guard checker generation with an option flag

ymc9 · ymc9 · commit 8af5cddaa44d · 2024-05-07T16:55:14.000+08:00
diff --git a/packages/runtime/src/enhancements/policy/policy-utils.ts b/packages/runtime/src/enhancements/policy/policy-utils.ts
@@ -587,12 +587,17 @@ export class PolicyUtil extends QueryUtils {
         return provider({ user: this.user });
     }
 
-    private getModelChecker(model: string): PolicyDef['checker']['string'] {
+    private getModelChecker(model: string) {
         if (this.options.kinds && !this.options.kinds.includes('policy')) {
-            // policy enhancement not enabled, return a constant checker
+            // policy enhancement not enabled, return a constant true checker
             return { create: true, read: true, update: true, delete: true };
         } else {
-            return this.options.policy.checker?.[lowerCaseFirst(model)];
+            let result = this.options.policy.checker?.[lowerCaseFirst(model)];
+            if (!result) {
+                // checker generation not enabled, return constant false checker
+                result = { create: false, read: false, update: false, delete: false };
+            }
+            return result;
         }
     }
 
diff --git a/packages/runtime/src/enhancements/types.ts b/packages/runtime/src/enhancements/types.ts
@@ -122,7 +122,7 @@ export type PolicyDef = {
             }
     >;
 
-    checker: Record<string, Record<PolicyCrudKind, CheckerFunc | boolean>>;
+    checker?: Record<string, Record<PolicyCrudKind, CheckerFunc | boolean>>;
 
     // tracks which models have data validation rules
     validation: Record<string, { hasValidation: boolean }>;
diff --git a/packages/schema/src/plugins/enhancer/enhance/index.ts b/packages/schema/src/plugins/enhancer/enhance/index.ts
@@ -90,7 +90,7 @@ export class EnhancerGenerator {
         const authTypes = authModel ? generateAuthType(this.model, authModel) : '';
         const authTypeParam = authModel ? `auth.${authModel.name}` : 'AuthUser';
 
-        const checkerTypes = generateCheckerType(this.model);
+        const checkerTypes = this.generatePermissionChecker ? generateCheckerType(this.model) : '';
 
         const enhanceTs = this.project.createSourceFile(
             path.join(this.outDir, 'enhance.ts'),
@@ -131,15 +131,16 @@ import type * as _P from '${prismaImport}';
     }
 
     private createSimplePrismaEnhanceFunction(authTypeParam: string) {
+        const returnType = `DbClient${this.generatePermissionChecker ? ' & ModelCheckers' : ''}`;
         return `
-export function enhance<DbClient extends object>(prisma: DbClient, context?: EnhancementContext<${authTypeParam}>, options?: EnhancementOptions): DbClient & ModelCheckers {
+export function enhance<DbClient extends object>(prisma: DbClient, context?: EnhancementContext<${authTypeParam}>, options?: EnhancementOptions): ${returnType} {
     return createEnhancement(prisma, {
         modelMeta,
         policy,
         zodSchemas: zodSchemas as unknown as (ZodSchemas | undefined),
         prismaModule: Prisma,
         ...options
-    }, context) as DbClient & ModelCheckers;
+    }, context) as ${returnType};
 }         
             `;
     }
@@ -162,12 +163,16 @@ import type { Prisma, PrismaClient } from '${logicalPrismaClientDir}/index-fixed
 // overload for plain PrismaClient
 export function enhance<ExtArgs extends Record<string, any> & InternalArgs>(
     prisma: _PrismaClient<any, any, ExtArgs>,
-    context?: EnhancementContext<${authTypeParam}>, options?: EnhancementOptions): PrismaClient & ModelCheckers;
+    context?: EnhancementContext<${authTypeParam}>, options?: EnhancementOptions): PrismaClient${
+            this.generatePermissionChecker ? ' & ModelCheckers' : ''
+        };
     
