use dino-park-trust/guard for scope checking

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "dino-park-packs"
-version = "0.2.0"
+version = "0.3.0"
 authors = ["Florian Merz <flomerz@gmail.com>"]
 edition = "2018"
 
@@ -11,7 +11,9 @@ localuserscope = ["dino_park_gate/localuserscope"]
 [dependencies]
 cis_client = { git = "https://github.com/mozilla-iam/cis_client-rust", branch = "0.4.0", version = "0.4.0" }
 cis_profile = { git = "https://github.com/mozilla-iam/cis_profile-rust", branch = "0.3.1", version = "0.3.1", features = ["aws", "vendored"] }
-dino_park_gate = { git = "https://github.com/mozilla-iam/dino-park-gate", tag = "0.3.1", version = "0.3.1" }
+dino_park_gate = { git = "https://github.com/mozilla-iam/dino-park-gate", tag = "0.4.0", version = "0.4.0" }
+dino_park_trust = { git = "https://github.com/mozilla-iam/dino-park-trust", tag = "0.0.4", version = "0.0.4" }
+dino_park_guard = { git = "https://github.com/mozilla-iam/dino-park-guard", tag = "0.0.1", version = "0.0.1" }
 diesel = { version = "1.4", features = ["postgres", "uuidv07", "r2d2", "chrono", "serde_json"] }
 diesel_migrations = "1.4"
 actix-web = "2.0"

src/api/admins.rs

@@ -23,6 +23,7 @@ pub struct DowngradeAdmin {
     group_expiration: Option<i32>,
 }
 
+#[guard(Ndaed)]
 async fn add_admin(
     pool: web::Data<Pool>,
     group_name: web::Path<String>,
@@ -47,6 +48,7 @@ async fn add_admin(
     Ok(HttpResponse::Ok().finish())
 }
 
+#[guard(Ndaed)]
 pub async fn downgrade(
     pool: web::Data<Pool>,
     path: web::Path<(String, Uuid)>,

src/api/current.rs

@@ -18,6 +18,7 @@ struct ForceLeave {
     force: Option<bool>,
 }
 
+#[guard(Authenticated)]
 async fn join(
     _: HttpRequest,
     pool: web::Data<Pool>,
@@ -39,6 +40,7 @@ async fn join(
     Ok(HttpResponse::Ok().finish())
 }
 
+#[guard(Authenticated)]
 async fn leave(
     _: HttpRequest,
     pool: web::Data<Pool>,
@@ -58,6 +60,7 @@ async fn leave(
     Ok(HttpResponse::Ok().finish())
 }
 
+#[guard(Authenticated)]
 async fn reject(
     _: HttpRequest,
     pool: web::Data<Pool>,
@@ -70,6 +73,7 @@ async fn reject(
     }
 }
 
+#[guard(Authenticated)]
 async fn invitations(pool: web::Data<Pool>, scope_and_user: ScopeAndUser) -> impl Responder {
     let user = operations::users::user_by_id(&pool.clone(), &scope_and_user.user_id)?;
     match operations::invitations::pending_invitations_for_user(&pool, &scope_and_user, &user) {

src/api/error.rs

@@ -2,6 +2,8 @@ use crate::error::PacksError;
 use crate::rules::error::RuleError;
 use actix_web::error::ResponseError;
 use actix_web::HttpResponse;
+use dino_park_trust::GroupsTrustError;
+use dino_park_trust::TrustError;
 use log::warn;
 use serde_json::json;
 use serde_json::Value;
@@ -19,12 +21,28 @@ pub enum ApiError {
     PacksError(PacksError),
     #[fail(display = "Rule Error: {}", _0)]
     RuleError(RuleError),
+    #[fail(display = "Scope Error: {}", _0)]
+    ScopeError(TrustError),
+    #[fail(display = "Groups scope Error: {}", _0)]
+    GroupsScopeError(GroupsTrustError),
 }
 
 fn to_json_error(e: &impl Display) -> Value {
     json!({ "error": e.to_string() })
 }
 
