{{/* Copyright 2019-present Facebook Inc. All rights reserved. This source code is licensed under the Apache 2.0 license found in the LICENSE file in the root directory of this source tree. */}} {{ define "privacy" }} {{- with extend $ "Package" "privacy" -}} {{ template "header" . }} {{ end }} import "{{ $.Config.Package }}" {{ $pkg := base $.Config.Package }} var ( // Allow may be returned by rules to indicate that the policy // evaluation should terminate with an allow decision. Allow = errors.New("ent/privacy: allow rule") // Deny may be returned by rules to indicate that the policy // evaluation should terminate with an deny decision. Deny = errors.New("ent/privacy: deny rule") // Skip may be returned by rules to indicate that the policy // evaluation should continue to the next rule. Skip = errors.New("ent/privacy: skip rule") ) {{- range $decision := list "Allow" "Deny" "Skip" }} // {{ $decision }}f returns an formatted wrapped {{ $decision }} decision. func {{ $decision }}f(format string, a ...interface{}) error { return fmt.Errorf(format+": %w", append(a, {{ $decision }})...) } {{- end }} type ( // QueryPolicy combines multiple query rules into a single policy. QueryPolicy []QueryRule // QueryRule defines the interface deciding whether a // query is allowed and optionally modify it. QueryRule interface { EvalQuery(context.Context, {{ $pkg }}.Query) error } ) // EvalQuery evaluates a query against a query policy. func (policy QueryPolicy) EvalQuery(ctx context.Context, q {{ $pkg }}.Query) error { for _, rule := range policy { switch err := rule.EvalQuery(ctx, q); { case err == nil || errors.Is(err, Skip): case errors.Is(err, Allow): return nil default: return err } } return nil } // QueryRuleFunc type is an adapter to allow the use of // ordinary functions as query rules. type QueryRuleFunc func(context.Context, {{ $pkg }}.Query) error // Eval returns f(ctx, q). func (f QueryRuleFunc) EvalQuery(ctx context.Context, q {{ $pkg }}.Query) error { return f(ctx, q) } type ( // MutationPolicy combines multiple mutation rules into a single policy. MutationPolicy []MutationRule // MutationRule defines the interface deciding whether a // mutation is allowed and optionally modify it. MutationRule interface { EvalMutation(context.Context, {{ $pkg }}.Mutation) error } ) // EvalMutation evaluates a mutation against a mutation policy. func (policy MutationPolicy) EvalMutation(ctx context.Context, m {{ $pkg }}.Mutation) error { for _, rule := range policy { switch err := rule.EvalMutation(ctx, m); { case err == nil || errors.Is(err, Skip): case errors.Is(err, Allow): return nil default: return err } } return nil } // MutationRuleFunc type is an adapter to allow the use of // ordinary functions as mutation rules. type MutationRuleFunc func(context.Context, {{ $pkg }}.Mutation) error // EvalMutation returns f(ctx, m). func (f MutationRuleFunc) EvalMutation(ctx context.Context, m {{ $pkg }}.Mutation) error { return f(ctx, m) } // Policy groups query and mutation policies. type Policy struct { Query QueryPolicy Mutation MutationPolicy } // EvalQuery forwards evaluation to query policy. func (policy Policy) EvalQuery(ctx context.Context, q {{ $pkg }}.Query) error { return policy.Query.EvalQuery(ctx, q) } // EvalMutation forwards evaluation to mutation policy. func (policy Policy) EvalMutation(ctx context.Context, m {{ $pkg }}.Mutation) error { return policy.Mutation.EvalMutation(ctx, m) } // QueryMutationRule is the interface that groups query and mutation rules. type QueryMutationRule interface { QueryRule MutationRule } // AlwaysAllowRule returns a rule that returns an allow decision. func AlwaysAllowRule() QueryMutationRule { return fixedDecisionRule{Allow} } // AlwaysDenyRule returns a rule that returns a deny decision. func AlwaysDenyRule() QueryMutationRule { return fixedDecisionRule{Deny} } type fixedDecisionRule struct { err error } func (f fixedDecisionRule) EvalQuery(context.Context, {{ $pkg }}.Query) error { return f.err } func (f fixedDecisionRule) EvalMutation(context.Context, {{ $pkg }}.Mutation) error { return f.err } // DenyMutationOperationRule returns a rule denying specified mutation operation. func DenyMutationOperationRule(op {{ $pkg }}.Op) MutationRule { return MutationRuleFunc(func(_ context.Context, m {{ $pkg }}.Mutation) error { if m.Op().Is(op) { return Denyf("ent/privacy: operation %s is not allowed", m.Op()) } return Skip }) } {{- range $n := $.Nodes }} {{ $name := print $n.Name "QueryRuleFunc" }} {{ $type := printf "*%s.%s" $pkg $n.QueryName }} // The {{ $name }} type is an adapter to allow the use of ordinary // functions as a query rule. type {{ $name }} func(context.Context, {{ $type }}) error // EvalQuery return f(ctx, q). func (f {{ $name }}) EvalQuery(ctx context.Context, q {{ $pkg }}.Query) error { if q, ok := q.({{ $type }}); ok { return f(ctx, q) } return Denyf("ent/privacy: unexpected query type %T, expect {{ $type }}", q) } {{ $name = print $n.Name "MutationRuleFunc" }} {{ $type = printf "*%s.%s" $pkg $n.MutationName }} // The {{ $name }} type is an adapter to allow the use of ordinary // functions as a mutation rule. type {{ $name }} func(context.Context, {{ $type }}) error // EvalMutation calls f(ctx, m). func (f {{ $name }}) EvalMutation(ctx context.Context, m {{ $pkg }}.Mutation) error { if m, ok := m.({{ $type }}); ok { return f(ctx, m) } return Denyf("ent/privacy: unexpected mutation type %T, expect {{ $type }}", m) } {{- end }} {{ end }}