Update key access control

Author: lucemans

engine/src/middlewares/auth.rs

@@ -10,14 +10,15 @@ use tracing::{info, info_span, Instrument};
 use tracing_opentelemetry::OpenTelemetrySpanExt;
 
 use crate::{
-    models::{session::Session, team::Team},
+    models::{keys::Key, session::Session, team::Team},
     routes::error::HttpError,
     state::State,
     utils::hash::hash_session,
 };
 
 pub enum UserAuth {
     User(Session, State),
+    Key(Key, State),
     None(State),
 }
 
@@ -60,39 +61,61 @@ impl<'a> ApiExtractor<'a> for UserAuth {
                 .map(|x| x.replace("Bearer ", ""));
 
             // Token could either be a session token or a pat token
-            if token.is_none() {
-                return Ok(UserAuth::None(state.clone()));
-            }
-
-            let token = token.unwrap();
-
-            let cache_key = format!("session:{}", token);
-
-            let is_user = state
-                .cache
-                .raw
-                .get_with(cache_key, async {
-                    // Use tracing events instead of spans to avoid Send issues
-                    info!("Cache miss for session: {}", token);
+            let token = match token {
+                Some(token) => token,
+                None => return Ok(UserAuth::None(state.clone())),
+            };
+
+            // check the token
+            if token.starts_with("se_") {
+                let cache_key = format!("session:{}", token);
+
+                let is_user = state
+                    .cache
+                    .raw
+                    .get_with(cache_key, async {
+                        // Use tracing events instead of spans to avoid Send issues
+                        info!("Cache miss for session: {}", token);
+
+                        // Hash the token
+                        let hash = hash_session(&token);
+
+                        // Check if active session exists with token
+                        let session = Session::try_access(&state.database, &hash)
+                            .await
+                            .unwrap()
+                            .ok_or(HttpError::Unauthorized)
+                            .unwrap();
+
+                        serde_json::to_value(session).unwrap()
+                    })
+                    .await;
+
+                let session: Option<Session> = serde_json::from_value(is_user).ok();
+
+                if let Some(session) = session {
+                    return Ok(UserAuth::User(session, state.clone()));
+                }
+            } else if token.starts_with("k_") {
+                let cache_key = format!("key:{}", token);
 
-                    // Hash the token
+                let is_key = state.cache.raw.get_with(cache_key, async {
                     let hash = hash_session(&token);
 
-                    // Check if active session exists with token
-                    let session = Session::try_access(&state.database, &hash)
+                    let key = Key::get_by_id(&state.database, hash.as_ref())
                         .await
                         .unwrap()
                         .ok_or(HttpError::Unauthorized)
                         .unwrap();
 
-                    serde_json::to_value(session).unwrap()
-                })
-                .await;
+                    serde_json::to_value(key).unwrap()
+                }).await;
 
-            let session: Option<Session> = serde_json::from_value(is_user).ok();
+                let key: Option<Key> = serde_json::from_value(is_key).ok();
 
-            if let Some(session) = session {
-                return Ok(UserAuth::User(session, state.clone()));
+                if let Some(key) = key {
+                    return Ok(UserAuth::Key(key, state.clone()));
+                }
             }
 
             Err(HttpError::Unauthorized.into())
@@ -124,23 +147,28 @@ impl<'a> ApiExtractor<'a> for UserAuth {
 }
 
 impl UserAuth {
-    pub fn ok(&self) -> Option<&Session> {
+    /// @deprecated
+    pub fn ok_session(&self) -> Option<&Session> {
         match self {
             UserAuth::User(session, _) => Some(session),
+            UserAuth::Key(_, _) => None,
             UserAuth::None(_) => None,
         }
     }
 
-    pub fn required(&self) -> Result<&Session> {
+    /// @deprecated
+    pub fn required_session(&self) -> Result<&Session> {
         match self {
             UserAuth::User(session, _) => Ok(session),
+            UserAuth::Key(_, _) => Err(HttpError::Unauthorized.into()),
             UserAuth::None(_) => Err(HttpError::Unauthorized.into()),
         }
     }
 
     pub fn user_id(&self) -> Option<&str> {
         match self {
             UserAuth::User(session, _) => Some(&session.user_id),
+            UserAuth::Key(_, __) => None,
             UserAuth::None(_) => None,
         }
     }
@@ -168,7 +196,10 @@ impl UserAuth {
                     }
 
