| author | benj <benj@rse8.com> | 2023-04-24 13:24:45 -0700 |
|---|---|---|
| committer | benj <benj@rse8.com> | 2023-04-24 13:24:45 -0700 |
| commit | eb92f823c31a5e702af7005231f0d6915aad3342 (patch) | |
| tree | bb624786a47accb2dfcfe95d20c00c9624c28a9c /crates/secd/src/auth/z/mod.rs | |
| parent | 176aae037400b43cb3971cd968afe59c73b3097a (diff) | |
email templates, sendgrid, creds, and some experimental things
Started playing with namespace configs and integrating with zanzibar impls. Still lots of experimenting and dead code going on.
Diffstat (limited to 'crates/secd/src/auth/z/mod.rs')
| -rw-r--r-- | crates/secd/src/auth/z/mod.rs | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/crates/secd/src/auth/z/mod.rs b/crates/secd/src/auth/z/mod.rs
new file mode 100644
index 0000000..b364583
--- /dev/null
+++ b/crates/secd/src/auth/z/mod.rs
@@ -0,0 +1,88 @@
+mod graph;
+
+use crate::{Authorization, Secd, SecdError};
+use async_trait::async_trait;
+use uuid::Uuid;
+
+pub type Namespace = String;
+pub type Object = (Namespace, Uuid);
+pub type Relation = String;
+
+pub struct Relationship {
+    pub subject: Subject,
+    pub object: Object,
+    pub relation: Relation,
+}
+
+#[derive(Clone)]
+pub enum Subject {
+    User(Object),
+    UserSet { user: Object, relation: Relation },
+}
+
+#[async_trait]
+impl Authorization for Secd {
+    async fn check(&self, r: &Relationship) -> Result<bool, SecdError> {
+        let spice = self
+            .spice
+            .clone()
+            .expect("TODO: only supports postgres right now");
+
+        Ok(spice.check_permission(r).await?)
+    }
+    async fn expand(&self) -> Result<(), SecdError> {
+        todo!()
+    }
+    async fn read(&self) -> Result<(), SecdError> {
+        todo!()
+    }
+    async fn watch(&self) -> Result<(), SecdError> {
+        unimplemented!()
+    }
+    async fn write(&self, ts: &[Relationship]) -> Result<(), SecdError> {
+        let spice = self
+            .spice
+            .clone()
+            .expect("TODO: only supports postgres right now");
+
+        // Since spice doesn't really have a great schema pattern, we
+        // prefix all incoming write relationships with an r_ to indicate
+        // they are "relationships" rather than what spice calls permissions
+        spice
+            .write_relationship(
+                &ts.into_iter()
+                    .map(|r| Relationship {
+                        subject: r.subject.clone(),
+                        object: r.object.clone(),
+                        relation: format!("r_{}", r.relation),
+                    })
+                    .collect::<Vec<Relationship>>(),
+            )
+            .await?;
+        Ok(())
+    }
+}
+
+enum RelationToken {
+    Start,
+    Or,
+    And,
+    Exclude,
+}
+struct RelationContainer {
+    name: Relation,
+    bins: Vec<(RelationToken, Relation)>,
+}
+
+struct NamespaceContainer {
+    relations: Vec<RelationContainer>,
+}
+
+impl Secd {
+    async fn write_namespace(&self, ns: &NamespaceContainer) -> Result<(), SecdError> {
+        todo!()
+    }
+    async fn read_namespace(&self) -> Result<NamespaceContainer, SecdError> {
+        todo!()
+    }
+}
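Review bot: `check` forwards `r.relation` unchanged while `write` stores every relation under `r_<relation>`, so a relationship written through this impl is looked up under a different name unless each caller of `check` adds the prefix itself, and the mismatch is not visible from the `Authorization` trait. Either apply the same `relation: format!("r_{}", r.relation)` rewrite in `check` (ideally via one shared helper so the two paths cannot drift) or document on `Relationship` that `relation` is the unprefixed name and state which side owns the prefix. The two `.expect("TODO: only supports postgres right now")` calls on `self.spice` turn a missing backend into a panic inside an authorization call, and the message names postgres while the field is the spice client; returning an error is safer, e.g. `let spice = self.spice.as_ref().ok_or_else(|| /* SecdError variant for missing backend (placeholder) */)?;`, which presumably also removes the need for `.clone()` if `check_permission`/`write_relationship` take `&self` (their signatures are outside this hunk). Minor: `ts.into_iter()` on a `&[Relationship]` is just `ts.iter()` (clippy `into_iter_on_ref`), and `watch` uses `unimplemented!()` where the sibling stubs use `todo!()`.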