+impl From<TrustError> for ApiError {
+    fn from(e: TrustError) -> Self {
+        ApiError::ScopeError(e)
+    }
+}
+
+impl From<GroupsTrustError> for ApiError {
+    fn from(e: GroupsTrustError) -> Self {
+        ApiError::GroupsScopeError(e)
+    }
+}
+
 impl From<failure::Error> for ApiError {
     fn from(e: failure::Error) -> Self {
         let e = match e.downcast::<PacksError>() {
@@ -48,6 +66,8 @@ impl ResponseError for ApiError {
             }
             Self::PacksError(ref e) => HttpResponse::BadRequest().json(to_json_error(e)),
             Self::RuleError(ref e) => HttpResponse::Forbidden().json(to_json_error(e)),
+            Self::ScopeError(ref e) => HttpResponse::Forbidden().json(to_json_error(e)),
+            Self::GroupsScopeError(ref e) => HttpResponse::Forbidden().json(to_json_error(e)),
             Self::InvalidGroupName => HttpResponse::BadRequest().json(to_json_error(self)),
             _ => HttpResponse::InternalServerError().finish(),
         }

src/api/groups.rs

@@ -24,6 +24,7 @@ async fn get_group(pool: web::Data<Pool>, group_name: web::Path<String>) -> impl
         .map_err(ApiError::GenericBadRequest)
 }
 
+#[guard(Ndaed)]
 async fn update_group(
     pool: web::Data<Pool>,
     scope_and_user: ScopeAndUser,
@@ -40,6 +41,7 @@ async fn update_group(
     .map_err(ApiError::GenericBadRequest)
 }
 
+#[guard(Staff, Creator)]
 async fn add_group(
     cis_client: web::Data<Arc<CisClient>>,
     pool: web::Data<Pool>,
@@ -67,6 +69,7 @@ async fn delete_group(
     Ok(HttpResponse::Created().finish())
 }
 
+#[guard(Authenticated)]
 async fn group_details(
     pool: web::Data<Pool>,
     group_name: web::Path<String>,

src/api/invitations.rs

@@ -27,6 +27,7 @@ pub struct Invitation {
     group_expiration: Option<i32>,
 }
 
+#[guard(Ndaed)]
 async fn delete_invitation(
     _: HttpRequest,
     pool: web::Data<Pool>,
@@ -48,6 +49,7 @@ async fn delete_invitation(
     }
 }
 
+#[guard(Ndaed)]
 async fn update_invitation(
     _: HttpRequest,
     pool: web::Data<Pool>,
@@ -75,6 +77,7 @@ async fn update_invitation(
     }
 }
 
+#[guard(Ndaed)]
 async fn invite_member(
     _: HttpRequest,
     pool: web::Data<Pool>,
@@ -103,6 +106,7 @@ async fn invite_member(
     }
 }
 
+#[guard(Ndaed)]
 async fn pending(
     _: HttpRequest,
     pool: web::Data<Pool>,

src/api/members.rs

@@ -46,6 +46,7 @@ pub struct GetMembersQuery {
     s: Option<i64>,
 }
 
+#[guard(Authenticated)]
 async fn get_members(
     _: HttpRequest,
     pool: web::Data<Pool>,
@@ -73,6 +74,7 @@ async fn get_members(
     }
 }
 
+#[guard(Ndaed)]
 async fn remove_member(
     pool: web::Data<Pool>,
     path: web::Path<(String, Uuid)>,
@@ -94,6 +96,7 @@ async fn remove_member(
     Ok(HttpResponse::Ok().finish())
 }
 
+#[guard(Ndaed)]
 async fn renew_member(
     pool: web::Data<Pool>,
     path: web::Path<(String, Uuid)>,

src/api/sudo.rs

@@ -20,6 +20,7 @@ pub struct AddMember {
     group_expiration: Option<i32>,
 }
 
+#[guard(Staff, Admin)]
 async fn add_member(
     pool: web::Data<Pool>,
     group_name: web::Path<String>,
@@ -42,6 +43,7 @@ async fn add_member(
     Ok(HttpResponse::Ok().finish())
 }
 
+#[guard(Staff, Admin)]
 async fn all_raw_logs(pool: web::Data<Pool>, scope_and_user: ScopeAndUser) -> impl Responder {
     let user = operations::users::user_by_id(&pool.clone(), &scope_and_user.user_id)?;
     match operations::logs::raw_logs(&pool, &scope_and_user, &user) {

src/api/terms.rs

@@ -15,13 +15,15 @@ pub struct TermsUpdate {
     text: String,
 }
 
+#[guard(Authenticated)]
 async fn view_terms(pool: web::Data<Pool>, group_name: web::Path<String>) -> impl Responder {
     match operations::terms::get_terms(&pool, &group_name) {
         Ok(terms) => Ok(HttpResponse::Ok().json(terms)),
         Err(e) => Err(ApiError::GenericBadRequest(e)),
     }
 }
 
