Basic HTTP authentication middleware for development. Accepts any username and password.

Authenticate a user with Mozilla's Persona. If the X-Hails-Persona-Login header is set, this intercepts the request and verifies the identity assertion supplied in the request body. If the authentication is successful, set the _hails_user and _hails_user_hmac cookies to identify the user. The former contains the user email address, the latter contains the MAC that is used for verification in later requests. If the X-Hails-Persona-Logout header is set, this intercepts the request and deletes the aforementioned cookies. If the app wishes the user to authenticate (by setting X-Hails-Login) this redirects to audience/login -- where the app can call navigator.request().

Perform OpenID authentication.

Executes the app and if the app has header X-Hails-Login and the user is not logged in, respond with an authentication response (Basic Auth, redirect, etc.)

Get the headers from a response.

Helper method for implementing basic authentication. Given a  returns the usernamepair from the basic authentication header if present.

Given a request and path, extract the scheme, hostname and port from the request and create a URI scheme:hostname[:port]/path.

Convenience type for middleware components.

Base Hails type implemented by untrusted applications.

The settings with which the app will run.

The label of the browser the response will be sent to.

The label of the incoming request (with the logged in user's integrity).

A privilege minted for the app.

A response sent by the app.
Response status

Response headers

Response body

A request sent by the end-user.

HTTP Request (e.g., GET, POST, etc.).

HTTP version (e.g., 1.1 or 1.0).

Extra path information sent by the client.

If no query string was specified, this should be empty. This value will include the leading question mark. Do not modify this raw value; modify queryString instead.

Generally the host requested by the user via the Host request header. Backends are free to provide alternative values as necessary. This value should not be used to construct URLs.

The listening port that the server received this request on. It is possible for a server to listen on a non-numeric port (i.e., Unix named socket), in which case this value will be arbitrary. Like the host, this value should not be used in URL construction.

The request headers.

Was this request made over an SSL connection?

The client's host information.

Path info in individual pieces: the URL without a hostname/port and without a query string, split on forward slashes.

Parsed query string information

Lazy ByteString containing the request body.

Time request was received.

Get the request body type (copied from wai-extra).

Add/replace a header to the response.

Remove a header (if it exists) from the response.

Convert a WAI request to a Hails request by consuming the body into a  . The request time is set to the current time at the time this action is executed (which is when the app is invoked).

Convert a Hails response to a WAI  .

Hails middleware that ensures the response from the application is readable by the client's browser (as determined by the result label of the app computation and the label of the browser). If the response is not readable by the browser, the middleware sends a 403 (unauthorized) response instead.

Adds the header X-Hails-Label to the response.
If the label of the computation does not flow to the public label, the JSON field isPublic is set to true, otherwise it is set to true and the JSON label is set to the secrecy component of the response label (if it is a disjunction of principals is added). An example may be:

    X-Hails-Label = { isPublic: true }

or

    X-Hails-Label = { isPublic: false, label : ["http://google.com:80", "alice"] }

Remove anything from the response that could cause inadvertent declassification. Currently this only removes the Set-Cookie header.

Returns a secure Hails app such that the result response is guaranteed to be safe to transmit to the client's browser. The definition is straightforward from other middleware:

    secureApplication = browserLabelGuard  -- Return 403, if user should not read
                      . guardSensitiveResp -- Add X-Hails-Sensitive if not public
                      . sanitizeResp       -- Remove Cookies

Catch all exceptions thrown by middleware and return 500.

A default Hails handler for development environments. Safely runs a Hails application, using basic HTTP authentication for authenticating users. Note: authentication will accept any username/password pair, it is solely used to set the user-name.

Safely wraps a Hails application in a Wai  that can be run by an application server. The application is executed with the  middleware. The function returns status 500 if the Hails application throws an exception and the label of the exception flows to the browser label (see browserLabelGuard); if the label does not flow, it responds with a 403.

All applications serve static content from a "static" directory.

Get the browser label (secrecy of the user), request label (integrity of the user), and application privilege (minted with the app's canonical name)

Request type, wrapper for the conduit  .

Perform a simple HTTP(S) request.

Same as  , but uses privileges.

Simple HTTP GET request.
Simple HTTP GET request.

Simple HTTP HEAD request.

Simple HTTP HEAD request.

Check that current label can flow to label of request.

Return the labels corresponding to the absolute URI of a request header. The created labels will have the scheme and authority (including port) in the secrecy component, and |True in the integrity component for the read label (and the dual for write label). Specifically, the labels will have the form:

    (< scheme://authority, |True >, < |True, scheme://authority >)

For example, the read label of a request to "http://gitstar.com/" is:

    < "http://gitstar.com:80" , |True>

while the read label of "https://gitstar.com:444/" is:

    < "https://gitstar.com:444" , |True>

This should be used only for single-connection requests, where the absolute URL makes sense.

Convert a URL into a request. This defaults some of the values in the request, such as setting method to GET and  to [].

