authorbenj <benj@rse8.com>2022-12-31 21:53:34 -0800
committerbenj <benj@rse8.com>2022-12-31 21:53:34 -0800
commit176aae037400b43cb3971cd968afe59c73b3097a (patch)
tree3e54905d0e32b2f259ecc10d788791d85a77a96f /crates/secd/src/auth
parent8ca3433b2a4a82723e00e64b1e5aff0b1bed95b3 (diff)
cleanup authz
Diffstat (limited to 'crates/secd/src/auth')
-rw-r--r--crates/secd/src/auth/z.rs35
1 files changed, 21 insertions, 14 deletions
diff --git a/crates/secd/src/auth/z.rs b/crates/secd/src/auth/z.rs
index 81c3639..31f449c 100644
--- a/crates/secd/src/auth/z.rs
+++ b/crates/secd/src/auth/z.rs
@@ -1,12 +1,6 @@
use uuid::Uuid;
-use crate::{client::spice::SpiceError, Secd};
-
-#[derive(Debug, thiserror::Error, derive_more::Display)]
-pub enum AuthZError {
- SpiceClient(#[from] SpiceError),
- Todo,
-}
+use crate::{Secd, SecdError};
pub type Namespace = String;
pub type Object = (Namespace, Uuid);
@@ -15,7 +9,7 @@ pub type Relation = String;
pub struct Relationship {
pub subject: Subject,
pub object: Object,
- pub relation: String,
+ pub relation: Relation,
}
#[derive(Clone)]
@@ -25,7 +19,7 @@ pub enum Subject {
}
impl Secd {
- pub async fn check(&self, r: &Relationship) -> Result<bool, AuthZError> {
+ pub async fn check(&self, r: &Relationship) -> Result<bool, SecdError> {
let spice = self
.spice
.clone()
@@ -33,22 +27,35 @@ impl Secd {
Ok(spice.check_permission(r).await?)
}
- pub async fn expand(&self) -> Result<(), AuthZError> {
+ pub async fn expand(&self) -> Result<(), SecdError> {
todo!()
}
- pub async fn read(&self) -> Result<(), AuthZError> {
+ pub async fn read(&self) -> Result<(), SecdError> {
todo!()
}
- pub async fn watch(&self) -> Result<(), AuthZError> {
+ pub async fn watch(&self) -> Result<(), SecdError> {
unimplemented!()
}
- pub async fn write(&self, ts: &[Relationship]) -> Result<(), AuthZError> {
+ pub async fn write(&self, ts: &[Relationship]) -> Result<(), SecdError> {
let spice = self
.spice
.clone()
.expect("TODO: only supports postgres right now");
- spice.write_relationship(ts).await?;
+ // Since spice doesn't really have a great schema pattern, we
+ // prefix all incoming write relationships with an r_ to indicate
+ // they are "relationships" rather than what spice calls permissions
+ spice
+ .write_relationship(
+ &ts.into_iter()
+ .map(|r| Relationship {
+ subject: r.subject.clone(),
+ object: r.object.clone(),
+ relation: format!("r_{}", r.relation),
+ })
+ .collect::<Vec<Relationship>>(),
+ )
+ .await?;
Ok(())
}
}
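Review bot: The new `write` body silently rewrites every relation to `r_{relation}`, but `check` (the `check_permission(r)` call at the top of this hunk) passes the caller's `Relationship` through unchanged, so a tuple written as `viewer` is stored as `r_viewer` and a later `check` on `viewer` does not see it — fail-closed, but invisible to the caller, and a relation that already carries the prefix becomes `r_r_…`. The prefix rule belongs in one private helper with a doc comment such as `/// Spice relation name used for stored tuples: every relation is prefixed with \`r_\` so it cannot collide with a schema permission of the same name.`, and if `check` is meant to resolve the same tuples rather than a schema permission it should go through that helper too — I cannot tell which from this hunk. Two smaller points: `ts.into_iter()` on a `&[Relationship]` is just `ts.iter()` (clippy `into_iter_on_ref`), and `self.spice.clone().expect("TODO: only supports postgres right now")` turns a missing backend into a panic inside an authorization write; returning a `SecdError` would be safer, assuming the enum has a suitable variant (its definition is not in this diff).
```rust
/// Spice relation name used for stored tuples: every relation is prefixed
/// with `r_` so it cannot collide with a schema permission of the same name.
/// The prefix is not re-applied if it is already present.
fn stored_relationship(r: &Relationship) -> Relationship {
    let relation = if r.relation.starts_with("r_") {
        r.relation.clone()
    } else {
        format!("r_{}", r.relation)
    };
    Relationship {
        subject: r.subject.clone(),
        object: r.object.clone(),
        relation,
    }
}

    pub async fn write(&self, ts: &[Relationship]) -> Result<(), SecdError> {
        // … unchanged: spice client lookup …
        let stored: Vec<Relationship> = ts.iter().map(stored_relationship).collect();
        spice.write_relationship(&stored).await?;
        Ok(())
    }
```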