Merge pull request #18 from dotindustries/feature/bre-56-add-object-schema-to-context

feat: add object schema to context

Author: nadilas

Makefile

@@ -30,11 +30,11 @@ grpc-install:
 
 buf-install:
 	printf $(COLOR) "Install/update buf..."
-	go install github.com/bufbuild/buf/cmd/buf@v1.6.0
+	go install github.com/bufbuild/buf/cmd/buf@latest
 
 api-linter-install:
 	printf $(COLOR) "Install/update api-linter..."
-	go install github.com/googleapis/api-linter/cmd/api-linter@v1.32.3
+	go install github.com/googleapis/api-linter/cmd/api-linter@latest
 
 ##### Linters #####
 api-linter:

apps/api/api/add.go

@@ -17,7 +17,7 @@ func (b *BreaseHandler) CreateRule(ctx context.Context, c *connect.Request[v1.Cr
 	ctxID := c.Msg.ContextId
 	rule := c.Msg.Rule
 
-	if !auth.HasPermission(ctx, auth.PermissionWrite) {
+	if !auth.HasPermission(ctx, auth.PermissionCreateRule) {
 		return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("permission denied"))
 	}
 

apps/api/api/delete.go

@@ -13,7 +13,7 @@ import (
 
 func (b *BreaseHandler) DeleteRule(ctx context.Context, c *connect.Request[contextv1.DeleteRuleRequest]) (*connect.Response[emptypb.Empty], error) {
 	orgID := auth.CtxString(ctx, auth.ContextOrgKey)
-	if !auth.HasPermission(ctx, auth.PermissionWrite) {
+	if !auth.HasPermission(ctx, auth.PermissionCreateRule) {
 		return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("permission denied"))
 	}
 	err := b.db.RemoveRule(ctx, orgID, c.Msg.ContextId, c.Msg.RuleId)

apps/api/api/evaluate.go

@@ -6,6 +6,8 @@ import (
 	"connectrpc.com/connect"
 	"context"
 	"fmt"
+	"github.com/kaptinlin/jsonschema"
+	"go.dot.industries/brease/cache"
 	"go.dot.industries/brease/code"
 	"google.golang.org/protobuf/types/known/structpb"
 
@@ -14,10 +16,34 @@ import (
 )
 
 func (b *BreaseHandler) Evaluate(ctx context.Context, c *connect.Request[contextv1.EvaluateRequest]) (*connect.Response[contextv1.EvaluateResponse], error) {
-	orgID := auth.CtxString(ctx, auth.ContextOrgKey)
-	if !auth.HasPermission(ctx, auth.PermissionEvaluate) && !auth.HasPermission(ctx, auth.PermissionRead) {
-		return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("permission denied"))
+	orgID, _, _, cErr := permissionCheck(ctx, auth.PermissionEvaluate, auth.PermissionReadRule)
+	if cErr != nil {
+		return nil, cErr
 	}
+
+	schema, err := b.db.GetObjectSchema(ctx, orgID, c.Msg.ContextId)
+	if err != nil {
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("failed to fetch object schema: %v", err))
+	}
+	if schema != "" {
+		compiledSchema, schemaErr := b.compiledObjectSchema(ctx, schema)
+		if schemaErr != nil {
+			return nil, connect.NewError(connect.CodeInvalidArgument, errors.Wrap(schemaErr, fmt.Errorf("invalid json schema")))
+		}
+		res := compiledSchema.ValidateStruct(c.Msg.Object)
+		if !res.Valid {
+			es := res.ToList()
+			errStr := ""
+			for _, e := range es.Errors {
+				if len(errStr) > 0 {
+					errStr += ", "
+				}
+				errStr += e
+			}
+			return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid object shape: %s", errStr))
+		}
+	}
+
 	codeBlock, err := b.findCode(ctx, c.Msg, orgID)
 	if err != nil {
 		return nil, err
@@ -33,6 +59,20 @@ func (b *BreaseHandler) Evaluate(ctx context.Context, c *connect.Request[context
 	}), nil
 }
 
