;; lib/acl/facts.sx — EDB fact constructors.
;;
;; Every constructor below builds one Datalog fact tuple: a list whose head
;; is the predicate symbol and whose tail is the predicate's arguments in
;; positional order. These are the only fact shapes lib/acl/engine.sx feeds
;; to lib/datalog/.
;;
;; Phase 1: actor / resource / grant / deny.
;; Phase 2: member_of (subject -> group/role), child_of (resource -> parent),
;;          role_grant (role -> action,resource capability).
;;
;; NOTE(review): no constructor here checks the shape of its arguments (e.g.
;; that an id is a symbol rather than a string, or that an action is one the
;; rules know about); each simply wraps whatever it is given. Input
;; normalization is presumably done in lib/acl/engine.sx before facts are
;; built — confirm there.

;; (actor ID KIND): declares an actor identified by ID, of kind KIND.
(define acl-actor
  (fn (actor-id actor-kind)
    (list (quote actor) actor-id actor-kind)))

;; (resource ID KIND): declares a resource identified by ID, of kind KIND.
(define acl-resource-fact
  (fn (resource-id resource-kind)
    (list (quote resource) resource-id resource-kind)))

;; (grant SUBJECT ACTION RESOURCE): SUBJECT is allowed ACTION on RESOURCE.
(define acl-grant
  (fn (subject action resource)
    (list (quote grant) subject action resource)))

;; (deny SUBJECT ACTION RESOURCE): SUBJECT is refused ACTION on RESOURCE.
;; This is recorded as a plain fact; whether deny takes precedence over
;; grant is decided by the rules, not by this constructor.
(define acl-deny
  (fn (subject action resource)
    (list (quote deny) subject action resource)))

;; (member_of SUBJECT GROUP): SUBJECT is a direct member of group/role GROUP.
;; One hop only — transitive membership is derived by the rules.
(define acl-member-of
  (fn (subject group)
    (list (quote member_of) subject group)))

;; (child_of RESOURCE PARENT): RESOURCE is a direct child of PARENT.
;; One hop only — transitive containment is derived by the rules.
(define acl-child-of
  (fn (child parent)
    (list (quote child_of) child parent)))

;; (role_grant ROLE ACTION RESOURCE): the role ROLE confers the capability
;; (ACTION on RESOURCE) to every member of the role.
(define acl-role-grant
  (fn (role action resource)
    (list (quote role_grant) role action resource)))