plsql-privileges 0.1.0

Privilege and authorization model for PL/SQL analysis
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306

//! Privilege-ambiguity feed.
//!
//! The privilege resolver ([`crate::resolve_privileges`]) records two
//! kinds of "can't decide statically" outcome:
//!
//! * [`AuthorizationAmbiguity`] — a unit's authorization depends on
//!   runtime role state (`RuntimeGrantOrRole`) or invoker-rights
//!   resolution (`InvokerRightsRuntimeResolution`).
//! * [`CrossSchemaWrite`] with a non-`None` `runtime_ambiguity` — a
//!   cross-schema write whose grant can't be confirmed statically.
//!
//! Those signals are useless if they stay trapped in the privilege
//! model. This module turns them into a flat feed two downstream
//! layers consume:
//!
//! 1. **Symbol resolution** — when a reference resolves to an object
//!    whose authorization is ambiguous, the resolver should not claim
//!    `High` confidence. [`downgrade_confidence`] computes the capped
//!    confidence for a given prior + reason.
//! 2. **SAST evidence** — each ambiguity becomes an [`Evidence`]
//!    record (stable `code`, dependent-role notes) a security rule
//!    can attach to its finding so an operator sees *why* the
//!    analyser hedged.
//!
//! The feed is pure data: it neither imports the symbol crate nor the
//! SAST crate (both are same-layer / downstream), so there is no
//! dependency cycle — the engine orchestration layer wires the feed
//! into whichever consumer needs it. Object/schema/role names are
//! interned [`plsql_core`] ids; the feed keeps them typed and renders
//! them via `Debug` for evidence text (the engine resolves ids back
//! to source identifiers through its interner when presenting).
//!
//! ## /oracle evidence
//!
//! * `DATABASE-REFERENCE.md` PL/SQL Language Reference — Invoker's
//!   vs. Definer's Rights: `AUTHID CURRENT_USER` defers privilege
//!   resolution to call time, which is exactly the static-analysis
//!   gap this feed records.
//! * `LOW-LEVEL-CATALOGS.md` — `SESSION_ROLES` / `DBA_ROLE_PRIVS`:
//!   the runtime role set that makes `RuntimeGrantOrRole` undecidable
//!   without a live session.

use serde::{Deserialize, Serialize};

use plsql_core::{
    Confidence, ConfidenceLevel, Evidence, ObjectName, RoleName, SchemaName, UnknownReason,
};

use crate::model::PrivilegeModel;

/// Stable evidence code so SAST rules / golden tests can match on it.
pub const AMBIGUITY_EVIDENCE_CODE: &str = "PRIV-AMBIGUITY";

/// One downstream-consumable ambiguity record.
#[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
pub struct AmbiguityFeedEntry {
    /// Owning schema of the affected object.
    pub schema: SchemaName,
    /// The affected object.
    pub object: ObjectName,
    /// Why the authorization is undecidable statically.
    pub reason: UnknownReason,
    /// Roles whose runtime state would change the outcome (may be
    /// empty when the ambiguity is not role-driven).
    pub dependent_roles: Vec<RoleName>,
    /// The confidence ceiling a symbol-resolution result that lands
    /// on this object must not exceed.
    pub confidence_ceiling: Confidence,
    /// Ready-to-attach SAST evidence record.
    pub sast_evidence: Evidence,
}

/// The strongest confidence a result may claim when its authorization
/// hinges on `reason`. Runtime role/grant state and invoker-rights
/// resolution are genuinely undecidable without a live session, so
/// they cap at `Low`; anything else we treat as `Opaque` (we don't
/// even know enough to call it `Low`).
#[must_use]
pub fn confidence_ceiling_for(reason: UnknownReason) -> ConfidenceLevel {
    match reason {
        UnknownReason::RuntimeGrantOrRole | UnknownReason::InvokerRightsRuntimeResolution => {
            ConfidenceLevel::Low
        }
        _ => ConfidenceLevel::Opaque,
    }
}