Type alias for  .

Creates a 200 (OK) response with the given content-type and response body.

Helper to make responses with content-type "text/html".

Creates a 200 (OK) response with content-type "text/html" and the given response body.

Given a URL returns a 301 (Moved Permanently) response redirecting to that URL.

Given a URL returns a 303 (See Other) response redirecting to that URL.

Returns a 400 (Bad Request) response.

Returns a 401 (Authorization Required) response requiring basic authentication in the given realm.

Returns a 403 (Forbidden) response.

Returns a 404 (Not Found) response.

Returns a 500 (Server Error) response.

Synonym for  , the common case where the data parameter is '()'.

The  type is a basic instance of Routeable that simply holds the routing function and an arbitrary additional data parameter.
In most cases this parameter is simply '()', hence we have a synonym for  '()' called Route. The power is derived from the instances of  and  , which allow the simple construction of complex routing rules using either lists () or do-notation. Moreover, because of its simple type, any Routeable can be used as a Route (using the always-matching route or by applying it to runRoute), making it possible to leverage the monadic or monoid syntax for any Routeable.

Commonly, route functions that construct a Route only inspect the request and other parameters. For example, routeHost looks at the hostname:

    routeHost :: Routeable r => S.ByteString -> r -> Route
    routeHost host route = Route func ()
      where func req = if host == serverName req
                         then runRoute route req
                         else return Nothing

However, because the result of a route is in the ResourceT monad, routes have all the power of an application and can make state-dependent decisions. For example, it is trivial to implement a route that succeeds for every other request (perhaps for A/B testing):

    routeEveryOther :: (Routeable r1, Routeable r2)
                    => MVar Int -> r1 -> r2 -> Route
    routeEveryOther counter r1 r2 = Route func ()
      where func req = do
              -- Increment the shared counter and read back the new value
              i <- liftIO . modifyMVar counter $ \i ->
                     let i' = i+1
                     in return (i', i')
              if i `mod` 2 == 0
                then runRoute r1 req
                else runRoute r2 req

Routeable types can be converted into a route function using runRoute. If the route is matched it returns a response, otherwise Nothing.

In general, Routeables are data-dependent (on the request), but don't have to be. For example, the application type is an instance of Routeable that always returns a response:

    instance Routeable Application where
      runRoute app req = app req >>= return . Just

Run a route

Route handler is a function from the path info, request configuration, and labeled request to a response.

Converts any Routeable into an application that can be passed directly to a WAI server.

Create a route given the route handler.

A route that always matches (useful for converting a Routeable into a Route).

Matches on the hostname from the request. The route only succeeds on exact matches.
Matches if the path is empty. Note that this route checks that the path info is empty, so it works as expected when nested under namespaces or other routes that pop the path info list.

Matches on the HTTP request method (e.g.  ,  ,  )

Routes the given URL pattern. Patterns can include directories as well as variable patterns (prefixed with :) to be added to the query string (see the variable route below)

    /posts/:id
    /posts/:id/new
    /:date/posts/:category/new

Matches if the first directory in the path matches the given ByteString

Always matches if there is at least one directory in the path info, and adds a parameter to the query string where the key is the supplied variable name and the value is the directory consumed from the path.

Helper method

Matches the GET method on the given URL pattern

Matches the POST method on the given URL pattern

Matches the PUT method on the given URL pattern

Matches the DELETE method on the given URL pattern

Matches the OPTIONS method on the given URL pattern

Monad used to encode a REST controller incrementally. The return type is not used, hence always '()'.

Monad used to encode a REST controller incrementally.

Type used to encode a REST controller.

Default state, returns 404 for all verbs.

GET /

POST /

GET /:id/edit

GET /new

GET /:id

PUT /:id

DELETE /:id

A controller is simply a reader monad atop  with the  request as the environment.

Get the underlying request.

Get the query parameter matching the supplied variable name.

Produce a response.

Extract the body in the request (after unlabeling it).

Get a request header

Redirect back according to the referer header. If the header is not present redirect to root (i.e., /).

Redirect back according to the referer header. If the header is not present return the given response.

User name.
Execute action with the current user's name. Otherwise, request that the user authenticate.

Get the current user.

Arbitrary binary blob

A PolicyLabeled value can be either an unlabeled value for which the policy needs to be applied (NeedPolicyTCB), or an already labeled value (HasPolicyTCB). PolicyLabeled is a partially-opaque type; code should not be able to inspect the value of an unlabeled value, but may inspect an already labeled value.

Policy applied

Policy was not applied

An HsonValue is a top-level value that may either be a  or a policy labeled value. The separation of values into  and  is solely due to the restriction that policy-labeled values may only occur at the top level and  s may be nested (e.g. using  and  ).

Policy labeled value

Bson value

A BsonValue is a subset of BSON (Data.Bson) values. Note that a BsonValue cannot contain any labeled values; all labeled values occur in a document as  s. Correspondingly, BsonValues may be arbitrarily nested.

