ash/lib/ash/authorizer.ex

defmodule Ash.Authorizer do
  @moduledoc """
  The interface for an ash authorizer

  These will typically be implemented by an extension, but a custom
  one can be implemented by defining an extension that also adopts this behaviour.

  Then you can extend a resource with `authorizers: [YourAuthorizer]`
  """
  @type state :: map
  @type context :: map
  @callback initial_state(
              Ash.Resource.t(),
              Ash.Resource.record(),
              Ash.Resource.Actions.action(),
              boolean
            ) :: state
  @callback strict_check_context(state) :: [atom]
  @callback strict_check(state, context) ::
              {:authorized, state}
              | {:continue, state}
              | {:filter, Keyword.t()}
              | {:filter, Keyword.t(), state}
              | {:filter_and_continue, Keyword.t(), state}
              | {:error, term}
  @callback alter_filter(filter :: Ash.Filter.t(), state, context) ::
              {:ok, Ash.Filter.t()} | {:error, Ash.Error.t()}
  @callback add_calculations(Ash.Query.t() | Ash.Changeset.t(), state, context) ::
              {:ok, Ash.Query.t() | Ash.Changeset.t(), state} | {:error, Ash.Error.t()}
  @callback alter_results(state, list(Ash.Resource.record()), context) ::
              {:ok, list(Ash.Resource.record())} | {:error, Ash.Error.t()}
  @callback check_context(state) :: [atom]
  @callback check(state, context) ::
              :authorized | {:data, list(Ash.Resource.record())} | {:error, term}
  @callback exception(atom, state) :: no_return

  @optional_callbacks [exception: 2, add_calculations: 3, alter_results: 3, alter_filter: 3]

  def initial_state(module, actor, resource, action, verbose?) do
    module.initial_state(actor, resource, action, verbose?)
  end

  def exception(module, reason, state) do
    if function_exported?(module, :exception, 2) do
      module.exception(reason, state)
    else
      if reason == :must_pass_strict_check do
        Ash.Error.Forbidden.MustPassStrictCheck.exception([])
      else
        Ash.Error.Forbidden.exception([])
      end
    end
  end

  def strict_check_context(module, state) do
    Enum.uniq(module.strict_check_context(state) ++ [:query, :changeset])
  end

  def strict_check(module, state, context) do
    module.strict_check(state, context)
  end

  def add_calculations(module, query_or_changeset, state, context) do
    if function_exported?(module, :add_calculations, 3) do
      module.add_calculations(query_or_changeset, state, context)
    else
      {:ok, query_or_changeset, state}
    end
  end

  def alter_results(module, state, records, context) do
    if function_exported?(module, :alter_results, 3) do
      module.alter_results(state, records, context)
    else
      {:ok, records}
    end
  end

  def alter_filter(module, state, filter, context) do
    if function_exported?(module, :alter_filter, 3) do
      module.alter_filter(filter, state, context)
    else
      {:ok, filter}
    end
  end

  def check_context(module, state) do
    module.check_context(state)
  end

  def check(module, state, context) do
    module.check(state, context)
  end
end
feat: rebuild DSL inner workings for extensibility (#70) 2020-06-14 18:39:11 +12:00			`defmodule Ash.Authorizer do`
chore: wrap up remaining lint errors 2020-06-02 17:47:25 +12:00			`@moduledoc """`
			`The interface for an ash authorizer`

			`These will typically be implemented by an extension, but a custom`
docs: remove outdated `@authorizers` reference 2022-10-19 11:43:33 +13:00			`one can be implemented by defining an extension that also adopts this behaviour.`

