Enhance permission resolution to allow partial condition resolves

This will allow complex condition expressions
to be simplified based on a resolution of certain conditions within the expression.

This allows us to emit condition string for each transition
by resolving only that one condition.

i.e.
`(Member AND Transition { Approve }) OR Sens Low`
becomes
`Member OR Sens Low`

`(Member OR Transition { Approve }) AND Sens Low`
becomes
`Sens Low`

Author: CarsonF

src/components/authorization/policy/conditions/condition-visitor.ts

@@ -0,0 +1,14 @@
+import { AggregateConditions } from './aggregate.condition';
+import { Condition } from './condition.interface';
+
+export const visitCondition = (
+  condition: Condition,
+  iteratee: (node: Condition) => void,
+): void => {
+  iteratee(condition);
+  if (condition instanceof AggregateConditions) {
+    for (const c of condition.conditions) {
+      visitCondition(c, iteratee);
+    }
+  }
+};

src/components/authorization/policy/executor/policy-executor.ts

@@ -6,7 +6,16 @@ import { QueryFragment } from '~/core/database/query';
 import { withoutScope } from '../../dto';
 import { RoleCondition } from '../../policies/conditions/role.condition';
 import { Permission } from '../builder/perm-granter';
-import { all, any, CalculatedCondition, OrConditions } from '../conditions';
+import {
+  AggregateConditions,
+  all,
+  AndConditions,
+  any,
+  CalculatedCondition,
+  Condition,
+  OrConditions,
+} from '../conditions';
+import { visitCondition } from '../conditions/condition-visitor';
 import { PolicyFactory } from '../policy.factory';
 import { ConditionOptimizer } from './condition-optimizer';
 
@@ -17,6 +26,10 @@ export interface ResolveParams {
   prop?: string;
   calculatedAsCondition?: boolean;
   optimizeConditions?: boolean;
+  /**
+   * A function to partially resolve conditions.
+   */
+  conditionResolver?: (condition: Condition) => boolean | undefined;
 }
 
 export interface FilterOptions {
@@ -38,6 +51,7 @@ export class PolicyExecutor {
     prop,
     calculatedAsCondition,
     optimizeConditions = false,
+    conditionResolver,
   }: ResolveParams): Permission {
     if (action !== 'read') {
       if (prop) {
@@ -80,12 +94,20 @@ export class PolicyExecutor {
     if (conditions.length === 0) {
       return false;
     }
-    const merged = OrConditions.fromAll(conditions, {
+    let condition = OrConditions.fromAll(conditions, {
       optimize: optimizeConditions,
     });
-    return optimizeConditions
-      ? this.conditionOptimizer.optimize(merged)
-      : merged;
+    if (conditionResolver) {
+      const resolved = this.partialResolve(condition, conditionResolver);
+      if (typeof resolved === 'boolean') {
+        return resolved;
+      }
+      condition = resolved;
+    }
+    if (optimizeConditions) {
+      condition = this.conditionOptimizer.optimize(condition);
+    }
+    return condition;
   }
 
   forEdgeDB({
@@ -178,6 +200,54 @@ export class PolicyExecutor {
     };
   }
 
+  private partialResolve(
+    condition: Condition,
+    resolver: (condition: Condition) => boolean | undefined,
+  ): Permission {
+    const partialResolutions = new Map<Condition, boolean>();
+    visitCondition(condition, (cc) => {
+      const result = resolver(cc);
+      if (result != null) {
+        partialResolutions.set(cc, result);
+      }
+    });
+
+    const walkAndReform = (c: Condition): Permission => {
+      if (partialResolutions.has(c)) {
+        return partialResolutions.get(c)!;
+      }
+
+      if (!(c instanceof AggregateConditions)) {
+        return c;
+      }
+
+      let changed = false;
+      const children = c.conditions.map((sub) => {
+        const next = walkAndReform(sub);
+        if (next !== sub) {
+          changed = true;
+        }
+        return next;
+      });
+      // Only change aggregate identity if children have changed
+      if (!changed) {
+        return c;
+      }
+      if (c instanceof AndConditions) {
+        return children.some((perm) => perm === false)
+          ? false
+          : all(...children.filter((perm): perm is Condition => perm !== true));
+      } else {
+        return children.some((perm) => perm === true)
+          ? true
+          : any(
+              ...children.filter((perm): perm is Condition => perm !== false),
+            );
+      }
+    };
+    return walkAndReform(condition);
+  }
+
   @CachedByArg({ weak: true })
   getPolicies(session: Session) {
     const policies = this.policyFactory.getPolicies().filter((policy) => {

src/components/workflow/permission.serializer.ts

@@ -2,7 +2,6 @@ import { setOf } from '@seedcompany/common';
 import { DateTime } from 'luxon';
 import { ID, Role, Session } from '~/common';
 import { Privileges, UserResourcePrivileges } from '../authorization';
-import { Permission } from '../authorization/policy/builder/perm-granter';
 import { Condition } from '../authorization/policy/conditions';
 import { Workflow } from './define-workflow';
 import { SerializedWorkflowTransitionPermission as SerializedTransitionPermission } from './dto/serialized-workflow.dto';
@@ -47,22 +46,15 @@ const resolve = (
   p: UserResourcePrivileges<any>,
   action: string,
   transitionKey: ID,
-): Permission => {
-  const c = p.resolve({
+) =>
+  p.resolve({
     action,
-    calculatedAsCondition: true,
     optimizeConditions: true,
+    conditionResolver: (condition) =>
+      condition instanceof TransitionCondition
+        ? condition.allowedTransitionKeys.has(transitionKey)
+        : undefined,
   });
 
-  if (typeof c === 'boolean') {
-    return c;
-  }
-  // Cheaply resolve transition condition.
-  if (c instanceof TransitionCondition) {
-    return c.allowedTransitionKeys.has(transitionKey);
-  }
-
-  return c;
-};
 const renderCondition = (c: boolean | Condition) =>
   typeof c === 'boolean' ? undefined : Condition.id(c);