                     Ok(())
-                }
+                },
+                UserAuth::Key(key, _) => {
+                    Err(HttpError::Forbidden)
+                },
                 UserAuth::None(_) => Err(HttpError::Unauthorized),
             }
         }
@@ -190,7 +221,16 @@ impl UserAuth {
         async move {
             match self {
                 UserAuth::User(session, state) => match resource
-                    .has_access_to(state, &session.user_id)
+                    .has_access(state, "user", &session.user_id)
+                    .await
+                    .map_err(HttpError::from)
+                {
+                    Ok(true) => Ok(()),
+                    Ok(false) => Err(HttpError::Forbidden),
+                    Err(e) => Err(e),
+                },
+                UserAuth::Key(key, state) => match resource
+                    .has_access(state, &key.key_type, &key.key_resource)
                     .await
                     .map_err(HttpError::from)
                 {
@@ -207,9 +247,11 @@ impl UserAuth {
 }
 
 pub trait AccessibleResource: Debug {
-    fn has_access_to(
+    fn has_access(
         &self,
         state: &State,
-        user_id: &str,
+        // 'user' | 'site' | 'team'
+        resource: &str,
+        resource_id: &str,
     ) -> impl std::future::Future<Output = Result<bool, HttpError>> + Send;
 }

engine/src/models/session/mod.rs

@@ -140,7 +140,7 @@ impl Session {
         resource: &impl AccessibleResource,
     ) -> Result<(), HttpError> {
         resource
-            .has_access_to(state, &self.user_id)
+            .has_access(state, "user", &self.user_id)
             .await
             .map_err(HttpError::from)?;
         Ok(())

engine/src/models/site.rs

@@ -136,22 +136,46 @@ impl Site {
 pub struct SiteId<'a>(pub &'a str);
 
 impl<'a> AccessibleResource for SiteId<'a> {
-    #[tracing::instrument(name = "has_access_to", skip(state))]
-    async fn has_access_to(&self, state: &State, user_id: &str) -> Result<bool, HttpError> {
+    #[tracing::instrument(name = "has_access", skip(state))]
+    async fn has_access(
+        &self,
+        state: &State,
+        resource: &str,
+        resource_id: &str,
+    ) -> Result<bool, HttpError> {
         let cache_key = format!("site:{}", self.0);
 
         let part_of_site = state.cache.raw.get_with(cache_key, async {
-            // Verify that the user is a member of the team that owns the site
-            let part_of_site = query_scalar!(
-                "SELECT EXISTS (SELECT 1 FROM sites WHERE site_id = $1 AND team_id IN (SELECT team_id FROM user_teams WHERE user_id = $2) OR team_id IN (SELECT team_id FROM teams WHERE owner_id = $2))",
-                self.0,
-                user_id
-            )
-            .fetch_one(&state.database.pool)
-            .await;
-
-            let part_of_site = part_of_site.ok().flatten().unwrap_or(false);
-            serde_json::to_value(part_of_site).unwrap()
+            if resource == "user" {
+                // Verify that the user is a member of the team that owns the site
+                let part_of_site = query_scalar!(
+                    "SELECT EXISTS (SELECT 1 FROM sites WHERE site_id = $1 AND team_id IN (SELECT team_id FROM user_teams WHERE user_id = $2) OR team_id IN (SELECT team_id FROM teams WHERE owner_id = $2))",
+                    self.0,
+                    resource_id
+                )
+                .fetch_one(&state.database.pool)
+                .await;
+
+                let part_of_site = part_of_site.ok().flatten().unwrap_or(false);
+
+                serde_json::to_value(part_of_site).unwrap()
+            } else if resource == "site" {
+                if self.0 == resource_id {
+                    serde_json::to_value(true).unwrap()
+                } else {
+                    serde_json::to_value(false).unwrap()
+                }
+            } else if resource == "team" {
+                let site = Site::get_by_id(&state.database, resource_id).await.map_err(HttpError::from).ok();
+
+                let site_has_access = site
+                    .map(|s| s.team_id == resource_id)
+                    .unwrap_or(false);
+
+                serde_json::to_value(site_has_access).unwrap()
+            } else {
+                serde_json::to_value(false).unwrap()
+            }
         }).await;
 
         let part_of_site: bool = serde_json::from_value(part_of_site).unwrap_or_default();

engine/src/models/team/mod.rs

@@ -52,7 +52,10 @@ impl Team {
     }
 
     #[tracing::instrument(name = "get_by_id", skip(db))]
-    pub async fn get_by_id(db: &Database, team_id: impl AsRef<str> + Debug) -> Result<Self, sqlx::Error> {
+    pub async fn get_by_id(
+        db: &Database,
+        team_id: impl AsRef<str> + Debug,
+    ) -> Result<Self, sqlx::Error> {
         let span = info_span!("Team::get_by_id");
         span.set_parent(Context::current());
         let _guard = span.enter();
@@ -127,11 +130,18 @@ impl Team {
     ) -> Result<bool, sqlx::Error> {
         let cache_key = format!("team:{}:member:{}", team_id.as_ref(), user_id.as_ref());
 