64-bit integer

32-bit integer

The NULL value

Time stamp value

Boolean value

Object Id value

Binary blob value

List of values

Inner document

String value

Float value

A field containing a named  

A field containing a named  

The name of a field.

A (possibly top-)level document containing  s.

A top-level document containing  s.

Strict ByteString

Convert  to a Data.Bson Value. Note that  values are marshalled out as Data.Bson UserDefined values. This means that the UserDefined type is reserved and exposing it as a type in  would potentially lead to leaks. Note that the label is NOT serialized, only the value. Hence, after marshalling such a value back in, it is important that a policy is applied to label the field.

Convert  to a Data.Bson Value.

Convert an  to a Data.Bson Field.

Convert a top-level document (i.e.,  ) to a Data.Bson Document. This is the primary marshall-out function.
All  values are marshalled out as Data.Bson UserDefined values. This means that the UserDefined type is reserved and exposing it as a type in  would potentially lead to vulnerabilities in which labeled values can be marshalled in from well-crafted ByteStrings. Moreover, untrusted code should not have access to this function; having such access would allow it to inspect the serialized labeled values and thus violate IFC.

Convert a  to a Data.Bson Field.

Convert a  to a Data.Bson Document.

Convert a Data.Bson Field to  .

Convert a Data.Bson Document to a  .

Convert Data.Bson Value to a  .

Convert Data.Bson Document to a  . This is the top-level function that marshalls BSON documents to Hails documents. This function assumes that all documents have been marshalled out using  . Otherwise, the PolicyLabeled values that are created from the document may be forged.

Convert a Data.Bson Value to a  . See  .

Hails internal field name for a policy labeled value (label part) (name part).

Hails internal prefix that is used to serialize labeled values.

Convert a Data.Bson Document to a policy labeled value.

Class used to (de)construct  s

Convert to  

Convert from  

Class used to (de)construct  s

Convert to  

Convert from  

Class used to define fields.

Given a name and Haskell value construct either a  or a  

Class used to implement operations on documents that return Haskell values (as opposed to  or  ).

Same as  , but returns "unwrapped" value.

Same as  , but returns "unwrapped" value.

Class used to implement operations on documents that return  s or  s. The main role of this function is to impose the functional dependency between values and fields. As a consequence  ing up and getting  in a  (resp.  ) will return a  (resp.  ). This eliminates the need to specify the end type of every query, but forces the programmer to cast between Hson and Bson values.
Find value of field in document, or fail not found.

Same as  , but  s if the value is not found.

Class used to define fields.

Given a name and value construct either a  or  

Get the field value.

Class for retrieving the name of a field.

Get the name of a field.

Synonym for  

Create a policy labeled value given an unlabeled  .

Create a policy labeled value given a labeled  .

Get the policy labeled value, only if the policy has been applied.

Only include fields specified.

Exclude fields specified.

Merge documents with preference given to first one when both have the same field name.

Returns true if the document is composed solely of  s. This function is useful when converting from  to  .

Convert  to  

Convert  to  

This is a relaxed version of  that only converts fields containing  s. In other words, the  values are dropped.

Convert an  to a  . If any of the fields contain  values (i.e., are  values) this function  s, otherwise it returns the converted document. To check for failure use  .

Convert  to  

Convert a labeled request to a labeled document. Values of fields that have a name that ends with [] are converted to arrays and the suffix [] is stripped from the name.

Create a fresh ObjectId.

From Data.Bson: Cast number to end type, if it "fits".

Exceptions thrown by invalid database queries.

Execution of action failed

Policy module not found

Collection does not exist

A DBAction is the monad within which database actions can be executed, and policy modules are defined. The monad is simply a state monad with  as the underlying monad with access to a database system configuration ( ,  , and  ). The value constructor is part of the TCB as to disallow untrusted code from modifying the access mode.

The database system state threaded within a Hails computation.
Pipe to underlying database system

Types of reads/write to perform

Database computation is currently executing against

Privilege of the policy module related to the DB

A Database is a MongoDB database with an associated label and set of collections. The label is used to restrict access to the database. Since collection policies are specified by policy modules, every collection must always be associated with some database (and thereby, policy module); a policy module is not allowed to create a collection (and specify policies on it) in an arbitrary database. We allow for the existence of a collection to be secret, and thus protect the set of collections with a label.

Database name

Label of database

Collections associated with database

A labeled  set.

The name of a database.

A FieldPolicy is a security policy associated with fields. SearchableField specifies that the field can be referenced in the selection clause of a Query, and therefore only the collection label protects such fields. Conversely,  specifies a labeling policy for the field.

Policy labeled field.

Unlabeled, searchable field.

A collection policy contains the policy for labeling documents ( ) at a coarse grained level, and a set of policies for labeling fields of a document ( ).

Specific fields can be associated with a  , which allows the policy module to either:

  * Explicitly make a field publicly readable to anyone who can access the collection by declaring the field to be a  , or
  * Label a field given the full document (see  ).

