Per document access control

rel/overlay/etc/default.ini

@@ -402,6 +402,10 @@ authentication_db = _users
 ; max_iterations, password_scheme, password_regexp, proxy_use_secret,
 ; public_fields, secret, users_db_public, cookie_domain, same_site
 
+; Per document access settings
+[per_doc_access]
+;enabled = false
+
 ; CSP (Content Security Policy) Support
 [csp]
 ;utils_enable = true

src/chttpd/src/chttpd.erl

@@ -1034,6 +1034,8 @@ error_info({bad_request, Error, Reason}) ->
     {400, couch_util:to_binary(Error), couch_util:to_binary(Reason)};
 error_info({query_parse_error, Reason}) ->
     {400, <<"query_parse_error">>, Reason};
+error_info(access) ->
+    {403, <<"forbidden">>, <<"access">>};
 error_info(database_does_not_exist) ->
     {404, <<"not_found">>, <<"Database does not exist.">>};
 error_info(not_found) ->

src/chttpd/src/chttpd_db.erl

@@ -958,16 +958,18 @@ view_cb(Msg, Acc) ->
     couch_mrview_http:view_cb(Msg, Acc).
 
 db_doc_req(#httpd{method = 'DELETE'} = Req, Db, DocId) ->
-    % check for the existence of the doc to handle the 404 case.
-    couch_doc_open(Db, DocId, nil, []),
-    case chttpd:qs_value(Req, "rev") of
+    % fetch the old doc revision, so we can compare access control
+    % in send_update_doc() later.
+    Doc0 = couch_doc_open(Db, DocId, nil, [{user_ctx, Req#httpd.user_ctx}]),
+    Revs = chttpd:qs_value(Req, "rev"),
+    case Revs of
         undefined ->
             Body = {[{<<"_deleted">>, true}]};
         Rev ->
             Body = {[{<<"_rev">>, ?l2b(Rev)}, {<<"_deleted">>, true}]}
     end,
-    Doc = couch_doc_from_req(Req, Db, DocId, Body),
-    send_updated_doc(Req, Db, DocId, Doc);
+    Doc = #doc{revs = Revs, body = Body, deleted = true, access = Doc0#doc.access},
+    send_updated_doc(Req, Db, DocId, couch_doc_from_req(Req, Db, DocId, Doc));
 db_doc_req(#httpd{method = 'GET', mochi_req = MochiReq} = Req, Db, DocId) ->
     #doc_query_args{
         rev = Rev0,
@@ -1417,6 +1419,8 @@ receive_request_data(Req, LenLeft) when LenLeft > 0 ->
 receive_request_data(_Req, _) ->
     throw(<<"expected more data">>).
 
+update_doc_result_to_json({#doc{id = Id, revs = Rev}, access}) ->
+    update_doc_result_to_json({{Id, Rev}, access});
 update_doc_result_to_json({error, _} = Error) ->
     {_Code, Err, Msg} = chttpd:error_info(Error),
     {[
@@ -1939,6 +1943,7 @@ parse_shards_opt(Req) ->
     [
         {n, parse_shards_opt("n", Req, config:get_integer("cluster", "n", 3))},
         {q, parse_shards_opt("q", Req, config:get_integer("cluster", "q", 2))},
+        {access, parse_shards_opt("access", Req, chttpd:qs_value(Req, "access", false))},
         {placement,
             parse_shards_opt(
                 "placement", Req, config:get("cluster", "placement")
@@ -1967,6 +1972,21 @@ parse_shards_opt("placement", Req, Default) ->
                     throw({bad_request, Err})
             end
     end;
+parse_shards_opt("access", Req, Value) when is_list(Value) ->
+    parse_shards_opt("access", Req, list_to_existing_atom(Value));
+parse_shards_opt("access", _Req, Value) when Value =:= true ->
+    case config:get_boolean("per_doc_access", "enabled", false) of
+        true ->
+            true;
+        false ->
+            Err = ?l2b(["The `access` option is not available on this CouchDB installation."]),
+            throw({bad_request, Err})
+    end;
+parse_shards_opt("access", _Req, Value) when Value =:= false ->
+    false;
+parse_shards_opt("access", _Req, _Value) ->
+    Err = ?l2b(["The `access` value should be a boolean."]),
+    throw({bad_request, Err});
 parse_shards_opt(Param, Req, Default) ->
     Val = chttpd:qs_value(Req, Param, Default),
     Err = ?l2b(["The `", Param, "` value should be a positive integer."]),

src/couch/include/couch_db.hrl

@@ -67,7 +67,8 @@
 -record(doc_info, {
     id = <<"">>,
     high_seq = 0,
-    revs = [] % rev_info
+    revs = [], % rev_info
+    access = []
 }).
 
 -record(size_info, {
@@ -80,7 +81,8 @@
     update_seq = 0,
     deleted = false,
     rev_tree = [],
-    sizes = #size_info{}
+    sizes = #size_info{},
+    access = []
 }).
 
