yeti_types/schema/

access.rs

//! Authorization declarations for tables (`@access` directive).
//!
//! Introduces `@access` as the dedicated authorization axis.
//! It owns the `public: [...]` allow-list and adds a per-op
//! `roles: { op: [role, ...] }` RBAC matrix.
//!
//! Extends the matrix to support both flat-list and
//! per-protocol shapes. See [`OpPolicy`] for the per-op shape.

use std::collections::HashMap;

/// Transport that delivered a request — the request-origin role of the
/// canonical [`Transport`](crate::transport::Transport). Used as a key in
/// the `@access(roles:)` per-protocol shape and as a field on `Context`
/// so the dispatch layer can match requests against per-protocol gates.
///
/// This is the SAME type as `@export`'s transport set; parse a key with
/// `Protocol::from_name`. Kept under the `Protocol` name for its
/// request-origin reading at call sites.
pub use crate::transport::Transport as Protocol;

/// Per-op policy in `@access(roles:)`.
///
/// `AnyProtocol(roles)` — the historical flat list shape; the role
/// list applies regardless of which transport delivered the request.
/// Parsed from `roles: { update: [admin, editor] }`.
///
/// `PerProtocol(map)` — gates by `(role, protocol)`; only the
/// roles listed for the originating transport are allowed. Parsed
/// from `roles: { update: { rest: [admin], mqtt: [client] } }`.
#[derive(Debug, Clone)]
pub enum OpPolicy {
    /// Flat list: the role list applies regardless of transport.
    /// Parsed from `roles: { update: [admin, editor] }`.
    AnyProtocol(Vec<String>),
    /// Per-protocol matrix: only roles listed for the originating
    /// transport are allowed. Parsed from
    /// `roles: { update: { rest: [admin], mqtt: [client] } }`.
    PerProtocol(HashMap<Protocol, Vec<String>>),
}

impl OpPolicy {
    /// Allowed roles for a request arriving on `protocol`. Returns
    /// an empty slice when the op-policy denies all roles on that
    /// protocol (per-protocol shape, protocol not listed).
    #[must_use]
    pub fn allowed_for(&self, protocol: Protocol) -> &[String] {
        match self {
            Self::AnyProtocol(roles) => roles.as_slice(),
            Self::PerProtocol(map) => map.get(&protocol).map_or(&[], Vec::as_slice),
        }
    }
}

/// Operations that can be declared publicly accessible via
/// `@access(public: [read, create, ...])`.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum PublicAccess {
    /// GET requests (`allow_read`)
    Read,
    /// POST requests (`allow_create`)
    Create,
    /// PUT/PATCH requests (`allow_update`)
    Update,
    /// DELETE requests (`allow_delete`)
    Delete,
    /// SSE subscriptions (`allow_subscribe`)
    Subscribe,
    /// WebSocket connections (`allow_connect`)
    Connect,
    /// Publish operations (`allow_publish`)
    Publish,
}

impl PublicAccess {
    /// Parse a public access operation from a string (case-insensitive).
    #[must_use]
    pub fn parse(s: &str) -> Option<Self> {
        match s.to_lowercase().as_str() {
            "read" => Some(Self::Read),
            "create" => Some(Self::Create),
            "update" => Some(Self::Update),
            "delete" => Some(Self::Delete),
            "subscribe" => Some(Self::Subscribe),
            "connect" => Some(Self::Connect),
            "publish" => Some(Self::Publish),
            _ => None,
        }
    }
}

/// `@access` directive — authorization axis.
///
/// Bare `@access` (no args) inherits the app's auth pipeline (current
/// default behavior). Set `public` to allow unauthenticated callers
/// to perform specific operations; set `roles` to require specific
/// roles per operation.
#[derive(Debug, Clone, Default)]
pub struct AccessConfig {
    /// Operations anyone can perform without authentication. Same
    /// semantics as the older `@export(public:)` allow-list.
    pub public: std::collections::HashSet<PublicAccess>,
    /// Per-op required roles + optional per-protocol gating.
    /// A request to operation `Op` arriving on
    /// transport `P` is allowed when the authenticated user holds at
    /// least one of `roles[&Op].allowed_for(P)`. Missing-from-the-map
    /// = no per-op role requirement; the app's auth pipeline decides.
    pub roles: HashMap<PublicAccess, OpPolicy>,
}