e;t      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmn o p q r s t u v w x y z { | } ~        !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ Safe-Inferred ;; ; Trustworthy;; Trustworthy<YBasic HTTP authentication middleware for development. Accepts any username and password.=0Authentica user with Mozilla's persona. If the X-Hails-Persona-Loginy header is set, this intercepts the request and verifies the supplied identity assertion, supplied in the request body.-If the authentication is successful, set the  _hails_user and _hails_user_hmac cookies to identify the user. The former contains the user email address, the latter contains the MAC that is used for verifications in later requests.If the X-Hails-Persona-LogoutT header is set, this intercepts the request and deletes the aforementioned cookies.7If the app wishes the user to authenticate (by setting  X-Hails-Login) this redirects to audience/login -- where the app can call navigator.request().>Perform OpenID authentication.? Executes the app and if the app  has header  X-Hails-Logine and the user is not logged in, respond with an authentication response (Basic Auth, redirect, etc.)>Helper method for implementing basic authentication. Given a K returns the usernamepair from the basic authentication header if present.gGiven a request and path, extract the scheme, hostname and port from the request and createand a URI scheme:/hostname[:port]path.@PUse an external authentication service that sets cookies. The cookie names are  _hails_user, whose contents contains the  user-name, and _hails_user_hmac, whose contents contains HMAC-SHA1(user-name). This function simply checks that the cookie exists and the MAC'd user name is correct. If this is the case, it returns a request with the cookie removed and  x-hails-user header set. Otherwies the original request is returned. The login service retuns a redirect (to the provided url). Additionally, cookie *_hails_refer$ is set to the current URL (scheme:/ domain:portpath@).<=>OpenID Provider ?@<=>?@?=>@<<=>?@ Trustworthy+A+Convenience type for middleware components.B6Base Hails type implemented by untrusted applications.C)The settings with which the app will run.E5The label of the browser the reponse will be sent to.FHThe label of the incoming request (with the logged in user's integrity).GA privilege minted for the app.HA response sent by the app.JResponse statusKResponse headersL Response bodyMA request sent by the end-user.OHTTP Request (e.g., GET, POST, etc.).P HTTP version (e.g., 1.1 or 1.0).Q*Extra path information sent by the client.RDIf no query string was specified, this should be empty. This value will^ include the leading question mark. Do not modify this raw value- modify queryString instead.SGenerally the host requested by the user via the Host request header. Backends are free to provide alternative values as necessary. This value should not be used to construct URLs.TThe request headers.U-Was this request made over an SSL connection?VThe client's host information.WvPath info in individual pieces- the url without a hostname/port and without a query string, split on forward slashes,XParsed query string informationY,Lazy ByteString containing the request body.ZTime request was received.['Get the request body type (copied from  wai-extra).\Add/replace a  to the M](Remove a header (if it exists) from the M^Add/replace a  to the H_(Remove a header (if it exists) from the HABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMN89:ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_"MNOPQRSTUVWXYZ[:89\]HIJKL^_BCDEFGA ABCDEFGHIJKLM NOPQRSTUVWXYZ[\]^_ Trustworthy OConvert a WAI  to a Hails M by consuming the body into a P. The Ze is set to the current time at the time this action is executed (which is when the app is invoked).`-Remove any unsafe headers, in this case only  X-Hails-User.QConvert a Hails H to a WAI aHails A that ensures the H from the application is readable by the client's browser (as determined by the result label of the app computation and the label of the browser). If the response is not readable by the browser, the middleware sends a 403 (unauthorized) response instead.bAdds the header Content-Security-PolicyW to the response, if the label of the computation does not flow to the public label, R. The  default-srcv directive is set to the secrecy component of the response label (if it is a disjunction of principals). Currently, self6 is always added to the whitelist. An example may be: WContent-Security-Policy: default-src 'self' http://google.com:80 https://a.lvh.me:3000;cqRemove anything from the response that could cause inadvertant declasification. Currently this only removes the  Set-Cookie header.S0Returns a secure Hails app such that the result Hz is guaranteed to be safe to transmit to the client's browser. The definition is straight forward from other middleware: secureApplication = 'browserLabelGuard' -- Return 403, if user should not read . 'sanitizeResp' -- Remove Cookies/CSP . 'guardSensitiveResp' -- Add CSP if not publicd9Catch all exceptions thrown by middleware and return 500.eExecute an application, safely filtering unsafe request headers, overriding method posts, catching all exceptions, and sanitizing responses.TSafely wraps a Hails B in a Wai UR that can be run by an application server. The application is executed with the S A. The function returns status 500 if the Hails application throws an exception and the label of the exception flows to the browser label (see a7); if the label does not flow, it responds with a 403.-All applications serve static content from a "static" directory.iNote: this function assumes that the request has already been sanitized. In most cases, you want to use e.VGet the browser label (secrecy of the user), request label (integrity of the user), and application privilege (minted with the app's cannonical name) O`QabcSdeTV      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMN89:ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdee`abcd O`QabcSdeTV Trustworthy2346 f%Reques type, wrapper for the conduit W.g!Perform a simple HTTP(S) request.hSame as g, but uses privileges.iSimple HTTP GET request.jSimple HTTP GET request.kSimple HTTP HEAD request.lSimple HTTP HEAD request.X6Check that current label can flow to label of request.YReturn the labels corresponding to the absolute URI of a request header. The created labels will have the scheme and authority (including port) in the secrecy componenet, and |True} in the integrity component for the read label (and the dual for write label). Specifically, the labels will have the form: =(< scheme://authority, |True >,< |True, scheme://authority >)EFor example, the read label of a request to "http://gitstar.com/" is: #< "http://gitstar.com:80" , |True>2while the read label of "https://gitstar.com:444/" %< "https://gitstar.com:444" , |True>aThis should be used for only for single-connection requests, where the absolute URL makes senes.mConvert a URL into a f.$This defaults some of the values in f%, such as setting method to GET and # to []. fgRequesth PrivilegeRequesti PrivilegeURLjk PrivilegeURLlXYmZ  !"