Diffstat (limited to 'crates')
-rw-r--r--crates/iam/src/main.rs25
-rw-r--r--crates/secd/src/auth/z.rs35
-rw-r--r--crates/secd/src/client/store/sql_db.rs4
-rw-r--r--crates/secd/src/lib.rs3
4 files changed, 45 insertions, 22 deletions
diff --git a/crates/iam/src/main.rs b/crates/iam/src/main.rs
index c2ab5a3..ae44b46 100644
--- a/crates/iam/src/main.rs
+++ b/crates/iam/src/main.rs
@@ -58,7 +58,26 @@ async fn exec() -> Result<Option<String>> {
std::env::set_var(ENV_SPICE_SERVER, "http://[::1]:50051");
let secd = Secd::init(Some(
- "definition user {}\ndefinition organization {\n relation member: user \n }\n",
+ r#"
+definition user {}
+
+definition organization {
+ relation r_member: user
+ relation r_admin: user
+
+ permission member = r_admin + r_member
+ permission admin = r_admin
+}
+
+definition plugin {
+ relation r_creator: user | organization#admin
+ relation r_editor: user
+ relation r_viewer: user
+
+ permission creator = r_creator + r_creator->admin
+ permission editor = r_editor + r_creator + r_creator->admin
+ permission viewer = r_viewer + r_editor + r_creator + r_creator->admin
+}"#,
))
.await
.map_err(|e| CliError::SecdInitializationFailure(e.to_string()))?;
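Review bot: The naming convention the new schema relies on — every relation carries an `r_` prefix while permissions (`member`, `admin`, `creator`, …) do not — is nowhere stated next to the literal, yet the `write` method changed in `crates/secd/src/auth/z.rs` in this same commit adds that prefix to every relation it receives, so a reader of this schema has to know both halves to use the API correctly. A short comment above the `r#"` string such as `// Relations are written through Secd::write, which prepends "r_"; permissions are the bare names passed to Secd::check.` would tie the two together. Since the literal now spans twenty lines of a `main.rs`, consider keeping it in a `.zed` file pulled in with `include_str!` so the schema can be linted and diffed on its own; the enclosing `exec` function starts and ends outside this hunk.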
@@ -72,7 +91,7 @@ async fn exec() -> Result<Option<String>> {
"organization".into(),
Uuid::parse_str("862f38b5-7f88-4b55-800f-af8da059e3a7").unwrap(),
),
- relation: "member".into(),
+ relation: "r_member".into(),
}])
.await
.unwrap();
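Review bot: `"r_member"` appears to be double-prefixed once it reaches SpiceDB: if the call enclosing this hunk is `Secd::write` (its head is outside the hunk, but the `}])` shape matches `write(&self, ts: &[Relationship])`), the new `write` body in `crates/secd/src/auth/z.rs` rewrites the relation as `format!("r_{}", r.relation)`, producing `r_r_member`, which the schema added in this commit does not define, so the write would be rejected by the server. The pre-change value `relation: "member".into(),` is the one the new `write` expects, and the third hunk of this file already passes the bare name `"member"` to the check call, which is the intended pairing. If this call instead goes straight to the Spice client, a comment saying so would prevent the same confusion for the next reader.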
@@ -87,7 +106,7 @@ async fn exec() -> Result<Option<String>> {
"organization".into(),
Uuid::parse_str("862f38b5-7f88-4b55-800f-af8da059e3a7").unwrap(),
),
- relation: "memb".into(),
+ relation: "member".into(),
})
.await
{
diff --git a/crates/secd/src/auth/z.rs b/crates/secd/src/auth/z.rs
index 81c3639..31f449c 100644
--- a/crates/secd/src/auth/z.rs
+++ b/crates/secd/src/auth/z.rs
@@ -1,12 +1,6 @@
use uuid::Uuid;
-use crate::{client::spice::SpiceError, Secd};
-
-#[derive(Debug, thiserror::Error, derive_more::Display)]
-pub enum AuthZError {
- SpiceClient(#[from] SpiceError),
- Todo,
-}
+use crate::{Secd, SecdError};
pub type Namespace = String;
pub type Object = (Namespace, Uuid);
@@ -15,7 +9,7 @@ pub type Relation = String;
pub struct Relationship {
pub subject: Subject,
pub object: Object,
- pub relation: String,
+ pub relation: Relation,
}
#[derive(Clone)]
@@ -25,7 +19,7 @@ pub enum Subject {
}
impl Secd {
- pub async fn check(&self, r: &Relationship) -> Result<bool, AuthZError> {
+ pub async fn check(&self, r: &Relationship) -> Result<bool, SecdError> {
let spice = self
.spice
.clone()
@@ -33,22 +27,35 @@ impl Secd {
Ok(spice.check_permission(r).await?)
}
- pub async fn expand(&self) -> Result<(), AuthZError> {
+ pub async fn expand(&self) -> Result<(), SecdError> {
todo!()
}
- pub async fn read(&self) -> Result<(), AuthZError> {
+ pub async fn read(&self) -> Result<(), SecdError> {
todo!()
}
- pub async fn watch(&self) -> Result<(), AuthZError> {
+ pub async fn watch(&self) -> Result<(), SecdError> {
unimplemented!()
}
- pub async fn write(&self, ts: &[Relationship]) -> Result<(), AuthZError> {
+ pub async fn write(&self, ts: &[Relationship]) -> Result<(), SecdError> {
let spice = self
.spice
.clone()
.expect("TODO: only supports postgres right now");
- spice.write_relationship(ts).await?;
+ // Since spice doesn't really have a great schema pattern, we
+ // prefix all incoming write relationships with an r_ to indicate
+ // they are "relationships" rather than what spice calls permissions
+ spice
+ .write_relationship(
+ &ts.into_iter()
+ .map(|r| Relationship {
+ subject: r.subject.clone(),
+ object: r.object.clone(),
+ relation: format!("r_{}", r.relation),
+ })
+ .collect::<Vec<Relationship>>(),
+ )
+ .await?;
Ok(())
}
}
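Review bot: `write` now silently rewrites every caller-supplied relation name while `check` (the `Ok(spice.check_permission(r).await?)` line at the top of this hunk) forwards `r` untouched, so the two methods accept different namespaces — an un-prefixed schema relation on one side, a permission name on the other — and neither method documents that; the inline comment explains the why but not the contract. A `///` doc comment on `write` should state that `relation` must be the schema relation name without the `r_` prefix (for example `"member"` becomes `r_member`) and that `check` takes permission names as written in the schema. A caller that already passes an `r_`-prefixed name is only caught later as a server-side schema error; a guard at this boundary, for instance returning `SecdError::AuthorizationNotSupported` when `r.relation.starts_with("r_")`, would surface the mistake where it is made. As a style point, `ts.into_iter()` on a `&[Relationship]` is the `iter()` form (clippy flags it); `ts.iter()` reads as intended and avoids the per-item `subject`/`object` clones being mistaken for a move.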
diff --git a/crates/secd/src/client/store/sql_db.rs b/crates/secd/src/client/store/sql_db.rs
index 6d84301..ecb13be 100644
--- a/crates/secd/src/client/store/sql_db.rs
+++ b/crates/secd/src/client/store/sql_db.rs
@@ -430,10 +430,6 @@ where
session_token_hash: &Option<Vec<u8>>,
) -> Result<Vec<Identity>, StoreError> {
let sqls = get_sqls(&self.sqls_root, FIND_IDENTITY);
- println!("{:?}", id);
- println!("{:?}", address_value);
- println!("{:?}", address_is_validated);
- println!("{:?}", session_token_hash);
let rs = sqlx::query_as::<
_,
(
diff --git a/crates/secd/src/lib.rs b/crates/secd/src/lib.rs
index 15a92a8..15615b2 100644
--- a/crates/secd/src/lib.rs
+++ b/crates/secd/src/lib.rs
@@ -4,7 +4,7 @@ mod util;
use client::{
email::{EmailMessenger, EmailMessengerError, LocalMailer},
- spice::Spice,
+ spice::{Spice, SpiceError},
store::{
sql_db::{PgClient, SqliteClient},
Store, StoreError,
@@ -64,6 +64,7 @@ pub enum SecdError {
FailedToDecodeInput(#[from] hex::FromHexError),
AuthorizationNotSupported(String),
+ SpiceClient(#[from] SpiceError),
Todo,
}