reddb-io-server 1.9.0

RedDB server-side engine: storage, runtime, replication, MCP, AI, and the gRPC/HTTP/RedWire/PG-wire dispatchers. Re-exported by the umbrella `reddb` crate.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295

//! Policy enforcement mode (#712).
//!
//! Controls what `AuthStore::check_policy_authz_with_role` does when the
//! policy evaluator returns [`DefaultDeny`][crate::auth::policies::Decision::DefaultDeny]
//! — i.e. no statement matched, neither allow nor deny.
//!
//! * [`PolicyEnforcementMode::LegacyRbac`] — fall back to the legacy
//!   role-based decision computed by [`legacy_rbac_decision`]. This is
//!   the default for existing installs so upgrading does not silently
//!   tighten access for principals that have not yet been migrated to
//!   IAM policies.
//! * [`PolicyEnforcementMode::PolicyOnly`] — surface the `DefaultDeny`
//!   as a deny. This is the default for fresh bootstraps and the
//!   long-term posture; the upcoming `MIGRATE POLICY MODE TO
//!   'policy_only'` SQL (next slice, S5B) flips an existing install
//!   over after the operator has audited their attached policies.
//!
//! The mode is plumbed through [`super::store::AuthStore`] and read on
//! every policy decision. It is configured by the `red.config.policy.
//! enforcement_mode` config key — see `runtime::impl_config` for the
//! write-path validation and the boot-time loader.

use super::action_catalog::{lookup, ActionCategory};
use super::Role;

/// Config key that selects the enforcement mode.
pub const ENFORCEMENT_MODE_CONFIG_KEY: &str = "red.config.policy.enforcement_mode";

/// Version at which `policy_only` becomes the only accepted mode and the
/// `legacy_rbac` fallback is removed. Reported by `SHOW POLICIES` so
/// operators know how long they have to migrate.
pub const POLICY_ONLY_HARD_VERSION: &str = "1.0.0";

/// Selects the behaviour of the policy evaluator when no statement
/// matches the requested `(action, resource)` pair. See the module
/// docs for the semantics of each variant.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PolicyEnforcementMode {
    /// Fall back to the role-based decision when no policy matches.
    LegacyRbac,
    /// Treat "no matching policy" as `DefaultDeny`.
    PolicyOnly,
}

impl PolicyEnforcementMode {
    pub fn as_str(self) -> &'static str {
        match self {
            Self::LegacyRbac => "legacy_rbac",
            Self::PolicyOnly => "policy_only",
        }
    }

    /// Parse a configuration value. Returns `None` for any string that
    /// is not exactly one of the two accepted modes — callers turn that
    /// `None` into the "invalid value" rejection at config-write time.
    pub fn parse(value: &str) -> Option<Self> {
        match value {
            "legacy_rbac" => Some(Self::LegacyRbac),
            "policy_only" => Some(Self::PolicyOnly),
            _ => None,
        }
    }

    /// Default for a fresh bootstrap (no prior config, no prior users).
    /// Fresh installs start in the strict posture so they never carry
    /// the legacy RBAC fallback as accumulated technical debt.
    pub const fn default_fresh_bootstrap() -> Self {
        Self::PolicyOnly
    }

    /// Default for an existing install that has no
    /// `enforcement_mode` key set. Preserves pre-#712 behaviour so the
    /// upgrade is non-disruptive; operators move to `policy_only`
    /// explicitly via the migration command (S5B).
    pub const fn default_existing_install() -> Self {
        Self::LegacyRbac
    }
}

impl std::fmt::Display for PolicyEnforcementMode {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.write_str(self.as_str())
    }
}

/// Computes the legacy role-based decision for a `(role, action)` pair.
///
/// This is the function `LegacyRbac` mode falls back to when the
/// evaluator returns `DefaultDeny`. The mapping is action-category
/// driven (via [`super::action_catalog`]) so that adding a new action
/// to the catalog inherits a sensible role floor without touching this
/// function.
///
/// Category → required role floor:
///
/// * `Dml` reads (`select`) → `Read`.
/// * `Dml` writes / `Schema` → `Write`.
/// * `Ddl`, `Function`, `Mgmt`, `Policy`, `Admin`, `Config`, `Vault`,
///   `Wildcard`, `Other` → `Admin`.
/// * `Ai` → `Read` (analytics-facing surface; reserved category today).
///
/// Unknown actions (not in the catalog) require `Admin`, matching the
/// conservative pre-#712 default for verbs the kernel does not
/// recognise.
pub fn legacy_rbac_decision(role: Role, action: &str) -> bool {
    let required = required_role_for_action(action);
    role >= required
}