#$%&'()      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNHIJKLfghijklm5f)('&%$#"! HIJKLmghjilk  fghijklXYmZ  Trustworthy [Type alias for \nCreates a 200 (OK) H/ with the given content-type and resposne body]6Helper to make responses with content-type "text/html"oCreates a 200 (OK) H; with content-type "text/html" and the given resposne bodyp.Given a URL returns a 301 (Moved Permanently) H redirecting to that URL.q&Given a URL returns a 303 (See Other) H redirecting to that URL.rReturns a 400 (Bad Request) H.s'Returns a 401 (Authorization Required) H4 requiring basic authentication in the given realm.tReturns a 403 (Forbidden) H.uReturns a 404 (Not Found) H.vReturns a 500 (Server Error) H. [n]opqrstuv nopqrstuv nopqrstuv [n]opqrstuv  Trustworthy24w Synonym for x3, the common case where the data parameter is '()'.xThe x type is a basic instance of z that simply holds the routing function and an arbitrary additional data parameter. In most cases this paramter is simply '()', hence we have a synonym for x '()' called w.. The power is derived from the instances of ^ and _S, which allow the simple construction of complex routing rules using either lists (_=) or do-notation. Moreover, because of it's simple type, any z can be used as a w (using } or by applying it to {G), making it possible to leverage the monadic or monoid syntax for any z.+Commonly, route functions that construct a w only inspect the M$ and other parameters. For example, ~ looks at the hostname:  routeHost :: Routeable r => S.ByteString -> r -> Route routeHost host route = Route func () where func req = if host == serverName req then runRoute route req else return Nothing 1However, because the result of a route is in the  ResourceT( monad, routes have all the power of an B and can make state-dependant decisions. For example, it is trivial to implement a route that succeeds for every other request (perhaps for A/B testing):  routeEveryOther :: (Routeable r1, Routeable r2) => MVar Int -> r1 -> r2 -> Route routeEveryOther counter r1 r2 = Route func () where func req = do i  -liftIO . modifyMVar $ i -Z let i' = i+1 in return (i', i') if i `N 2 == 0 then runRoute r1 req else runRoute r2 req zz4 types can be converted into a route function using {'. If the route is matched it returns a H , otherwise a. In general, zs are data-dependant (on the M&), but don't have to be. For example, B is an instance of z that always returns a H: X instance Routeable Application where runRoute app req = app req >>= return . Just { Run a routebjRoute handler is a fucntion from the path info, request configuration, and labeled request to a response.| Converts any z into an B. that can be passed directly to a WAI server.c'Create a route given the route handler.}5A route that always matches (useful for converting a z into a w).~!Matches on the hostname from the M.. The route only successeds on exact matches.?Matches if the path is empty. Note that this route checks that W_ is empty, so it works as expected when nested under namespaces or other routes that pop the W list.)Matches on the HTTP request method (e.g. , , )lRoutes the given URL pattern. Patterns can include directories as well as variable patterns (prefixed with :) to be added to X (see ) /posts/:id/posts/:id/new/:date/posts/:category/new=Matches if the first directory in the path matches the given  ByteString5Always matches if there is at least one directory in W but and adds a parameter to Xd where the key is the supplied variable name and the value is the directory consumed from the path.wxyz{b Path infoExtra query paramsRequest configurationLabeled request|c}~defghij wxyz{|}~ z{|wxy}~wxyz{b|c}~defghij  Trustworthyk Helper method/Matches the GET method on the given URL pattern0Matches the POST method on the given URL pattern/Matches the PUT method on the given URL pattern2Matches the DELETE method on the given URL pattern3Matches the OPTIONS method on the given URL patternkk  Trustworthy24 fMonad used to encode a REST controller incrementally. The return type is not used, hence always '()'.l5Monad used to encode a REST controller incrementally.m&Type used to encode a REST controller.nDefault state, returns 404 for all verbs.GET /POST / GET /:id/editGET /newGET /:idPUT /:id DELETE /:idlmopqrstuvnwx lmopqrstuvnwx Safe246 +A controller is simply a reader monad atop y with the z M as the environment.Get the underlying request.{Get the underlying request.;Get the query parameter mathing the supplied variable name.Produce a response.6Extract the body in the request (after unlabeling it).Get a request headerdRedirect back acording to the referer header. If the header is not present redirect to root (i.e., /).fRedirect back acording to the referer header. If the header is not present return the given response.{|}{|} Trustworthy User name.\Execute action with the current user's name. Otherwise, request that the user authenticate.Get the current user.Safe(nopqrstuvwxyz{|}~Unsafe+'Arbitrary binary blobA  PolicyLabeledS value can be either an unlabeled value for which the policy needs to be applied ( NeedPolicyTCB!), or an already labeled value ( HasPolicyTCB).  PolicyLabeled is a partially-opaque type; code should not be able to inspect the value of an unlabeleda value, but may inspect an already labeled value.Policy appliedPolicy was not applied An  HsonValue, is a top-level value that may either be a ; or a policy labeled value. The separation of values into  and c is solely due to the restriction that policy-labeled values may only occur at the top level and s may be nested (e.g. using  and ).Policy labeled value Bson valueA  BsonValue is a subset of BSON ( Data.Bson) values. Note that a  BsonValueO cannot contain any labeled values; all labeled values occur in a document as s. Correspondingly,  BsonValues may be arbitrarily nested.64-bit integer32-bit integerThe NULL valueTime stamp value Boolean valueObject Id valueBinary blob valueList of valuesInner document String value Float valueA field containing a named A field containing a named The name of a field.+A (possibly top-)level document containing s. A top-level document containing s.Strict ByeString~Convert  to a  Data.Bson Value . Note that  values are marshalled out as  Data.Bson  UserDefined values. This means that the  UserDefined0 type is reserved and exposing it as a type in : would potentially lead to leaks. Note that the label is NOT serialized, only the value. Hence, after marshalling such that back it is important that a policy is applied to label the field.Convert  to a  Data.Bson Value. Convert an  to a  Data.Bson Field.$Convert a top-level document (i.e., ) to a  Data.Bson Document3. This is the primary marshall-out function. All  values are marshalled out as  Data.Bson  UserDefined values. This means that the  UserDefined0 type is reserved and exposing it as a type in  would potentially lead to vulnerabilities in which labeled values can be marshalled in from well-crafted ByteStrings. Moreover, untrusted code should not have access to this function; having such access would allow it to inspect the serialized labeled values and thus violate IFC. Convert a  to a  Data.Bson Field. Convert a  to a  Data.Bson Document. Convert a  Data.Bson Field to . Convert a  Data.Bson Document to a .Convert  Data.Bson Value to a .Convert  Data.Bson Document to a . This is the top-level function that marshalls BSON documents to Hails documents. This function assumes that all documents have been marshalled out using . Otherwise, the  PolicyLabled: values that are created from the document may be forged. Convert a  Data.Bson Value to a . See .OHails internal field name for a policy labeled value (label part) (name part).