activityforge 0.1.0-pre-alpha.2

ActivityForge federated git forges over ActivityPub
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

use crate::db::{Actor, Grant, TableEntry, TableType, Transaction, Uuid};
use crate::{Error, Result, Role, util};

use super::AppState;

impl AppState {
    /// Checks the database [Grant]s for an `actor` requesting `role` access to a `context` resource.
    pub async fn check_grants(&self, actor: &Actor, role: Role, context: TableEntry) -> Result<()> {
        let db = self.db().await;
        let pool = db.pool()?;
        let mut dbtx = pool.begin().await?;

        self.check_grants_tx(&mut dbtx, actor, role, context)
            .await?;

        dbtx.commit()
            .await
            .map(|_| ())
            .map_err(|err| Error::db(format!("app: {err}")))
    }

    /// Checks the database [Grant]s for an `actor` requesting `role` access to a `context` resource using a transaction.
    pub async fn check_grants_tx(
        &self,
        dbtx: &mut Transaction<'_>,
        actor: &Actor,
        role: Role,
        context: TableEntry,
    ) -> Result<()> {
        if role == Role::Public {
            return Ok(());
        } else if role == Role::Deny {
            return Err(Error::http(format!(
                "check_grants: access to {context} is denied"
            )));
        }

        let actor_entry = actor.table_entry();

        let grants = Grant::find_by_actor_tx(dbtx, &actor_entry)
            .await
            .map_err(|err| {
                Error::http(format!(
                    "check_grants: error retrieving grants for actor: {actor_entry}, error: {err}",
                ))
            })?;

        if grants.iter().any(|grant| {
            log::debug!("check_grants: checking grant: {grant}");
            grant.permits(actor.table_entry(), role, context)
        }) {
            Ok(())
        } else {
            Err(Error::http(format!(
                "check_grants: no `{role}` grant for {actor_entry} to {context}",
            )))
        }
    }

    /// Creates a new [Grant] record in the database.
    ///
    /// Grants an `actor` record `role` access to a `context` resource.
    pub async fn create_grant(
        &self,
        actor: &Actor,
        roles: &[Role],
        context: TableEntry,
    ) -> Result<Grant> {
        let db = self.db().await;
        let pool = db.pool()?;
        let mut dbtx = pool.begin().await?;

        let grant = self
            .create_grant_tx(&mut dbtx, actor, roles, context)
            .await?;

        dbtx.commit()
            .await
            .map(|_| grant)
            .map_err(|err| Error::db(format!("app: {err}")))
    }

    /// Creates a new [Grant] record in the database using a transaction.
    ///
    /// Grants an `actor` record `role` access to a `context` resource.
    pub async fn create_grant_tx(
        &self,
        dbtx: &mut Transaction<'_>,
        actor: &Actor,
        roles: &[Role],
        context: TableEntry,
    ) -> Result<Grant> {
        self.create_grant_with_uuid_tx(dbtx, util::rand_uuid(), actor, roles, context)
            .await
    }

    /// Creates a new [Grant] record in the database using a transaction.
    ///
    /// Grants an `actor` record `role` access to a `context` resource.
    pub async fn create_grant_with_uuid(
        &self,
        uuid: Uuid,
        actor: &Actor,
        roles: &[Role],
        context: TableEntry,
    ) -> Result<Grant> {
        let db = self.db().await;
        let pool = db.pool()?;
        let mut dbtx = pool.begin().await?;

        let grant = self
            .create_grant_with_uuid_tx(&mut dbtx, uuid, actor, roles, context)
            .await?;

        dbtx.commit()
            .await
            .map(|_| grant)
            .map_err(|err| Error::db(format!("app: {err}")))
    }

    /// Creates a new [Grant] record in the database using a transaction.
    ///
    /// Grants an `actor` record `role` access to a `context` resource.
    pub async fn create_grant_with_uuid_tx(
        &self,
        dbtx: &mut Transaction<'_>,
        uuid: Uuid,
        actor: &Actor,
        roles: &[Role],
        context: TableEntry,
    ) -> Result<Grant> {
        let id = TableType::Grant.id_from_uuid(self.uri(), uuid)?;

        let mut roles = roles.to_vec();
        roles.sort();
        roles.dedup();

        let mut grant = Grant::new()
            .with_uuid(uuid)
            .with_id(id)
            .with_actor(actor.table_entry())
            .with_context(context)
            .with_objects(roles)?;

        // add a Grant giving admin permissions to the person actor over the application.
        grant.find_or_create_tx(dbtx).await.map(|_| grant)
    }
}