 // overload for extended PrismaClient
 export function enhance<TypeMap extends TypeMapDef, TypeMapCb extends TypeMapCbDef, ExtArgs extends Record<string, any> & InternalArgs>(
     prisma: DynamicClientExtensionThis<TypeMap, TypeMapCb, ExtArgs>,
-    context?: EnhancementContext<${authTypeParam}>, options?: EnhancementOptions): DynamicClientExtensionThis<Prisma.TypeMap, Prisma.TypeMapCb, ExtArgs> & ModelCheckers;
+    context?: EnhancementContext<${authTypeParam}>, options?: EnhancementOptions): DynamicClientExtensionThis<Prisma.TypeMap, Prisma.TypeMapCb, ExtArgs>${
+            this.generatePermissionChecker ? ' & ModelCheckers' : ''
+        };
 
 export function enhance(prisma: any, context?: EnhancementContext<${authTypeParam}>, options?: EnhancementOptions): any {
     return createEnhancement(prisma, {
@@ -627,4 +632,8 @@ export function enhance(prisma: any, context?: EnhancementContext<${authTypePara
             await sf.save();
         }
     }
+
+    private get generatePermissionChecker() {
+        return this.options.generatePermissionChecker === true;
+    }
 }
diff --git a/packages/schema/src/plugins/enhancer/policy/policy-guard-generator.ts b/packages/schema/src/plugins/enhancer/policy/policy-guard-generator.ts
@@ -94,10 +94,14 @@ export class PolicyGenerator {
             policyMap[model.name] = await this.generateQueryGuardForModel(model, sf);
         }
 
+        const generatePermissionChecker = options.generatePermissionChecker === true;
+
         // CRUD checker functions
         const checkerMap: Record<string, Record<string, string | boolean>> = {};
-        for (const model of models) {
-            checkerMap[model.name] = await this.generateCheckerForModel(model, sf);
+        if (generatePermissionChecker) {
+            for (const model of models) {
+                checkerMap[model.name] = await this.generateCheckerForModel(model, sf);
+            }
         }
 
         const authSelector = this.generateAuthSelector(models);
@@ -128,19 +132,21 @@ export class PolicyGenerator {
                             });
                             writer.writeLine(',');
 
-                            writer.write('checker:');
-                            writer.inlineBlock(() => {
-                                for (const [model, map] of Object.entries(checkerMap)) {
-                                    writer.write(`${lowerCaseFirst(model)}:`);
-                                    writer.inlineBlock(() => {
-                                        Object.entries(map).forEach(([op, func]) => {
-                                            writer.write(`${op}: ${func},`);
+                            if (generatePermissionChecker) {
+                                writer.write('checker:');
+                                writer.inlineBlock(() => {
+                                    for (const [model, map] of Object.entries(checkerMap)) {
+                                        writer.write(`${lowerCaseFirst(model)}:`);
+                                        writer.inlineBlock(() => {
+                                            Object.entries(map).forEach(([op, func]) => {
+                                                writer.write(`${op}: ${func},`);
+                                            });
                                         });
-                                    });
-                                    writer.writeLine(',');
-                                }
-                            });
-                            writer.writeLine(',');
+                                        writer.writeLine(',');
+                                    }
+                                });
+                                writer.writeLine(',');
+                            }
 
                             writer.write('validation:');
                             writer.inlineBlock(() => {
diff --git a/tests/integration/tests/enhancements/with-policy/checker.test.ts b/tests/integration/tests/enhancements/with-policy/checker.test.ts
@@ -1,8 +1,44 @@
-import { loadSchema } from '@zenstackhq/testtools';
+import { SchemaLoadOptions, loadSchema } from '@zenstackhq/testtools';
 
 describe('Permission checker', () => {
-    it('empty rules', async () => {
+    const PRELUDE = `
+        datasource db {
+            provider = 'sqlite'
+            url = 'file:./dev.db'
+        }
+
+        generator js {
+            provider = 'prisma-client-js'
+        }
+
+        plugin enhancer {
+            provider = '@core/enhancer'
+            generatePermissionChecker = true
+        }
+    `;
+
+    const load = (schema: string, options?: SchemaLoadOptions) =>
+        loadSchema(`${PRELUDE}\n${schema}`, {
+            ...options,
+            addPrelude: false,
+        });
+
+    it('checker generation not enabled', async () => {
         const { enhance } = await loadSchema(
+            `
+            model Model {
+                id Int @id @default(autoincrement())
+                value Int
+                @@allow('all', true)
+            }
+            `
+        );
+        const db = enhance();
+        await expect(db.model.check('read')).toResolveFalsy();
+    });
+
+    it('empty rules', async () => {
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -16,7 +52,7 @@ describe('Permission checker', () => {
     });
 
