witmproxy 0.0.2-alpha

A WASM-in-the-middle proxy
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

use salvo::handler;
use salvo::http::StatusCode;
use salvo::prelude::*;
use sqlx::SqlitePool;
use tracing::{debug, warn};

use crate::acl;
use crate::db::tenants::Tenant;

/// ACL middleware that checks if the authenticated tenant has permission
/// to access the requested resource. The resource string is injected
/// into the depot by the endpoint handler before this middleware runs,
/// or computed from the request path.
///
/// Usage: Add this handler after `jwt_auth` in the middleware chain.
/// The `tenant_id` must already be in the depot (set by jwt_auth).
#[handler]
pub async fn acl_check(
    req: &mut Request,
    depot: &mut Depot,
    res: &mut Response,
    ctrl: &mut FlowCtrl,
) {
    // If auth is disabled, skip ACL checks
    let _auth_config = match depot.obtain::<crate::config::AuthConfig>() {
        Ok(config) if config.enabled => config.clone(),
        _ => return,
    };

    let tenant_id = match depot.get::<String>("tenant_id") {
        Ok(id) => id.clone(),
        Err(_) => {
            // No tenant_id means jwt_auth didn't run or auth is disabled
            res.status_code(StatusCode::UNAUTHORIZED);
            res.render(Text::Plain("Authentication required"));
            ctrl.skip_rest();
            return;
        }
    };

    let pool = match depot.obtain::<SqlitePool>() {
        Ok(p) => p.clone(),
        Err(_) => {
            res.status_code(StatusCode::INTERNAL_SERVER_ERROR);
            res.render(Text::Plain("Database not available"));
            ctrl.skip_rest();
            return;
        }
    };

    // Load tenant and their permissions
    let tenant = match Tenant::by_id(&pool, &tenant_id).await {
        Ok(Some(t)) if t.enabled => t,
        Ok(Some(_)) => {
            res.status_code(StatusCode::FORBIDDEN);
            res.render(Text::Plain("Account disabled"));
            ctrl.skip_rest();
            return;
        }
        Ok(None) => {
            res.status_code(StatusCode::UNAUTHORIZED);
            res.render(Text::Plain("Tenant not found"));
            ctrl.skip_rest();
            return;
        }
        Err(e) => {
            warn!("Database error loading tenant: {}", e);
            res.status_code(StatusCode::INTERNAL_SERVER_ERROR);
            res.render(Text::Plain("Internal error"));
            ctrl.skip_rest();
            return;
        }
    };

    let permissions = match tenant.permissions(&pool).await {
        Ok(p) => p,
        Err(e) => {
            warn!("Failed to load permissions for tenant {}: {}", tenant_id, e);
            res.status_code(StatusCode::INTERNAL_SERVER_ERROR);
            res.render(Text::Plain("Internal error"));
            ctrl.skip_rest();
            return;
        }
    };

    // Derive resource string from the request path + method
    let resource = derive_resource_from_request(req);
    debug!(
        "ACL check: tenant={}, resource={}, permissions={}",
        tenant_id,
        resource,
        permissions.len()
    );

    if acl::evaluate(&permissions, &resource) {
        debug!("ACL granted: {} -> {}", tenant_id, resource);
        // Store permissions in depot for potential further use
        depot.insert("acl_permissions", permissions);
    } else {
        debug!("ACL denied: {} -> {}", tenant_id, resource);
        res.status_code(StatusCode::FORBIDDEN);
        res.render(Text::Plain("Insufficient permissions"));
        ctrl.skip_rest();
    }
}

/// Derive an ACL resource string from the request path and method.
/// Maps REST endpoints to colon-delimited resource patterns.
fn derive_resource_from_request(req: &Request) -> String {
    let path = req.uri().path();
    let method = req.method().as_str();

    let action = match method {
        "GET" | "HEAD" => "read",
        "POST" => "write",
        "PUT" | "PATCH" => "write",
        "DELETE" => "delete",
        _ => "read",
    };

    // Parse management API paths
    // /api/manage/tenants -> tenants:*:action
    // /api/manage/tenants/:id -> tenants:<id>:action
    // /api/manage/groups -> groups:*:action
    // /api/manage/groups/:id -> groups:<id>:action
    // /api/manage/groups/:id/members -> groups:<id>:manage
    // /api/manage/groups/:id/permissions -> groups:<id>:manage
    // /api/manage/tenants/:id/plugins/:ns/:name/... -> plugins:<ns>/<name>:configure

    let segments: Vec<&str> = path
        .trim_start_matches("/api/manage/")
        .split('/')
        .filter(|s| !s.is_empty())
        .collect();

    match segments.as_slice() {
        ["tenants"] => format!("tenants:*:{}", action),
        ["tenants", id] => format!("tenants:{}:{}", id, action),
        ["tenants", id, "plugins", ..] => format!("tenants:{}:configure", id),
        ["tenants", id, "ip-mappings", ..] => format!("tenants:{}:configure", id),
        ["groups"] => format!("groups:*:{}", action),
        ["groups", id] => format!("groups:{}:{}", id, action),
        ["groups", id, "members"] => format!("groups:{}:manage", id),
        ["groups", id, "permissions"] => format!("groups:{}:manage", id),
        _ => format!("unknown:*:{}", action),
    }
}