raisfast 0.2.19

The last backend you'll ever need. Rust-powered headless CMS with built-in blog, ecommerce, wallet, payment and 4 plugin engines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

//! RBAC permission guard middleware
//!
//! Replaces hardcoded `role == "admin"` checks with fine-grained authorization
//! via the permissions table. Retains existing `AuthUser` / `AdminUser` / `AuthorUser`
//! extractors as convenience entry points, and adds `PermissionGuard` for scenarios
//! requiring dynamic permission checks.

use std::collections::HashMap;

use axum::extract::FromRequestParts;
use axum::http::request::Parts;
use serde_json::Value;

use crate::AppState;
use crate::errors::app_error::AppError;
use crate::services::rbac::RbacService;
use crate::utils::auth::extract_claims;

/// RBAC permission guard extractor
///
/// Extracts user info from JWT, then checks whether the user's role has permission
/// to perform the specified action.
///
/// # Usage
///
/// ```ignore
/// async fn create_post(
///     guard: PermissionGuard,
///     State(state): State<AppState>,
/// ) -> ... {
///     // guard has passed permission check
///     guard.user_id  // current user ID
/// }
/// ```
#[derive(Debug, Clone)]
pub struct PermissionGuard {
    pub user_id: String,
    pub role: crate::models::user::UserRole,
    pub tenant_id: String,
}

impl PermissionGuard {
    /// Public method for checking permissions, usable within handlers
    pub async fn check(
        &self,
        rbac: &RbacService,
        action: &str,
        subject: &str,
    ) -> Result<(), AppError> {
        let role_id = rbac
            .get_role_id_by_name(self.role.as_str())
            .await?
            .map(|id| id.to_string())
            .unwrap_or_else(|| self.role.as_str().to_string());

        rbac.check_permission(&role_id, action, subject, None).await
    }

    pub async fn check_with_context(
        &self,
        rbac: &RbacService,
        action: &str,
        subject: &str,
        context: &HashMap<String, Value>,
    ) -> Result<(), AppError> {
        let role_id = rbac
            .get_role_id_by_name(self.role.as_str())
            .await?
            .map(|id| id.to_string())
            .unwrap_or_else(|| self.role.as_str().to_string());

        rbac.check_permission(&role_id, action, subject, Some(context))
            .await
    }
}

/// When `PermissionGuard` is used as an extractor, it only performs JWT authentication
/// (does not automatically check permissions). Permission checking is done by calling
/// `guard.check()` within the handler.
impl FromRequestParts<AppState> for PermissionGuard {
    type Rejection = AppError;

    fn from_request_parts(
        parts: &mut Parts,
        state: &AppState,
    ) -> impl std::future::Future<Output = Result<Self, Self::Rejection>> + Send {
        let result = extract_claims(parts, state);
        async move {
            let claims = result?;
            Ok(PermissionGuard {
                user_id: claims.sub,
                role: claims.role,
                tenant_id: claims.tenant_id,
            })
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::models::user::UserRole;

    #[test]
    fn construction_fields_match() {
        let guard = PermissionGuard {
            user_id: "user-123".to_string(),
            role: UserRole::Author,
            tenant_id: "tenant-1".to_string(),
        };
        assert_eq!(guard.user_id, "user-123");
        assert_eq!(guard.role, UserRole::Author);
        assert_eq!(guard.tenant_id, "tenant-1");
    }

    #[test]
    fn admin_role_field() {
        let guard = PermissionGuard {
            user_id: "admin-1".to_string(),
            role: UserRole::Admin,
            tenant_id: "t1".to_string(),
        };
        assert_eq!(guard.role, UserRole::Admin);
        assert_eq!(guard.role.as_str(), "admin");
    }

    #[test]
    fn clone_and_debug() {
        let guard = PermissionGuard {
            user_id: "u1".to_string(),
            role: UserRole::Reader,
            tenant_id: "t1".to_string(),
        };
        let cloned = guard.clone();
        assert_eq!(cloned.user_id, guard.user_id);
        assert_eq!(cloned.role.as_str(), guard.role.as_str());
        assert_eq!(cloned.tenant_id, guard.tenant_id);
        let debug_str = format!("{guard:?}");
        assert!(debug_str.contains("u1"));
    }
}