Safe Haskell | Unsafe |
---|
- type CollectionName = Collection
- type CollectionMap l = Labeled l (Map CollectionName (CollectionPolicy l))
- data CollectionPolicy l = CollectionPolicy {}
- data Collection l = Collection {}
- collection :: LabelState l p s => CollectionName -> l -> l -> RawPolicy l -> LIO l p s (Collection l)
- collectionP :: LabelState l p s => p -> CollectionName -> l -> l -> RawPolicy l -> LIO l p s (Collection l)
- collectionTCB :: LabelState l p s => CollectionName -> l -> l -> RawPolicy l -> LIO l p s (Collection l)
- type DatabaseName = Database
- data Database l = Database {
- dbIntern :: DatabaseName
- dbLabel :: l
- dbColPolicies :: CollectionMap l
- database :: LabelState l p s => DatabaseName -> l -> CollectionMap l -> LIO l p s (Database l)
- databaseP :: LabelState l p s => p -> DatabaseName -> l -> CollectionMap l -> LIO l p s (Database l)
- databaseTCB :: LabelState l p s => DatabaseName -> l -> CollectionMap l -> LIO l p s (Database l)
- assocCollection :: LabelState l p s => Collection l -> Database l -> LIO l p s (Database l)
- assocCollectionP :: LabelState l p s => p -> Collection l -> Database l -> LIO l p s (Database l)
- assocCollectionTCB :: LabelState l p s => Collection l -> Database l -> LIO l p s (Database l)
- data RawPolicy l = RawPolicy {
- rawDocPolicy :: Document l -> l
- rawFieldPolicies :: [(Key, FieldPolicy l)]
- data FieldPolicy l
- = SearchableField
- | FieldPolicy (Document l -> l)
- isSearchableField :: FieldPolicy l -> Bool
- searchableFields :: RawPolicy l -> [Key]
- data PolicyError
- data NoSuchDatabaseError = NoSuchDatabase
- newtype UnsafeLIO l p s a = UnsafeLIO {
- unUnsafeLIO :: LIO l p s a
- newtype LIOAction l p s a = LIOAction {
- unLIOAction :: Action (UnsafeLIO l p s) a
- newtype Action l p s a = Action (ReaderT (Database l) (LIOAction l p s) a)
- liftAction :: LabelState l p s => Action (UnsafeLIO l p s) a -> Action l p s a
- getDatabase :: Action l p s (Database l)
- data Cursor l = Cursor {
- curLabel :: l
- curIntern :: Cursor
- curProject :: Projector
- curPolicy :: CollectionPolicy l
- data Failure
Collection
type CollectionName = CollectionSource
Name of collection
type CollectionMap l = Labeled l (Map CollectionName (CollectionPolicy l))Source
A labeled Collection
map.
data CollectionPolicy l Source
Labels and policies associated with a collection. See Collection
.
data Collection l Source
A collection policy is is a label, clearance and labeling policy. The label specifies who can write to a collection (i.e., only computatoin whose current label flows to the label of the collection). The clearance limits the sensitivity of the data written to the collection (i.e., the labels of all data in the collection must flow to the clearance). Note that the collection label does not impose a restriction on the data (i.e., data can have high integrity). The collection policy specifies the policies for labeling documents and fields of documents.
Collection | |
|
:: LabelState l p s | |
=> CollectionName | Collection name |
-> l | Collection label |
-> l | Collection clearance |
-> RawPolicy l | Collection policy |
-> LIO l p s (Collection l) |
Create a collection given a collection name, label, clearance, and policy. Note that the collection label and clearance must be above the current label and below the current clearance.
:: LabelState l p s | |
=> p | Privileges |
-> CollectionName | Collection name |
-> l | Collection label |
-> l | Collection clearance |
-> RawPolicy l | Collection policy |
-> LIO l p s (Collection l) |
Same as collection
, but uses privileges when comparing the
collection label and clearance with the current label and clearance.
:: LabelState l p s | |
=> CollectionName | Collection name |
-> l | Collection label |
-> l | Collection clearance |
-> RawPolicy l | Collection policy |
-> LIO l p s (Collection l) |
Same as collection
, but ignores IFC.
Database
type DatabaseName = DatabaseSource
Name of database
A database has a label, which is used for controlling access to
the database, an internal identifier corresponding to the underlying
MongoDB database, and a set of Collection
s protected by a label.
