Safe Haskell | Trustworthy |
---|
- module Hails.Data.LBson
- type CollectionName = Collection
- data CollectionPolicy l
- data Collection l
- type CollectionMap l = Labeled l (Map CollectionName (CollectionPolicy l))
- collection :: LabelState l p s => CollectionName -> l -> l -> RawPolicy l -> LIO l p s (Collection l)
- collectionP :: LabelState l p s => p -> CollectionName -> l -> l -> RawPolicy l -> LIO l p s (Collection l)
- type DatabaseName = Database
- data Database l
- assocCollection :: LabelState l p s => Collection l -> Database l -> LIO l p s (Database l)
- assocCollectionP :: LabelState l p s => p -> Collection l -> Database l -> LIO l p s (Database l)
- data RawPolicy l = RawPolicy {
- rawDocPolicy :: Document l -> l
- rawFieldPolicies :: [(Key, FieldPolicy l)]
- data FieldPolicy l
- = SearchableField
- | FieldPolicy (Document l -> l)
- isSearchableField :: FieldPolicy l -> Bool
- data PolicyError
- data Action l p s a
- getDatabase :: Action l p s (Database l)
- data Selection l = Selection {
- selector :: Selector l
- coll :: CollectionName
- data Query l = Query {}
- data Cursor l
- data DBConf
- type DCAction = Action DCLabel DCPrivTCB ()
- dcAccess :: Database DCLabel -> DCAction a -> DC (Either Failure a)
- labelDatabase :: DBConf -> DCLabel -> DCLabel -> DC (Database DCLabel)
- class DatabasePolicy dbp where
- class DatabasePolicy dbp => PolicyGroup dbp where
- expandGroup :: dbp -> Principal -> DCAction [Principal]
- relabelGroups :: dbp -> DCLabeled a -> DC (DCLabeled a)
- relabelGroupsP :: PolicyGroup dbp => dbp -> DCPrivTCB -> Labeled DCLabel a -> DC (DCLabeled a)
- relabelGroupsSafe :: PolicyGroup dbp => dbp -> Labeled DCLabel a -> DC (DCLabeled a)
- class DatabasePolicy dbp => PrivilegeGrantGate dbp where
- withLabel :: DCPrivTCB -> DCLabel -> DC a -> DC a
- gateToLabeled :: DCPrivTCB -> DCLabeled (Document DCLabel) -> (Document DCLabel -> DC a) -> DC (DCLabeled a)
- insert :: Insert l p s doc => CollectionName -> doc -> Action l p s (Value l)
- insert_ :: Insert l p s doc => CollectionName -> doc -> Action l p s ()
- insertP :: Insert l p s doc => p -> CollectionName -> doc -> Action l p s (Value l)
- insertP_ :: Insert l p s doc => p -> CollectionName -> doc -> Action l p s ()
- save :: Insert l p s doc => CollectionName -> doc -> Action l p s ()
- saveP :: Insert l p s doc => p -> CollectionName -> doc -> Action l p s ()
- deleteOne :: (LabelState l p s, Serialize l) => Selection l -> Action l p s ()
- deleteOneP :: (LabelState l p s, Serialize l) => p -> Selection l -> Action l p s ()
- find :: (Serialize l, LabelState l p s) => Query l -> Action l p s (Cursor l)
- findP :: (Serialize l, LabelState l p s) => p -> Query l -> Action l p s (Cursor l)
- findOne :: (LabelState l p s, Serialize l) => Query l -> Action l p s (Maybe (LabeledDocument l))
- findOneP :: (LabelState l p s, Serialize l) => p -> Query l -> Action l p s (Maybe (LabeledDocument l))
- next :: (LabelState l p s, Serialize l) => Cursor l -> Action l p s (Maybe (LabeledDocument l))
- nextP :: (LabelState l p s, Serialize l) => p -> Cursor l -> Action l p s (Maybe (LabeledDocument l))
- select :: (Select selectionOrQuery, Label l) => Selector l -> CollectionName -> selectionOrQuery l
- data Failure
- labeledDocI :: LabelState l p s => HttpReq a -> Labeled l ByteString -> LIO l p s (Labeled l (Document l))
Documentation
module Hails.Data.LBson
Types
type CollectionName = Collection
Name of collection
data CollectionPolicy l Source
Labels and policies associated with a collection. See Collection
.
data Collection l Source
A collection policy is a label, clearance and labeling policy. The label specifies who can write to a collection (i.e., only computations whose current label flows to the label of the collection). The clearance limits the sensitivity of the data written to the collection (i.e., the labels of all data in the collection must flow to the clearance). Note that the collection label does not impose a restriction on the data (i.e., data can have high integrity). The collection policy specifies the policies for labeling documents and fields of documents.
type CollectionMap l = Labeled l (Map CollectionName (CollectionPolicy l))Source
A labeled Collection
map.