@Hails internal prefix that is used to serialized labeled values. Convert a  Data.Bson Document to a policy labeled value..~$$ ~ Trustworthy &+23468M#Class used to (de)construct s Convert to  Convert from Class used to (de)construct s Convert to  Convert from Class used to define fields.2Given a name and Haskell value construct either a  or a [Class used to implement operations on documents that return Haskell values (as opposed to  or ).Same as  , but returns "unwrapped" value.Same as  , but returns "unwrapped" value.=Class used to implement operatoins on documents that return s or xs. The main role of this function is to impose the functional dependency between values and fields. As a consequence ing up and getting  in a  (resp. ) will return a  (resp. ). This eliminates the need to specify the end type of very query, but forces the programmer to cast between Hson and Bson values.3Find value of field in document, or fail not found.Same as , but s if the value is not found.Class used to define fields.*Given a name and value construct either a  or Get the field value.)Class for retrieving the name of a field.Get the name of a field. Synonym for 1Create a policy labeled value given an unlabeled .(Create a policy labeled value a labeled .CGet the policy labeled value, only if the policy has been applied.Only include fields specified.Exclude fields specified.WMerge documents with preference given to first one when both have the same field name.3Returns true if the document is composed solely of 1s. This function is useful when converting from  to .Convert  to Convert  to This is a relaxed version of ' that only converts fields containing s. In other words, the  values are dropped. Convert an  to a  . If any of the fields contain  values (i.e., are  values) this function Js, otherwise it returns the converted document. To check for failure use .Convert  to cConvert a labeled request to a labeled document. Values of fields that have a name that ends with []) are converted to arrays and the suffix [] is stripped from the name.Create a fresh ObjectId.From  Data.Bson(: Cast number to end type, if it "fits".^>>QUnsafe*+26B%.Exceptions thrown by invalid database queries.Execution of action failedPolicy module not foundCollection does not existA DBAction is the monad within which database actions can be executed, and policy modules are defined. The monad is simply a state monad with yS as monad as the underlying monad with access to a database system configuration (2, /, and )). The value constructor is part of the TCB? as to disallow untrusted code from modifying the access mode.>The database system state threaded within a Hails computation."Pipe to underlying database systemTypes of reads/write to perform3Database computation is currently executing against0Privilege of the policy module related to the DBA Database is a MongoDB database with an associated label and set of collections. The label is used to restrict access to the database. Since collection policies are specified by policy modules, every collection must alwaysT be associated with some database (and thereby, policy module); a policy module is not allowed to create a collection (and specify policies on it) in an arbitrary database. We allow for the existance of a collection to be secrect, and thus protect the set of collections with a label. Database nameLabel of database$Collections associated with databsae A labeled  set.The name of a database.A  FieldPolicy/ is a security policy associated with fields. SearchabelFieldJ specifies that the field can be referenced in the selection clause of a QueryM, and therefore only the collection label protects such fields. Conversely, , specifies a labeling policy for the field.Policy labeled field.Unlabeled, searchable field.AA collection policy contains the policy for labeling documents (W) at a coarse grained level, and a set of policies for labeling fields of a document ().)Specific fields can be associated with a ,, which allows the policy module to either:wExplicitly make a field publicly readable to anyone who can access the collection by declaring the field to be a , or+Label a field given the full documnet (see ).bFields that do not have an associated policy are (conceputally) labeled with the document label (e). Similarly, the labels on the label of a policy-labeled field is the document label created with . Note: the label on !s is solely the collection label.)The label on documents of the collection.-The policies associated with specific fields.A  Collection~ is a MongoDB collection name with an associated label, clearance and labeling policy. Access to the collection is restricted according to the collection label. Data inserted-to and retrieved-from the collection will be labeled according to the collection policy, with the guarantee that no data more sensitive than the collection clearance can be inserted into the collection.Collection nameCollection labelCollection clearanceCollection labeling policiesThe name of a collection.  Create a  , ignoring any IFC restrictions. Get the underlying state. Get the underlying state. 8Update the underlying state using the supplied function. hGiven a policy module's privileges, database name, pipe and access mode create the initial state for a %. The underlying database is labeled with the supplied privileges: both components of the label (secrecy and integrity) are set to the privilege description. In other words, only code that owns the policy module's privileges can modify the database configuration. Policy modules can use setDatabaseLabelP- to change the label of their database, and setCollectionMapLabelP+ to change the label of the collection map.NSet the label of the underlying database to the supplied label, ignoring IFC.NSet the label of the underlying database to the supplied label, ignoring IFC.>Associate a collection with underlying database, ignoring IFC.Lift a mongoDB action into the 7 monad. This function always executes the action with Database.MongoDB's access5. If the database action fails an exception of type  is thrown./ Collection nameCollection labelCollection clearanceCollection policy    New collection2*+,-./2     2     2/,-.+*      Trustworthy2Arbitrary monad that can perform database actions./Lift a database action into the database monad. A labeled .eExecute a database action returning the final result and state. In general, code should instead use . This function is primarily used by trusted code to initialize a policy module which may have modified the underlying database.5Execute a database action returning the final result.1Execute a database action with a "stack" context.]Get the underlying database. Must be able to read from the database as enforced by applying  to the database label. This is required because the database label protects the label on collections which can be projected given a  value.Same as 6, but uses privileges when raising the current label. *+,-./2$2/,-.+*Unsafe6BA policy module action (PMAction,) is simply a wrapper for database action (#). The wrapper is used to restrict appA code from specifying policies; only policy module may execute PMActionEs, and thus create collections, set a label on their databases, etc. Trustworthy3MPolicy type name. Has the form: E<Policy module package>:<Fully qualified module>.