New request guard: Authorization<Action, Scope>

Filter requests that don't have an API token authorized to read or write
a specific scope;
This commit is contained in:
Baptiste Gelez 2018-10-23 10:37:24 +01:00
parent cd4ae5b7f5
commit 31641b1ea1
4 changed files with 68 additions and 21 deletions

View File

@ -44,7 +44,7 @@ impl ApiToken {
insert!(api_tokens, NewApiToken); insert!(api_tokens, NewApiToken);
find_by!(api_tokens, find_by_value, value as String); find_by!(api_tokens, find_by_value, value as String);
fn can(&self, what: &'static str, scope: &'static str) -> bool { pub fn can(&self, what: &'static str, scope: &'static str) -> bool {
let full_scope = what.to_owned() + ":" + scope; let full_scope = what.to_owned() + ":" + scope;
for s in self.scopes.split('+') { for s in self.scopes.split('+') {
if s == what || s == full_scope { if s == what || s == full_scope {

57
src/api/authorization.rs Normal file
View File

@ -0,0 +1,57 @@
use rocket::{
Outcome,
http::Status,
request::{self, FromRequest, Request}
};
use plume_models::{self, api_tokens::ApiToken};
// Actions
pub trait Action {
fn to_str() -> &'static str;
}
pub struct Read;
impl Action for Read {
fn to_str() -> &'static str {
"read"
}
}
pub struct Write;
impl Action for Write {
fn to_str() -> &'static str {
"write"
}
}
// Scopes
pub trait Scope {
fn to_str() -> &'static str;
}
impl Scope for plume_models::posts::Post {
fn to_str() -> &'static str {
"posts"
}
}
// We have to use A and S in the struct definition
// otherwise rustc complains they are useless
//
// A nicer solution is probably possible.
pub struct Authorization<A, S> (Option<A>, Option<S>);
impl<'a, 'r, A, S> FromRequest<'a, 'r> for Authorization<A, S>
where A: Action,
S: Scope
{
type Error = ();
fn from_request(request: &'a Request<'r>) -> request::Outcome<Authorization<A, S>, ()> {
request.guard::<ApiToken>()
.map_failure(|_| (Status::Unauthorized, ()))
.and_then(|token| if token.can(A::to_str(), S::to_str()) {
Outcome::Success(Authorization(None, None))
} else {
Outcome::Failure((Status::Unauthorized, ()))
})
}
}

View File

@ -51,4 +51,5 @@ fn oauth(query: OAuthRequest, conn: DbConn) -> Json<serde_json::Value> {
} }
pub mod apps; pub mod apps;
pub mod authorization;
pub mod posts; pub mod posts;

View File

@ -7,31 +7,20 @@ use serde_qs;
use plume_api::posts::PostEndpoint; use plume_api::posts::PostEndpoint;
use plume_models::{ use plume_models::{
Connection, Connection,
api_tokens::ApiToken,
db_conn::DbConn, db_conn::DbConn,
posts::Post, posts::Post,
}; };
use api::authorization::*;
#[get("/posts/<id>")] #[get("/posts/<id>")]
fn get(id: i32, conn: DbConn, token: ApiToken) -> Json<serde_json::Value> { fn get(id: i32, conn: DbConn, _auth: Authorization<Read, Post>) -> Json<serde_json::Value> {
if token.can_read("posts") { let post = <Post as Provider<Connection>>::get(&*conn, id).ok();
let post = <Post as Provider<Connection>>::get(&*conn, id).ok(); Json(json!(post))
Json(json!(post))
} else {
Json(json!({
"error": "Unauthorized"
}))
}
} }
#[get("/posts")] #[get("/posts")]
fn list(conn: DbConn, uri: &Origin, token: ApiToken) -> Json<serde_json::Value> { fn list(conn: DbConn, uri: &Origin, _auth: Authorization<Read, Post>) -> Json<serde_json::Value> {
if token.can_read("posts") { let query: PostEndpoint = serde_qs::from_str(uri.query().unwrap_or("")).expect("api::list: invalid query error");
let query: PostEndpoint = serde_qs::from_str(uri.query().unwrap_or("")).expect("api::list: invalid query error"); let post = <Post as Provider<Connection>>::list(&*conn, query);
let post = <Post as Provider<Connection>>::list(&*conn, query); Json(json!(post))
Json(json!(post)) }
} else {
Json(json!({
"error": "Unauthorized"
}))
}}