 -record(httpd, {
@@ -124,7 +126,8 @@
 
     % key/value tuple of meta information, provided when using special options:
     % couch_db:open_doc(Db, Id, Options).
-    meta = []
+    meta = [],
+    access = []
 }).
 
 
@@ -210,7 +213,8 @@
     ptr,
     seq,
     sizes = #size_info{},
-    atts = []
+    atts = [],
+    access = []
 }).
 
 -record (fabric_changes_acc, {

src/couch/src/couch_access_native_proc.erl

@@ -0,0 +1,139 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+% http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(couch_access_native_proc).
+-behavior(gen_server).
+
+-export([
+    start_link/0,
+    set_timeout/2,
+    prompt/2
+]).
+
+-export([
+    init/1,
+    terminate/2,
+    handle_call/3,
+    handle_cast/2,
+    handle_info/2,
+    code_change/3
+]).
+
+-record(st, {
+    indexes = [],
+    % TODO: make configurable
+    timeout = 5000
+}).
+
+start_link() ->
+    gen_server:start_link(?MODULE, [], []).
+
+set_timeout(Pid, TimeOut) when is_integer(TimeOut), TimeOut > 0 ->
+    gen_server:call(Pid, {set_timeout, TimeOut}).
+
+prompt(Pid, Data) ->
+    gen_server:call(Pid, {prompt, Data}).
+
+init(_) ->
+    {ok, #st{}}.
+
+terminate(_Reason, _St) ->
+    ok.
+
+handle_call({set_timeout, TimeOut}, _From, St) ->
+    {reply, ok, St#st{timeout = TimeOut}};
+handle_call({prompt, [<<"reset">>]}, _From, St) ->
+    {reply, true, St#st{indexes = []}};
+handle_call({prompt, [<<"reset">>, _QueryConfig]}, _From, St) ->
+    {reply, true, St#st{indexes = []}};
+handle_call({prompt, [<<"add_fun">>, IndexInfo]}, _From, St) ->
+    {reply, true, St};
+handle_call({prompt, [<<"map_doc">>, Doc]}, _From, St) ->
+    {reply, map_doc(St, mango_json:to_binary(Doc)), St};
+handle_call({prompt, [<<"reduce">>, _, _]}, _From, St) ->
+    {reply, null, St};
+handle_call({prompt, [<<"rereduce">>, _, _]}, _From, St) ->
+    {reply, null, St};
+handle_call({prompt, [<<"index_doc">>, Doc]}, _From, St) ->
+    {reply, [[]], St};
+handle_call(Msg, _From, St) ->
+    {stop, {invalid_call, Msg}, {invalid_call, Msg}, St}.
+
+handle_cast(garbage_collect, St) ->
+    erlang:garbage_collect(),
+    {noreply, St};
+handle_cast(Msg, St) ->
+    {stop, {invalid_cast, Msg}, St}.
+
+handle_info(Msg, St) ->
+    {stop, {invalid_info, Msg}, St}.
+
+code_change(_OldVsn, St, _Extra) ->
+    {ok, St}.
+
+% Return value is an array of arrays, first dimension is the different indexes
+% [0] will be by-access-id // for this test, later we should make this by-access
+% -seq, since that one we will always need, and by-access-id can be opt-in.
+% the second dimension is the number of emit kv pairs:
+% [ // the return value
+%   [ // the first view
+%     ['k1', 'v1'], // the first k/v pair for the first view
+%     ['k2', 'v2']  // second, etc.
+%   ],
+%   [ // second view
+%     ['l1', 'w1'] // first k/v par in second view
+%   ]
+% ]
+% {"id":"account/bongel","key":"account/bongel","value":{"rev":"1-967a00dff5e02add41819138abb3284d"}},
+
+map_doc(_St, {Doc}) ->
+    case couch_util:get_value(<<"_access">>, Doc) of
+        undefined ->
+            % do not index this doc
+            [[], []];
+        Access when is_list(Access) ->
+            Id = couch_util:get_value(<<"_id">>, Doc),
+            Rev = couch_util:get_value(<<"_rev">>, Doc),
+            Seq = couch_util:get_value(<<"_seq">>, Doc),
+            Deleted = couch_util:get_value(<<"_deleted">>, Doc, false),
+            BodySp = couch_util:get_value(<<"_body_sp">>, Doc),
+            % by-access-id
+            ById =
+                case Deleted of
+                    false ->
+                        lists:map(
+                            fun(UserOrRole) ->
+                                [
+                                    [[UserOrRole, Id], Rev]
+                                ]
+                            end,
+                            Access
+                        );
+                    _True ->
+                        [[]]
+                end,
+
+            % by-access-seq
+            BySeq = lists:map(
+                fun(UserOrRole) ->
+                    [
+                        [[UserOrRole, Seq], [{rev, Rev}, {deleted, Deleted}, {body_sp, BodySp}]]
+                    ]
+                end,
+                Access
+            ),
+            ById ++ BySeq;
+        Else ->
+            % TODO: no comprende: should not be needed once we implement
+            % _access field validation
+            [[], []]
+    end.

