authorbenj <benj@rse8.com>2023-06-12 15:39:10 -0700
committerbenj <benj@rse8.com>2023-06-12 15:39:10 -0700
commit3406b370fe290559ff2445097a380d6f48d0f9af (patch)
tree3e62ca57d6426fd2507950a4fe434fc06491fcd6 /crates/secd
parentb3ba31a1572ecec38115385fafe4a4e87ca39361 (diff)
🤮: add check_list_namespaces as a temporary hack while using spice
Diffstat (limited to 'crates/secd')
-rw-r--r--crates/secd/src/auth/z/mod.rs23
-rw-r--r--crates/secd/src/client/spice/mod.rs38
-rw-r--r--crates/secd/src/lib.rs12
3 files changed, 61 insertions, 12 deletions
diff --git a/crates/secd/src/auth/z/mod.rs b/crates/secd/src/auth/z/mod.rs
index d663e65..d64f674 100644
--- a/crates/secd/src/auth/z/mod.rs
+++ b/crates/secd/src/auth/z/mod.rs
@@ -32,13 +32,24 @@ impl Authorization for Secd {
Ok(spice.check_permission(r).await?)
}
- async fn expand(&self) -> Result<(), SecdError> {
- todo!()
- }
- async fn read(&self) -> Result<(), SecdError> {
- todo!()
+ async fn check_list_namespaces(
+ &self,
+ ns: &Namespace,
+ subj: &Subject,
+ relation: &Relation,
+ ) -> Result<Vec<Uuid>, SecdError> {
+ let spice = self
+ .spice
+ .clone()
+ .expect("TODO: only supports postgres right now");
+ Ok(spice
+ .lookup_resources(ns, relation, subj)
+ .await?
+ .iter()
+ .map(|e| Uuid::parse_str(e).unwrap())
+ .collect())
}
- async fn watch(&self) -> Result<(), SecdError> {
+ async fn check_list_subjects(&self) -> Result<Vec<i32>, SecdError> {
unimplemented!()
}
async fn write(&self, ts: &[Relationship]) -> Result<(), SecdError> {
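Review bot: `Uuid::parse_str(e).unwrap()` in the `map` closure panics the authorization call whenever the remote service returns a `resource_object_id` that is not a well-formed UUID, and the `.expect("TODO: only supports postgres right now")` above it panics when `spice` is `None`; both are driven by remote data or configuration, not by invariants of this code, so they should surface as errors rather than abort the task. Collect fallibly instead, `.map(|e| Uuid::parse_str(e)).collect::<Result<Vec<_>, _>>()`, and convert the parse error into `SecdError` (whether `SecdError` already has a suitable variant or `From` impl is not visible in this hunk). The `.clone()` of the client before the `expect` also looks avoidable if `spice` is borrowable as `as_ref()`, though that depends on its type, which is outside the hunk. The enclosing `impl Authorization for Secd` starts before and continues past this hunk.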
diff --git a/crates/secd/src/client/spice/mod.rs b/crates/secd/src/client/spice/mod.rs
index 67965d7..f24a512 100644
--- a/crates/secd/src/client/spice/mod.rs
+++ b/crates/secd/src/client/spice/mod.rs
@@ -14,7 +14,7 @@ use spice::WriteSchemaRequest;
use std::matches;
use tonic::metadata::MetadataValue;
use tonic::transport::Channel;
-use tonic::{Request, Status};
+use tonic::{Request, Response, Status, Streaming};
use crate::auth::z::{self, Subject};
use crate::client::spice::spice::{
@@ -22,7 +22,10 @@ use crate::client::spice::spice::{
};
use self::spice::check_permission_response::Permissionship;
-use self::spice::{consistency, CheckPermissionRequest, Consistency, WriteRelationshipsRequest};
+use self::spice::{
+ consistency, CheckPermissionRequest, Consistency, LookupResourcesRequest,
+ LookupResourcesResponse, WriteRelationshipsRequest,
+};
#[derive(Debug, thiserror::Error, derive_more::Display)]
pub enum SpiceError {
@@ -46,6 +49,37 @@ impl Spice {
Spice { channel, secret }
}
+ pub async fn lookup_resources(
+ &self,
+ ns: &str,
+ relation: &str,
+ subj: &Subject,
+ ) -> Result<Vec<String>, SpiceError> {
+ let mut client =
+ PermissionsServiceClient::with_interceptor(self.channel.clone(), |req: Request<()>| {
+ self.intercept(req)
+ });
+
+ let request = tonic::Request::new(LookupResourcesRequest {
+ consistency: Some(Consistency {
+ requirement: Some(consistency::Requirement::MinimizeLatency(true)),
+ }),
+ resource_object_type: ns.to_string(),
+ permission: relation.to_string(),
+ subject: Some(SubjectReference::from(subj)),
+ context: None,
+ });
+
+ let mut res = vec![];
+ let mut response: Streaming<LookupResourcesResponse> =
+ client.lookup_resources(request).await?.into_inner();
+ if let Some(d) = response.message().await? {
+ res.push(d.resource_object_id);
+ }
+
+ Ok(res)
+ }
+
pub async fn check_permission(&self, r: &z::Relationship) -> Result<bool, SpiceError> {
let mut client =
PermissionsServiceClient::with_interceptor(self.channel.clone(), |req: Request<()>| {
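Review bot: `if let Some(d) = response.message().await?` reads only the first message of the `Streaming<LookupResourcesResponse>`, so `lookup_resources` returns at most one resource id even when the subject holds `relation` on many; the callers in `auth/z/mod.rs` will therefore see a truncated list. Drain the stream instead: `while let Some(d) = response.message().await? { res.push(d.resource_object_id); }`. Separately, `consistency::Requirement::MinimizeLatency(true)` lets the server answer from a possibly stale revision, so a freshly revoked relationship may still appear in the result; if that is acceptable for this listing, a one-line comment stating so (`// MinimizeLatency: stale reads are acceptable for listing; use AtLeastAsFresh/FullyConsistent where revocation must be immediate`) would save the next reader from guessing. `impl Spice` continues outside the hunk.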
diff --git a/crates/secd/src/lib.rs b/crates/secd/src/lib.rs
index eb5d33d..c84ce44 100644
--- a/crates/secd/src/lib.rs
+++ b/crates/secd/src/lib.rs
@@ -3,7 +3,7 @@ mod client;
mod util;
use async_trait::async_trait;
-use auth::z::Relationship;
+use auth::z::{Namespace, Relation, Relationship, Subject};
use client::{
email::{EmailMessenger, EmailMessengerError, LocalMailer, Sendgrid},
spice::{Spice, SpiceError},
@@ -145,9 +145,13 @@ pub trait Authentication {
#[async_trait]
pub trait Authorization {
async fn check(&self, r: &Relationship) -> Result<bool, SecdError>;
- async fn expand(&self) -> Result<(), SecdError>;
- async fn read(&self) -> Result<(), SecdError>;
- async fn watch(&self) -> Result<(), SecdError>;
+ async fn check_list_namespaces(
+ &self,
+ ns: &Namespace,
+ subj: &Subject,
+ relation: &Relation,
+ ) -> Result<Vec<Uuid>, SecdError>;
+ async fn check_list_subjects(&self) -> Result<Vec<i32>, SecdError>;
async fn write(&self, relationships: &[Relationship]) -> Result<(), SecdError>;
}
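Review bot: The two new trait methods have no doc comments, and `check_list_subjects(&self)` takes no inputs, so a reader cannot tell from the signature what it is meant to list or why it returns `Vec<i32>`. Given the implementation in `auth/z/mod.rs` forwards `ns`, `relation` and `subj` to a resource lookup and returns resource ids, the name `check_list_namespaces` appears to list resources within a namespace rather than namespaces themselves; suggest `/// Returns the ids of resources in `ns` on which `subj` holds `relation`.` above `check_list_namespaces`, and `/// Placeholder; the implementation currently calls `unimplemented!()`.` above `check_list_subjects`, or a `TODO` naming the intended parameters.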