rise-deploy 0.16.4

A simple and powerful CLI for deploying containerized applications
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171

//! Platform access control
//!
//! Determines whether a user has access to Rise platform features (CLI/API/Dashboard)
//! vs application-only access (ingress auth).

use crate::db::models::User;
use crate::server::settings::{PlatformAccessConfig, PlatformAccessPolicy};

/// Trait for checking platform access permissions
pub trait PlatformAccessChecker {
    /// Check if a user has platform access based on email and IdP groups
    fn has_platform_access(&self, user: &User, idp_groups: Option<&[String]>) -> bool;
}

/// Config-based platform access checker
pub struct ConfigBasedAccessChecker<'a> {
    pub config: &'a PlatformAccessConfig,
    pub admin_users: &'a [String],
}

impl<'a> PlatformAccessChecker for ConfigBasedAccessChecker<'a> {
    fn has_platform_access(&self, user: &User, idp_groups: Option<&[String]>) -> bool {
        // Admin users always have platform access
        if super::admin::is_admin_user(self.admin_users, &user.email) {
            return true;
        }

        match self.config.policy {
            PlatformAccessPolicy::AllowAll => true,
            PlatformAccessPolicy::Restrictive => {
                // Check email allowlist
                if self
                    .config
                    .allowed_user_emails
                    .iter()
                    .any(|email| email.eq_ignore_ascii_case(&user.email))
                {
                    return true;
                }

                // Check IdP group allowlist
                if let Some(groups) = idp_groups {
                    if self.config.allowed_idp_groups.iter().any(|allowed_group| {
                        groups
                            .iter()
                            .any(|user_group| user_group.eq_ignore_ascii_case(allowed_group))
                    }) {
                        return true;
                    }
                }

                false
            }
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use uuid::Uuid;

    fn make_user(email: &str) -> User {
        User {
            id: Uuid::new_v4(),
            email: email.to_string(),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        }
    }

    #[test]
    fn test_allow_all_policy() {
        let config = PlatformAccessConfig {
            policy: PlatformAccessPolicy::AllowAll,
            allowed_user_emails: vec![],
            allowed_idp_groups: vec![],
        };
        let checker = ConfigBasedAccessChecker {
            config: &config,
            admin_users: &[],
        };

        let user = make_user("anyone@example.com");
        assert!(checker.has_platform_access(&user, None));
    }

    #[test]
    fn test_admin_always_has_access() {
        let config = PlatformAccessConfig {
            policy: PlatformAccessPolicy::Restrictive,
            allowed_user_emails: vec![],
            allowed_idp_groups: vec![],
        };
        let checker = ConfigBasedAccessChecker {
            config: &config,
            admin_users: &["admin@example.com".to_string()],
        };

        let user = make_user("admin@example.com");
        assert!(checker.has_platform_access(&user, None));
    }

    #[test]
    fn test_restrictive_email_allowlist() {
        let config = PlatformAccessConfig {
            policy: PlatformAccessPolicy::Restrictive,
            allowed_user_emails: vec!["allowed@example.com".to_string()],
            allowed_idp_groups: vec![],
        };
        let checker = ConfigBasedAccessChecker {
            config: &config,
            admin_users: &[],
        };

        let allowed_user = make_user("allowed@example.com");
        assert!(checker.has_platform_access(&allowed_user, None));

        let denied_user = make_user("denied@example.com");
        assert!(!checker.has_platform_access(&denied_user, None));
    }

    #[test]
    fn test_restrictive_group_allowlist() {
        let config = PlatformAccessConfig {
            policy: PlatformAccessPolicy::Restrictive,
            allowed_user_emails: vec![],
            allowed_idp_groups: vec!["engineering".to_string()],
        };
        let checker = ConfigBasedAccessChecker {
            config: &config,
            admin_users: &[],
        };

        let user = make_user("user@example.com");

        // User with allowed group
        assert!(checker.has_platform_access(&user, Some(&["engineering".to_string()])));

        // User without allowed group
        assert!(!checker.has_platform_access(&user, Some(&["marketing".to_string()])));

        // User with no groups
        assert!(!checker.has_platform_access(&user, None));
    }

    #[test]
    fn test_case_insensitive_matching() {
        let config = PlatformAccessConfig {
            policy: PlatformAccessPolicy::Restrictive,
            allowed_user_emails: vec!["User@Example.Com".to_string()],
            allowed_idp_groups: vec!["Engineering".to_string()],
        };
        let checker = ConfigBasedAccessChecker {
            config: &config,
            admin_users: &["Admin@Example.Com".to_string()],
        };

        // Email case insensitive
        let user1 = make_user("user@example.com");
        assert!(checker.has_platform_access(&user1, None));

        // Admin case insensitive
        let user2 = make_user("admin@example.com");
        assert!(checker.has_platform_access(&user2, None));

        // Group case insensitive
        let user3 = make_user("other@example.com");
        assert!(checker.has_platform_access(&user3, Some(&["engineering".to_string()])));
    }
}