Fields that do not have an associated policy are (conceptually) labeled with the document label ( ). Similarly, the labels on the label of a policy-labeled field is the document label created with  . Note: the label on  s is solely the collection label.

The label on documents of the collection.

The policies associated with specific fields.
A Collection is a MongoDB collection name with an associated label, clearance and labeling policy. Access to the collection is restricted according to the collection label. Data inserted-to and retrieved-from the collection will be labeled according to the collection policy, with the guarantee that no data more sensitive than the collection clearance can be inserted into the collection.

Collection name

Collection label

Collection clearance

Collection labeling policies

The name of a collection.

Create a  , ignoring any IFC restrictions.

Get the underlying state.

Get the underlying state.

Update the underlying state using the supplied function.

Given a policy module's privileges, database name, pipe and access mode create the initial state for a  . The underlying database is labeled with the supplied privileges: both components of the label (secrecy and integrity) are set to the privilege description. In other words, only code that owns the policy module's privileges can modify the database configuration. Policy modules can use setDatabaseLabelP to change the label of their database, and setCollectionMapLabelP to change the label of the collection map.

Set the label of the underlying database to the supplied label, ignoring IFC.

Set the label of the underlying database to the supplied label, ignoring IFC.

Associate a collection with underlying database, ignoring IFC.

Lift a mongoDB action into the  monad. This function always executes the action with Database.MongoDB's access. If the database action fails an exception of type  is thrown.

Arbitrary monad that can perform database actions.

Lift a database action into the database monad.

A labeled  .

Execute a database action returning the final result and state. In general, code should instead use  .
This function is primarily used by trusted code to initialize a policy module which may have modified the underlying database.

Execute a database action returning the final result.

Get the underlying database. Must be able to read from the database as enforced by applying  to the database label. This is required because the database label protects the label on collections which can be projected given a  value.

Same as  , but uses privileges when raising the current label.

A policy module action (PMAction) is simply a wrapper for database action ( ). The wrapper is used to restrict app code from specifying policies; only policy modules may execute PMActions, and thus create collections, set a label on their databases, etc.

Policy type name. Has the form:

    <Policy module package>:<Fully qualified module>.<Policy module type>

A policy module is specified as an instance of the PolicyModule class. The role of this class is to define an entry point for policy modules. The policy module author should set up the database labels and create all the database collections in  . It is these collections and corresponding policies that apps and other policy modules use when interacting with the policy module's database using  .

The Hails runtime system relies on the policy module's type pm to load the corresponding  when some code "invokes" the policy module using  . In fact when a piece of code wishes to execute a database action on the policy module,  first executes the policy module's  and passes the result (of type pm) to the invoking code.

Observe that  has access to the policy module's privileges, which are passed in as an argument. This allows the policy module to encapsulate its privileges in its pm type and allow code it trusts to use its privileges when executing a database action using  .
Of course, untrusted code (which is usually the case) should not be allowed to inspect values of type pm to get the encapsulated privileges. Consider the example below:

    module My.Policy ( MyPolicyModule ) where

    import LIO
    import LIO.DCLabel
    import Data.Typeable
    import Hails.PolicyModule

    -- | Handle to policy module, not exporting @MyPolicyModuleTCB@
    data MyPolicyModule = MyPolicyModuleTCB DCPriv deriving Typeable

    instance PolicyModule MyPolicyModule where
      initPolicyModule priv = do
            -- Get the policy module principal:
        let this = privDesc priv
            -- Create label:
            l    = dcLabel dcTrue -- Everybody can read
                           this   -- Only policy module can modify
        -- Label database and collection-set:
        labelDatabaseP priv l l
        -- Create collections:
        createCollectionP priv "collection1" ...
        createCollectionP priv "collection2" ...
        ....
        createCollectionP priv "collectionN" ...
        -- Return the policy module:
        return (MyPolicyModuleTCB priv)

Here the policy module labels the database, labels the list of collections and finally creates N collections. The computation returns a value of type MyPolicyModule which wraps the policy module's privileges. As a consequence, trustworthy code that has access to the value constructor can use the policy module's privileges:

    -- Trustworthy code within the same module (My.Policy)

    alwaysInsert doc = withPolicyModule $ \(MyPolicyModuleTCB priv) ->
      insertP priv "collection1" doc

Here alwaysInsert uses the policy module's privileges to insert a document into collection "collection1". As such, if doc is well-formed the function always succeeds. (Of course, such functions should not be exported.)
Untrusted code in a different module cannot, however, use the policy module's privilege:

    -- Untrusted code in a separate module
    import My.Policy

    maybeInsertIntoDB appPriv doc = withPolicyModule $ \(_ :: MyPolicyModule) ->
      insertP appPriv "collection1" doc

Depending on the privileges passed to maybeInsertIntoDB, and set policies, the insertion may or may not succeed.