-        let is_member = state.cache.raw.get_with(cache_key.clone(), async {
-            let member = Team::_is_member(state.clone(), team_id, user_id).await.ok().unwrap_or(false);
+        let is_member = state
+            .cache
+            .raw
+            .get_with(cache_key.clone(), async {
+                let member = Team::_is_member(state.clone(), team_id, user_id)
+                    .await
+                    .ok()
+                    .unwrap_or(false);
 
-            serde_json::Value::from(member)
-        }).await;
+                serde_json::Value::from(member)
+            })
+            .await;
 
         let is_member: bool = serde_json::from_value(is_member).unwrap_or(false);
 
@@ -175,31 +185,51 @@ impl Team {
         .await
     }
 
-    pub async fn add_member(db: &Database, team_id: impl AsRef<str>, user_id: impl AsRef<str>) -> Result<(), sqlx::Error> {
+    pub async fn add_member(
+        db: &Database,
+        team_id: impl AsRef<str>,
+        user_id: impl AsRef<str>,
+    ) -> Result<(), sqlx::Error> {
         let span = info_span!("Team::add_member");
         span.set_parent(Context::current());
         let _guard = span.enter();
 
-        query!("INSERT INTO user_teams (team_id, user_id) VALUES ($1, $2)", team_id.as_ref(), user_id.as_ref())
-            .execute(&db.pool)
-            .await?;
+        query!(
+            "INSERT INTO user_teams (team_id, user_id) VALUES ($1, $2)",
+            team_id.as_ref(),
+            user_id.as_ref()
+        )
+        .execute(&db.pool)
+        .await?;
 
         Ok(())
     }
 
-    pub async fn update_name(db: &Database, team_id: impl AsRef<str>, name: impl AsRef<str>) -> Result<(), sqlx::Error> {
+    pub async fn update_name(
+        db: &Database,
+        team_id: impl AsRef<str>,
+        name: impl AsRef<str>,
+    ) -> Result<(), sqlx::Error> {
         let span = info_span!("Team::update_name");
         span.set_parent(Context::current());
         let _guard = span.enter();
 
-        query!("UPDATE teams SET name = $2 WHERE team_id = $1", team_id.as_ref(), name.as_ref())
-            .execute(&db.pool)
-            .await?;
+        query!(
+            "UPDATE teams SET name = $2 WHERE team_id = $1",
+            team_id.as_ref(),
+            name.as_ref()
+        )
+        .execute(&db.pool)
+        .await?;
 
         Ok(())
     }
 
-    pub async fn update_avatar(db: &Database, team_id: impl AsRef<str>, avatar_url: impl AsRef<str>) -> Result<Team, sqlx::Error> {
+    pub async fn update_avatar(
+        db: &Database,
+        team_id: impl AsRef<str>,
+        avatar_url: impl AsRef<str>,
+    ) -> Result<Team, sqlx::Error> {
         let span = info_span!("Team::update_avatar");
         span.set_parent(Context::current());
         let _guard = span.enter();
@@ -219,11 +249,26 @@ impl Team {
 pub struct TeamId<'a>(pub &'a str);
 
 impl<'a> AccessibleResource for TeamId<'a> {
-    async fn has_access_to(&self, state: &State, user_id: &str) -> Result<bool, HttpError> {
-        let x = Team::is_member(&state, self.0, user_id)
-            .await
-            .map_err(HttpError::from)?;
-
-        Ok(x)
+    async fn has_access(
+        &self,
+        state: &State,
+        resource: &str,
+        resource_id: &str,
+    ) -> Result<bool, HttpError> {
+        if resource == "user" {
+            let x = Team::is_member(&state, self.0, resource_id)
+                .await
+                .map_err(HttpError::from)?;
+
+            Ok(x)
+        } else if resource == "team" {
+            if self.0 == resource_id {
+                Ok(true)
+            } else {
+                Ok(false)
+            }
+        } else {
+            Ok(false)
+        }
     }
 }

engine/src/routes/invite/mod.rs

@@ -94,7 +94,7 @@ impl InviteApi {
     ) -> Result<PlainText<String>> {
         info!("Accepting invite: {:?}", invite_id.0);
 
-        let user = user.required()?;
+        let user = user.required_session()?;
 
         let invite = UserTeamInvite::get_by_invite_id(&state.database, &invite_id.0)
             .await

engine/src/routes/mod.rs

@@ -13,7 +13,6 @@ use poem::{
 };
 use poem_openapi::{OpenApi, OpenApiService, Tags};
 use serde_json::{self, Value};
-use team::TeamApi;
 use tracing::info;
 use user::UserApi;