| author | benj <benj@rse8.com> | 2022-12-31 21:53:34 -0800 |
|---|---|---|
| committer | benj <benj@rse8.com> | 2022-12-31 21:53:34 -0800 |
| commit | 176aae037400b43cb3971cd968afe59c73b3097a (patch) | |
| tree | 3e54905d0e32b2f259ecc10d788791d85a77a96f | |
| parent | 8ca3433b2a4a82723e00e64b1e5aff0b1bed95b3 (diff) | |
cleanup authz
| -rw-r--r-- | crates/iam/src/main.rs | 25 | ||||
| -rw-r--r-- | crates/secd/src/auth/z.rs | 35 | ||||
| -rw-r--r-- | crates/secd/src/client/store/sql_db.rs | 4 | ||||
| -rw-r--r-- | crates/secd/src/lib.rs | 3 |
4 files changed, 45 insertions, 22 deletions
diff --git a/crates/iam/src/main.rs b/crates/iam/src/main.rs
index c2ab5a3..ae44b46 100644
--- a/crates/iam/src/main.rs
+++ b/crates/iam/src/main.rs
@@ -58,7 +58,26 @@ async fn exec() -> Result<Option<String>> {
 std::env::set_var(ENV_SPICE_SERVER, "http://[::1]:50051");
 let secd = Secd::init(Some(
- "definition user {}\ndefinition organization {\n relation member: user \n }\n",
+ r#"
+definition user {}
+
+definition organization {
+ relation r_member: user
+ relation r_admin: user
+
+ permission member = r_admin + r_member
+ permission admin = r_admin
+}
+
+definition plugin {
+ relation r_creator: user | organization#admin
+ relation r_editor: user
+ relation r_viewer: user
+
+ permission creator = r_creator + r_creator->admin
+ permission editor = r_editor + r_creator + r_creator->admin
+ permission viewer = r_viewer + r_editor + r_creator + r_creator->admin
+}"#,
 ))
 .await
 .map_err(|e| CliError::SecdInitializationFailure(e.to_string()))?;
@@ -72,7 +91,7 @@ async fn exec() -> Result<Option<String>> {
 "organization".into(),
 Uuid::parse_str("862f38b5-7f88-4b55-800f-af8da059e3a7").unwrap(),
 ),
- relation: "member".into(),
+ relation: "r_member".into(),
 }])
 .await
 .unwrap();
@@ -87,7 +106,7 @@ async fn exec() -> Result<Option<String>> {
 "organization".into(),
 Uuid::parse_str("862f38b5-7f88-4b55-800f-af8da059e3a7").unwrap(),
 ),
- relation: "memb".into(),
+ relation: "member".into(),
 })
 .await
 {
diff --git a/crates/secd/src/auth/z.rs b/crates/secd/src/auth/z.rs
index 81c3639..31f449c 100644
--- a/crates/secd/src/auth/z.rs
+++ b/crates/secd/src/auth/z.rs
@@ -1,12 +1,6 @@
 use uuid::Uuid;
-use crate::{client::spice::SpiceError, Secd};
-
-#[derive(Debug, thiserror::Error, derive_more::Display)]
-pub enum AuthZError {
- SpiceClient(#[from] SpiceError),
- Todo,
-}
+use crate::{Secd, SecdError};
 pub type Namespace = String;
 pub type Object = (Namespace, Uuid);
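Review bot: The new schema depends on an `r_` naming convention for relations that `Secd::write` in crates/secd/src/auth/z.rs enforces by prepending `r_` to every relation it writes, but nothing in the schema text records that, so someone editing the schema cannot tell that callers pass bare names and that `permission` names must stay unprefixed. A one-line comment at the top of the raw string, `// relations are r_-prefixed; Secd::write adds the prefix, callers pass the bare name`, keeps the schema and the client in sync. The enclosing `exec` function starts and ends outside the hunk.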
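Review bot: The relation passed in this hunk changes to `"r_member"`, but the `write` method in the z.rs hunk of this same commit now prepends `r_` to every relation it receives, so if this slice reaches `Secd::write` (the call is above the hunk) the tuple written would be `r_r_member`, which is not a relation in the schema defined earlier in this file. Either keep the bare name, `relation: "member".into(),`, and let `write` add the prefix, or drop the prefixing in `write`; doing both is what breaks. The check a few lines further down uses the unprefixed `member`, which matches the schema's `permission member`, so once the write site is fixed the two call sites will read consistently.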
@@ -15,7 +9,7 @@ pub type Relation = String;
 pub struct Relationship {
 pub subject: Subject,
 pub object: Object,
- pub relation: String,
+ pub relation: Relation,
 }
 #[derive(Clone)]
@@ -25,7 +19,7 @@ pub enum Subject {
 }
 impl Secd {
- pub async fn check(&self, r: &Relationship) -> Result<bool, AuthZError> {
+ pub async fn check(&self, r: &Relationship) -> Result<bool, SecdError> {
 let spice = self
 .spice
 .clone()
@@ -33,22 +27,35 @@ impl Secd {
 Ok(spice.check_permission(r).await?)
 }
- pub async fn expand(&self) -> Result<(), AuthZError> {
+ pub async fn expand(&self) -> Result<(), SecdError> {
 todo!()
 }
- pub async fn read(&self) -> Result<(), AuthZError> {
+ pub async fn read(&self) -> Result<(), SecdError> {
 todo!()
 }
- pub async fn watch(&self) -> Result<(), AuthZError> {
+ pub async fn watch(&self) -> Result<(), SecdError> {
 unimplemented!()
 }
- pub async fn write(&self, ts: &[Relationship]) -> Result<(), AuthZError> {
+ pub async fn write(&self, ts: &[Relationship]) -> Result<(), SecdError> {
 let spice = self
 .spice
 .clone()
 .expect("TODO: only supports postgres right now");
- spice.write_relationship(ts).await?;
+ // Since spice doesn't really have a great schema pattern, we
+ // prefix all incoming write relationships with an r_ to indicate
+ // they are "relationships" rather than what spice calls permissions
+ spice
+ .write_relationship(
+ &ts.into_iter()
+ .map(|r| Relationship {
+ subject: r.subject.clone(),
+ object: r.object.clone(),
+ relation: format!("r_{}", r.relation),
+ })
+ .collect::<Vec<Relationship>>(),
+ )
+ .await?;
 Ok(())
 }
 }
diff --git a/crates/secd/src/client/store/sql_db.rs b/crates/secd/src/client/store/sql_db.rs
index 6d84301..ecb13be 100644
--- a/crates/secd/src/client/store/sql_db.rs
+++ b/crates/secd/src/client/store/sql_db.rs
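Review bot: The prefixing in `write` is silent and one-sided: `write` rewrites `relation` to `r_{relation}` before it reaches SpiceDB while `check` passes `r.relation` through untouched, so the same `Relationship` value means different things to the two methods, and a caller that already supplies `r_member` gets `r_r_member` written with no error from this code. That contract belongs on the API: a doc comment on `write` such as `/// relation is the bare relation name; write prepends r_ to match the schema, check does not.` plus a matching note on the `relation` field of `Relationship`. Separately, `ts.into_iter()` on a `&[Relationship]` iterates by reference anyway and trips clippy's `into_iter_on_ref`; `&ts.iter()` states what happens.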
@@ -430,10 +430,6 @@ where
 session_token_hash: &Option<Vec<u8>>,
 ) -> Result<Vec<Identity>, StoreError> {
 let sqls = get_sqls(&self.sqls_root, FIND_IDENTITY);
- println!("{:?}", id);
- println!("{:?}", address_value);
- println!("{:?}", address_is_validated);
- println!("{:?}", session_token_hash);
 let rs = sqlx::query_as::<
 _,
 (
diff --git a/crates/secd/src/lib.rs b/crates/secd/src/lib.rs
index 15a92a8..15615b2 100644
--- a/crates/secd/src/lib.rs
+++ b/crates/secd/src/lib.rs
@@ -4,7 +4,7 @@ mod util;
 use client::{
 email::{EmailMessenger, EmailMessengerError, LocalMailer},
- spice::Spice,
+ spice::{Spice, SpiceError},
 store::{
 sql_db::{PgClient, SqliteClient},
 Store, StoreError,
@@ -64,6 +64,7 @@ pub enum SecdError {
 FailedToDecodeInput(#[from] hex::FromHexError),
 AuthorizationNotSupported(String),
+ SpiceClient(#[from] SpiceError),
 Todo,
 }
|