:: LabelState l p s | |
=> CollectionName | Collection name |
-> l | Collection label |
-> l | Collection clearance |
-> RawPolicy l | Collection policy |
-> LIO l p s (Collection l) |
Create a collection given a collection name, label, clearance, and policy. Note that the collection label and clearance must be above the current label and below the current clearance.
:: LabelState l p s | |
=> p | Privileges |
-> CollectionName | Collection name |
-> l | Collection label |
-> l | Collection clearance |
-> RawPolicy l | Collection policy |
-> LIO l p s (Collection l) |
Same as collection
, but uses privileges when comparing the
collection label and clearance with the current label and clearance.
type DatabaseName = Database
Name of database
A database has a label, which is used for controlling access to
the database, an internal identifier corresponding to the underlying
MongoDB database, and a set of Collection
s protected by a label.
assocCollection :: LabelState l p s => Collection l -> Database l -> LIO l p s (Database l)Source
Same as assocCollectionP
, but does not use privileges when
writing to database collection map.
assocCollectionP :: LabelState l p s => p -> Collection l -> Database l -> LIO l p s (Database l)Source
Associate a collection with the underlying database.
A RawPolicy
encodes a document policy, and all
field policies. It is required that all fields of type
PolicyLabeled
have a field/column policy -- if using only this
low-level interface, a runtime error will occur if this is not
satisfied.
RawPolicy | |
|
data FieldPolicy l Source
A FieldPolicy
specifies the policy-generated label of
a field. SearchableField
specifies that the field can be
referenced in the selection clause of a Query
, and therefore
the document label does not apply to it.
SearchableField | |
FieldPolicy (Document l -> l) |
isSearchableField :: FieldPolicy l -> Bool
Returns True if the policy is for a searchable field
data PolicyError Source
Field/column policies are required for every PolicyLabeled
value
in a document.
NoFieldPolicy | Policy for field not specified |
InvalidPolicy | Policy application invalid |
NoColPolicy | Policy for Collection not specified |
InvalidFieldPolicyType | Field with associated policy is not of PolicyLabeled type |
InvalidSearchableType | Searchable fields cannot contain labeled values |
PolicyViolation | Policy has been violated |
Monad (Action l p s) | |
Functor (Action l p s) | |
Applicative (Action l p s) | |
LabelState l p s => MonadLIO (Action l p s) l p s |
getDatabase :: Action l p s (Database l)Source
Get underlying database.
Selects documents in specified collection that match the selector.
Selection | |
|
Select Selection |
Use select to create a basic query with defaults, then modify if
desired. Example: (select sel col) {limit =: 10}
. Note that unlike
MongoDB's query functionality, our queries do not allow for
projections (since policies may need a field that is not projected).
Both the selection and sorting are restricted to searchable fields.
TODO: add snapshot.
Query | |
|
Select Query |
A labeled cursor. The cursor is labeled with the join of the database and collection it reads from.
dcAccess :: Database DCLabel -> DCAction a -> DC (Either Failure a)Source
Open a pipe to a supplied server, or localhost
.
TODO: add support for connecting to replicas.
:: DBConf | Database configuration |
-> DCLabel | Label of collection policies |
-> DCLabel | Database label |
-> DC (Database DCLabel) |
The withDB
functions should use this function to label
their databases.
TODO (DS/AL): make every searchable field indexable.
class DatabasePolicy dbp whereSource
Policy modules are instances of this class. In particular, when
an application accesses a database, the runtime invokes
createDatabasePolicy
in the appropriate policy module.
createDatabasePolicy :: DBConf -> DCPrivTCB -> DC dbp
Given a DBConf
generate an instance of this
DatabasePolicy
. This is the main entry point for policy
modules. Policies should, in general, either discard DBConf
or
store it in such a way that it is inaccessible to other modules
since it contains the privilege of the policy.
policyDB :: dbp -> Database DCLabel
Get the actual underlying Database
instance for this policy.
class DatabasePolicy dbp => PolicyGroup dbp whereSource
Class used to define groups in a policy-specific manner.
expandGroup :: dbp -> Principal -> DCAction [Principal]Source
Expands a principal of the form "#group_name" into a list of
Principal
s
relabelGroups :: dbp -> DCLabeled a -> DC (DCLabeled a)Source
Relabels the Labeled
value by using the policy's privilege
to downgrade the label and optionally re-taint in an application
specific way, e.g. expanding groups of the form "#group_name"
to a policy-specified disjunction of real principals.