Entry point for policy module. Before executing the entry function, the current clearance is "raised" to the greatest lower bound of the current clearance and the label <"Policy module principal", |True>, as to allow the policy module to read data labeled with its principal.

Set the label of the underlying database. The supplied label must be bounded by the current label and clearance as enforced by  . Moreover the current computation must write to the database, as enforced by applying  to the current database label. The latter requirement suggests that every policy module use  when first changing the label.

Same as  , but uses privileges when performing label comparisons. If a policy module wishes to allow other policy modules or apps to access the underlying database it must use setDatabaseLabelP to "downgrade" the database label, which by default only allows the policy module itself to access any of the contents (including collection-set).

The collections label protects the collection-set of the database. It is used to restrict who can name a collection in the database and who can modify the underlying collection-set (e.g., by creating a new collection). The policy module may change the default collections label, which limits access to the policy module alone, using setCollectionSetLabel.

The new label must be bounded by the current label and clearance as checked by  . Additionally, the current label must flow to the label of the database which protects the label of the collection set. In most cases code should use  .
Same as  , but uses the supplied privileges when performing label comparisons.

This is the first action that any policy module should execute. It is simply a wrapper for  and  . Given the policy module's privileges, label for the database, and label for the collection-set, labelDatabaseP accordingly sets the labels.

Create a  given a name, label, clearance, and policy. Several IFC rules must be respected for this function to succeed:

  * The supplied collection label and clearance must be above the current label and below the current clearance as enforced by  .
  * The current computation must be able to read the database collection-set protected by the database label. The guard  is used to guarantee this and raise the current label (to the join of the current label and database label) appropriately.
  * The computation must be able to modify the database collection-set. The guard  is used to guarantee that the current label is essentially equal to the collection-set label.

Note: the collection policy is modified to make the _id field explicitly a  .

Same as  , but uses privileges when performing IFC checks.

Returns  if the field policy is a  .

Get the list of names corresponding to  s.

This contains a map of all the policy modules. Specifically, it maps the policy module types to a pair of the policy module principal and database name.

For the trusted programmer: The map itself is read from the file pointed to by the environment variable DATABASE_CONFIG_FILE. Each line in the file corresponds to a policy module. The format of a line is as follows

    ("<Policy module package>:<Fully qualified module>.<Policy module type>", "<Policy module database name>")

Example of valid line is:

    ("my-policy-0.1.2.3:My.Policy.MyPolicyModule", "my_db")

The principal used by Hails is the first projection with a "_" suffix.
In the above, the principal assigned by Hails is:

    "_my-policy-0.1.2.3:My.Policy.MyPolicyModule"

This function is used to execute database queries on policy module databases. The function firstly invokes the policy module, determined from the type pm, and creates a pipe to the policy module's database. The supplied database query function is then applied to the policy module. In most cases, the value of type pm is opaque and the query is executed without additional privileges.

    withPolicyModule $ \(_ :: SomePolicyModule) -> do
      -- Perform database operations: insert, save, find, delete, etc.

Trustworthy code (as deemed by the policy module) may, however, be passed in additional privileges by encapsulating them in pm (see  ).

Get the name of a policy module.

Parse the access mode.

    slaveOk                  : slaveOk
    unconfirmedWrites        : UnconfirmedWrites
    confirmWrites <options>  : ConfirmWrites [corresponding-options]
    _                        : master

where options can be:

    fsync | journal | writes=<N>

separated by ',', and N is an integer. Example:

    HAILS_MONGODB_MODE = "slaveOk"
    HAILS_MONGODB_MODE = "confirmWrites: writes=3, journal"
    HAILS_MONGODB_MODE = "master"

A labeled cursor. The cursor is labeled with the join of the database and collection it reads from. The collection policies are "carried" along since they are applied on-demand.

Cursor label

Internal MongoDB cursor

Projector from query. Used to remove fields after performing query.

Collection cursor is reading from

A document policy error.

Policy has been violated

Document is not "well-typed"

Class used to generalize insertion and saving of documents.
Specifically, it permits reusing function names when inserting/saving both already-labeled and unlabeled documents. Minimal definition:  and  .

Insert document into collection and return its _id value. When performing an insert it is required that the computation be able to write to both the database and collection. To this end,  internally applies  on the database label and collection label. Of course, the computation must be able to name the collection in the database, and thus must be able to read the database collection map as verified by applying  to the collections label.

When inserting an unlabeled document, all policies must be successfully applied using  and the document must be "well-typed" (see  ).

When inserting an already-labeled document, the labels on fields and the document itself are compared against the policy-generated labels. Note that this approach allows an untrusted piece of code to insert a document it could not label according to the policy module.

Same as  , except it does not return _id.

Same as  , but uses privileges when applying the policies and performing label comparisons.

Same as  , except it does not return the _id.

Update a document according to its _id value. The IFC requirements subsume those of  . Specifically, in addition to being able to apply all the policies and requiring that the current label flow to the label of the collection and database, save requires that the current label flow to the label of the existing database record (i.e., the existing document can be overwritten).