			Then you can extend a resource with `authorizers: [YourAuthorizer]`
chore: wrap up remaining lint errors 2020-06-02 17:47:25 +12:00			`"""`
WIP 2020-05-21 10:59:58 +12:00			`@type state :: map`
WIP 2020-05-31 15:55:01 +12:00			`@type context :: map`
improvement: many compile time fixes via code splitting feat: refactored manage_relationship options/behavior 2021-02-23 14:29:31 +13:00			`@callback initial_state(`
			`Ash.Resource.t(),`
			`Ash.Resource.record(),`
			`Ash.Resource.Actions.action(),`
			`boolean`
			`) :: state`
WIP 2020-05-21 10:59:58 +12:00			`@callback strict_check_context(state) :: [atom]`
WIP 2020-05-31 15:55:01 +12:00			`@callback strict_check(state, context) ::`
improvement: optimize policy check running with laziness Implemented lazy evaluation of individual checks, so that checks that are demonstrably irrelevant when building policies are not checked at all. This will often mean no need to visit the sat solver at all, or only with a very minimal set of filter checks. 2023-03-11 07:28:16 +13:00			`{:authorized, state}`
WIP 2020-05-30 19:29:27 +12:00			`\| {:continue, state}`
			`\| {:filter, Keyword.t()}`
fix: allow new `filter` pattern in typespec 2021-12-22 07:06:19 +13:00			`\| {:filter, Keyword.t(), state}`
WIP 2020-05-31 15:55:01 +12:00			`\| {:filter_and_continue, Keyword.t(), state}`
improvement: many compile time fixes via code splitting feat: refactored manage_relationship options/behavior 2021-02-23 14:29:31 +13:00			`\| {:error, term}`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`@callback alter_filter(filter :: Ash.Filter.t(), state, context) ::`
			`{:ok, Ash.Filter.t()} \| {:error, Ash.Error.t()}`
improvement: support `changeset.load` 2023-06-06 05:30:17 +12:00			`@callback add_calculations(Ash.Query.t() \| Ash.Changeset.t(), state, context) ::`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`{:ok, Ash.Query.t() \| Ash.Changeset.t(), state} \| {:error, Ash.Error.t()}`
improvement: support `changeset.load` 2023-06-06 05:30:17 +12:00			`@callback alter_results(state, list(Ash.Resource.record()), context) ::`
			`{:ok, list(Ash.Resource.record())} \| {:error, Ash.Error.t()}`
WIP 2020-05-21 10:59:58 +12:00			`@callback check_context(state) :: [atom]`
WIP 2020-05-31 15:55:01 +12:00			`@callback check(state, context) ::`
improvement: many compile time fixes via code splitting feat: refactored manage_relationship options/behavior 2021-02-23 14:29:31 +13:00			`:authorized \| {:data, list(Ash.Resource.record())} \| {:error, term}`
improvement: customizable exception for authorizers 2021-12-21 19:07:06 +13:00			`@callback exception(atom, state) :: no_return`

feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`@optional_callbacks [exception: 2, add_calculations: 3, alter_results: 3, alter_filter: 3]`
WIP 2020-05-21 10:59:58 +12:00
			`def initial_state(module, actor, resource, action, verbose?) do`
			`module.initial_state(actor, resource, action, verbose?)`
			`end`

improvement: customizable exception for authorizers 2021-12-21 19:07:06 +13:00			`def exception(module, reason, state) do`
			`if function_exported?(module, :exception, 2) do`
			`module.exception(reason, state)`
			`else`
improvement: add more authorizer state management Added more opportunities for authorizers to pass back state. This is being used to ensure that ash policy authorizer errors can always have enough information to provide a policy breakdown 2021-12-22 06:24:12 +13:00			`if reason == :must_pass_strict_check do`
			`Ash.Error.Forbidden.MustPassStrictCheck.exception([])`
			`else`
			`Ash.Error.Forbidden.exception([])`
			`end`
improvement: customizable exception for authorizers 2021-12-21 19:07:06 +13:00			`end`
			`end`

WIP 2020-05-21 10:59:58 +12:00			`def strict_check_context(module, state) do`
chore: fix credo/dialyzer 2023-06-23 06:19:40 +12:00			`Enum.uniq(module.strict_check_context(state) ++ [:query, :changeset])`
WIP 2020-05-21 10:59:58 +12:00			`end`

			`def strict_check(module, state, context) do`
			`module.strict_check(state, context)`
			`end`

improvement: support `changeset.load` 2023-06-06 05:30:17 +12:00			`def add_calculations(module, query_or_changeset, state, context) do`
			`if function_exported?(module, :add_calculations, 3) do`
			`module.add_calculations(query_or_changeset, state, context)`
			`else`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`{:ok, query_or_changeset, state}`
improvement: support `changeset.load` 2023-06-06 05:30:17 +12:00			`end`
			`end`

			`def alter_results(module, state, records, context) do`
feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`if function_exported?(module, :alter_results, 3) do`
improvement: support `changeset.load` 2023-06-06 05:30:17 +12:00			`module.alter_results(state, records, context)`
			`else`
			`{:ok, records}`
			`end`
			`end`

feat: add `field_policies` see included documentation for more information on how field policies work. 2023-06-23 04:28:39 +12:00			`def alter_filter(module, state, filter, context) do`
			`if function_exported?(module, :alter_filter, 3) do`
			`module.alter_filter(filter, state, context)`
			`else`
			`{:ok, filter}`
			`end`
			`end`

WIP 2020-05-21 10:59:58 +12:00			`def check_context(module, state) do`
			`module.check_context(state)`
			`end`

WIP 2020-05-31 15:55:01 +12:00			`def check(module, state, context) do`
			`module.check(state, context)`
WIP 2020-05-21 10:59:58 +12:00			`end`
			`end`