more fixes

Author: ymc9

packages/runtime/src/enhancements/policy/constraint-solver.ts

@@ -57,7 +57,7 @@ export class ConstraintSolver {
                 (c) => this.buildVariableFormula(c)
             )
             .when(
-                (c): c is ComparisonConstraint => ['eq', 'gt', 'gte', 'lt', 'lte'].includes(c.kind),
+                (c): c is ComparisonConstraint => ['eq', 'ne', 'gt', 'gte', 'lt', 'lte'].includes(c.kind),
                 (c) => this.buildComparisonFormula(c)
             )
             .when(
@@ -71,24 +71,51 @@ export class ConstraintSolver {
 
     private buildLogicalFormula(constraint: LogicalConstraint) {
         return match(constraint.kind)
-            .with('and', () => Logic.and(...constraint.children.map((c) => this.buildFormula(c))))
-            .with('or', () => Logic.or(...constraint.children.map((c) => this.buildFormula(c))))
-            .with('not', () => {
-                if (constraint.children.length !== 1) {
-                    throw new Error('"not" constraint must have exactly one child');
-                }
-                return Logic.not(this.buildFormula(constraint.children[0]));
-            })
+            .with('and', () => this.buildAndFormula(constraint))
+            .with('or', () => this.buildOrFormula(constraint))
+            .with('not', () => this.buildNotFormula(constraint))
             .exhaustive();
     }
 
+    private buildAndFormula(constraint: LogicalConstraint): Logic.Formula {
+        if (constraint.children.some((c) => this.isFalse(c))) {
+            // short-circuit
+            return Logic.FALSE;
+        }
+        return Logic.and(...constraint.children.map((c) => this.buildFormula(c)));
+    }
+
+    private buildOrFormula(constraint: LogicalConstraint): Logic.Formula {
+        if (constraint.children.some((c) => this.isTrue(c))) {
+            // short-circuit
+            return Logic.TRUE;
+        }
+        return Logic.or(...constraint.children.map((c) => this.buildFormula(c)));
+    }
+
+    private buildNotFormula(constraint: LogicalConstraint) {
+        if (constraint.children.length !== 1) {
+            throw new Error('"not" constraint must have exactly one child');
+        }
+        return Logic.not(this.buildFormula(constraint.children[0]));
+    }
+
+    private isTrue(constraint: CheckerConstraint): unknown {
+        return constraint.kind === 'value' && constraint.value === true;
+    }
+
+    private isFalse(constraint: CheckerConstraint): unknown {
+        return constraint.kind === 'value' && constraint.value === false;
+    }
+
     private buildComparisonFormula(constraint: ComparisonConstraint) {
         if (constraint.left.kind === 'value' && constraint.right.kind === 'value') {
             // constant comparison
             const left: ValueConstraint = constraint.left;
             const right: ValueConstraint = constraint.right;
             return match(constraint.kind)
                 .with('eq', () => (left.value === right.value ? Logic.TRUE : Logic.FALSE))
+                .with('ne', () => (left.value !== right.value ? Logic.TRUE : Logic.FALSE))
                 .with('gt', () => (left.value > right.value ? Logic.TRUE : Logic.FALSE))
                 .with('gte', () => (left.value >= right.value ? Logic.TRUE : Logic.FALSE))
                 .with('lt', () => (left.value < right.value ? Logic.TRUE : Logic.FALSE))
@@ -98,6 +125,7 @@ export class ConstraintSolver {
 
         return match(constraint.kind)
             .with('eq', () => this.transformEquality(constraint.left, constraint.right))
+            .with('ne', () => this.transformInequality(constraint.left, constraint.right))
             .with('gt', () =>
                 this.transformComparison(constraint.left, constraint.right, (l, r) => Logic.greaterThan(l, r))
             )
@@ -177,6 +205,10 @@ export class ConstraintSolver {
         }
     }
 