/// Cap `prior` at the ceiling implied by `reason`. Never *raises*
/// confidence — if the prior is already at/under the ceiling it is
/// returned unchanged (only the explanation is appended). Ordering
/// uses `ConfidenceLevel`'s derived `Ord` where `High < Medium <
/// Low < Opaque` (a larger discriminant == less confident), so the
/// capped level is `max(prior, ceiling)`.
#[must_use]
pub fn downgrade_confidence(prior: &Confidence, reason: UnknownReason) -> Confidence {
    let ceiling = confidence_ceiling_for(reason);
    let level = prior.level.max(ceiling);
    let note = format!(
        "privilege authorization is ambiguous ({reason:?}); confidence capped at {ceiling:?}"
    );
    let explanation = match &prior.explanation {
        Some(prev) if !prev.is_empty() => format!("{prev}; {note}"),
        _ => note,
    };
    Confidence::new(level, explanation)
}

fn ceiling_confidence(reason: UnknownReason, context: &str) -> Confidence {
    Confidence::new(confidence_ceiling_for(reason), context.to_string())
}

/// Build the flat ambiguity feed from a resolved [`PrivilegeModel`].
///
/// Deterministic: entries appear in the model's own order
/// (`runtime_ambiguities` first, then ambiguous `cross_schema_writes`).
/// `O(n)` over the two source vectors.
#[must_use]
pub fn ambiguity_feed(model: &PrivilegeModel) -> Vec<AmbiguityFeedEntry> {
    let mut feed = Vec::new();

    for amb in &model.runtime_ambiguities {
        let summary = format!(
            "{:?}.{:?} authorization depends on runtime role state ({:?})",
            amb.schema, amb.object, amb.reason
        );
        let mut ev = Evidence::new(AMBIGUITY_EVIDENCE_CODE, summary);
        if !amb.dependent_roles.is_empty() {
            ev = ev.with_note(format!("dependent roles: {:?}", amb.dependent_roles));
        }
        ev.confidence = Some(ceiling_confidence(
            amb.reason,
            "static analysis cannot confirm the grant without a live session",
        ));
        feed.push(AmbiguityFeedEntry {
            schema: amb.schema,
            object: amb.object,
            reason: amb.reason,
            dependent_roles: amb.dependent_roles.clone(),
            confidence_ceiling: ceiling_confidence(
                amb.reason,
                "authorization ambiguity from privilege model",
            ),
            sast_evidence: ev,
        });
    }

    for csw in &model.cross_schema_writes {
        let Some(reason) = csw.runtime_ambiguity else {
            continue;
        };
        let summary = format!(
            "cross-schema write {:?}.{:?} -> {:?}.{:?} ({:?}) cannot be confirmed statically ({:?})",
            csw.caller_schema,
            csw.caller_object,
            csw.target_schema,
            csw.target_object,
            csw.privilege,
            reason
        );
        let mut ev = Evidence::new(AMBIGUITY_EVIDENCE_CODE, summary);
        ev = ev.with_note("cross-schema write authorization is runtime-dependent");
        ev.confidence = Some(ceiling_confidence(
            reason,
            "grant for the cross-schema write is runtime-resolved",
        ));
        feed.push(AmbiguityFeedEntry {
            schema: csw.target_schema,
            object: csw.target_object,
            reason,
            dependent_roles: Vec::new(),
            confidence_ceiling: ceiling_confidence(reason, "cross-schema write ambiguity"),
            sast_evidence: ev,
        });
    }

    feed
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::model::{AuthorizationAmbiguity, CrossSchemaWrite};
    use plsql_catalog::GrantPrivilege;
    use plsql_core::SymbolId;

    fn sn(id: u64) -> SchemaName {
        SchemaName::from(SymbolId::new(id))
    }
    fn on(id: u64) -> ObjectName {
        ObjectName::from(SymbolId::new(id))
    }
    fn rn(id: u64) -> RoleName {
        RoleName::from(SymbolId::new(id))
    }

