Today's adventures will take me back to #OnlyJunkFans land. I'll be working on some UI stuff to guide how I shape the backend later.
My hope is that by the end of the day, the deployed version will have a demo login that works.
Today, I will continue the adventures I were on yesterday, and do some OJF stuff.
As per usual, I'll start a new monster thread.
So, I'm playing with permissions. And one of the things I couldn't figure out last night was the demo account with permissions only.
With the permission set laid out last night, I could express most of it, but not the "can change hosts & whatnot, but they'll have no effect" part.
How about a "services:deploy" permission? That permission is required to activate the configured services.
That leaves only the forced password change as a thing I can't express as a permission. How about I deal with that later?
Holy fuck, getting permissions to be laid out nicely typed in both SQL and Rust was a colossal pain in the ass.
In hindsight, the implementation is straightforward, but figuring out how to get there... oof.
CREATE TYPE account_permission AS ENUM (
'profile-read',
'profile-write',
'profile-delete',
'hosts-read',
'hosts-write',
'hosts-create',
'hosts-delete',
'scripts-read',
'scripts-write',
'scripts-create',
'scripts-delete',
'services-activate'
);
CREATE TABLE IF NOT EXISTS account_permissions (
account_id bigint,
permission account_permission NOT NULL,
CONSTRAINT fk_account FOREIGN KEY (account_id)
REFERENCES accounts(id)
);
And on the Rust side:
#[derive(Debug, Clone, Eq, PartialEq, PartialOrd, Hash, sqlx::Type, Deserialize, Serialize)]
#[sqlx(type_name = "account_permission", rename_all = "kebab-case")]
pub enum Permission {
ProfileRead,
ProfileWrite,
ProfileDelete,
HostsRead,
HostsWrite,
HostsCreate,
HostsDelete,
ScriptsRead,
ScriptsWrite,
ScriptsCreate,
ScriptsDelete,
ServicesActivate,
}
impl AuthzBackend for Database {
type Permission = Permission;
async fn get_user_permissions(
&self,
user: &Self::User,
) -> Result<HashSet<Self::Permission>, Self::Error> {
#[derive(Debug, Clone, Serialize, Deserialize, FromRow)]
pub struct AccountPermissions {
permission: Permission,
}
let permissions: Vec<AccountPermissions> =
sqlx::query_as("SELECT DISTINCT permission FROM account_permissions WHERE account_id = $1")
.bind(user.id)
.fetch_all(&self.db)
.await?;
Ok(permissions.into_iter().map(|p| p.permission).collect())
}
}
Looks simple, yes, but getting here from SQLx's permissions example was non-trivial.
Why not use their method, of having a permissions table with string keys? Because that's bad typing, and would involve a join, and I hate it.
Now, this whole permission system is completely unused at the moment. I'll go about changing that in a bit.
But first: I need some admin commands for the CLI, so I can manage users without having to go directly into postgres.