+    private transformInequality(left: ComparisonTerm, right: ComparisonTerm) {
+        return Logic.not(this.transformEquality(left, right));
+    }
+
     private transformComparison(
         left: ComparisonTerm,
         right: ComparisonTerm,

packages/runtime/src/enhancements/types.ts

@@ -66,7 +66,7 @@ export type ComparisonTerm = VariableConstraint | ValueConstraint;
  * Comparison constraint
  */
 export type ComparisonConstraint = {
-    kind: 'eq' | 'gt' | 'gte' | 'lt' | 'lte';
+    kind: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte';
     left: ComparisonTerm;
     right: ComparisonTerm;
 };

packages/schema/src/plugins/enhancer/policy/constraint-transformer.ts

@@ -1,7 +1,8 @@
-import { ZModelCodeGenerator, isAuthInvocation } from '@zenstackhq/sdk';
+import { ZModelCodeGenerator, getRelationKeyPairs, isAuthInvocation, isDataModelFieldReference } from '@zenstackhq/sdk';
 import {
     BinaryExpr,
     BooleanLiteral,
+    DataModelField,
     Expression,
     ExpressionType,
     LiteralExpr,
@@ -160,46 +161,28 @@ export class ConstraintTransformer {
     }
 
     private transformComparison(expr: BinaryExpr) {
-        if (this.isAuthEqualNull(expr)) {
-            // `auth() == null` => `user === null`
-            return this.value(`${this.options.authAccessor} === null`, 'boolean');
-        }
-
-        if (this.isAuthNotEqualNull(expr)) {
-            // `auth() != null` => `user !== null`
-            return this.value(`${this.options.authAccessor} !== null`, 'boolean');
+        if (isAuthInvocation(expr.left) || isAuthInvocation(expr.right)) {
+            // handle the case if any operand is `auth()` invocation
+            const authComparison = this.transformAuthComparison(expr);
+            return authComparison ?? this.nextVar();
         }
 
         const leftOperand = this.getComparisonOperand(expr.left);
         const rightOperand = this.getComparisonOperand(expr.right);
 
-        const op = match(expr.operator)
-            .with('==', () => 'eq')
-            .with('!=', () => 'eq')
-            .with('<', () => 'lt')
-            .with('<=', () => 'lte')
-            .with('>', () => 'gt')
-            .with('>=', () => 'gte')
-            .otherwise(() => {
-                throw new Error(`Unsupported operator: ${expr.operator}`);
-            });
-
-        let result = `{ kind: '${op}', left: ${leftOperand}, right: ${rightOperand} }`;
-        if (expr.operator === '!=') {
-            // transform "!=" into "not eq"
-            result = this.not(result);
-        }
+        const op = this.mapOperatorToConstraintKind(expr.operator);
+        const result = `{ kind: '${op}', left: ${leftOperand}, right: ${rightOperand} }`;
 
-        // `auth()` access can be undefined, when that happens, we assume a false condition
-        // for the comparison, unless we're directly comparing `auth() != null`
+        // `auth()` member access can be undefined, when that happens, we assume a false condition
+        // for the comparison
 
         const leftAuthAccess = this.getAuthAccess(expr.left);
         const rightAuthAccess = this.getAuthAccess(expr.right);
 
-        if (leftAuthAccess) {
+        if (leftAuthAccess && rightOperand) {
             // `auth().f op x` => `auth().f !== undefined && auth().f op x`
             return this.and(this.value(`${this.normalizeToNull(leftAuthAccess)} !== null`, 'boolean'), result);
-        } else if (rightAuthAccess) {
+        } else if (rightAuthAccess && leftOperand) {
             // `x op auth().f` => `auth().f !== undefined && x op auth().f`
             return this.and(this.value(`${this.normalizeToNull(rightAuthAccess)} !== null`, 'boolean'), result);
         }
@@ -212,6 +195,64 @@ export class ConstraintTransformer {
         return result;
     }
 
