Crate plsql_privileges

Expand description

Privilege and authorization model for PL/SQL analysis.

Models authorization-relevant semantics by combining source-code annotations (AUTHID, ACCESSIBLE BY) with catalog-derived grants and roles.

This crate is Layer 2 of the dependency graph — it depends on plsql-core and plsql-catalog.

Structs§

AccessControlEntry: Whether a unit is accessible by specific callers.
AmbiguityFeedEntry: One downstream-consumable ambiguity record.
AuthidDistribution: Bucketed AUTHID distribution. Pre-populated with zeros so consumers can rely on every bucket existing even when the count is 0.
AuthorizationAmbiguity: An authorization that cannot be resolved statically because it depends on runtime role state.
CrossSchemaWrite: Cross-schema write — a unit writes to an object in a different schema.
DoctorReasonRow: Per-reason count row. Sorted by reason for stable serialization.
PrivilegeConfig: Configuration for privilege resolution.
PrivilegeDoctorReport: Aggregated diagnostic counts for a single PrivilegeModel. The shape is stable across versions — new fields are added behind #[serde(default)] so older snapshots keep deserializing.
PrivilegeModel: Aggregated privilege model for an analysis run.
ResolvedPrivilege: Resolved privilege for a specific principal (user/role/public) on a specific object.
SynonymPrivilegePath: A resolved privilege that was inferred through a synonym chain.

AuthorizationMode: Authorization mode for a PL/SQL compilation unit.
GrantOption: Whether a privilege grant can be further delegated.
PrivilegePosture: Overall posture for the privilege model. Three-state by design — Caution is for anything that an agent should investigate; Unknown is reserved for cases where the model itself is suspect (e.g. runtime_ambiguities outnumber privileges).

AMBIGUITY_EVIDENCE_CODE: Stable evidence code so SAST rules / golden tests can match on it.

ambiguity_feed: Build the flat ambiguity feed from a resolved PrivilegeModel.
authorization_mode_for_object: Determine the authorization mode for a PL/SQL unit from its catalog metadata.
confidence_ceiling_for: The strongest confidence a result may claim when its authorization hinges on reason. Runtime role/grant state and invoker-rights resolution are genuinely undecidable without a live session, so they cap at Low; anything else we treat as Opaque (we don’t even know enough to call it Low).
doctor_report: Build a PrivilegeDoctorReport from a PrivilegeModel.
downgrade_confidence: Cap prior at the ceiling implied by reason. Never raises confidence — if the prior is already at/under the ceiling it is returned unchanged (only the explanation is appended). Ordering uses ConfidenceLevel’s derived Ord where High < Medium < Low < Opaque (a larger discriminant == less confident), so the capped level is max(prior, ceiling).
resolve_privileges: Resolve a privilege model from a catalog snapshot and configuration.