Same as  , but uses privileges when applying the policies and performing label comparisons. Note that a find is performed if the provided document contains an _id field. This lookup does _not_ leak timing information since the _id field is always searchable and thus solely protected by the collection label (which the computation is tainted by).
Select: Class used to simplify the creation of a 'Selection'/'Query'. Specifically, select can be used to create a Selection in a straightforward manner, but similarly can be used to create a Query with a set of default options.

select: Given a selector and collection name create a Query. The resultant type depends on the use case, for example, in find, select mySel myCol is a Query, but in delete it is a Selection.

Selection: A Selection is a Selector query on a  . In other words, a Selection is the necessary information for performing a database query.

selectionSelector: Selection query.
selectionCollection: Collection to perform query on.

Selector: Filter for a query, analogous to the WHERE clause in SQL. [] matches all documents in collection. For example, [x  a, y  b] is analogous to WHERE x = a AND y = b in SQL. Note: only s of s may be used in selections, and thus all other fields are ignored.

Query: Use select to create a basic query with defaults, then modify if desired. Example: (select sel col) {limit =: 10}. For simplicity, and since policies may be specified in terms of arbitrary fields, the selection and sort fields are restricted to s, or the _id field that is implicitly a  .

options: Query options, default [].
selection: WHERE clause, default []. Non- s ignored.
project: The fields to project. Default [] corresponds to all.
skip: Number of documents to skip, default 0.
limit: Max number of documents to return. Default, 0, means no limit.
sort: Sort result by given order, default []. Non- s ignored.
batchSize: The number of documents to return in each batch response from the server. 0 means MongoDB default.
hint: Force MongoDB to use this index, default [], no hint. Non- s ignored.

Order: Sorting fields in Ascending or Descending order.
Desc: Descending order.
Asc: Ascending order.
orderName: Get the field name in the order.

Save or insert document. This function is used to check that:

- The current computation can write to the database and collection.
- The labeled document is properly labeled: all policy-labeled fields have the label as if generated by the policy, the document label flows to the policy-generated label, and the document is well-typed (i.e., searchables are not policy labeled, etc.). Moreover all labels are checked to be below the collection clearance by withCollection.

After the check the supplied function is applied to the policy-labeled document (which should be the same as the supplied document, except for possibly the document label).

find: Fetch documents satisfying query. A labeled  is returned, which can be used to retrieve the actual  s. For this function to succeed the current computation must be able to read from the database and collection (implicitly the database's collection-set). This is satisfied by applying  to the join of the collection, database, and collection-set label. The cursor label is labeled by the  of the database and collection labels and must be used within the same withPolicyModule block.

Note that this function is quite permissive in the queries it accepts. Specifically, any non- s used in sort, order, or hint are ignored (as opposed to throwing an exception).

findP: Same as find, but uses privileges when reading from the collection and database.

next: Return next  in the query result, or Nothing if finished. Note that the current computation must be able to read from the labeled  . To enforce this, next uses  to raise the current label to join of the current label and the Cursor's label. The returned document is labeled according to the underlying policy.

nextP: Same as next, but uses privileges when raising the current label.

findOne: Fetch the first document satisfying query, or Nothing if no documents matched the query.

findOneP: Same as findOne, but uses privileges when performing label comparisons.

delete: Delete documents according to the selection. It must be that the current computation can overwrite the existing documents.
That is, the current label must flow to the label of each document that matches the selection.

deleteP: Same as delete, but uses privileges.

Convert a query to queries used by Database.Mongo.

Convert a selection to selection used by Database.Mongo.

Perform an action against a collection. The current label is raised to the join of the current label, database label and collection-set label before performing the action. If the isWrite flag, this action is taken as a database write and  is applied to the database and collection labels.

applyCollectionPolicyP: Apply a collection policy to the given document, using privileges when labeling the document and performing label comparisons. The labeling proceeds as follows:

- If two fields have the same  , only the first is kept. This filtering is only performed at the top level.
- Each policy labeled value () is labeled if the policy has not been applied. If the value is already labeled, then the label is checked to be equivalent to that generated by the policy. In both cases a failure results in PolicyViolation being thrown; the actual error must be hidden to retain the opaqueness of  . Note: For each FieldName in the policy there must be a field in the document corresponding to it. Moreover its "type" must be correct: all policy labeled values must be  values and all searchable fields must be  s. The _id field is always treated as a  .
- The resulting document (from the above step) is labeled according to the collection policy. The labels on  values and the document must be bounded by the current label and clearance as imposed by  . Additionally, these labels must flow to the label of the collection clearance. (Of course, in both cases privileges are used to allow for more permissive flows.)