+    private transformAuthComparison(expr: BinaryExpr) {
+        if (this.isAuthEqualNull(expr)) {
+            // `auth() == null` => `user === null`
+            return this.value(`${this.options.authAccessor} === null`, 'boolean');
+        }
+
+        if (this.isAuthNotEqualNull(expr)) {
+            // `auth() != null` => `user !== null`
+            return this.value(`${this.options.authAccessor} !== null`, 'boolean');
+        }
+
+        // auth() equality check against a relation, translate to id-fk comparison
+        const operand = isAuthInvocation(expr.left) ? expr.right : expr.left;
+        if (!isDataModelFieldReference(operand)) {
+            return undefined;
+        }
+
+        // get id-fk field pairs from the relation field
+        const relationField = operand.target.ref as DataModelField;
+        const idFkPairs = getRelationKeyPairs(relationField);
+
+        // build id-fk field comparison constraints
+        const fieldConstraints: string[] = [];
+
+        idFkPairs.forEach(({ id, foreignKey }) => {
+            const idFieldType = this.mapType(id.type.type as ExpressionType);
+            if (!idFieldType) {
+                return;
+            }
+            const fkFieldType = this.mapType(foreignKey.type.type as ExpressionType);
+            if (!fkFieldType) {
+                return;
+            }
+
+            const op = this.mapOperatorToConstraintKind(expr.operator);
+            const authIdAccess = `${this.options.authAccessor}?.${id.name}`;
+
+            fieldConstraints.push(
+                this.and(
+                    // `auth()?.id != null` guard
+                    this.value(`${this.normalizeToNull(authIdAccess)} !== null`, 'boolean'),
+                    // `auth()?.id [op] fkField`
+                    `{ kind: '${op}', left: ${this.value(authIdAccess, idFieldType)}, right: ${this.variable(
+                        foreignKey.name,
+                        fkFieldType
+                    )} }`
+                )
+            );
+        });
+
+        // combine field constraints
+        if (fieldConstraints.length > 0) {
+            return this.and(...fieldConstraints);
+        }
+
+        return undefined;
+    }
+
     // normalize `auth()` access undefined value to null
     private normalizeToNull(expr: string) {
         return `(${expr} ?? null)`;
@@ -241,7 +282,7 @@ export class ConstraintTransformer {
         const fieldAccess = this.getFieldAccess(expr);
         if (fieldAccess) {
             // model field access is transformed into a named variable
-            const mappedType = this.mapType(expr);
+            const mappedType = this.mapExpressionType(expr);
             if (mappedType) {
                 return this.variable(fieldAccess.name, mappedType);
             } else {
@@ -251,7 +292,7 @@ export class ConstraintTransformer {
 
         const authAccess = this.getAuthAccess(expr);
         if (authAccess) {
-            const mappedType = this.mapType(expr);
+            const mappedType = this.mapExpressionType(expr);
             if (mappedType) {
                 return `${this.value(authAccess, mappedType)}`;
             } else {
@@ -262,14 +303,31 @@ export class ConstraintTransformer {
         return undefined;
     }
 
-    private mapType(expression: Expression) {
-        return match(expression.$resolvedType?.decl as ExpressionType)
+    private mapExpressionType(expression: Expression) {
+        return this.mapType(expression.$resolvedType?.decl as ExpressionType);
+    }
+
+    private mapType(type: ExpressionType) {
+        return match(type)
             .with('Boolean', () => 'boolean')
             .with('Int', () => 'number')
             .with('String', () => 'string')
             .otherwise(() => undefined);
     }
 
+    private mapOperatorToConstraintKind(operator: BinaryExpr['operator']) {
+        return match(operator)
+            .with('==', () => 'eq')
+            .with('!=', () => 'ne')
+            .with('<', () => 'lt')
+            .with('<=', () => 'lte')
+            .with('>', () => 'gt')
+            .with('>=', () => 'gte')
+            .otherwise(() => {
+                throw new Error(`Unsupported operator: ${operator}`);
+            });
+    }
+
     private getFieldAccess(expr: Expression) {
         if (isReferenceExpr(expr)) {
             return isDataModelField(expr.target.ref) ? { name: expr.target.$refText } : undefined;

packages/schema/src/plugins/enhancer/policy/policy-guard-generator.ts

@@ -922,7 +922,7 @@ export class PolicyGenerator {
         statements.push(`return ${transformed};`);
 
         const func = sourceFile.addFunction({
-            name: `${model.name}Checker_${kind}`,
+            name: `${model.name}$checker$${kind}`,
             returnType: 'CheckerConstraint',
             parameters: [
                 {

packages/sdk/src/utils.ts

@@ -298,9 +298,9 @@ export function isForeignKeyField(field: DataModelField) {
 }
 