+func (b *BreaseHandler) compiledObjectSchema(ctx context.Context, schema string) (*jsonschema.Schema, error) {
+	compiled := b.cache.Get(ctx, cache.SimpleHash(schema))
+	if compiled != nil && compiled != "" {
+		return compiled.(*jsonschema.Schema), nil
+	}
+	compiledSchema, err := b.jsonSchemaCompiler.Compile([]byte(schema))
+	if err != nil {
+		return nil, err
+	}
+	// if we can't set it to cache, at worst it's gonna cause a delay on the next call
+	_ = b.cache.Set(ctx, cache.SimpleHash(schema), compiledSchema)
+	return compiledSchema, err
+}
+
 func (b *BreaseHandler) run(ctx context.Context, codeBlock string, object *structpb.Struct) ([]*rulev1.EvaluationResult, error) {
 	compiledScript, err := b.findScript(ctx, codeBlock)
 	if err != nil {

apps/api/api/handler.go

@@ -3,18 +3,12 @@ package api
 import (
 	"buf.build/gen/go/dot/brease/grpc/go/brease/auth/v1/authv1grpc"
 	"buf.build/gen/go/dot/brease/grpc/go/brease/context/v1/contextv1grpc"
-	authv1 "buf.build/gen/go/dot/brease/protocolbuffers/go/brease/auth/v1"
-	contextv1 "buf.build/gen/go/dot/brease/protocolbuffers/go/brease/context/v1"
-	rulev1 "buf.build/gen/go/dot/brease/protocolbuffers/go/brease/rule/v1"
-	"connectrpc.com/connect"
-	"context"
+	"github.com/kaptinlin/jsonschema"
 	"go.dot.industries/brease/auth"
 	"go.dot.industries/brease/cache"
 	"go.dot.industries/brease/code"
 	"go.dot.industries/brease/storage"
 	"go.uber.org/zap"
-	"google.golang.org/grpc/metadata"
-	"google.golang.org/protobuf/types/known/emptypb"
 )
 
 type OpenApiHandler interface {
@@ -23,128 +17,28 @@ type OpenApiHandler interface {
 }
 
 type BreaseHandler struct {
-	db        storage.Database
-	logger    *zap.Logger
-	assembler *code.Assembler
-	compiler  *code.Compiler
-	token     auth.Token
-	OpenApi   OpenApiHandler
+	db                 storage.Database
+	logger             *zap.Logger
+	assembler          *code.Assembler
+	compiler           *code.Compiler
+	token              auth.Token
+	jsonSchemaCompiler *jsonschema.Compiler
+	cache              cache.Cache
 }
 
 func NewHandler(db storage.Database, c cache.Cache, logger *zap.Logger) *BreaseHandler {
 	if db == nil {
 		panic("database cannot be nil")
 	}
 	bh := &BreaseHandler{
-		db:        db,
-		logger:    logger,
-		assembler: code.NewAssembler(logger, c),
-		compiler:  code.NewCompiler(logger),
-		token:     auth.NewToken(logger),
+		db:                 db,
+		logger:             logger,
+		assembler:          code.NewAssembler(logger, c),
+		compiler:           code.NewCompiler(logger),
+		token:              auth.NewToken(logger),
+		jsonSchemaCompiler: jsonschema.NewCompiler(),
+		cache:              c,
 	}
 
-	bh.OpenApi = &openApiHandler{handler: bh}
-
 	return bh
 }
-
-type openApiHandler struct {
-	handler *BreaseHandler
-}
-
-func (o *openApiHandler) GetToken(ctx context.Context, empty *emptypb.Empty) (*authv1.TokenPair, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.GetToken(ctx, connect.NewRequest(empty))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) RefreshToken(ctx context.Context, request *authv1.RefreshTokenRequest) (*authv1.TokenPair, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.RefreshToken(ctx, connect.NewRequest(request))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) ListRules(ctx context.Context, request *contextv1.ListRulesRequest) (*contextv1.ListRulesResponse, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.ListRules(ctx, connect.NewRequest(request))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) GetRule(ctx context.Context, request *contextv1.GetRuleRequest) (*rulev1.VersionedRule, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.GetRule(ctx, connect.NewRequest(request))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) GetRuleVersions(ctx context.Context, request *contextv1.ListRuleVersionsRequest) (*contextv1.ListRuleVersionsResponse, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.GetRuleVersions(ctx, connect.NewRequest(request))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) CreateRule(ctx context.Context, request *contextv1.CreateRuleRequest) (*rulev1.VersionedRule, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.CreateRule(ctx, connect.NewRequest(request))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) UpdateRule(ctx context.Context, request *contextv1.UpdateRuleRequest) (*rulev1.VersionedRule, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.UpdateRule(ctx, connect.NewRequest(request))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) DeleteRule(ctx context.Context, request *contextv1.DeleteRuleRequest) (*emptypb.Empty, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.DeleteRule(ctx, connect.NewRequest(request))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) Evaluate(ctx context.Context, request *contextv1.EvaluateRequest) (*contextv1.EvaluateResponse, error) {
-	ctx = o.forwardMetadata(ctx)
-	r, err := o.handler.Evaluate(ctx, connect.NewRequest(request))
-	if err != nil {
-		return nil, err
-	}
-	return r.Msg, nil
-}
-
-func (o *openApiHandler) forwardMetadata(ctx context.Context) context.Context {
-	md, ok := metadata.FromIncomingContext(ctx)
-	if !ok {
-		return ctx
-	}
-
-	if orgIds := md.Get(auth.ContextOrgKey); len(orgIds) > 0 {
-		ctx = context.WithValue(ctx, auth.ContextOrgKey, orgIds[0])
-	}
-	if userIds := md.Get(auth.ContextUserIDKey); len(userIds) > 0 {
-		ctx = context.WithValue(ctx, auth.ContextUserIDKey, userIds[0])
-	}
-
-	return ctx
-}

