ayb 0.1.12-rc.7

ayb makes it easy to create, host, and share embedded databases like SQLite and DuckDB
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

use crate::ayb_db::db_interfaces::AybDb;
use crate::ayb_db::models::{
    APIToken, EntityDatabaseSharingLevel, InstantiatedDatabase, InstantiatedEntity,
    PublicSharingLevel,
};
use crate::error::AybError;
use crate::hosted_db::QueryMode;
use actix_web::web;

fn is_owner(authenticated_entity: &InstantiatedEntity, database: &InstantiatedDatabase) -> bool {
    authenticated_entity.id == database.entity_id
}

pub fn can_create_database(
    authenticated_entity: &InstantiatedEntity,
    desired_entity: &InstantiatedEntity,
) -> bool {
    authenticated_entity.id == desired_entity.id
}

pub async fn can_discover_database(
    authenticated_entity: &InstantiatedEntity,
    database: &InstantiatedDatabase,
    ayb_db: &web::Data<Box<dyn AybDb>>,
) -> Result<bool, AybError> {
    let public_sharing_level = PublicSharingLevel::try_from(database.public_sharing_level)?;
    if is_owner(authenticated_entity, database)
        || public_sharing_level == PublicSharingLevel::ReadOnly
        || public_sharing_level == PublicSharingLevel::Fork
    {
        return Ok(true);
    }

    let permission = ayb_db
        .get_entity_database_permission(authenticated_entity, database)
        .await?;
    match permission {
        Some(permission) => match EntityDatabaseSharingLevel::try_from(permission.sharing_level)? {
            EntityDatabaseSharingLevel::Manager
            | EntityDatabaseSharingLevel::ReadWrite
            | EntityDatabaseSharingLevel::ReadOnly => Ok(true),
            _ => Ok(false),
        },
        None => Ok(false),
    }
}

pub async fn can_manage_database(
    authenticated_entity: &InstantiatedEntity,
    database: &InstantiatedDatabase,
    ayb_db: &web::Data<Box<dyn AybDb>>,
) -> Result<bool, AybError> {
    if is_owner(authenticated_entity, database) {
        return Ok(true);
    }

    let permission = ayb_db
        .get_entity_database_permission(authenticated_entity, database)
        .await?;
    match permission {
        Some(permission) => match EntityDatabaseSharingLevel::try_from(permission.sharing_level)? {
            EntityDatabaseSharingLevel::Manager => Ok(true),
            _ => Ok(false),
        },
        None => Ok(false),
    }
}

/// Check if a token can access a specific database.
/// Scoped tokens can only access the database they're scoped to.
/// Unscoped tokens can access any database the user has permission for.
pub fn can_token_access_database(token: &APIToken, database: &InstantiatedDatabase) -> bool {
    match token.database_id {
        Some(token_db_id) => token_db_id == database.id,
        None => true,
    }
}

/// Apply token permission restrictions to a user's permission level.
/// Returns the more restrictive of the two permission levels.
fn apply_token_permission_cap(
    user_permission: Option<QueryMode>,
    token: Option<&APIToken>,
) -> Result<Option<QueryMode>, AybError> {
    let Some(user_perm) = user_permission else {
        return Ok(None);
    };

    let Some(token) = token else {
        return Ok(Some(user_perm));
    };

    let Some(token_perm_level) = token.query_permission_level else {
        return Ok(Some(user_perm)); // No cap on token
    };

    let token_perm = QueryMode::try_from(token_perm_level)?;

    // Return the more restrictive permission
    Ok(match (user_perm, token_perm) {
        (QueryMode::ReadOnly, _) => Some(QueryMode::ReadOnly),
        (_, QueryMode::ReadOnly) => Some(QueryMode::ReadOnly),
        (QueryMode::ReadWrite, QueryMode::ReadWrite) => Some(QueryMode::ReadWrite),
    })
}

pub async fn highest_query_access_level(
    authenticated_entity: &InstantiatedEntity,
    database: &InstantiatedDatabase,
    token: Option<&APIToken>,
    ayb_db: &web::Data<Box<dyn AybDb>>,
) -> Result<Option<QueryMode>, AybError> {
    // If token is scoped to a different database, deny access
    if let Some(token) = token {
        if !can_token_access_database(token, database) {
            return Ok(None);
        }
    }

    let user_permission = if is_owner(authenticated_entity, database) {
        Some(QueryMode::ReadWrite)
    } else {
        let permission = ayb_db
            .get_entity_database_permission(authenticated_entity, database)
            .await?;
        match permission {
            Some(permission) => {
                match EntityDatabaseSharingLevel::try_from(permission.sharing_level)? {
                    EntityDatabaseSharingLevel::Manager | EntityDatabaseSharingLevel::ReadWrite => {
                        Some(QueryMode::ReadWrite)
                    }
                    EntityDatabaseSharingLevel::ReadOnly => Some(QueryMode::ReadOnly),
                    _ => None,
                }
            }
            None => None,
        }
    };

    // If user has explicit permission, apply token cap
    if user_permission.is_some() {
        return apply_token_permission_cap(user_permission, token);
    }

    // Check public sharing level
    if PublicSharingLevel::try_from(database.public_sharing_level)? == PublicSharingLevel::ReadOnly
    {
        return apply_token_permission_cap(Some(QueryMode::ReadOnly), token);
    }

    Ok(None)
}