defmodule Ash.Policy.Info do @moduledoc """ An authorization extension for ash resources. For more information, see `Ash.Policy.Authorizer` """ @type request :: Ash.Engine.Request.t() alias Spark.Dsl.Extension @doc "Whether or not Ash policy authorizer is configured to show policy breakdowns in error messages" def show_policy_breakdowns? do Application.get_env(:ash, :policies)[:show_policy_breakdowns?] || false end @doc "Whether or not Ash policy authorizer is configured to log policy breakdowns" def log_policy_breakdowns do Application.get_env(:ash, :policies)[:log_policy_breakdowns] end @doc "Whether or not Ash policy authorizer is configured to log successful policy breakdowns" def log_successful_policy_breakdowns do Application.get_env(:ash, :policies)[:log_successful_policy_breakdowns] end @doc "Gets the field policies relevant to a given field" def field_policies_for_field(resource, field) do Extension.get_persisted(resource, :fields_to_field_policies, %{})[field] end @doc """ A utility to determine if a given query/changeset would pass authorization. *This is still experimental.* """ def strict_check(_actor, %{action: nil}, _) do raise "Cannot use `strict_check/3` unless an action has been set on the query/changeset" end def strict_check(actor, %{__struct__: Ash.Query} = query, api) do query = Ash.Query.set_context(query, %{private: %{pre_flight_authorization?: true}}) authorizer = %Ash.Policy.Authorizer{ actor: actor, resource: query.resource, action: query.action } case Ash.Policy.Authorizer.strict_check(authorizer, %{ api: api, query: query, changeset: nil }) do {:error, _error} -> false {:authorized, _} -> true {:filter, _, _} -> true _ -> :maybe end end def strict_check(actor, %{__struct__: Ash.Changeset} = changeset, api) do changeset = Ash.Changeset.set_context(changeset, %{private: %{pre_flight_authorization?: true}}) authorizer = %Ash.Policy.Authorizer{ actor: actor, resource: changeset.resource, action: changeset.action } case Ash.Policy.Authorizer.strict_check(authorizer, %{ api: api, changeset: changeset, query: nil }) do {:error, _error} -> false {:authorized, _} -> true {:filter, _, _} -> :maybe _ -> :maybe end end def describe_resource(resource) do resource |> policies() |> describe_policies() end defp describe_policies(policies) do Enum.map_join(policies, "\n", fn policy -> case policy.condition do empty when empty in [nil, []] -> describe_checks(policy.policies) conditions -> "When:\n" <> indent(describe_conditions(conditions)) <> "\nThen:\n" <> indent(describe_checks(policy.policies)) end end) end defp describe_checks(checks) do checks |> Enum.map_join("\n", fn %{type: type, check_module: check_module, check_opts: check_opts} -> "#{type}: #{check_module.describe(check_opts)}" end) |> Kernel.<>("\n") end defp describe_conditions(conditions) do Enum.map_join(conditions, " and ", fn {check_module, check_opts} -> check_module.describe(check_opts) end) end defp indent(string) do string |> String.split("\n") |> Enum.map_join("\n", fn line -> " " <> line end) end def field_policies(resource) do resource |> Extension.get_entities([:field_policies]) |> set_access_type(default_access_type(resource)) end def policies(resource) do resource |> Extension.get_entities([:policies]) |> set_access_type(default_access_type(resource)) end def default_access_type(resource) do Extension.get_opt(resource, [:policies], :default_access_type, :strict, false) end @doc """ A utility to determine if an actor is or may be authorized for a given action. A shortcut for calling `can/4` but with the `maybe_is` option defaulting to `false`, so this should always return a boolean. See the documentation of `can/4` for more. """ @type can_option? :: {:api, module} | {:maybe_is, boolean()} @spec can?( Ash.Resource.t(), atom() | Ash.Resource.Actions.action() | Ash.Query.t() | Ash.Changeset.t(), map() | nil, list(can_option?()) ) :: boolean() @deprecated "Please use `YourApi.can?