nodedb 0.2.1

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

// SPDX-License-Identifier: BUSL-1.1

//! OIDC provider catalog ops for `_system.oidc_providers`.
//!
//! Keyed by `provider_name` (string). Stores issuer, JWKS URI, audience, and
//! claim-mapping rules used by the OIDC verify path.

use redb::ReadableTable;

use super::tables::OIDC_PROVIDERS;
use super::types::{SystemCatalog, catalog_err};

/// A claim-mapping rule that maps a JWT claim value to NodeDB databases and roles.
#[derive(
    Debug,
    Clone,
    zerompk::ToMessagePack,
    zerompk::FromMessagePack,
    serde::Serialize,
    serde::Deserialize,
)]
#[msgpack(map, allow_unknown_fields)]
pub struct StoredClaimMappingRule {
    /// Name of the JWT claim to inspect (e.g. `"org_id"`, `"groups"`).
    pub claim_name: String,
    /// Expected claim value. Use `"*"` to match any non-empty value.
    pub claim_value: String,
    /// Default database ID for sessions matched by this rule. `None` = no override.
    #[msgpack(default)]
    pub default_database: Option<u64>,
    /// Additional database IDs accessible to sessions matched by this rule.
    #[msgpack(default)]
    pub add_databases: Vec<u64>,
    /// Additional role names granted to sessions matched by this rule.
    #[msgpack(default)]
    pub add_roles: Vec<String>,
}

/// Persisted OIDC provider record in `_system.oidc_providers`.
#[derive(
    Debug,
    Clone,
    zerompk::ToMessagePack,
    zerompk::FromMessagePack,
    serde::Serialize,
    serde::Deserialize,
)]
#[msgpack(map, allow_unknown_fields)]
pub struct StoredOidcProvider {
    /// Human-readable name; also the catalog key.
    pub provider_name: String,
    /// Expected `iss` claim value. Must be non-empty.
    pub issuer: String,
    /// JWKS endpoint URI. Fetched by `JwksRegistry`.
    pub jwks_uri: String,
    /// Expected `aud` claim value. `None` = skip audience validation.
    #[msgpack(default)]
    pub audience: Option<String>,
    /// Ordered claim-mapping rules evaluated at login to derive databases and roles.
    #[msgpack(default)]
    pub claim_mapping: Vec<StoredClaimMappingRule>,
    /// WAL LSN at which this provider was created or last altered.
    pub created_at_lsn: u64,
}

impl SystemCatalog {
    // ── oidc_providers ────────────────────────────────────────────────────

    /// Insert or overwrite an OIDC provider record.
    pub fn put_oidc_provider(&self, provider: &StoredOidcProvider) -> crate::Result<()> {
        let bytes = zerompk::to_msgpack_vec(provider)
            .map_err(|e| catalog_err("serialize StoredOidcProvider", e))?;
        let txn = self
            .db
            .begin_write()
            .map_err(|e| catalog_err("oidc_providers write txn", e))?;
        {
            let mut table = txn
                .open_table(OIDC_PROVIDERS)
                .map_err(|e| catalog_err("open oidc_providers", e))?;
            table
                .insert(provider.provider_name.as_str(), bytes.as_slice())
                .map_err(|e| catalog_err("insert oidc_providers", e))?;
        }
        txn.commit()
            .map_err(|e| catalog_err("oidc_providers commit", e))
    }

    /// Retrieve an OIDC provider record by name.
    pub fn get_oidc_provider(&self, name: &str) -> crate::Result<Option<StoredOidcProvider>> {
        let txn = self
            .db
            .begin_read()
            .map_err(|e| catalog_err("oidc_providers read txn", e))?;
        let table = txn
            .open_table(OIDC_PROVIDERS)
            .map_err(|e| catalog_err("open oidc_providers", e))?;
        match table
            .get(name)
            .map_err(|e| catalog_err("get oidc_providers", e))?
        {
            Some(v) => {
                let p: StoredOidcProvider = zerompk::from_msgpack(v.value())
                    .map_err(|e| catalog_err("deser StoredOidcProvider", e))?;
                Ok(Some(p))
            }
            None => Ok(None),
        }
    }

    /// List all OIDC providers.
    pub fn list_oidc_providers(&self) -> crate::Result<Vec<StoredOidcProvider>> {
        let txn = self
            .db
            .begin_read()
            .map_err(|e| catalog_err("oidc_providers read txn", e))?;
        let table = txn
            .open_table(OIDC_PROVIDERS)
            .map_err(|e| catalog_err("open oidc_providers", e))?;
        let mut out = Vec::new();
        for entry in table
            .iter()
            .map_err(|e| catalog_err("iter oidc_providers", e))?
        {
            let (_, v) = entry.map_err(|e| catalog_err("iter item oidc_providers", e))?;
            let p: StoredOidcProvider = zerompk::from_msgpack(v.value())
                .map_err(|e| catalog_err("deser StoredOidcProvider", e))?;
            out.push(p);
        }
        Ok(out)
    }

    /// Delete an OIDC provider record by name.
    pub fn delete_oidc_provider(&self, name: &str) -> crate::Result<()> {
        let txn = self
            .db
            .begin_write()
            .map_err(|e| catalog_err("oidc_providers write txn", e))?;
        {
            let mut table = txn
                .open_table(OIDC_PROVIDERS)
                .map_err(|e| catalog_err("open oidc_providers", e))?;
            table
                .remove(name)
                .map_err(|e| catalog_err("remove oidc_providers", e))?;
        }
        txn.commit()
            .map_err(|e| catalog_err("oidc_providers commit", e))
    }
}