Expose guarded Datalog relation queries

tests/test-daemon-http-facts.c

@@ -133,6 +133,7 @@ grant_fact_http_authority (WylHandle *handle, const gchar *subject)
     "wr.graph.manage",
     "wr.schema.manage",
     "wr.fact.write",
+    "wr.datalog.query",
   };
   wyl_policy_store_t *store = wyl_handle_get_policy_store (handle);
   for (gsize i = 0; i < G_N_ELEMENTS (perms); i++) {
@@ -352,6 +353,107 @@ check_fact_http_contract (WylHandle *handle, const gchar *base_url)
   if (rc != 0)
     return rc;
 
+  g_clear_pointer (&body, g_free);
+  g_autofree gchar *datalog_query = g_strdup_printf ("tenant=%s&%s",
+      WYL_TENANT_DEFAULT, FACT_GUARD);
+  rc = send_raw (session, "POST", base_url,
+      "/datalog/__wr_default/orders/query", datalog_query, NULL,
+      "{\"query\":\"orders(O,A)\",\"output\":\"json\",\"limit\":10}",
+      &status, &body);
+  if (rc != 0)
+    return rc;
+  if (status != 401 || strstr (body, "\"datalog_auth_required\"") == NULL)
+    return 330;
+
+  g_clear_pointer (&body, g_free);
+  rc = send_raw (session, "POST", base_url,
+      "/datalog/__wr_default/orders/query", datalog_query, deny_token,
+      "{\"query\":\"orders(O,A)\",\"output\":\"json\",\"limit\":10}",
+      &status, &body);
+  if (rc != 0)
+    return rc;
+  if (status != 403 || strstr (body, "\"datalog_denied\"") == NULL)
+    return 331;
+
+  const gchar *invalid_datalog_bodies[] = {
+    "{\"query\":\"orders(O,A) :- orders(O,A)\",\"output\":\"json\"}",
+    "{\"query\":\".decl orders(O:symbol,A:int64)\",\"output\":\"json\"}",
+    "{\"query\":\"orders(O,A);orders(O,A)\",\"output\":\"json\"}",
+    "{\"query\":\"SELECT * FROM orders\",\"output\":\"json\"}",
+  };
+  for (gsize i = 0; i < G_N_ELEMENTS (invalid_datalog_bodies); i++) {
+    g_clear_pointer (&body, g_free);
+    rc = send_raw (session, "POST", base_url,
+        "/datalog/__wr_default/orders/query", datalog_query, admin_token,
+        invalid_datalog_bodies[i], &status, &body);
+    if (rc != 0)
+      return rc;
+    if (status != 400 || strstr (body, "\"invalid_datalog_request\"") == NULL)
+      return 340 + (gint) i;
+  }
+
+  g_clear_pointer (&body, g_free);
+  rc = send_raw (session, "POST", base_url,
+      "/datalog/__wr_default/orders/query", datalog_query, admin_token,
+      "{\"query\":\"orders(O,A)\",\"output\":\"json\",\"limit\":10}",
+      &status, &body);
+  if (rc != 0)
+    return rc;
+  if (status != 200 || strstr (body, "\"relation\":\"orders\"") == NULL ||
+      strstr (body, "\"columns\":[\"O\",\"A\"]") == NULL ||
+      strstr (body, "{\"O\":\"o-1\",\"A\":42}") == NULL ||
+      strstr (body, "facts.duckdb") != NULL)
+    return 332;
+
+  g_clear_pointer (&body, g_free);
+  rc = send_raw (session, "POST", base_url,
+      "/datalog/__wr_default/orders/query", datalog_query, admin_token,
+      "{\"query\":\"payments(P)\",\"output\":\"json\",\"limit\":10}",
+      &status, &body);
+  if (rc != 0)
+    return rc;
+  if (status != 403 || strstr (body, "\"datalog_relation_denied\"") == NULL)
+    return 333;
+
+  if (wyl_handle_replay_fact_graphs (handle, NULL) != WYRELOG_E_OK)
+    return 334;
+  g_clear_pointer (&body, g_free);
+  rc = send_raw (session, "POST", base_url,
+      "/datalog/__wr_default/orders/query", datalog_query, admin_token,
+      "{\"query\":\"orders(\\\"o-1\\\",A)\",\"output\":\"json\",\"limit\":10}",
+      &status, &body);
+  if (rc != 0)
+    return rc;
+  if (status != 200 || strstr (body, "{\"A\":42}") == NULL ||
+      strstr (body, "\"row_count\":1") == NULL)
+    return 335;
+
+  g_clear_pointer (&body, g_free);
+  g_autofree gchar *append_query_2 = g_strdup_printf
+      ("tenant=%s&namespace=shop&schema_version=1&batch_id=batch-7&"
+      "idempotency_key=key-7&%s", WYL_TENANT_DEFAULT, FACT_GUARD);
+  rc = send_raw (session, "POST", base_url,
+      "/facts/__wr_default/orders/orders:append", append_query_2,
+      admin_token, "order_id\tamount\no-2\t84\n", &status, &body);
+  if (rc != 0)
+    return rc;
+  if (status != 200 || strstr (body, "\"inserted\":true") == NULL)
+    return 336;
+  rc = check_fact_projection_row_count (handle, "orders", 2);
+  if (rc != 0)
+    return rc;
+
+  g_clear_pointer (&body, g_free);
+  rc = send_raw (session, "POST", base_url,
+      "/datalog/__wr_default/orders/query", datalog_query, admin_token,
+      "{\"query\":\"orders(O,A)\",\"output\":\"json\",\"limit\":1}",
+      &status, &body);
+  if (rc != 0)
+    return rc;
+  if (status != 200 || strstr (body, "\"row_count\":1") == NULL ||
+      strstr (body, "\"truncated\":true") == NULL)
+    return 337;
+
   g_clear_pointer (&body, g_free);
   g_autofree gchar *bad_append_query = g_strdup_printf
       ("tenant=%s&namespace=shop&schema_version=1&batch_id=batch-2&"
@@ -363,7 +465,7 @@ check_fact_http_contract (WylHandle *handle, const gchar *base_url)
     return rc;
   if (status != 400 || strstr (body, "\"invalid_fact_payload\"") == NULL)
     return 29;
-  rc = check_fact_projection_row_count (handle, "orders", 1);
+  rc = check_fact_projection_row_count (handle, "orders", 2);
   if (rc != 0)
     return rc;
 