typeCheckDocument: This function "type-checks" a document against a set of policies.
F Specifically, it checks that the set of policy labeled values is the A same between the policy and document, searchable fields are not # policy labeled, and all searchable/policy-labeled fields named in ? the collection policy are present in the document (except for _id). 2 !"#$%&'()*+,-./0123456789:;<=> Privileges Collection to insert/save to Original documentk Insert/ save action ?@ABCDEFG Privileges Collection and policies Document to apply policies to H6%&()*+, !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGH7#$%&'()*+,-./0123456789:,()*+%&;=<>?@ABCDFEG "!H "!#$%&'()*+,-./01 23456789:;=<>?@ABCDEFGH Trustworthy%&()*+, !"#$%&'()*+,-./0123456789:;<=?@ABCDEFN "!#$%&'()?@ABCD*+,-./0123456789:,()*+%&;=<EF Trustworthy0'Exception thrown if a policy cannot be "compiled" or if we  deternmine that it' s faulty at "runtime". $Policy expression composition monad 7Policy expression may contain a databse expression, or % a number of collection expressions. Internal state of policy Type representing a policy &Database expression composition monad >Collection expression may contain an access label expression, % a collection label expression, etc. Internal state of collection +Type representing a collection expression.  collection "w00t" $ do  access $ do " readers ==> "Alice" \/ "Bob" # writers ==> "Alice"  clearance $ do  secrecy ==> "Users" % integrity ==> "Alice"  document $ \doc -> do  readers ==> anybody 9 writers ==> "Alice" \/ (("name" `at`doc) :: String)  field "name" searchable + field "password" $ labeled $ \doc -> do . readers ==> (("name" `at`doc) :: String) . writers ==> (("name" `at`doc) :: String) $Field expression composition monad. ,Labeled field expression composition monad. ?Labeled field expression solely contains a list of components. 8Type representing a collection field policy expression.  
    field "name" searchable
    field "password" $ labeled $ \doc -> do
      readers ==> (((T.pack "name") `at`doc) :: String)
      writers ==> (((T.pack "name") `at`doc) :: String)

Document expression composition monad.
Document expression solely contains a list of components.
A Label expression has two components.
Type representing a collection document label expression.

    document $ \doc -> do
      readers ==> "Alice" \/ "Bob"
      writers ==> "Alice"

Database expression composition monad.
Clearance expression solely contains a list of components.
Type representing a collection clearance label expression.

    clearance $ do
      readers ==> "Alice" \/ "Bob"
      writers ==> "Alice"

Access expression composition monad.
Access expression solely contains a list of components.
Type representing a collection access label expression.

    access $ do
      readers ==> "Alice" \/ "Bob"
      writers ==> "Alice"

Database expression composition monad.
Database expression solely contains a list of components.
Type representing a database expression.

    database $ do
      readers ==> "Alice" \/ "Bob"
      writers ==> "Alice"
      admins  ==> "Alice"

Class used for creating micro policies.

==>: r ==> c effectively states that role r (i.e., readers, writers, admins) must imply label component c.

<==: Inverse implication. Purely provided for readability. The direction is not relevant to the internal representation.

Used when setting integrity component of the collection-set label, i.e., the principals/administrators that can modify a database's underlying collections.

Type denoting writers.
Type denoting readers.

readers: Set secrecy component of the label, i.e., the principals that can read.
secrecy: Set secrecy component of the label, i.e., the principals that can read.
writers: Set integrity component of the label, i.e., the principals that can write.
integrity: Set integrity component of the label, i.e., the principals that can write.
admins: Synonym for  .

database: Create a database labeling policy. The policy must set the label of the database, i.e., the readers and writers.
Additionally it must state the admins that can modify the underlying collection-set. For example, the policy

    database $ do
      readers ==> "Alice" \/ "Bob" \/ "Clarice"
      writers ==> "Alice" \/ "Bob"
      admins  ==> "Alice"

states that Alice, Bob, and Clarice can read from the database, including the collections in the database (the readers is used as the secrecy component in the collection-set label). Only Alice or Bob may, however, write to the database. Finally, only Alice can add additional collections in the policy module code.

searchable: Set the underlying field to be a searchable key.

    field "name" searchable

key: Synonym for searchable.

labeled: Set data-dependent document label.

    field "password" $ labeled $ \doc -> do
      readers ==> (("name" `at`doc) :: String)
      writers ==> (("name" `at`doc) :: String)

access: Set the collection access label. For example,

    collection "w00t" $ do
      ...
      access $ do
        readers ==> "Alice" \/ "Bob"
        writers ==> "Alice"

states that Alice and Bob can read documents from the collection, but only Alice can insert new documents or modify existing ones.

clearance: Set the collection clearance. For example,

    collection "w00t" $ do
      ...
      clearance $ do
        secrecy   ==> "Alice" \/ "Bob"
        integrity ==> "Alice"

states that all data in the collection is always readable by Alice and Bob, and no more trustworthy than data Alice can create.

document: Set data-dependent document label. For example,

    collection "w00t" $ do
      ...
      document $ \doc -> do
        readers ==> anybody
        writers ==> "Alice" \/ (("name" `at`doc) :: String)

states that every document in the collection is readable by anybody, and only Alice or the principal named by the name value in the document can modify or insert such data.