<Policy module type>3A policy module is specified as an instance of the  PolicyModule class. The role of this class is to define an entry point for policy modules. The policy module author should set up the database labels and create all the database collections in . It is these collections and corresponding policies that apps and other policy modules use when interacting with the policy module's database using *.<The Hails runtime system relies on the policy module's type pm to load the corresponding 3 when some code "invokes" the policy module using *\. In fact when a piece of code wishes to execute a database action on the policy module, *% first executes the policy module's  and passes the result (of type pm) to the invoking code. Observe that  has access to the policy module's privileges, which are passed in as an argument. This allows the policy module to encapsulate its privileges in its pm^ type and allow code it trusts to use its privileges when executing a database action using *g. Of course, untrusted code (which is usually the case) should not be allow to inspect values of type pm% to get the encapsulated privileges.Consider the example below: d module My.Policy ( MyPolicyModule ) where import LIO import LIO.DCLabel import Data.Typeable import Hails.PolicyModule -- | Handle to policy module, not exporting @MyPolicyModuleTCB@ data MyPolicyModule = MyPolicyModuleTCB DCPriv deriving Typeable instance PolicyModule MyPolicyModule where initPolicyModule priv = do -- Get the policy module principal: let this = privDesc priv -- Create label: l = dcLabel dcTrue -- Everybody can read this -- Only policy module can modify -- Label database and collection-set: labelDatabaseP priv l l -- Create collections: createCollectionP priv "collection1" ... createCollectionP priv "collection2" ... .... createCollectionP priv "collectionN" ... -- Return the policy module: return (MyPolicyModuleTCB priv)`Here the policy module labels the database, labels the list of collections and finally creates N8 collections. The computation returns a value of type MyPolicyModule which wraps the policy module's privileges. As a consequence, trustworthy code that has access to the value constructor can use the policy module's privileges: -- Trustworthy code within the same module (My.Policy) alwaysInsert doc = withPolicyModule $ \(MyPolicyModuleTCB priv) -> insertP priv "collection1" docHere  alwaysInsertf uses the policy module's privileges to insert a document into collection "collection1". As such, if docc is well-formed the function always succeeds. (Of course, such functions should not be exported.)XUntrusted code in a different module cannot, however use the policy module's privilege: -- Untrusted code in a separate module import My.Policy maybeInsertIntoDB appPriv doc = withPolicyModule $ (_ :: MyPolicyModule) -> insertP appPriv "collection1" doc&Depending on the privileges passed to maybeInsertIntoDB:, and set policies, the insertion may or may not succeed.Entry point for policy module. Before executing the entry function, the current clearance is "raised" to the greatest lower bound of the current clearance and the label "<"Policy module principal", |True>I, as to allow the policy module to read data labeled with its principal. Set the label of the underlying database. The supplied label must be bounded by the current label and clearance as enforced by V. Moreover the current computation mut write to the database, as enforce by applying ` to the current database label. The latter requirement suggests that every policy module use ! when first changing the label.!Same as  , but uses privileges when performing label comparisons. If a policy module wishes to allow other policy modules or apps to access the underlying databse it must use setDatabaseLabelP to "downgrade" the database label, which by default only allows the policy module itself to access any of the contents (including collection-set)."RThe collections label protects the collection-set of the database. It is used to restrict who can name a collection in the database and who can modify the underlying collection-set (e.g., by creating a new collection). The policy module may change the default collections label, which limits access to the policy module alone, using setCollectionSetLabel.PThe new label must be bounded by the current label and clearance as checked by . Additionally, the current label must flow to the label of the database which protects the label of the colleciton set. In most cases code should use #.#Same as "F, but uses the supplied privileges when performing label comparisons.$]This is the first action that any policy module should execute. It is simply a wrapper for ! and #b. Given the policy module's privilges, label for the database, and label for the collection-set labelDatabaseP accordingly sets the labels.% Create a o given a name, label, clearance, and policy. Several IFC rules must be respected for this function to succeed: The supplied collection label and clearance must be above the current label and below the current clearance as enforced by .xThe current computation must be able to read the database collection-set protected by the database label. The guard  is used to guarantee this and raise the current label (to the join of the current label and database label) appropriately.RThe computation must be able to modify the database collection-set. The guard b is used to guarantee that the current label is essentially equal to the collection-set label.4Note: the collection policy is modified to make the _id field explicitly a .&Same as %2, but uses privileges when performing IFC checks.'Returns  if the field policy is a .('Get the list of names corresponding to s.)This contains a map of all the policy modules. Specifically, it maps the policy moule types to a pair of the policy module principal and database name.For the trusted programmer:O The map itself is read from the file pointed to by the environment variable DATABASE_CONFIG_FILE[. Each line in the file corresponds to a policy module. The format of a line is as follows j("<Policy module package>:<Fully qualified module>.<Policy module type>", "<Policy module database name>")Example of valid line is: 7("my-policy-0.1.2.3:My.Policy.MyPolicyModule", "my_db");The principal used by Hails is the first projection with a "_"; suffix. In the above, the principal assigned by Hails is: -"_my-policy-0.1.2.3:My.Policy.MyPolicyModule"*This function is the used to execute database queries on policy module databases. The function firstly invokes the policy module, determined from the type pm, and creates a pipe to the policy module's database. The supplied database query function is then applied to the policy module. In most cases, the value of type pmF is opaque and the query is executed without additionally privileges. swithPolicyModule $ \(_ :: SomePolicyModule) -> do -- Perform database operations: insert, save, find, delete, etc.}Trustworthy code (as deemed by the policy module) may, however, be passed in additional privileges by encapsulating them in pm (see ).,1Execute a database action with a "stack" context.