tests/test-wyctl-policy-daemon.c

@@ -93,6 +93,7 @@ grant_fact_authority (WylHandle *handle, const gchar *subject)
     "wr.graph.manage",
     "wr.schema.manage",
     "wr.fact.write",
+    "wr.datalog.query",
   };
   wyl_policy_store_t *store = wyl_handle_get_policy_store (handle);
   for (gsize i = 0; i < G_N_ELEMENTS (perms); i++) {
@@ -271,6 +272,27 @@ assert_wyctl_stdout (gchar **argv, const gchar *expected_stdout)
   g_assert_cmpstr (stdout_buf, ==, expected_stdout);
   g_assert_cmpstr (stderr_buf, ==, "");
 }
+
+static void
+assert_wyctl_stdout_contains (gchar **argv, const gchar *needle)
+{
+  g_autofree gchar *stdout_buf = NULL;
+  g_autofree gchar *stderr_buf = NULL;
+  gint wait_status = 0;
+  g_autoptr (GError) error = NULL;
+
+  run_wyctl (argv, &stdout_buf, &stderr_buf, &wait_status);
+
+  if (!g_spawn_check_wait_status (wait_status, &error)) {
+    g_printerr ("wyctl exited with status %d\nstdout: %s\nstderr: %s\n",
+        wait_status, stdout_buf ? stdout_buf : "(null)",
+        stderr_buf ? stderr_buf : "(null)");
+    g_clear_error (&error);
+    g_assert_not_reached ();
+  }
+  g_assert_nonnull (strstr (stdout_buf, needle));
+  g_assert_cmpstr (stderr_buf, ==, "");
+}
 #endif
 
 int
@@ -506,6 +528,23 @@ main (void)
   assert_wyctl_stdout (fact_put_argv, "inserted\n");
   if (check_fact_projection_count (handle, 1) != 0)
     return 104;
+  gchar *datalog_query_argv[] = {
+    (gchar *) WYL_TEST_WYCTL_PATH,
+    "--daemon-url", (gchar *) base_url,
+    "datalog", "query",
+    "--tenant", (gchar *) WYL_TENANT_DEFAULT,
+    "--graph", "orders",
+    "--query", "orders(O,A)",
+    "--output", "json",
+    "--limit", "10",
+    "--access-token-file", token_path,
+    "--guard-timestamp", "123",
+    "--guard-loc-class", "trusted",
+    "--guard-risk", "29",
+    NULL,
+  };
+  assert_wyctl_stdout_contains (datalog_query_argv,
+      "\"rows\":[{\"O\":\"o-1\",\"A\":42}]");
   assert_wyctl_stdout (fact_put_argv, "duplicate\n");
   if (check_fact_projection_count (handle, 1) != 0)
     return 105;

wyrelog/client.h

@@ -169,6 +169,13 @@ wyrelog_error_t wyl_client_fact_put_batch (WylClient * client,
     gint64 guard_timestamp,
     const gchar * guard_loc_class,
     gint64 guard_risk, WylClientFactAppendResult ** out_result);
+wyrelog_error_t wyl_client_datalog_query_json (WylClient * client,
+    const gchar * tenant,
+    const gchar * graph,
+    const gchar * query,
+    guint limit,
+    gint64 guard_timestamp,
+    const gchar * guard_loc_class, gint64 guard_risk, gchar ** out_json);
 void wyl_client_fact_append_result_free (WylClientFactAppendResult * result);
 gboolean wyl_client_fact_append_result_get_inserted
     (const WylClientFactAppendResult * result);