zino-auth 0.15.0

Authentication and authorization for zino.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262

use super::{AccessKeyId, SessionId};
use serde::{Deserialize, Serialize};
use std::str::FromStr;
use zino_core::{
    application::{Agent, Application},
    crypto::Digest,
};

#[cfg(feature = "jwt")]
use super::JwtClaims;

#[cfg(feature = "jwt")]
use zino_core::{error::Error, extension::JsonObjectExt, warn};

/// Role-based user sessions.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct UserSession<U, R = String, T = U> {
    /// User ID.
    user_id: U,
    /// Session ID.
    session_id: Option<SessionId>,
    /// Access key ID.
    access_key_id: Option<AccessKeyId>,
    /// A list of user roles.
    roles: Vec<R>,
    /// Tenant ID.
    tenant_id: Option<T>,
}

impl<U, R, T> UserSession<U, R, T> {
    /// Creates a new instance with empty roles.
    #[inline]
    pub fn new(user_id: U, session_id: impl Into<Option<SessionId>>) -> Self {
        Self {
            user_id,
            session_id: session_id.into(),
            access_key_id: None,
            roles: Vec::new(),
            tenant_id: None,
        }
    }

    /// Sets the session ID.
    #[inline]
    pub fn set_session_id(&mut self, session_id: SessionId) {
        self.session_id = Some(session_id);
    }

    /// Sets the access key ID.
    #[inline]
    pub fn set_access_key_id(&mut self, access_key_id: AccessKeyId) {
        if self.session_id.is_none() {
            let session_id = SessionId::new::<Digest>(Agent::domain(), access_key_id.as_ref());
            self.session_id = Some(session_id);
        }
        self.access_key_id = Some(access_key_id);
    }

    /// Sets the user roles.
    #[inline]
    pub fn set_roles(&mut self, roles: impl Into<Vec<R>>) {
        self.roles = roles.into();
    }

    /// Sets the tenant ID.
    #[inline]
    pub fn set_tenant_id(&mut self, tenant_id: T) {
        self.tenant_id = Some(tenant_id);
    }

    /// Returns the user ID.
    #[inline]
    pub fn user_id(&self) -> &U {
        &self.user_id
    }

    /// Returns the tenant ID.
    #[inline]
    pub fn tenant_id(&self) -> Option<&T> {
        self.tenant_id.as_ref()
    }

    /// Returns the session ID.
    #[inline]
    pub fn session_id(&self) -> Option<&SessionId> {
        self.session_id.as_ref()
    }

    /// Returns the access key ID.
    #[inline]
    pub fn access_key_id(&self) -> Option<&AccessKeyId> {
        self.access_key_id.as_ref()
    }

    /// Returns the roles.
    #[inline]
    pub fn roles(&self) -> &[R] {
        &self.roles
    }
}

impl<U, R, T> UserSession<U, R, T>
where
    U: FromStr,
    R: FromStr,
    T: FromStr,
    <U as FromStr>::Err: std::error::Error + Send + 'static,
{
    /// Attempts to construct an instance from a `JwtClaims`.
    #[cfg(feature = "jwt")]
    pub fn try_from_jwt_claims(claims: JwtClaims) -> Result<Self, Error> {
        let data = claims.data();
        let user_id = claims
            .subject()
            .map(|s| s.into())
            .or_else(|| data.parse_string("uid"))
            .ok_or_else(|| warn!("subject of a JWT token should be specified"))?
            .parse()?;
        let mut user_session = Self::new(user_id, None);
        if let Some(Ok(roles)) = data
            .parse_array("roles")
            .or_else(|| data.parse_array("role"))
        {
            user_session.set_roles(roles);
        }
        if let Some(tenant_id) = data
            .parse_string("tenant_id")
            .or_else(|| data.parse_string("tid"))
            .and_then(|s| s.parse().ok())
        {
            user_session.set_tenant_id(tenant_id);
        }
        Ok(user_session)
    }
}

impl<U, T> UserSession<U, String, T> {
    /// Returns `true` if the user has a role of `superuser`.
    #[inline]
    pub fn is_superuser(&self) -> bool {
        self.roles() == ["superuser"]
    }

    /// Returns `true` if the user has a role of `user`.
    #[inline]
    pub fn is_user(&self) -> bool {
        self.roles() == ["user"]
    }

    /// Returns `true` if the user has a role of `guest`.
    #[inline]
    pub fn is_guest(&self) -> bool {
        self.roles() == ["guest"]
    }

    /// Returns `true` if the user has a role of `agent`.
    #[inline]
    pub fn is_agent(&self) -> bool {
        self.roles() == ["agent"]
    }

    /// Returns `true` if the user has a role of `admin`.
    pub fn is_admin(&self) -> bool {
        let role = "admin";
        let role_prefix = format!("{role}:");
        for r in &self.roles {
            if r == role || r.starts_with(&role_prefix) {
                return true;
            }
        }
        false
    }

    /// Returns `true` if the user has a role of `worker`.
    pub fn is_worker(&self) -> bool {
        let role = "worker";
        let role_prefix = format!("{role}:");
        for r in &self.roles {
            if r == role || r.starts_with(&role_prefix) {
                return true;
            }
        }
        false
    }

    /// Returns `true` if the user has a role of `auditor`.
    pub fn is_auditor(&self) -> bool {
        let role = "auditor";
        let role_prefix = format!("{role}:");
        for r in &self.roles {
            if r == role || r.starts_with(&role_prefix) {
                return true;
            }
        }
        false
    }

    /// Returns `true` if the user has one of the roles: `superuser`, `user`,
    /// `admin`, `worker` and `auditor`.
    pub fn has_user_role(&self) -> bool {
        self.is_superuser()
            || self.is_user()
            || self.is_admin()
            || self.is_worker()
            || self.is_auditor()
    }

    /// Returns `true` if the user has a role of `superuser` or `admin`.
    pub fn has_admin_role(&self) -> bool {
        self.is_superuser() || self.is_admin()
    }

    /// Returns `true` if the user has a role of `superuser` or `worker`.
    pub fn has_worker_role(&self) -> bool {
        self.is_superuser() || self.is_worker()
    }

    /// Returns `true` if the user has a role of `superuser` or `auditor`.
    pub fn has_auditor_role(&self) -> bool {
        self.is_superuser() || self.is_auditor()
    }

    /// Returns `true` if the user has the specific `role`.
    pub fn has_role(&self, role: &str) -> bool {
        let length = role.len();
        for r in &self.roles {
            if r == role {
                return true;
            } else {
                let remainder = if r.len() > length {
                    r.strip_prefix(role)
                } else {
                    role.strip_prefix(r.as_str())
                };
                if remainder.is_some_and(|s| s.starts_with(':')) {
                    return true;
                }
            }
        }
        false
    }

    /// Returns `true` if the user has any of the specific `roles`.
    pub fn has_any_roles(&self, roles: &[&str]) -> bool {
        for role in roles {
            if self.has_role(role) {
                return true;
            }
        }
        false
    }

    /// Returns `true` if the user has all of the specific `roles`.
    pub fn has_all_roles(&self, roles: &[&str]) -> bool {
        for role in roles {
            if !self.has_role(role) {
                return false;
            }
        }
        true
    }
}