- Get the name of a policy module.Parse the access mode. slaveOk : slaveOk unconfirmedWrites : UnconfirmedWrites onfirmWrites <options> : ConfirmWrites [corresponding-options] _ : masterwhere options can be: fsync | journal | writes=<N>separated by ',', and N is an integer. Example: tHAILS_MONGODB_MODE = "slaveOk" HAILS_MONGODB_MODE = "confirmWrites: writes=3, journal" HAILS_MONGODB_MODE = "master" !Set of privilegesNew database label"#Set of privilegesNew collections label$Policy module privilgesDatabase labelCollections label%Collection nameCollection labelCollection clearanceCollection policy& PrivilegesCollection nameCollection labelCollection clearanceCollection policy'()*+,- !"#$%&'()*+,-,+$ !"#%&'(*-) !"#$%&'()*+,-Unsafe.A labeled cursor. The cursor is labeled with the join of the database and collection it reads from. The collection policies are "carried" along since they are applied on-demand.0 Cursor label1Internal MongoDB cursor2DProjector from query. Used to remove fields after performing query.3!Collection cursor is reading from./0123./0123./0123./0123 Trustworthy&+234M+4A document policy error.5Policy has been violated6Document is not "well-typed"7Class used to generalize insertion and saving of documents. Specifically, it permits reusing function names when inserting/saving both already-labeled and unlabeled documents. Minimal definition: : and =.8/Insert document into collection and return its _id value. When performing an inserti it is required that the computation be able to write to both the database and collection. To this end, 8 internally applies  on the database label and collection label. Of course, the computation must be able to name the collection in the database, and thus must be able to read the database collection map as verified by applying  to the collections label.WWhen inserting an unlabeled document, all policies must be succesfully applied using [- and the document must be "well-typed" (see [).When inserting an already-labeled document, the labels on fields and the document itself are compared against the policy-generated labels. Note that this approach allows an untrusted piece of code to insert a document it could not label according to the policy module.9Same as 8 except it does not return _id:Same as 8S, but uses privileges when applying the policies and performing label comparisons.;Same as : except it does not return the _id.<#Update a document according to its _id/ value. The IFC requirements subsume those of 8. Specifically, in addition to being able to apply all the policies and requiring that the current label flow to the label of the collection and database, save requires that the current label flow to the label of the existing database record (i.e, the existing document can be overwritten).=Same as <, but uses privileges when applying the policies and performing label comparisons. Note that a find is performed if the provided document contains an _idB field. This lookup does _not_ leak timing information since the _idv field is always searchable and thus solely protected by the collection label (which the computation is tainted by).>)Class used to simplicy the creation of a 'Selection'/'Query'. Specifically, ? can be used to create a SectionF in a straight foward manner, but similarly can be used to create a E with a set of default options.?.Given a selector and collection name create a E@. The resultant type depends on the use case, for example, in S select mySel myCol is a E , but in Y it is a @.@A Section is a D query on a . In other words, a  Selection? is the necessary information for performing a database query.BSelection query.CCollection to perform query on.D%Filter for a query, analogous to the WHERE clause in SQL. []4 matches all documents in collection. For example, [x  a, y  b] is analogous to WHERE x = a AND y = b in SQL.Note: only s of Ds may be used in selections, and thus all other fields are ignored.ETUse select to create a basic query with defaults, then modify if desired. Example: (select sel col) {limit =: 10}Z. For simplicity, and since policies may be specified in terms of arbitrary fields, The H and L fields are restricted to  s, or the "_id" field that is implicitly a .GQuery options, default [].HWHERE clause,default []. Non- s ignored.IThe fields to project. Default [] corresponds to all.J'Number of documents to skip, default 0.K?Max number of documents to return. Default, 0, means no limit.L$Sort result by given order, default []. Non- s ignored.McThe number of document to return in each batch response from the server. 0 means MongoDB default.N)Force mongoDB to use this index, default [], no hint. Non- s ignored.OSorting fields in Q ending or P ending order.PDescending orderQAscending orderR Get the field name in the order.=Save or insert document. This function is used to check that: AThe current computation can write to the database and collection.WThe labeled document is properly labeled: all policy-labeled fields have the label as if generated by the policy, the document label flows to the policy-generated label, and the document is well-typed (i.e., searchables are not policy labeled, etc.). Moreover all labels are checked to be below the collection clearance by  withColletion.After the check the supplied function is applied to the policy-labeled document (which should be the same as the supplied document, except for possibly the document label.)S,Fetch documents satisfying query. A labeled .8 is returned, which can be used to retrieve the actual s. For this function to succeed the current computation must be able to read from the database and collection (implicilty the database's collection-set). This is satisfied by applying n to the join join of the collection, database, and ccollection-set label. The curor label is labeled by the  upperBoundI of the database and collection labels and must be used within the same withPolicyModule block.^Note that this function is quite permissive in the queries it accepts. Specifically, any non- s used in L, order, or N are ignored( (as opposed to throwing an exception).TSame as SE, but uses privileges when reading from the collection and database.U Return next  in the query result, or aY if finished. Note that the current computation must be able to read from the labeled .. To enforce this, next uses > to raise the current label to join of the current label and  'Cursor'\'Hs label. The returned document is labeled according to the underlying  policy.VSame as U6, but usess privileges when raising the current label.W.Fetch the first document satisfying query, or a% if not documents matched the query.XSame as W9, but uses privileges when performing label comparisons.YDelete documents according to the selection. It must be that the current computation can overwrite the existing documents. That is, the current label must flow to the label of each document that matches the selection.ZSame as Y, but uses privileges.#Convert a query to queries used by Database.Mongo)Convert a selection to selection used by Database.MongoPerform an action against a collection. The current label is raised to the join of the current label, database label and collection-set label before performing the action. If the isWrite5 flag, this action is taken as a database write and 2 is applied to the database and collection labels.