apps/api/api/openapi_handler.go

@@ -0,0 +1,133 @@
+package api
+
+import (
+	authv1 "buf.build/gen/go/dot/brease/protocolbuffers/go/brease/auth/v1"
+	contextv1 "buf.build/gen/go/dot/brease/protocolbuffers/go/brease/context/v1"
+	rulev1 "buf.build/gen/go/dot/brease/protocolbuffers/go/brease/rule/v1"
+	"connectrpc.com/connect"
+	"context"
+	"github.com/janvaclavik/govar"
+	"go.dot.industries/brease/auth"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/protobuf/types/known/emptypb"
+)
+
+type openApiHandler struct {
+	handler *BreaseHandler
+}
+
+func (o *openApiHandler) GetObjectSchema(ctx context.Context, request *contextv1.GetObjectSchemaRequest) (*contextv1.GetObjectSchemaResponse, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.GetObjectSchema(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) ReplaceObjectSchema(ctx context.Context, request *contextv1.ReplaceObjectSchemaRequest) (*contextv1.ReplaceObjectSchemaResponse, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.ReplaceObjectSchema(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) GetToken(ctx context.Context, empty *emptypb.Empty) (*authv1.TokenPair, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.GetToken(ctx, connect.NewRequest(empty))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) RefreshToken(ctx context.Context, request *authv1.RefreshTokenRequest) (*authv1.TokenPair, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.RefreshToken(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) ListRules(ctx context.Context, request *contextv1.ListRulesRequest) (*contextv1.ListRulesResponse, error) {
+	ctx = o.forwardMetadata(ctx)
+	govar.Dump(ctx)
+	r, err := o.handler.ListRules(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) GetRule(ctx context.Context, request *contextv1.GetRuleRequest) (*rulev1.VersionedRule, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.GetRule(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) GetRuleVersions(ctx context.Context, request *contextv1.ListRuleVersionsRequest) (*contextv1.ListRuleVersionsResponse, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.GetRuleVersions(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) CreateRule(ctx context.Context, request *contextv1.CreateRuleRequest) (*rulev1.VersionedRule, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.CreateRule(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) UpdateRule(ctx context.Context, request *contextv1.UpdateRuleRequest) (*rulev1.VersionedRule, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.UpdateRule(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) DeleteRule(ctx context.Context, request *contextv1.DeleteRuleRequest) (*emptypb.Empty, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.DeleteRule(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) Evaluate(ctx context.Context, request *contextv1.EvaluateRequest) (*contextv1.EvaluateResponse, error) {
+	ctx = o.forwardMetadata(ctx)
+	r, err := o.handler.Evaluate(ctx, connect.NewRequest(request))
+	if err != nil {
+		return nil, err
+	}
+	return r.Msg, nil
+}
+
+func (o *openApiHandler) forwardMetadata(ctx context.Context) context.Context {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return ctx
+	}
+
+	if orgIds := md.Get(auth.ContextOrgKey); len(orgIds) > 0 {
+		ctx = context.WithValue(ctx, auth.ContextOrgKey, orgIds[0])
+	}
+	if userIds := md.Get(auth.ContextUserIDKey); len(userIds) > 0 {
+		ctx = context.WithValue(ctx, auth.ContextUserIDKey, userIds[0])
+	}
+
+	return ctx
+}