dwctl 8.39.0

The Doubleword Control Layer - A self-hostable observability and analytics platform for LLM applications
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

//! Common type definitions and permission system types.
//!
//! This module defines:
//! - Type aliases for entity IDs (UserId, GroupId, etc.)
//! - Permission and authorization types
//! - Resource and operation enums for access control
//!
//! # ID Types
//!
//! All entity IDs are UUIDs wrapped in type aliases for better type safety:
//!
//! - [`UserId`]: User account identifier
//! - [`ApiKeyId`]: API key identifier
//! - [`DeploymentId`]: Model deployment identifier
//! - [`GroupId`]: Group identifier
//! - [`InferenceEndpointId`]: Backend endpoint identifier
//!
//! # Permission System
//!
//! The permission system is based on three core types:
//!
//! - [`Resource`]: What entity type is being accessed (Users, Groups, Models, etc.)
//! - [`Operation`]: What action is being performed (Read, Create, Update, Delete)
//! - [`Permission`]: Authorization requirement combining resource and operation
//!
//! ## Operations
//!
//! Operations come in two flavors:
//! - **All**: Unrestricted access to all entities (e.g., `ReadAll`, `DeleteAll`)
//! - **Own**: Restricted to user's own entities (e.g., `ReadOwn`, `UpdateOwn`)
//!
//! ## Example Permission Check
//!
//! ```ignore
//! use dwctl::types::{Permission, Resource, Operation};
//!
//! let required = Permission::Allow(Resource::Users, Operation::ReadAll);
//! // Check if user has this permission...
//! ```
//!
//! # Utility Functions
//!
//! - [`abbrev_uuid`]: Abbreviate UUIDs to first 8 chars for logging

use serde::Deserialize;
use std::fmt;
use uuid::Uuid;

// Type aliases for IDs
pub type UserId = Uuid;
pub type ApiKeyId = Uuid;
pub type DeploymentId = Uuid;
pub type GroupId = Uuid;
pub type InferenceEndpointId = Uuid;
#[allow(dead_code)] // TODO: Remove if not needed (currently using fusillade::FileId instead)
pub type FileId = Uuid;

/// Abbreviate a UUID to its first 8 characters for more readable logs and traces
/// Example: "550e8400-e29b-41d4-a716-446655440000" -> "550e8400"
pub fn abbrev_uuid(uuid: &Uuid) -> String {
    uuid.to_string().chars().take(8).collect()
}

// Common types for path parameters
#[derive(Debug, Clone, Deserialize)]
pub enum CurrentKeyword {
    #[serde(rename = "current")]
    Current,
}

/// Designed to allow routes like /api-keys/current and /api-keys/{user_id} to hit the same
/// handler.
#[derive(Debug, Clone, Deserialize)]
#[serde(untagged)]
pub enum UserIdOrCurrent {
    Current(CurrentKeyword),
    Id(UserId),
}

// Operations that can be performed on resources
// *-All means unrestricted access, *-Own means restricted to own resources
// Generics like Create, are justed used for return objects
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Operation {
    // Create,
    CreateAll,
    CreateOwn,
    // Read,
    ReadAll,
    ReadOwn,
    // Update,
    UpdateAll,
    UpdateOwn,
    // Delete,
    DeleteAll,
    DeleteOwn,
    // System
    SystemAccess, // Access to system-level data (like deleted models)
}

// Resources that can be operated on
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Resource {
    Users,
    Groups,
    Models,
    CompositeModels,
    Endpoints,
    ApiKeys,
    Analytics,
    Requests,
    Pricing,
    ModelRateLimits,
    Credits,
    Probes,
    Files,
    Batches,
    Webhooks,
    System,
    Organizations,
    ToolSources,
    Connections,
}

// Permission types for authorization
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Permission {
    /// Simple permission: (Resource, Operation)
    Allow(Resource, Operation),
    /// User must have been granted access to a specific resource instance
    Granted,
    /// Logical combinators
    Any(Vec<Permission>),
    // All(Vec<Permission>),
}

// Add this Display implementation for Operation
impl fmt::Display for Operation {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Operation::CreateAll | Operation::CreateOwn => write!(f, "Create"),
            Operation::ReadAll | Operation::ReadOwn => write!(f, "Read"),
            Operation::UpdateAll | Operation::UpdateOwn => write!(f, "Update"),
            Operation::DeleteAll | Operation::DeleteOwn => write!(f, "Delete"),
            Operation::SystemAccess => write!(f, "Access"),
        }
    }
}