    #[test]
    fn confidence_ceiling_runtime_role_is_low() {
        assert_eq!(
            confidence_ceiling_for(UnknownReason::RuntimeGrantOrRole),
            ConfidenceLevel::Low
        );
        assert_eq!(
            confidence_ceiling_for(UnknownReason::InvokerRightsRuntimeResolution),
            ConfidenceLevel::Low
        );
    }

    #[test]
    fn confidence_ceiling_other_reasons_are_opaque() {
        assert_eq!(
            confidence_ceiling_for(UnknownReason::DynamicSqlOpaque),
            ConfidenceLevel::Opaque
        );
    }

    #[test]
    fn downgrade_never_raises_confidence() {
        let prior = Confidence::new(ConfidenceLevel::Opaque, None);
        let out = downgrade_confidence(&prior, UnknownReason::RuntimeGrantOrRole);
        assert_eq!(out.level, ConfidenceLevel::Opaque);
    }

    #[test]
    fn downgrade_caps_high_to_low_for_runtime_role() {
        let prior = Confidence::new(ConfidenceLevel::High, Some("resolved in catalog".into()));
        let out = downgrade_confidence(&prior, UnknownReason::RuntimeGrantOrRole);
        assert_eq!(out.level, ConfidenceLevel::Low);
        let expl = out.explanation.unwrap();
        assert!(expl.contains("resolved in catalog"));
        assert!(expl.contains("capped at Low"));
    }

    #[test]
    fn empty_model_yields_empty_feed() {
        assert!(ambiguity_feed(&PrivilegeModel::default()).is_empty());
    }

    #[test]
    fn runtime_ambiguity_becomes_feed_entry_with_evidence() {
        let model = PrivilegeModel {
            runtime_ambiguities: vec![AuthorizationAmbiguity {
                schema: sn(1),
                object: on(2),
                reason: UnknownReason::RuntimeGrantOrRole,
                dependent_roles: vec![rn(3)],
                evidence: Evidence::new("X", "x"),
            }],
            ..PrivilegeModel::default()
        };
        let feed = ambiguity_feed(&model);
        assert_eq!(feed.len(), 1);
        let e = &feed[0];
        assert_eq!(e.schema, sn(1));
        assert_eq!(e.reason, UnknownReason::RuntimeGrantOrRole);
        assert_eq!(e.confidence_ceiling.level, ConfidenceLevel::Low);
        assert_eq!(e.sast_evidence.code, AMBIGUITY_EVIDENCE_CODE);
        assert_eq!(e.dependent_roles, vec![rn(3)]);
        assert!(
            e.sast_evidence
                .notes
                .iter()
                .any(|n| n.contains("dependent roles"))
        );
    }

    #[test]
    fn cross_schema_write_without_ambiguity_is_skipped() {
        let model = PrivilegeModel {
            cross_schema_writes: vec![CrossSchemaWrite {
                caller_schema: sn(1),
                caller_object: on(2),
                target_schema: sn(3),
                target_object: on(4),
                privilege: GrantPrivilege::Update,
                confidence: Confidence::new(ConfidenceLevel::High, None),
                evidence: Evidence::new("X", "x"),
                runtime_ambiguity: None,
            }],
            ..PrivilegeModel::default()
        };
        assert!(ambiguity_feed(&model).is_empty());
    }

    #[test]
    fn cross_schema_write_with_ambiguity_targets_written_object() {
        let model = PrivilegeModel {
            cross_schema_writes: vec![CrossSchemaWrite {
                caller_schema: sn(1),
                caller_object: on(2),
                target_schema: sn(3),
                target_object: on(4),
                privilege: GrantPrivilege::Update,
                confidence: Confidence::new(ConfidenceLevel::Low, None),
                evidence: Evidence::new("X", "x"),
                runtime_ambiguity: Some(UnknownReason::RuntimeGrantOrRole),
            }],
            ..PrivilegeModel::default()
        };
        let feed = ambiguity_feed(&model);
        assert_eq!(feed.len(), 1);
        // The feed entry keys on the *written* object so the symbol
        // layer downgrades references that resolve to it.
        assert_eq!(feed[0].schema, sn(3));
        assert_eq!(feed[0].object, on(4));
    }
}