[Apply a collection policy the given document, using privileges when labeling the document and performing label comparisons. The labeling proceeds as follows:If two fields have the same N, only the first is kept. This filtering is only perfomed at the top level.Each policy labeled value () is labled if the policy has not been applied. If the value is already labeled, then the label is checked to be equivalent to that generated by the policy. In both cases a failure results in 5Q being thrown; the actual error must be hidden to retain the opaqueness of .Note: For each  FieldNamed in the policy there must~ be a field in the document corresponding to it. Moreover its "type" must be correct: all policy labeled values must be - values and all searchable fields must be s. The _id! field is always treated as a .^The resulting document (from the above step) is labeled according to the collection policy.The labels on [ values and the document must be bounded by the current label and clearance as imposed by . Additionally, these labels must flow to the label of the collection clearance. (Of course, in both cases privileges are used to allow for more permissive flows.)\KThis function "type-checks" a document against a set of policies. Specifically, it checks that the set of policy labeled values is the same between the policy and document, searchable fields are not policy labeled, and all searchable/policy-labeled fields named in the collection policy are present in the document (except for _id).2456789:;<=>?@ABCDEFGHIJKLMNOPQR PrivilegesCollection to insert/save toOriginal documentkInsert/save actionSTUVWXYZ[ PrivilegesCollection and policiesDocument to apply policies to\60134567.0456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\7789:;<=>?@ABCDEFGHIJKLMN7345601OQPR.00STUVWXZY[465\465789:;<=>?@ABCDE FGHIJKLMNOQPRSTUVWXYZ[\ Trustworthy0134567*.0456789:;<=>?@ABCDEFGHIJKLMNOPQSTUVWXYZO*465789:;<=STUVWX.00>?@ABCDEFGHIJKLMN7345601OQPYZ Trustworthy+2468B0eException thrown if a policy cannot be "compiled" or if we deternmine that it's faulty at "runtime".#Policy expression composition monad[Policy expression may contain a databse expression, or a number of collection expressions.Internal state of policyType representing a policy%Database expression composition monadbCollection expression may contain an access label expression, a collection label expression, etc.Internal state of collection*Type representing a collection expression. collection "w00t" $ do access $ do readers ==> "Alice" \/ "Bob" writers ==> "Alice" clearance $ do secrecy ==> "Users" integrity ==> "Alice" document $ \doc -> do readers ==> unrestricted writers ==> "Alice" \/ (("name" `at`doc) :: String) field "name" searchable field "password" $ labeled $ \doc -> do readers ==> (("name" `at`doc) :: String) writers ==> (("name" `at`doc) :: String)#Field expression composition monad.+Labeled field expression composition monad.>Labeled field expression solely contains a list of components.7Type representing a collection field policy expression. field "name" searchable field "password" $ labeled $ \doc -> do readers ==> (((T.pack "name") `at`doc) :: String) writers ==> (((T.pack "name") `at`doc) :: String)%Document expression composition monad9Document expression solely contains a list of components.&A Label expression has two components.9Type representing a collection document label expression. Jdocument $ \doc -> do readers ==> "Alice" \/ "Bob" writers ==> "Alice"%Database expression composition monad7Clress expression solely contains a list of components.:Type representing a collection clearance label expression. Cclearance $ do readers ==> "Alice" \/ "Bob" writers ==> "Alice"#Access expression composition monad7Access expression solely contains a list of components.7Type representing a collection access label expression. @access $ do readers ==> "Alice" \/ "Bob" writers ==> "Alice"%Database expression composition monad9Database expression solely contains a list of components.)Type representing a database expression. Xdatabase $ do readers ==> "Alice" \/ "Bob" writers ==> "Alice" admins ==> "Alice"'Class used for creating micro policies.]r ==> c effectively states that role r (i.e., _, a, c must imply label component c).^tInverse implication. Purely provided for readability. The direction is not relevant to the internal representation.Used when setting integrity component of the collection-set label, i.e., the principals/administrators that can modify a database's underlying collections.Type denoting writers.Type denoting readers._HSet secrecy component of the label, i.e., the principals that can read.`HSet secrecy component of the label, i.e., the principals that can read.aKSet integrity component of the label, i.e., the principals that can write.bKSet integrity component of the label, i.e., the principals that can write.c Synonym for .d\Create a database lebeling policy The policy must set the label of the database, i.e., the _ and a". Additionally it must state the c/ that can modify the underlying collection-set For example, the policy ndatabase $ do readers ==> "Alice" \/ "Bob" \/ "Clarice" writers ==> "Alice" \/ "Bob" admins ==> "Alice"pstates that Alice, Bob, and Clarice can read from the database, including the collections in the database (the _ is used as the secrecy component in the collection-set label). Only Alice or Bob may, however, write to the database. Finally, only Alice can add additional collections in the policy module code.e0Set the underlying field to be a searchable key.  field "name" searchablef Synonym for eg!Set data-dependent document label  field "password" $ labeled $ \doc -> do readers ==> (("name" `at`doc) :: String) writers ==> (("name" `at`doc) :: String)h-Set the collection access label. For example, ccollection "w00t" $ do ... access $ do readers ==> "Alice" \/ "Bob" writers ==> "Alice"states that Alice and Bob can read documents from the collection, but only Alice can insert new documents or modify existing ones.i*Set the collection clearance. For example, hcollection "w00t" $ do ... clearance $ do secrecy ==> "Alice" \/ "Bob" integrity ==> "Alice"states that all data in the collection is always readable by Alice and Bob, and no more trustworthy than data Alice can create.j/Set data-dependent document label. For example, collection "w00t" $ do ... document $ \doc -> do readers ==> 'unrestricted' writers ==> "Alice" \/ (("name" `at`doc) :: String)sstates that every document in the collection is readable by anybody, and only Alice or the principal named by the name7 value in the document can modify or insert such data.k2Set field policy. A field can be declared to be a e key or a g value.Declaring a field to be a e key is straight forward: 6collection "w00t" $ do ... field "name" searchableThe g% field declaration is similar to the j= policy, but sets the label of a specific field. For example collection "w00t" $ do ... field "password" $ labeled $ \doc -> do let user = "name" `at` doc :: String readers ==> user writers ==> userstates that every passwordN field in the is readable and writable only by or the principal named by the name7 value of the document can modify or insert such data.l-Set the collection labels and policies. Each  collection", must at least specify who can h the collection, what the i+ of the data in the collection is, and how j9s are labeled. Below is an example that also labels the password field and declares name a searchable key. collection "w00t" $ do access $ do readers ==> "Alice" \/ "Bob" writers ==> "Alice" clearance $ do secrecy ==> "Users" integrity ==> "Alice" document $ \doc -> do readers ==> 'unrestricted' writers ==> "Alice" \/ (("name" `at`doc) :: String) field "name" searchable field "password" $ labeled $ \doc -> do readers ==> (("name" `at`doc) :: String) writers ==> (("name" `at`doc) :: String)Compile a policy.m0High level function used to set the policy in a _. This function takes the policy module's privileges and a policy expression, and produces a  that sets the policy._     ]^_`abcdefghijklmn !"