field: Set field policy. A field can be declared to be a searchable key or a labeled value. Declaring a field to be a searchable key is straightforward:

    collection "w00t" $ do
      ...
      field "name" searchable

The labeled field declaration is similar to the document policy, but sets the label of a specific field.
For example

    collection "w00t" $ do
      ...
      field "password" $ labeled $ \doc -> do
        let user = "name" `at` doc :: String
        readers ==> user
        writers ==> user

states that every password field is readable and writable only by the principal named by the name value of the document.

collection: Set the collection labels and policies. Each collection must at least specify who can access the collection, what the clearance of the data in the collection is, and how documents are labeled. Below is an example that also labels the password field and declares name a searchable key.

    collection "w00t" $ do
      access $ do
        readers ==> "Alice" \/ "Bob"
        writers ==> "Alice"
      clearance $ do
        secrecy   ==> "Users"
        integrity ==> "Alice"
      document $ \doc -> do
        readers ==> anybody
        writers ==> "Alice" \/ (("name" `at`doc) :: String)
      field "name" searchable
      field "password" $ labeled $ \doc -> do
        readers ==> (("name" `at`doc) :: String)
        writers ==> (("name" `at`doc) :: String)

Compile a policy.

setPolicy: High level function used to set the policy in a  . This function takes the policy module's privileges and a policy expression, and produces a  that sets the policy.

Trustworthy

groups: Typically, the action should expand a principal such as #group to list of group members [alice, bob].

labelRewrite: Given the policy module (which is used to invoke the right groups function) and labeled value, relabel the value according to the Groups of the policy module. Note that the first argument may be bottom since it is solely used for typing purposes.

Unused type-enforcing param; Policy module privs; Group; (Policy module, group members)

Endorse the implementation of this instance. Note that this is reduced to WHNF to catch invalid instances that use  .
Example implementation:

    groupsInstanceEndorse _ = MyPolicyModuleTCB {- Leave other values undefined -}

Policy module; Label

Trustworthy

DCLabeledRecord: Class used by a policy module to translate a labeled record to a labeled document. Since the insert and save functions use the policy module's privileges, only the policy module should be allowed to create an instance of this class. Thus, we leverage the fact that the value constructor for a  is not exposed to untrusted code and require the policy module to create such a value in endorseInstance. The minimal implementation needs to define endorseInstance.

insertLabeledRecord: Insert a labeled record into the database.
saveLabeledRecord: Insert a labeled record into the database.
insertLabeledRecordP: Same as insertLabeledRecord, but using explicit privileges.
saveLabeledRecordP: Same as saveLabeledRecord, but using explicit privileges.

endorseInstance: Endorse the implementation of this instance. Note that this is reduced to WHNF to catch invalid instances that use  . Example implementation:

    endorseInstance _ = MyPolicyModuleTCB {- May leave other values undefined -}

DCRecord: Class for converting from "structured" records to documents (and vice versa). Minimal definition consists of toDocument, fromDocument, and recordCollection. All database operations are performed on the collection defined by recordCollection.

fromDocument: Convert a document to a record.
toDocument: Convert a record to a document.
recordCollection: Get the collection name for the record.
findBy: Find an object with matching value for the given key. If the object does not exist or cannot be read (its label is above the clearance), this returns Nothing.
findWhere: Find an object with given query.
insertRecord: Insert a record into the database.
saveRecord: Update a record in the database.
findByP: Same as findBy, but uses privileges.
findWhereP: Same as findWhere, but uses privileges.
insertRecordP: Same as insertRecord, but uses privileges.
saveRecordP: Same as saveRecord, but uses privileges.
findAll: Find all records that satisfy the query and can be read, subject to the current clearance.
findAllP: Same as findAll, but uses privileges.
toLabeledDocument: Convert labeled record to labeled document.
toLabeledDocumentP: Uses the policy module's privileges to convert a labeled record to a labeled document, if the policy module created an instance of DCLabeledRecord.
fromLabeledDocument: Convert labeled document to labeled record.
fromLabeledDocumentP: Uses the policy module's privileges to convert a labeled document to a labeled record, if the policy module created an instance of DCLabeledRecord.

Get the type of a  value.

Labeled record

hails-0.9.2.1: Hails.Data.Hson.TCB Hails.HttpClient Hails.Database.TCB Hails.Database.Query Hails.HttpServer.Types Hails.Version Hails.HttpServer.Auth Hails.HttpServer Hails.Web.Responses Hails.Web.Router Hails.Web.Frank Hails.Web.REST Hails.Web.Controller Hails.Web.User Hails.Data.Hson Hails.Database.Core Hails.PolicyModule.TCB Hails.PolicyModule Hails.Database.Query.TCB Hails.PolicyModule.DSL Hails.PolicyModule.Groups Hails.Database.Structured Paths_hails Hails.Web Hails.Database