     it('unconditional allow', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -31,7 +67,7 @@ describe('Permission checker', () => {
     });
 
     it('deny rule', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -49,7 +85,7 @@ describe('Permission checker', () => {
     });
 
     it('int field condition', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -82,7 +118,7 @@ describe('Permission checker', () => {
     });
 
     it('boolean field toplevel condition', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -99,7 +135,7 @@ describe('Permission checker', () => {
     });
 
     it('boolean field condition', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -131,7 +167,7 @@ describe('Permission checker', () => {
     });
 
     it('string field condition', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -148,7 +184,7 @@ describe('Permission checker', () => {
     });
 
     it('function noop', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -169,7 +205,7 @@ describe('Permission checker', () => {
     });
 
     it('relation noop', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -194,7 +230,7 @@ describe('Permission checker', () => {
     });
 
     it('collection predicate noop', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -219,7 +255,7 @@ describe('Permission checker', () => {
     });
 
     it('field complex condition', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -252,7 +288,7 @@ describe('Permission checker', () => {
     });
 
     it('field condition unsolvable', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -272,7 +308,7 @@ describe('Permission checker', () => {
     });
 
     it('simple auth condition', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model User {
                 id Int @id @default(autoincrement())
@@ -307,7 +343,7 @@ describe('Permission checker', () => {
     });
 
     it('auth compared with relation field', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model User {
                 id Int @id @default(autoincrement())
@@ -349,7 +385,7 @@ describe('Permission checker', () => {
     });
 
     it('auth null check', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model User {
                 id Int @id @default(autoincrement())
@@ -379,7 +415,7 @@ describe('Permission checker', () => {
     });
 
     it('auth with relation access', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model User {
                 id Int @id @default(autoincrement())
@@ -408,7 +444,7 @@ describe('Permission checker', () => {
     });
 
     it('nullable field', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -427,7 +463,7 @@ describe('Permission checker', () => {
     });
 
     it('compilation', async () => {
-        await loadSchema(
+        await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -456,7 +492,7 @@ describe('Permission checker', () => {
     });
 
     it('invalid filter', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -498,7 +534,7 @@ describe('Permission checker', () => {
     });
 
     it('float field ignored', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())
@@ -513,7 +549,7 @@ describe('Permission checker', () => {
     });
 
     it('float value ignored', async () => {
-        const { enhance } = await loadSchema(
+        const { enhance } = await load(
             `
             model Model {
                 id Int @id @default(autoincrement())

Original file line number	Diff line number	Diff line change
`@@ -587,12 +587,17 @@ export class PolicyUtil extends QueryUtils {`
`587`	`587`	`return provider({ user: this.user });`
`588`	`588`	`}`
`589`	`589`
`590`		`- private getModelChecker(model: string): PolicyDef['checker']['string'] {`
	`590`	`+ private getModelChecker(model: string) {`
`591`	`591`	`if (this.options.kinds && !this.options.kinds.includes('policy')) {`
`592`		`- // policy enhancement not enabled, return a constant checker`
	`592`	`+ // policy enhancement not enabled, return a constant true checker`
`593`	`593`	`return { create: true, read: true, update: true, delete: true };`
`594`	`594`	`} else {`
`595`		`- return this.options.policy.checker?.[lowerCaseFirst(model)];`
	`595`	`+ let result = this.options.policy.checker?.[lowerCaseFirst(model)];`
	`596`	`+ if (!result) {`
	`597`	`+ // checker generation not enabled, return constant false checker`
	`598`	`+ result = { create: false, read: false, update: false, delete: false };`
	`599`	`+ }`
	`600`	`+ return result;`
`596`	`601`	`}`
`597`	`602`	`}`
`598`	`603`
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ export type PolicyDef = {`
`122`	`122`	`}`
`123`	`123`	`>;`
`124`	`124`
`125`		`- checker: Record<string, Record<PolicyCrudKind, CheckerFunc \| boolean>>;`
	`125`	`+ checker?: Record<string, Record<PolicyCrudKind, CheckerFunc \| boolean>>;`
`126`	`126`
`127`	`127`	`// tracks which models have data validation rules`
`128`	`128`	`validation: Record<string, { hasValidation: boolean }>;`