 /**
- * Gets the foreign key fields of the given relation field.
+ * Gets the foreign key-id field pairs from the given relation field.
  */
-export function getForeignKeyFields(relationField: DataModelField) {
+export function getRelationKeyPairs(relationField: DataModelField) {
     if (!isRelationshipField(relationField)) {
         return [];
     }
@@ -309,11 +309,31 @@ export function getForeignKeyFields(relationField: DataModelField) {
     if (relAttr) {
         // find "fields" arg
         const fieldsArg = getAttributeArg(relAttr, 'fields');
+        let fkFields: DataModelField[];
         if (fieldsArg && isArrayExpr(fieldsArg)) {
-            return fieldsArg.items
+            fkFields = fieldsArg.items
                 .filter((item): item is ReferenceExpr => isReferenceExpr(item))
                 .map((item) => item.target.ref as DataModelField);
+        } else {
+            return [];
         }
+
+        // find "references" arg
+        const referencesArg = getAttributeArg(relAttr, 'references');
+        let idFields: DataModelField[];
+        if (referencesArg && isArrayExpr(referencesArg)) {
+            idFields = referencesArg.items
+                .filter((item): item is ReferenceExpr => isReferenceExpr(item))
+                .map((item) => item.target.ref as DataModelField);
+        } else {
+            return [];
+        }
+
+        if (idFields.length !== fkFields.length) {
+            throw new Error(`Relation's references arg and fields are must have equal length`);
+        }
+
+        return idFields.map((idField, i) => ({ id: idField, foreignKey: fkFields[i] }));
     }
 
     return [];

tests/integration/tests/enhancements/with-policy/checker.test.ts

@@ -306,6 +306,48 @@ describe('Permission checker', () => {
         await expect(enhance({ id: 1, admin: false }).model.check('update')).toResolveTruthy();
     });
 
+    it('auth compared with relation field', async () => {
+        const { enhance } = await loadSchema(
+            `
+            model User {
+                id Int @id @default(autoincrement())
+                models Model[]
+            }
+
+            model Model {
+                id Int @id @default(autoincrement())
+                owner User @relation(fields: [ownerId], references: [id])
+                ownerId Int
+                @@allow('read', auth().id == ownerId)
+                @@allow('create', auth().id != ownerId)
+                @@allow('update', auth() == owner)
+                @@allow('delete', auth() != owner)
+            }
+            `,
+            { preserveTsFiles: true }
+        );
+
+        await expect(enhance().model.check('read')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('read')).toResolveTruthy();
+        await expect(enhance({ id: 1 }).model.check('read', { ownerId: 1 })).toResolveTruthy();
+        await expect(enhance({ id: 1 }).model.check('read', { ownerId: 2 })).toResolveFalsy();
+
+        await expect(enhance().model.check('create')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('create')).toResolveTruthy();
+        await expect(enhance({ id: 1 }).model.check('create', { ownerId: 1 })).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('create', { ownerId: 2 })).toResolveTruthy();
+
+        await expect(enhance().model.check('update')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('update')).toResolveTruthy();
+        await expect(enhance({ id: 1 }).model.check('update', { ownerId: 1 })).toResolveTruthy();
+        await expect(enhance({ id: 1 }).model.check('update', { ownerId: 2 })).toResolveFalsy();
+
+        await expect(enhance().model.check('delete')).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('delete')).toResolveTruthy();
+        await expect(enhance({ id: 1 }).model.check('delete', { ownerId: 1 })).toResolveFalsy();
+        await expect(enhance({ id: 1 }).model.check('delete', { ownerId: 2 })).toResolveTruthy();
+    });
+
     it('auth null check', async () => {
         const { enhance } = await loadSchema(
             `
@@ -336,7 +378,7 @@ describe('Permission checker', () => {
         await expect(enhance({ id: 1, level: 1 }).model.check('update')).toResolveTruthy();
     });
 
-    it('auth with relation', async () => {
+    it('auth with relation access', async () => {
         const { enhance } = await loadSchema(
             `
             model User {