Policies are expected to implement this function by wrapping
relabelGroupsP
using their privilege and implementing
expandGroup
, which is called by relabelGroupsP
.
relabelGroupsP :: PolicyGroup dbp => dbp -> DCPrivTCB -> Labeled DCLabel a -> DC (DCLabeled a)Source
Looks for disjunctions the privilege is able to downgrade and
rewrites them by invoking expandGroup
on each principal in the
disjunction. Using the result, the function relabels the Labeled
value. Clients should not call this directly, instead clients
should call relabelGroups
which policies may implement by
wrapping this function.
relabelGroupsSafe :: PolicyGroup dbp => dbp -> Labeled DCLabel a -> DC (DCLabeled a)Source
A wrapper around relabelGroups
that drops the current
privileges and restores them after getting a result from
relabelGroups
.
class DatabasePolicy dbp => PrivilegeGrantGate dbp whereSource
Class used to define a policy-specific privilege-granting gate.
withLabel :: DCPrivTCB -> DCLabel -> DC a -> DC aSource
Given a set of privileges, a desired label, and an action: lower the current label as close to the desired label as possible, execute the action, and raise the current label.
gateToLabeled :: DCPrivTCB -> DCLabeled (Document DCLabel) -> (Document DCLabel -> DC a) -> DC (DCLabeled a)Source
Given a set of privileges, a labeled document, and a computation on the (unlabeled version of the) document: downgrade the current label with the supplied privileges (integrity only), unlabel the document, and apply the computation to it. The result is then labeled with the current label, and the current label is reset to the original (if possible).
Query
insert :: Insert l p s doc => CollectionName -> doc -> Action l p s (Value l)Source
Insert document into collection and return its _id
value,
which is created automatically if not supplied. It is required that
the current label flow to the label of the collection and database
(and vice versa). Additionally, the document must be well-formed
with respect to the collection policy. In other words, all the
labeled values must be below the collection clearance and the
policy be applied successfully.
insert_ :: Insert l p s doc => CollectionName -> doc -> Action l p s ()Source
Same as insert
except it does not return _id
insertP :: Insert l p s doc => p -> CollectionName -> doc -> Action l p s (Value l)Source
Same as insert
, but uses privileges when applying the
collection policies, and doing label comparisons.
insertP_ :: Insert l p s doc => p -> CollectionName -> doc -> Action l p s ()Source
Same as insertP
except it does not return _id
save :: Insert l p s doc => CollectionName -> doc -> Action l p s ()Source
Update a document based on the _id
value. The IFC requirements
subsume those of insert
. Specifically, in addition to being able
to apply all the policies and requiring that the current label flow
to the label of the collection and database save
requires that
the current label flow to the label of the existing database record.
saveP :: Insert l p s doc => p -> CollectionName -> doc -> Action l p s ()Source
Like save
, but uses privileges when performing label
comparisons.
deleteOne :: (LabelState l p s, Serialize l) => Selection l -> Action l p s ()Source
Given a query, delete the first object in the selection. In addition to being able to read the object and write to the database and collection, the current label must flow to the label of the existing document.
deleteOneP :: (LabelState l p s, Serialize l) => p -> Selection l -> Action l p s ()Source
Same as deleteOne
, but uses privileges when performing label
comparisons.
findP :: (Serialize l, LabelState l p s) => p -> Query l -> Action l p s (Cursor l)Source
Same as find
, but uses privileges when raising the current
label
findOne :: (LabelState l p s, Serialize l) => Query l -> Action l p s (Maybe (LabeledDocument l))Source
Fetch the first document satisfying query, or Nothing
if no
documents matched the query.
findOneP :: (LabelState l p s, Serialize l) => p -> Query l -> Action l p s (Maybe (LabeledDocument l))Source
Same as findOne
, but uses privileges when performing label
comparisons.
next :: (LabelState l p s, Serialize l) => Cursor l -> Action l p s (Maybe (LabeledDocument l))Source
Return next document in query result, or Nothing
if finished.
The current label is raised to join of the current label and
Cursor
label. The document is labeled according to the
underlying Collection's policies.
nextP :: (LabelState l p s, Serialize l) => p -> Cursor l -> Action l p s (Maybe (LabeledDocument l))Source
Same as next
, but uses privileges when raising the current label.
select :: (Select selectionOrQuery, Label l) => Selector l -> CollectionName -> selectionOrQuery lSource
Misc
data Failure
A connection failure, or a read or write exception like cursor expired or inserting a duplicate key.
Note, unexpected data from the server is not a Failure; rather, it is a programming error (you should call error
in this case) because the client and server are incompatible, which requires a programming change.
labeledDocI :: LabelState l p s => HttpReq a -> Labeled l ByteString -> LIO l p s (Labeled l (Document l))Source
Trusted transformer that takes a Labeled
tuple with HttpReq
and the request body as a ByteString
and returns a Labeled
Document
with keys and values corresponding to the form fields
from the request. The label on the Labeled
result is the same as
input. Argument values are parsed into BSON Strings except if the
key is of the form "key_name[]" in which case all such arguments
will be combined into an array of Strings.