` instead." def can?(resource, action_or_query_or_changeset, actor, opts \\ []) do opts = Keyword.put(opts, :maybe_is, Keyword.get(opts, :maybe_is, false)) can(resource, action_or_query_or_changeset, actor, opts) end @doc """ A utility to determine if an actor is or may be authorized for a given action/query/changeset. This only runs the "strict check" portion of policies, meaning that it can return `:maybe` in some cases. If you have `access_type :runtime` in any of your policies, then you may get `:maybe` from this function. To customize what is returned in the case of `:maybe` you can provide the `maybe_is` option, i.e `maybe_is: true`. This makes sense when you want to a show a button, but only if the user may be able to perform the action. For read actions, an important thing to factor in here is that typically policies just end up filtering the action. This means that even if you try to read something you can't read, your read action will succeed but nothing will be returned, and this function would return `true`. """ @type can_option :: {:api, module} | {:maybe_is, boolean() | :maybe} @spec can( Ash.Resource.t(), atom() | Ash.Resource.Actions.action() | Ash.Query.t() | Ash.Changeset.t(), map() | nil, list(can_option()) ) :: boolean() | :maybe @deprecated "Please use `YourApi.can` instead." def can(resource, action_or_query_or_changeset, actor, opts \\ []) do api = Keyword.fetch!(opts, :api) maybe_is = Keyword.get(opts, :maybe_is, :maybe) action_or_query_or_changeset = case action_or_query_or_changeset do %Ash.Query{} = query -> query %Ash.Changeset{} = changeset -> changeset %Ash.Resource.Actions.Create{} = action -> action %Ash.Resource.Actions.Read{} = action -> action %Ash.Resource.Actions.Update{} = action -> action %Ash.Resource.Actions.Destroy{} = action -> action name when is_atom(name) -> Ash.Resource.Info.action(resource, name) end # Get action type from resource case action_or_query_or_changeset do %Ash.Query{} = query -> run_check(actor, query, api: api, maybe_is: maybe_is) %Ash.Changeset{} = changeset -> run_check(actor, changeset, api: api, maybe_is: maybe_is) %{type: :update, name: name} -> query = struct(resource) |> Ash.Changeset.new(%{}) |> Ash.Changeset.for_update(name) run_check(actor, query, api: api, maybe_is: maybe_is) %{type: :create, name: name} -> query = resource |> Ash.Changeset.new() |> Ash.Changeset.for_create(name) run_check(actor, query, api: api, maybe_is: maybe_is) %{type: :read, name: name} -> query = Ash.Query.for_read(resource, name) run_check(actor, query, api: api, maybe_is: maybe_is) %{type: :destroy, name: name} -> query = struct(resource) |> Ash.Changeset.new() |> Ash.Changeset.for_destroy(name) run_check(actor, query, api: api, maybe_is: maybe_is) _ -> raise ArgumentError, message: "Invalid action/query/changeset \"#{inspect(action_or_query_or_changeset)}\"" end end defp run_check(actor, query, api: api, maybe_is: maybe_is) do case strict_check(actor, query, api) do true -> true :maybe -> maybe_is _ -> false end end # This should be done at compile time defp set_access_type(policies, default) when is_list(policies) do Enum.map(policies, &set_access_type(&1, default)) end defp set_access_type( %Ash.Policy.Policy{ policies: policies, condition: conditions, checks: checks, access_type: access_type } = policy, default ) do %{ policy | policies: set_access_type(policies, access_type || default), condition: set_access_type(conditions, access_type || default), checks: set_access_type(checks, default), access_type: access_type || default } end defp set_access_type(%Ash.Policy.Check{check_opts: check_opts} = check, default) do %{check | check_opts: Keyword.update(check_opts, :access_type, default, &(&1 || default))} end defp set_access_type({module, opts}, default), do: {module, Keyword.update(opts, :access_type, default, &(&1 || default))} defp set_access_type(other, _), do: other end