#$%&'()*+,-./]^_`abcdefghijklmnm_`abnc]^dlhijkefgA     ]^_`abcdefghijklmn !"#$%&'()*+,-./]^ TrustworthyMp8Typically, the action should expand a principal such as #group to list of group members  [alice, bob].r<Given the policy module (which is used to invoke the right pB function) and labeled value, relabel the value according to the oo of the policy module. Note that the first argument may be bottom since it is solely used for typing purposes.opUnused type-enforcing paramPolicy module privsGroup(Policy module, group members) | Endorse the implementation of this instance. Note that this is reduced to WHNF to catch invalid instances that use 0.Example implementation: NgroupsInstanceEndorse _ = MyPolicyModuleTCB {- Leave other values undefined -}qr Policy moduleLabelopqropqropqr Trustworthy23468Ms*Class used by a policy module to translate a labeled record to a labeled document. Since the insert and save functions use the policy module's privileges, only the policy module should be allowed to create an instance of this class. Thus, we leverage the fact that the value constructor for a \ is not exposed to untrusted code and require the policy module to create such a value in x.. The minimal implementation needs to define x.t*Insert a labeled record into the database.u)Insert a labeled record into the databasevSame as t , but using explicit privileges.wSame as u , but using explicit privileges.xtEndorse the implementation of this instance. Note that this is reduced to WHNF to catch invalid instances that use 0.Example implementation: LendorseInstance _ = MyPolicyModuleTCB {- May leave other values undefined -}ynClass for converting from "structured" records to documents (and vice versa). Minimal definition consists of {, z, and |B. All database operations performed on the collection defined by |.zConvert a document to a record{Convert a record to a document|&Get the collection name for the record}Find an object with matching value for the given key. If the object does not exist or cannot be read (its label is above the clearance), this returns a.~Find an object with given query!Insert a record into the databaseUpdate a record in the databaseSame as }, but uses privileges. Same as ~, but uses privileges. Same as , but uses privileges. Same as , but uses privileges. [Find all records that satisfy the query and can be read, subject to the current clearance.Same as , but uses privileges.+Convert labeled record to labeled document.Uses the policy modules's privileges to convert a labeled record to a labeled document, if the policy module created an instance of s.*Convert labeled document to labeled recordUses the policy modules's privileges to convert a labeled document to a labeled record, if the policy module created an instance of s.1Get the type of a 2 valuestuvwxyz{|}~Labeled record1stuvwxyz{|}~yz{|}~stuvwx stuvwxy z{|}~13 !"!#!$!%!&!'!(!)!*!+!,!-!.!/!0!1!2!3!4!5!6!7!8!9!:!;!<!=!>!?!@!A!B!C!D!E!F!G!HIJKIJLIJMIJNIJOIJPIJQIJRISTISUISVISWISXISYZ[\Z[]Z[^_`abcdefgghijkklmnoopqrstBuvwCAxyz{|}~o               !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTTUVWXXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ko      !"#$%&'()*+,-./0123456789:;<=>?@ABCCDEDFDGDHDIDJDKDLDMDNDODPDQDRDSDTDUDVDWDXDXDYDZD[\]\^\_\`\a\b\bcdefghijklmfn!oopq rdsf tuvwuxyuz{u|} ~                      hih   uvIJhhhhh      !"#$%&'(   )*+,-./0123456789:;<u=>?hi@Ahails-0.11.2.1Hails.Data.Hson.TCBHails.HttpClientHails.Database.TCBHails.Database.QueryHails.HttpServer.Types Hails.VersionHails.HttpServer.AuthHails.HttpServerHails.Web.ResponsesHails.Web.RouterHails.Web.FrankHails.Web.RESTHails.Web.ControllerHails.Web.UserHails.Data.HsonHails.Database.CoreHails.PolicyModule.TCBHails.PolicyModuleHails.Database.Query.TCBHails.PolicyModule.DSLHails.PolicyModule.GroupsHails.Database.Structured Paths_hails Hails.WebHails.Database bson-0.3.1 Data.BsonOidObjectIdhttp-client-0.4.11.1Network.HTTP.Client.RequestapplyBasicAuthNetwork.HTTP.Client.TypesStatusCodeExceptionInvalidUrlExceptionTooManyRedirectsUnparseableRedirectTooManyRetriesHttpParserExceptionHandshakeFailedOverlongHeadersResponseTimeoutFailedConnectionExceptionFailedConnectionException2ExpectedBlankAfter100ContinueInvalidStatusLine InvalidHeaderInternalIOExceptionProxyConnectExceptionNoResponseDataReceived TlsExceptionTlsNotSupportedResponseBodyTooShortInvalidChunkHeadersIncompleteHeadersInvalidDestinationHostHttpZlibExceptionInvalidProxyEnvironmentVariable!ResponseLengthAndChunkingBothUsed HttpException checkStatus redirectCount decompressrawBody requestBodyrequestHeaders queryStringpathporthostsecuremethod mongoDB-2.0.4Database.MongoDB.QueryslaveOkmaster ReadStaleOkUnconfirmedWrites ConfirmWrites AccessModeLimit BatchSize"Database.MongoDB.Internal.ProtocolPipeTailableCursorNoCursorTimeout AwaitDataPartial QueryOptionwai-extra-2.1.1.3Network.Wai.Parse UrlEncoded MultipartRequestBodyTypeversion devBasicAuth personaAuth openIdAuthrequireLoginMiddleware externalAuth Middleware Application RequestConfig browserLabel requestLabel appPrivilegeResponse respStatus respHeadersrespBodyRequest requestMethod httpVersion rawPathInforawQueryString serverNameisSecure remoteHostpathInfo requestTimegetRequestBodyTypeaddRequestHeaderremoveRequestHeaderaddResponseHeaderremoveResponseHeadersanitizeReqMiddlewarebrowserLabelGuardguardSensitiveResp sanitizeRespcatchAllExceptionsexecHailsApplication simpleHttp simpleHttpPsimpleGetHttpP simpleGetHttpsimpleHeadHttpPsimpleHeadHttpparseUrlokokHtmlmovedTo redirectTo badRequestrequireBasicAuth forbiddennotFound serverErrorRouteRouteM RouteablerunRoutemkRouterrouteAll routeHostrouteTop routeMethod routePattern routeNamerouteVargetpostputdeleteoptionsRESTControllerindexcreateeditnewshowupdate ControllerControllerState csRequest csPathParams csReqConfigrequest requestConfigappPriv queryParamrespondbody requestHeader redirectBackredirectBackOrUserNamewithUserOrDoAuth getHailsUserBinaryunBinary PolicyLabeled HasPolicyTCB NeedPolicyTCB HsonValue HsonLabeled BsonValue BsonInt64 BsonInt32BsonNullBsonUTCBsonBool BsonObjIdBsonBlob BsonArrayBsonDoc BsonString BsonFloat HsonField BsonField FieldName BsonDocument HsonDocumentS8hsonDocToDataBsonDocTCBbsonDocToDataBsonDocTCBdataBsonDocToHsonDocTCBdataBsonValueToHsonValueTCBadd__hails_prefixHsonVal toHsonValue fromHsonValueBsonVal toBsonValue fromBsonValueGenField-: DocValOpslookupatDocOpslookvalueAt serializeField=: fieldValueIsField fieldNameDocument needPolicy hasPolicygetPolicyLabeledincludeexcludemerge isBsonDocbsonDocToHsonDocbsonFieldToHsonFieldhsonDocToBsonDochsonDocToBsonDocStrictlabeledRequestToHson genObjectIdDBError ExecFailureUnknownPolicyModuleUnknownCollectionDBAction DBActionTCB unDBAction DBActionStateDBActionStateTCB dbActionPipe dbActionMode dbActionDB dbActionPrivDatabase DatabaseTCB databaseName databaseLabeldatabaseCollections CollectionSet DatabaseName FieldPolicySearchableFieldCollectionPolicydocumentLabelPolicyfieldLabelPolicies