Database | |
|
database :: LabelState l p s => DatabaseName -> l -> CollectionMap l -> LIO l p s (Database l)Source
Same as databaseP
, but does not use privileges when comparing
the current label (and clearance) with the supplied database label.
:: LabelState l p s | |
=> p | Privileges |
-> DatabaseName | Name of database |
-> l | Label of database |
-> CollectionMap l | Labeled colleciton map |
-> LIO l p s (Database l) |
Create a Database
. Given a set of privileges, the name of the
database, the database label, and set of collections, create a
database. Note that this does not restrict an application from
creating arbitrary databases and collections---this should be
handled by a shim layer.
databaseTCB :: LabelState l p s => DatabaseName -> l -> CollectionMap l -> LIO l p s (Database l)Source
Sameas databaseP
, but ignores IFC checks.
assocCollection :: LabelState l p s => Collection l -> Database l -> LIO l p s (Database l)Source
Same as assocCollectionP
, but does not use privileges when
writing to database collection map.
assocCollectionP :: LabelState l p s => p -> Collection l -> Database l -> LIO l p s (Database l)Source
Associate a collection with the underlying database.
assocCollectionTCB :: LabelState l p s => Collection l -> Database l -> LIO l p s (Database l)Source
Same as assocCollectionP
, but ignores IFC.
Policies
A RawPolicy
encodes a document policy, and all
field policies. It is required that all fields of type
PolicyLabled
have a field/column policy -- if using only this
low-level interface a runtime-error will occur if this is not
satisfied.
RawPolicy | |
|
data FieldPolicy l Source
A FieldPolicy
specifies the policy-generated label of
a field. SearchabelField
specifies that the field can be
referenced in the selection clause of a Query
, and therefore
the document label does not apply to it.
SearchableField | |
FieldPolicy (Document l -> l) |
isSearchableField :: FieldPolicy l -> BoolSource
Returns True if the policy is for a searchable field
searchableFields :: RawPolicy l -> [Key]Source
Returns a list of the SearchableField
s speicified in a
RawPolicy
data PolicyError Source
Field/column policies are required for every PolicyLabled
value
in a document.
NoFieldPolicy | Policy for field not specified |
InvalidPolicy | Policy application invalid |
NoColPolicy | Policy for Collection not specified |
InvalidFieldPolicyType | Field with associated policy is not of PolicyLabeled type |
InvalidSearchableType | Searchable fields cannot contain labeled values |
PolicyViolation | Policy has been violated |
Monad
newtype UnsafeLIO l p s a Source
Since it would be a security violation to make LIO
an instance
of MonadIO
, we create a Mongo-specific, wrapper for
LIO
that is instance of MonadIO
.
NOTE: IT IS IMPORTANT THAT UnsafeLIO
NEVER BE EXPOSED BY MODULES
THAT ARE NOT Unsafe.
UnsafeLIO | |
|
LabelState l p s => MonadBase IO (UnsafeLIO l p s) | UNSAFE: Instance of |
LabelState l p s => MonadBaseControl IO (UnsafeLIO l p s) | UNSAFE: Instance of |
Monad (UnsafeLIO l p s) | |
Functor (UnsafeLIO l p s) | |
Applicative (UnsafeLIO l p s) | |
LabelState l p s => MonadIO (UnsafeLIO l p s) | UNSAFE: Instance of |
LabelState l p s => MonadLIO (UnsafeLIO l p s) l p s |
newtype LIOAction l p s a Source
An LIO action with MongoDB access.
LIOAction | |
|
Monad (LIOAction l p s) | |
Functor (LIOAction l p s) | |
Applicative (LIOAction l p s) | |
LabelState l p s => MonadLIO (LIOAction l p s) l p s |
Monad (Action l p s) | |
Functor (Action l p s) | |
Applicative (Action l p s) | |
LabelState l p s => MonadLIO (Action l p s) l p s |
liftAction :: LabelState l p s => Action (UnsafeLIO l p s) a -> Action l p s aSource
Lift a MongoDB action into Action
monad.
getDatabase :: Action l p s (Database l)Source
Get underlying database.
Cursor
A labeled cursor. The cursor is labeled with the join of the database and collection it reads from.
Cursor | |
|
Misc
data Failure
A connection failure, or a read or write exception like cursor expired or inserting a duplicate key.
Note, unexpected data from the server is not a Failure, rather it is a programming error (you should call error
in this case) because the client and server are incompatible and requires a programming change.