use async_trait::async_trait;
use serde::{Deserialize, Serialize};
use crate::{
admin::{group, role},
connection::{Connection, SensitiveString},
define_basic_unique_mapped_view,
document::{CollectionDocument, Document, KeyId},
permissions::Permissions,
schema::{Collection, CollectionName, DefaultSerialization, NamedCollection, Schematic},
Error, ENCRYPTION_ENABLED,
};
/// A user account stored in the admin database.
///
/// Group and role membership is recorded as document ids only; the referenced
/// documents are fetched on demand by [`User::effective_permissions`].
#[derive(Debug, Serialize, Deserialize, Default)]
pub struct User {
    /// The login name. It is the key of the unique `ByName` view, so two users
    /// cannot share a username.
    pub username: String,
    /// Ids of the `PermissionGroup` documents assigned directly to the user.
    pub groups: Vec<u64>,
    /// Ids of the `Role` documents assigned to the user; each role contributes
    /// further group ids.
    pub roles: Vec<u64>,
    /// The user's password hash (presumably Argon2, judging by the name — the
    /// code that sets it lives elsewhere). Kept in a `SensitiveString` rather
    /// than a plain `String`. `#[serde(default)]` lets documents written before
    /// this field existed deserialize as `None`.
    #[serde(default)]
    pub argon_hash: Option<SensitiveString>,
}
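impl User {
    /// Builds a [`User`] with the given `username`; every other field keeps its
    /// `Default` value (no groups, no roles, no password hash).
    pub fn default_with_username(username: impl Into<String>) -> Self {
        Self {
            username: username.into(),
            ..Self::default()
        }
    }

    /// Resolves the permissions this user holds through role and group membership.
    ///
    /// The groups granted by the user's roles are collected first, then combined
    /// with the directly assigned `groups`. The statements of every resulting
    /// `PermissionGroup` are merged into one [`Permissions`] value.
    ///
    /// # Errors
    ///
    /// Returns any error raised by `admin` while fetching the role or group
    /// documents, or by deserializing their contents.
    pub async fn effective_permissions<C: Connection>(
        &self,
        admin: &C,
    ) -> Result<Permissions, crate::Error> {
        // Groups granted indirectly through roles. Roles are looked up by the
        // role ids (`self.roles`) — looking them up by `self.groups` would
        // resolve the wrong documents and silently grant/deny the wrong access.
        let role_groups: Vec<u64> = if self.roles.is_empty() {
            Vec::default()
        } else {
            let roles = admin.get_multiple::<role::Role>(&self.roles).await?;
            roles
                .into_iter()
                .map(|doc| doc.contents::<role::Role>().map(|role| role.groups))
                .collect::<Result<Vec<Vec<u64>>, _>>()?
                .into_iter()
                .flatten()
                .collect()
        };

        let groups = if role_groups.is_empty() {
            admin
                .get_multiple::<group::PermissionGroup>(&self.groups)
                .await?
        } else {
            let mut all_groups = role_groups;
            all_groups.extend(self.groups.iter().copied());
            // `Vec::dedup` only drops *adjacent* duplicates; a seen-set removes
            // every repeated id while keeping the original order, so a group
            // reachable through several roles is fetched and merged once.
            let mut seen = std::collections::HashSet::with_capacity(all_groups.len());
            all_groups.retain(|id| seen.insert(*id));
            admin
                .get_multiple::<group::PermissionGroup>(&all_groups)
                .await?
        };

        // Deserialize each group's statements before merging so that a single
        // corrupt document fails the whole lookup instead of being skipped.
        let group_permissions = groups
            .into_iter()
            .map(|group| {
                group
                    .contents::<group::PermissionGroup>()
                    .map(|group| Permissions::from(group.statements))
            })
            .collect::<Result<Vec<_>, _>>()?;
        Ok(Permissions::merged(group_permissions.iter()))
    }
}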
#[async_trait]
impl Collection for User {
    /// User documents are encrypted with the master key whenever encryption is
    /// compiled in (`ENCRYPTION_ENABLED`); otherwise they are stored in the clear.
    fn encryption_key() -> Option<KeyId> {
        ENCRYPTION_ENABLED.then_some(KeyId::Master)
    }

    /// The collection is namespaced as `khonsulabs` / `user`.
    fn collection_name() -> CollectionName {
        CollectionName::new("khonsulabs", "user")
    }

    /// Registers the unique `ByName` view, which indexes users by username.
    fn define_views(schema: &mut Schematic) -> Result<(), Error> {
        schema.define_view(ByName)
    }
}
/// Opt into the crate's default document serialization for `User`.
impl DefaultSerialization for User {}
/// Lets `User` documents be addressed by name through the `ByName` view.
impl NamedCollection for User {
    type ByNameView = ByName;
}
// Unique view over `User` keyed by username (`String`), named "by-name".
// Uniqueness is what prevents two accounts from sharing a login name; the `1`
// is presumably the view version (see the macro's definition).
define_basic_unique_mapped_view!(
    ByName,
    User,
    1,
    "by-name",
    String,
    |document: CollectionDocument<User>| { document.header.emit_key(document.contents.username) }
);