beep-authz 0.4.0

Authorization library for Beep services
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

use crate::authzed::api::v1::ObjectReference;

type ObjectId = String;

/// Represents different types of objects in the SpiceDB authorization system.
///
/// `SpiceDbObject` is used to identify resources and subjects when performing
/// permission checks. Each variant represents a different type of entity in your
/// application's domain model.
///
/// # Object Types
///
/// - **Server** - A server/workspace that contains channels, users, and roles
/// - **Channel** - A communication channel within a server
/// - **User** - A user/subject that can have permissions
/// - **PermissionOverride** - A permission override rule
///
/// # Examples
///
/// ```no_run
/// use authz::{SpiceDbObject, SpiceDbRepository, Permissions};
///
/// # async fn example(repo: SpiceDbRepository) {
/// // Check if a user can view a channel
/// let result = repo.check_permissions(
///     SpiceDbObject::Channel("general-chat".to_string()),
///     Permissions::ViewChannels,
///     SpiceDbObject::User("user-123".to_string()),
/// ).await;
///
/// // Check if a user is a server admin
/// let is_admin = repo.check_permissions(
///     SpiceDbObject::Server("my-server".to_string()),
///     Permissions::Administrator,
///     SpiceDbObject::User("user-456".to_string()),
/// ).await.has_permissions();
/// # }
/// ```
///
/// # SpiceDB Integration
///
/// Each `SpiceDbObject` is converted into a SpiceDB `ObjectReference` when
/// communicating with the SpiceDB API. The object type determines the namespace
/// used in SpiceDB's schema.
pub enum SpiceDbObject {
    /// A server object identified by its unique ID.
    ///
    /// Servers are top-level containers that can have channels, users, roles,
    /// and other resources. They correspond to the "server" object type in SpiceDB.
    ///
    /// # Example
    ///
    /// ```
    /// use authz::SpiceDbObject;
    ///
    /// let server = SpiceDbObject::Server("server-abc-123".to_string());
    /// ```
    Server(ObjectId),

    /// A channel object identified by its unique ID.
    ///
    /// Channels are communication spaces within a server where users can view
    /// and send messages. They correspond to the "channel" object type in SpiceDB.
    ///
    /// # Example
    ///
    /// ```
    /// use authz::SpiceDbObject;
    ///
    /// let channel = SpiceDbObject::Channel("channel-xyz-789".to_string());
    /// ```
    Channel(ObjectId),

    /// A user object identified by its unique ID.
    ///
    /// Users are subjects that can have permissions on resources. They correspond
    /// to the "user" object type in SpiceDB.
    ///
    /// # Example
    ///
    /// ```
    /// use authz::SpiceDbObject;
    ///
    /// let user = SpiceDbObject::User("user-def-456".to_string());
    /// ```
    User(ObjectId),

    /// A permission override object identified by its unique ID.
    ///
    /// Permission overrides allow fine-grained control over access rules.
    /// They correspond to the "permission_override" object type in SpiceDB.
    ///
    /// # Example
    ///
    /// ```
    /// use authz::SpiceDbObject;
    ///
    /// let override_rule = SpiceDbObject::PermissionOverride("override-001".to_string());
    /// ```
    PermissionOverride(ObjectId),
}

impl SpiceDbObject {
    /// Returns the object's unique identifier.
    ///
    /// Extracts the ID string from the object, regardless of its type.
    pub(crate) fn id(&self) -> ObjectId {
        match self {
            SpiceDbObject::Server(id) => id.clone(),
            SpiceDbObject::Channel(id) => id.clone(),
            SpiceDbObject::User(id) => id.clone(),
            SpiceDbObject::PermissionOverride(id) => id.clone(),
        }
    }

    /// Returns the SpiceDB object type name.
    ///
    /// This corresponds to the object type namespace defined in your SpiceDB schema.
    ///
    /// # Returns
    ///
    /// - `"server"` for `SpiceDbObject::Server`
    /// - `"channel"` for `SpiceDbObject::Channel`
    /// - `"user"` for `SpiceDbObject::User`
    /// - `"permission_override"` for `SpiceDbObject::PermissionOverride`
    pub(crate) fn object_name(&self) -> String {
        match self {
            SpiceDbObject::Server(_) => "server".to_string(),
            SpiceDbObject::Channel(_) => "channel".to_string(),
            SpiceDbObject::User(_) => "user".to_string(),
            SpiceDbObject::PermissionOverride(_) => "permission_override".to_string(),
        }
    }

    /// Returns the object type for tracing purposes.
    pub(crate) fn get_object_type(&self) -> &str {
        match self {
            SpiceDbObject::Server(_) => "server",
            SpiceDbObject::Channel(_) => "channel",
            SpiceDbObject::User(_) => "user",
            SpiceDbObject::PermissionOverride(_) => "permission_override",
        }
    }

    /// Returns the object ID for tracing purposes.
    pub(crate) fn get_object_id(&self) -> &str {
        match self {
            SpiceDbObject::Server(id) => id,
            SpiceDbObject::Channel(id) => id,
            SpiceDbObject::User(id) => id,
            SpiceDbObject::PermissionOverride(id) => id,
        }
    }
}

/// Converts a `SpiceDbObject` into a SpiceDB `ObjectReference`.
///
/// This implementation allows `SpiceDbObject` to be used directly in permission
/// check operations. The conversion maps the object to SpiceDB's wire format.
impl Into<ObjectReference> for SpiceDbObject {
    fn into(self) -> ObjectReference {
        ObjectReference {
            object_type: self.object_name(),
            object_id: self.id(),
        }
    }
}