src/couch/src/couch_bt_engine.erl

@@ -664,20 +664,24 @@ id_tree_split(#full_doc_info{} = Info) ->
         update_seq = Seq,
         deleted = Deleted,
         sizes = SizeInfo,
-        rev_tree = Tree
+        rev_tree = Tree,
+        access = Access
     } = Info,
-    {Id, {Seq, ?b2i(Deleted), split_sizes(SizeInfo), disk_tree(Tree)}}.
+    {Id, {Seq, ?b2i(Deleted), split_sizes(SizeInfo), disk_tree(Tree), split_access(Access)}}.
 
 id_tree_join(Id, {HighSeq, Deleted, DiskTree}) ->
     % Handle old formats before data_size was added
     id_tree_join(Id, {HighSeq, Deleted, #size_info{}, DiskTree});
 id_tree_join(Id, {HighSeq, Deleted, Sizes, DiskTree}) ->
+    id_tree_join(Id, {HighSeq, Deleted, Sizes, DiskTree, []});
+id_tree_join(Id, {HighSeq, Deleted, Sizes, DiskTree, Access}) ->
     #full_doc_info{
         id = Id,
         update_seq = HighSeq,
         deleted = ?i2b(Deleted),
         sizes = couch_db_updater:upgrade_sizes(Sizes),
-        rev_tree = rev_tree(DiskTree)
+        rev_tree = rev_tree(DiskTree),
+        access = join_access(Access)
     }.
 
 id_tree_reduce(reduce, FullDocInfos) ->
@@ -714,21 +718,27 @@ seq_tree_split(#full_doc_info{} = Info) ->
         update_seq = Seq,
         deleted = Del,
         sizes = SizeInfo,
-        rev_tree = Tree
+        rev_tree = Tree,
+        access = Access
     } = Info,
-    {Seq, {Id, ?b2i(Del), split_sizes(SizeInfo), disk_tree(Tree)}}.
+    {Seq, {Id, ?b2i(Del), split_sizes(SizeInfo), disk_tree(Tree), split_access(Access)}}.
 
 seq_tree_join(Seq, {Id, Del, DiskTree}) when is_integer(Del) ->
     seq_tree_join(Seq, {Id, Del, {0, 0}, DiskTree});
 seq_tree_join(Seq, {Id, Del, Sizes, DiskTree}) when is_integer(Del) ->
+    seq_tree_join(Seq, {Id, Del, Sizes, DiskTree, []});
+seq_tree_join(Seq, {Id, Del, Sizes, DiskTree, Access}) when is_integer(Del) ->
     #full_doc_info{
         id = Id,
         update_seq = Seq,
         deleted = ?i2b(Del),
         sizes = join_sizes(Sizes),
-        rev_tree = rev_tree(DiskTree)
+        rev_tree = rev_tree(DiskTree),
+        access = join_access(Access)
     };
 seq_tree_join(KeySeq, {Id, RevInfos, DeletedRevInfos}) ->
+    seq_tree_join(KeySeq, {Id, RevInfos, DeletedRevInfos, []});
+seq_tree_join(KeySeq, {Id, RevInfos, DeletedRevInfos, Access}) ->
     % Older versions stored #doc_info records in the seq_tree.
     % Compact to upgrade.
     Revs = lists:map(
@@ -746,7 +756,8 @@ seq_tree_join(KeySeq, {Id, RevInfos, DeletedRevInfos}) ->
     #doc_info{
         id = Id,
         high_seq = KeySeq,
-        revs = Revs ++ DeletedRevs
+        revs = Revs ++ DeletedRevs,
+        access = Access
     }.
 
 seq_tree_reduce(reduce, DocInfos) ->
@@ -755,6 +766,9 @@ seq_tree_reduce(reduce, DocInfos) ->
 seq_tree_reduce(rereduce, Reds) ->
     lists:sum(Reds).
 
+join_access(Access) -> Access.
+split_access(Access) -> Access.
+
 local_tree_split(#doc{revs = {0, [Rev]}} = Doc) when is_binary(Rev) ->
     #doc{
         id = Id,

src/couch/src/couch_btree.erl

@@ -16,6 +16,7 @@
 -export([fold/4, full_reduce/1, final_reduce/2, size/1, foldl/3, foldl/4]).
 -export([fold_reduce/4, lookup/2, get_state/1, set_options/2]).
 -export([extract/2, assemble/3, less/3]).
+-export([full_reduce_with_options/2]).
 
 -include_lib("couch/include/couch_db.hrl").
 
@@ -109,6 +110,12 @@ full_reduce(#btree{root = nil, reduce = Reduce}) ->
 full_reduce(#btree{root = Root}) ->
     {ok, element(2, Root)}.
 
+full_reduce_with_options(Bt, Options) ->
+    CountFun = fun(_SeqStart, PartialReds, 0) ->
+        {ok, couch_btree:final_reduce(Bt, PartialReds)}
+    end,
+    fold_reduce(Bt, CountFun, 0, Options).
+
 size(#btree{root = nil}) ->
     0;
 size(#btree{root = {_P, _Red}}) ->