Collection CollectionTCBcolNamecolLabel colClearance colPolicyCollectionName collectionTCBgetActionStateTCBputActionStateTCBupdateActionStateTCBmakeDBActionStateTCBsetDatabaseLabelTCBsetCollectionSetLabelTCBassociateCollectionTCBexecMongoActionTCBMonadDBliftDBLabeledHsonDocument runDBAction evalDBAction withDBContext getDatabase getDatabasePPMAction PMActionTCB unPMActionTCBTypeName PolicyModuleinitPolicyModulesetDatabaseLabelsetDatabaseLabelPsetCollectionSetLabelsetCollectionSetLabelPlabelDatabasePcreateCollectioncreateCollectionPisSearchableFieldsearchableFieldsavailablePolicyModuleswithPolicyModulewithPMClearanceP withPMContextpolicyModuleTypeNameCursor CursorTCBcurLabel curInternal curProject curCollection PolicyErrorPolicyViolation TypeError InsertLikeinsertinsert_insertPinsertP_savesavePSelectselect SelectionselectionSelectorselectionCollectionSelectorQuery selectionprojectskiplimitsort batchSizehintOrderDescAsc orderNamefindfindPnextnextPfindOnefindOnePdeletePapplyCollectionPolicyPtypeCheckDocument==><==readerssecrecywriters integrityadminsdatabase searchablekeylabeledaccess clearancedocumentfield collection setPolicy unrestrictedGroupsgroupsgroupsInstanceEndorse labelRewriteDCLabeledRecordinsertLabeledRecordsaveLabeledRecordinsertLabeledRecordPsaveLabeledRecordPendorseInstanceDCRecord fromDocument toDocumentrecordCollectionfindBy findWhere insertRecord saveRecordfindByP findWhereP insertRecordP saveRecordPfindAllfindAllPtoLabeledDocumenttoLabeledDocumentPfromLabeledDocumentfromLabeledDocumentPcatchIObindirlibdirdatadir libexecdir sysconfdir getBinDir getLibDir getDataDir getLibexecDir getSysconfDirgetDataFileName wai-2.1.0.3Network.Wai.InternalgetBasicAuthUser requestToUrihttp-types-0.8.6Network.HTTP.Types.HeaderHeaderrenderByteRangesrenderByteRangesBuilderrenderByteRangerenderByteRangeBuilder hUserAgenthServerhRefererhRange hLocation hLastModifiedhIfRangehIfModifiedSincehDatehCookie hContentType hContentMD5hContentLengthhContentEncoding hConnection hCacheControlhAuthorizationhAcceptLanguagehAccept HeaderNameRequestHeadersResponseHeaders ByteRangeFromByteRangeFromToByteRangeSuffix ByteRange ByteRangesNetwork.HTTP.Types.MethodrenderStdMethod renderMethod parseMethod methodPatch methodOptions methodConnect methodTrace methodDelete methodPut methodHead methodPost methodGetMethodGETPOSTHEADPUTDELETETRACECONNECTOPTIONSPATCH StdMethodNetwork.HTTP.Types.QueryLiketoQuery QueryLikeNetwork.HTTP.Types.StatusstatusIsServerErrorstatusIsClientErrorstatusIsRedirectionstatusIsSuccessfulstatusIsInformationalhttpVersionNotSupported505 status505gatewayTimeout504 status504serviceUnavailable503 status503 badGateway502 status502notImplemented501 status501internalServerError500 status500 imATeaPot418 status418expectationFailed417 status417requestedRangeNotSatisfiable416 status416unsupportedMediaType415 status415requestURITooLong414 status414requestEntityTooLarge413 status413preconditionFailed412 status412lengthRequired411 status411gone410 status410 conflict409 status409requestTimeout408 status408proxyAuthenticationRequired407 status407notAcceptable406 status406methodNotAllowed405 status405 notFound404 status404 forbidden403 status403paymentRequired402 status402unauthorized401 status401 badRequest400 status400temporaryRedirect307 status307 useProxy305 status305notModified304 status304 seeOther303 status303found302 status302movedPermanently301 status301multipleChoices300 status300partialContent206 status206resetContent205 status205 noContent204 status204nonAuthoritative203 status203 accepted202 status202 created201 status201ok200 status200switchingProtocols101 status101 continue100 status100mkStatus statusMessage statusCodeStatusNetwork.HTTP.Types.URI decodePath encodePath extractPathdecodePathSegmentsencodePathSegmentsRelativeencodePathSegments urlDecode urlEncodeurlEncodeBuilderparseSimpleQuery parseQueryrenderSimpleQuery renderQueryrenderQueryBuildersimpleQueryToQueryparseQueryTextqueryToQueryTextrenderQueryTextqueryTextToQuery QueryItem QueryTextSimpleQueryItem SimpleQueryNetwork.HTTP.Types.Versionhttp11http10http09 httpMinor httpMajor HttpVersion waiToHailsReqbytestring-0.10.4.0Data.ByteString.Lazy.Internal ByteStringhailsToWaiResponse lio-0.11.5.0 LIO.DCLabeldcPublicsecureApplicationhailsApplicationToWai Network.WaigetRequestConfguardWriteURLP labelOfReq$fMonadThrowLIO ContentTypeData.ByteString.InternalmkHtmlResponsebaseGHC.BaseMonad Data.MonoidMonoidGHC.Realmod Data.MaybeNothing RouteHandlermroute$fRouteableRouteM$fMonoidRouteM$fApplicativeRouteM$fFunctorRouteM $fMonadRouteM$fRouteableResponse$fRouteable(->) frankMethodRESTControllerMRESTControllerStatedefaultRESTControllerState restIndexrestShow restCreate restUpdate restDeleterestEditrestNew$fRouteableStateT$fRouteableRESTControllerStateDCLIO.TCBLabeled pathParams$fRouteableReaderT$fMonadLIODCLabelReaderThsonToDataBsonTCBbsonToDataBsonTCBhsonFieldToDataBsonFieldTCBbsonFieldToDataBsonFieldTCBdataBsonFieldToBsonFieldTCBdataBsonDocToBsonDocTCBdataBsonToBsonTCB__hails_HsonLabeled_valuemaybePolicyLabeledTCB$fShowPolicyLabeled$fOrdPolicyLabeled$fEqPolicyLabeledfailhsonFieldToBsonFieldfitInt$fHsonValLabeled $fShowLabeled$fHsonValPolicyLabeled$fHsonValBsonValue$fHsonValInteger $fHsonValInt$fHsonValInt64$fHsonValInt32$fHsonValMaybe$fHsonValMaybe0$fHsonValUTCTime $fHsonValBool$fHsonValObjectId$fHsonValBinary $fHsonVal[] $fHsonVal[]0 $fHsonVal[]1 $fHsonVal[]2 $fHsonValText$fHsonValFloat$fHsonValDouble$fHsonValHsonValue$fBsonValInteger $fBsonValInt$fBsonValInt64$fBsonValInt32$fBsonValMaybe$fBsonValMaybe0$fBsonValUTCTime $fBsonValBool$fBsonValObjectId$fBsonValBinary $fBsonVal[] $fBsonVal[]0 $fBsonVal[]1$fBsonValByteString$fBsonValByteString0 $fBsonVal[]2 $fBsonValText$fBsonValFloat$fBsonValDouble$fGenFieldvHsonField$fGenFieldvBsonField$fDocValOps[]v$fDocValOps[]v0$fDocOpsBsonValueBsonField$fDocOpsHsonValueHsonField$fShowTCBPolicyLabeled$fShowTCBHsonValue$fShowHsonValue$fShowBsonValue$fFieldHsonValueHsonField$fFieldBsonValueHsonField$fFieldBsonValueBsonField$fIsFieldHsonField$fIsFieldBsonField$fShowHsonField$fShowBsonFieldFailure$fExceptionDBError$fMonadLIODCLabelDBAction$fOrdCollection$fEqCollectionLIO.Coretaint$fMonadDBDBAction$fMonadDBPMAction$fMonadLIODCLabelPMAction guardAlloc guardWriteghc-prim GHC.TypesTrue parseModegle_opts gle_opt_fsyncgle_opt_journal gle_opt_write$guardInsertOrSaveLabeledHsonDocumentqueryToMongoQueryTCBselectionToMongoSelectionTCBwithCollection guardWriteP guardAllocP$fExceptionPolicyError$fInsertLikeLabeled$fInsertLike[] $fSelectQuery$fSelectSelectionPolicySpecificiationError PolicyExpM PolicyExpS PolicyExpT PolicyExpColExpMColExpSColExpTColExp ColFieldExpMColLabFieldExpMColLabFieldExpS ColFieldExp ColDocExpM ColDocExpSLabelExp ColDocExp ColClrExpM ColClrExpS ColClrExp ColAccExpM ColAccExpS ColAccExpDBExpMDBExpSDBExpRoleAdminsWritersReaders runPolicyPolicyRuntimeErrorPolicyCompileError PolicyColExpT PolicyDBExpTColFldTColDocTColClrTColAccTColLabFieldExpColFieldSearchable fromRight$$fExceptionPolicySpecificiationError$fRoleWritersMapColLabFieldExpM$fRoleReadersMapColLabFieldExpM$fShowColFieldExp$fRoleWritersMapColDocExpM$fRoleReadersMapColDocExpM$fShowColDocExp$fRoleWritersMapColClrExpM$fRoleReadersMapColClrExpM$fRoleWritersMapColAccExpM$fRoleReadersMapColAccExpM$fRoleAdminsMapDBExpM$fRoleWritersMapDBExpM$fRoleReadersMapDBExpM $fShowAdmins $fShowWriters $fShowReadersGHC.Err undefined forceType DCLabeled