use super::*;
impl BucketWarden {
    /// Builds the console "admin summary" view for the caller identified by
    /// `access_key_id`.
    ///
    /// The caller is resolved to a principal and must hold
    /// `OperatorAction::ReadDiagnostics` on `"*"` before any report data is
    /// read. Users come from `ops_console_report` (no tenant filter, `None`),
    /// the tenant list is the sorted, de-duplicated set of their tenant ids,
    /// and the role rows tally the role assignments found for those users.
    ///
    /// NOTE(review): `effective_permissions` and every role's `actions` are
    /// the fixed catalogue returned by `effective_permission_actions()`, not a
    /// permission set derived from the caller's or the role's assignments —
    /// confirm the console treats them as a catalogue rather than as what the
    /// principal may actually do.
    ///
    /// # Errors
    /// Propagates any `RuntimeError` from principal resolution, the
    /// authorization check, or the report.
    pub fn console_api_admin_summary(
        &mut self,
        access_key_id: &str,
    ) -> Result<ConsoleApiAdminSummary, RuntimeError> {
        // Header name the console uses to request a tenant-scoped view.
        const SCOPED_REQUEST_HEADER: &str = "x-bucketwarden-tenant-id";

        let principal = self.console_api_principal(access_key_id)?;
        // Authorize before touching any report data.
        self.require_operator_action(
            &principal,
            OperatorAction::ReadDiagnostics,
            "*",
            "ui:GetAdminSummary",
        )?;
        let report = self.ops_console_report(&principal, None)?;

        // Distinct tenant ids in sorted order.
        let mut tenant_ids: Vec<_> = report
            .users
            .iter()
            .map(|user| user.tenant_id.clone())
            .collect();
        tenant_ids.sort_unstable();
        tenant_ids.dedup();
        let selected_tenant_id = self.principal_tenant_id(&principal);

        // One row per role assignment, in report-user order and then in the
        // order `role_assignments` yields them. The role name is the enum's
        // Debug rendering; presumably the console matches on that string, so
        // renaming a variant changes the API — TODO confirm.
        let assignments: Vec<ConsoleApiRoleAssignmentRow> = report
            .users
            .iter()
            .flat_map(|user| self.auth.role_assignments(&user.principal_id))
            .map(|assignment| ConsoleApiRoleAssignmentRow {
                principal_id: assignment.principal_id,
                role: format!("{:?}", assignment.role),
                scope: assignment.scope,
            })
            .collect();

        // Tally assignments per role name; BTreeMap keeps the roles sorted.
        let mut role_counts = BTreeMap::<String, usize>::new();
        for row in &assignments {
            *role_counts.entry(row.role.clone()).or_default() += 1;
        }
        let roles = role_counts
            .into_iter()
            .map(|(role, assignment_count)| ConsoleApiRoleRow {
                role,
                assignment_count,
                actions: effective_permission_actions(),
            })
            .collect();

        Ok(ConsoleApiAdminSummary {
            tenant_scope: ConsoleApiTenantScope {
                selected_tenant_id,
                tenant_ids,
                scoped_request_header: SCOPED_REQUEST_HEADER.to_string(),
            },
            users: report.users,
            roles,
            assignments,
            effective_permissions: effective_permission_actions(),
        })
    }

    /// Builds the console detail view for one principal.
    ///
    /// The caller is resolved from `access_key_id` and must hold
    /// `OperatorAction::ReadDiagnostics` on `"*"`. The requested
    /// `principal_id` must appear in the caller's `ops_console_report` before
    /// any of its role assignments are read; a principal that is not in that
    /// report is rejected as an invalid `principal_id` parameter. Keep that
    /// lookup ahead of `role_assignments` — it is what limits the response to
    /// principals the caller's report already exposes.
    ///
    /// NOTE(review): `effective_permissions` is the fixed catalogue from
    /// `effective_permission_actions()`, not permissions derived from this
    /// user's assignments — confirm that is what the console expects.
    ///
    /// # Errors
    /// `RuntimeError::InvalidListParameter` when `principal_id` is not in the
    /// caller's report, plus any error from principal resolution, the
    /// authorization check, or the report.
    pub fn console_api_user_detail(
        &mut self,
        access_key_id: &str,
        principal_id: &str,
    ) -> Result<ConsoleApiUserDetail, RuntimeError> {
        let principal = self.console_api_principal(access_key_id)?;
        self.require_operator_action(
            &principal,
            OperatorAction::ReadDiagnostics,
            "*",
            "ui:GetUserDetail",
        )?;
        let report = self.ops_console_report(&principal, None)?;

        let found = report
            .users
            .into_iter()
            .find(|user| user.principal_id == principal_id);
        let user = match found {
            Some(user) => user,
            None => {
                return Err(RuntimeError::InvalidListParameter {
                    name: "principal_id".to_string(),
                    value: principal_id.to_string(),
                })
            }
        };

        // Same row shape as the admin summary: role name is the Debug
        // rendering of the role enum.
        let assignments = self
            .auth
            .role_assignments(principal_id)
            .into_iter()
            .map(|assignment| ConsoleApiRoleAssignmentRow {
                principal_id: assignment.principal_id,
                role: format!("{:?}", assignment.role),
                scope: assignment.scope,
            })
            .collect();

        Ok(ConsoleApiUserDetail {
            principal_id: user.principal_id,
            tenant_id: user.tenant_id,
            kind: user.kind,
            enabled: user.enabled,
            assignments,
            effective_permissions: effective_permission_actions(),
        })
    }
}
/// The catalogue of operator actions the console lists as "effective
/// permissions", in a fixed order.
///
/// This list is static: it does not depend on any principal, role or
/// assignment. Callers that need the permissions a specific principal
/// actually holds must derive them from its role assignments elsewhere.
fn effective_permission_actions() -> Vec<String> {
    const ACTIONS: [&str; 8] = [
        "AdministerCluster",
        "AdministerTenant",
        "AdministerBucket",
        "ReadDiagnostics",
        "ReadAudit",
        "ManageSecurity",
        "ManageCredentials",
        "SimulatePolicy",
    ];
    ACTIONS.iter().map(|action| action.to_string()).collect()
}