/// Internal: minimum role required to satisfy `action` under the legacy
/// RBAC posture. Exposed via [`legacy_rbac_decision`].
fn required_role_for_action(action: &str) -> Role {
    // The two distinct reads in the DML category. Everything else in
    // the DML category mutates data and demands Write.
    if action == "select"
        || action == "queue:peek"
        || action == "queue:presence:read"
        || action == "vector:read"
        || action == "vector:search"
        || action == "vector:artifact:read"
    {
        return Role::Read;
    }
    match lookup(action) {
        Some(entry) => match entry.category {
            ActionCategory::Dml => Role::Write,
            ActionCategory::Schema => Role::Write,
            ActionCategory::Ai => Role::Read,
            ActionCategory::Notification => Role::Write,
            ActionCategory::Stream => Role::Write,
            ActionCategory::Queue => Role::Write,
            ActionCategory::Graph => Role::Read,
            // Operational reads default to `Role::Read` under legacy RBAC —
            // the HTTP surface is already gated by the `RED_ADMIN_TOKEN`
            // env path or by the role middleware's read-gate, so
            // demanding `Admin` here would lock out existing dashboards
            // on installs that haven't adopted IAM. The fine-grained
            // scope is enforced by `check_ops_http_policy` when IAM is
            // active.
            ActionCategory::Ops => Role::Read,
            ActionCategory::Vector => Role::Write,
            ActionCategory::Ddl
            | ActionCategory::Function
            | ActionCategory::Mgmt
            | ActionCategory::Policy
            | ActionCategory::Admin
            | ActionCategory::Config
            | ActionCategory::Vault
            | ActionCategory::Wildcard
            | ActionCategory::Other => Role::Admin,
        },
        None => Role::Admin,
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn parse_accepts_both_modes() {
        assert_eq!(
            PolicyEnforcementMode::parse("legacy_rbac"),
            Some(PolicyEnforcementMode::LegacyRbac)
        );
        assert_eq!(
            PolicyEnforcementMode::parse("policy_only"),
            Some(PolicyEnforcementMode::PolicyOnly)
        );
    }

    #[test]
    fn parse_rejects_invalid_values() {
        for bad in &[
            "",
            "rbac",
            "LEGACY_RBAC",
            "policy-only",
            "off",
            " policy_only",
        ] {
            assert!(
                PolicyEnforcementMode::parse(bad).is_none(),
                "parse should reject {bad:?}"
            );
        }
    }

    #[test]
    fn defaults_documented_for_fresh_vs_existing() {
        // Fresh bootstraps land in the strict posture; existing
        // installs land in the lenient one so an upgrade does not
        // accidentally lock anyone out.
        assert_eq!(
            PolicyEnforcementMode::default_fresh_bootstrap(),
            PolicyEnforcementMode::PolicyOnly
        );
        assert_eq!(
            PolicyEnforcementMode::default_existing_install(),
            PolicyEnforcementMode::LegacyRbac
        );
    }

    #[test]
    fn display_round_trip() {
        for m in &[
            PolicyEnforcementMode::LegacyRbac,
            PolicyEnforcementMode::PolicyOnly,
        ] {
            let s = m.to_string();
            assert_eq!(PolicyEnforcementMode::parse(&s), Some(*m));
        }
    }

    #[test]
    fn legacy_rbac_select_requires_only_read() {
        assert!(legacy_rbac_decision(Role::Read, "select"));
        assert!(legacy_rbac_decision(Role::Write, "select"));
        assert!(legacy_rbac_decision(Role::Admin, "select"));
    }

    #[test]
    fn legacy_rbac_dml_write_requires_write() {
        for action in &["insert", "update", "delete", "truncate", "write"] {
            assert!(
                !legacy_rbac_decision(Role::Read, action),
                "Read must not satisfy {action}",
            );
            assert!(
                legacy_rbac_decision(Role::Write, action),
                "Write must satisfy {action}",
            );
            assert!(
                legacy_rbac_decision(Role::Admin, action),
                "Admin must satisfy {action}",
            );
        }
    }

    #[test]
    fn legacy_rbac_admin_categories_require_admin() {
        for action in &[
            "create",
            "drop",
            "alter",
            "grant",
            "revoke",
            "policy:put",
            "admin:bootstrap",
            "config:write",
            "vault:read",
            "*",
        ] {
            assert!(
                !legacy_rbac_decision(Role::Read, action),
                "Read must not satisfy {action}",
            );
            assert!(
                !legacy_rbac_decision(Role::Write, action),
                "Write must not satisfy {action}",
            );
            assert!(
                legacy_rbac_decision(Role::Admin, action),
                "Admin must satisfy {action}",
            );
        }
    }

    #[test]
    fn legacy_rbac_unknown_action_requires_admin() {
        // Conservative default: an action verb the catalog does not
        // know about cannot be granted to non-admins under legacy
        // RBAC fallback. Operators must add the verb to the catalog
        // (and ideally to a policy) before non-admin principals can
        // use it.
        assert!(!legacy_rbac_decision(Role::Read, "made-up:verb"));
        assert!(!legacy_rbac_decision(Role::Write, "made-up:verb"));
        assert!(legacy_rbac_decision(Role::Admin, "made-up:verb"));
    }

    #[test]
    fn hard_version_constant_is_well_formed() {
        // We expose this string in SHOW POLICIES. It must parse as a
        // dotted semver-style identifier (digits and dots only), with
        // at least one dot, so client tooling can compare versions.
        let v = POLICY_ONLY_HARD_VERSION;
        assert!(v.contains('.'), "hard version must look like x.y[.z]");
        for ch in v.chars() {
            assert!(
                ch.is_ascii_digit() || ch == '.',
                "hard version must contain only digits and dots, got {ch:?}"
            );
        }
    }
}