,
}

/// Compile a predicate string and optional `ON DENY` raw clause into a
/// `CompiledPredicate`. Called by the `create_rls_policy` handler after
/// the typed AST fields have been validated.
pub fn compile_rls_predicate(
    predicate_str: &str,
    on_deny_raw: Option<&str>,
) -> PgWireResult<CompiledPredicate> {
    let compiled = parse_predicate(predicate_str)
        .map_err(|e| sqlstate_error("42601", &format!("predicate parse error: {e}")))?;
    validate_auth_refs(&compiled).map_err(|e| sqlstate_error("42601", &e.to_string()))?;

    let on_deny = if let Some(deny_text) = on_deny_raw {
        let deny_parts: Vec<&str> = deny_text.split_whitespace().collect();
        // Strip leading DENY token if present.
        let slice = if deny_parts
            .first()
            .map(|s| s.eq_ignore_ascii_case("DENY"))
            .unwrap_or(false)
        {
            &deny_parts[1..]
        } else {
            &deny_parts[..]
        };
        deny::parse_on_deny(slice).map_err(|e| sqlstate_error("42601", &e.to_string()))?
    } else {
        DenyMode::default()
    };

    Ok(CompiledPredicate {
        compiled_predicate: Some(compiled),
        on_deny,
    })
}