+#[guard(Ndaed)]
 async fn delete_terms(
     pool: web::Data<Pool>,
     group_name: web::Path<String>,
@@ -33,6 +35,7 @@ async fn delete_terms(
     }
 }
 
+#[guard(Ndaed)]
 async fn update_terms(
     pool: web::Data<Pool>,
     group_name: web::Path<String>,

src/api/users.rs

@@ -18,6 +18,8 @@ struct SearchUsersQuery {
     t: TrustType,
     g: Option<String>,
 }
+
+#[guard(Ndaed)]
 async fn search_users(
     pool: web::Data<Pool>,
     scope_and_user: ScopeAndUser,

src/db/error.rs

@@ -3,5 +3,5 @@ pub enum DBError {
     #[fail(display = "User profile v2 is invalid")]
     InvalidProfile,
     #[fail(display = "Trust level not supported is invalid")]
-    InvalidTurstLevel,
+    InvalidTrustLevel,
 }

src/db/internal/user.rs

@@ -1,4 +1,3 @@
-use crate::db::error::DBError;
 use crate::db::internal;
 use crate::db::schema;
 use crate::db::types::TrustType;
@@ -279,7 +278,6 @@ pub fn search_users_for_group(
             limit,
             connection
         ),
-        _ => Err(DBError::InvalidTurstLevel.into()),
     }
 }
 
@@ -312,6 +310,5 @@ pub fn search_users(
         TrustType::Public => {
             scoped_search_users!(users_public, UsersPublic, q, trust, limit, connection)
         }
-        _ => Err(DBError::InvalidTurstLevel.into()),
     }
 }

src/db/operations/invitations.rs

@@ -10,6 +10,7 @@ use chrono::NaiveDateTime;
 use cis_client::CisClient;
 use cis_profile::schema::Profile;
 use dino_park_gate::scope::ScopeAndUser;
+use dino_park_trust::Trust;
 use failure::Error;
 use serde_derive::Serialize;
 use std::sync::Arc;
@@ -128,12 +129,12 @@ pub fn pending_invitations(
         &host.user_uuid,
     ))?;
     let connection = pool.get()?;
-    match scope_and_user.scope.as_str() {
-        "staff" => staff_scoped_invitations_and_host(&connection, group_name),
-        "ndaed" => ndaed_scoped_invitations_and_host(&connection, group_name),
-        "vouched" => vouched_scoped_invitations_and_host(&connection, group_name),
-        "authenticated" => authenticated_scoped_invitations_and_host(&connection, group_name),
-        _ => public_scoped_invitations_and_host(&connection, group_name),
+    match scope_and_user.scope {
+        Trust::Staff => staff_scoped_invitations_and_host(&connection, group_name),
+        Trust::Ndaed => ndaed_scoped_invitations_and_host(&connection, group_name),
+        Trust::Vouched => vouched_scoped_invitations_and_host(&connection, group_name),
+        Trust::Authenticated => authenticated_scoped_invitations_and_host(&connection, group_name),
+        Trust::Public => public_scoped_invitations_and_host(&connection, group_name),
     }
 }
 
@@ -143,12 +144,14 @@ pub fn pending_invitations_for_user(
     user: &User,
 ) -> Result<Vec<DisplayInvitation>, Error> {
     let connection = pool.get()?;
-    match scope_and_user.scope.as_str() {
-        "staff" => staff_scoped_invitations_and_host_for_user(&connection, user),
-        "ndaed" => ndaed_scoped_invitations_and_host_for_user(&connection, user),
-        "vouched" => vouched_scoped_invitations_and_host_for_user(&connection, user),
-        "authenticated" => authenticated_scoped_invitations_and_host_for_user(&connection, user),
-        _ => public_scoped_invitations_and_host_for_user(&connection, user),
+    match scope_and_user.scope {
+        Trust::Staff => staff_scoped_invitations_and_host_for_user(&connection, user),
+        Trust::Ndaed => ndaed_scoped_invitations_and_host_for_user(&connection, user),
+        Trust::Vouched => vouched_scoped_invitations_and_host_for_user(&connection, user),
+        Trust::Authenticated => {
+            authenticated_scoped_invitations_and_host_for_user(&connection, user)
+        }
+        Trust::Public => public_scoped_invitations_and_host_for_user(&connection, user),
     }
 }