authly_common/
document.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
//! Authly document type definitions.

use std::collections::BTreeMap;

use serde::Deserialize;
use toml::Spanned;
use uuid::Uuid;

use crate::{id::Eid, property::QualifiedAttributeName};

/// The deserialized representation of an authly document.
#[derive(Deserialize)]
#[serde(deny_unknown_fields)]
#[allow(missing_docs)]
pub struct Document {
    /// Metadata about the document
    #[serde(rename = "authly-document")]
    pub authly_document: AuthlyDocument,

    /// Collection of settings for the local authly cluster
    #[serde(default, rename = "local-settings")]
    pub local_settings: Option<BTreeMap<Spanned<String>, Spanned<String>>>,

    #[serde(default)]
    pub entity: Vec<Entity>,

    #[serde(default, rename = "service-entity")]
    pub service_entity: Vec<Entity>,

    #[serde(default)]
    pub email: Vec<Email>,

    #[serde(default, rename = "password-hash")]
    pub password_hash: Vec<PasswordHash>,

    #[serde(default)]
    pub members: Vec<Members>,

    #[serde(default, rename = "entity-attribute-binding")]
    pub entity_attribute_binding: Vec<EntityAttributeBinding>,

    #[serde(default, rename = "entity-property")]
    pub entity_property: Vec<EntityProperty>,

    #[serde(default, rename = "resource-property")]
    pub resource_property: Vec<ResourceProperty>,

    #[serde(default)]
    pub policy: Vec<Policy>,

    #[serde(default, rename = "policy-binding")]
    pub policy_binding: Vec<PolicyBinding>,
}

/// The authly document header
#[derive(Deserialize)]
#[serde(deny_unknown_fields)]
pub struct AuthlyDocument {
    /// The ID of this document as an Authly authority
    pub id: Spanned<Uuid>,
}

/// An entity definition
#[derive(Deserialize, Debug)]
#[serde(deny_unknown_fields)]
pub struct Entity {
    /// The eid of this entity.
    pub eid: Spanned<Eid>,

    /// A label for the entity visible in the document namespace.
    #[serde(default)]
    pub label: Option<Spanned<String>>,

    /// Attributes bound to the entity.
    #[serde(default)]
    pub attributes: Vec<Spanned<QualifiedAttributeName>>,

    /// List of usernames.
    #[serde(default)]
    pub username: Option<Spanned<String>>,

    /// List of email addresses.
    #[serde(default)]
    pub email: Vec<Spanned<String>>,

    /// List of password hashes.
    #[serde(default, rename = "password-hash")]
    pub password_hash: Vec<String>,

    /// An optional kubernetes account.
    #[serde(default, rename = "kubernetes-account")]
    pub kubernetes_account: Option<KubernetesAccount>,
}

/// An email address assignment.
#[derive(Deserialize, Debug)]
#[serde(deny_unknown_fields)]
pub struct Email {
    /// The label of the entity that is assigned this address.
    pub entity: Spanned<String>,

    /// The address itself.
    pub value: Spanned<String>,
}

/// An password hash assignment.
#[derive(Deserialize, Debug)]
#[serde(deny_unknown_fields)]
pub struct PasswordHash {
    /// The label of the entity that is assigned this password hash.
    pub entity: Spanned<String>,

    /// The password hash itself.
    pub hash: String,
}

/// A members assignment.
///
/// In the authly model, any kind of entity may have members.
#[derive(Deserialize, Debug)]
#[serde(deny_unknown_fields)]
pub struct Members {
    /// The label of the entity that members is assigned to.
    pub entity: Spanned<String>,

    /// Entity labels of the members.
    pub members: Vec<Spanned<String>>,
}

/// A definition of an entity property.
#[derive(Deserialize)]
#[serde(deny_unknown_fields)]
pub struct EntityProperty {
    /// The label of the service which defines this entity property.
    #[serde(default)]
    pub service: Option<Spanned<String>>,

    /// The property label.
    pub label: Spanned<String>,

    /// The list of attributes of the property.
    #[serde(default)]
    pub attributes: Vec<Spanned<String>>,
}

/// A kubernetes account definition.
#[derive(Default, Deserialize, Debug)]
#[serde(deny_unknown_fields)]
pub struct KubernetesAccount {
    /// The kubernetes namespace.
    pub namespace: String,

    /// The account name.
    pub name: String,
}

/// A definition of a resource property.
#[derive(Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ResourceProperty {
    /// The label of the service which defines this resource property.
    pub service: Spanned<String>,

    /// The property label.
    pub label: Spanned<String>,

    /// The list of attributes of the property.
    #[serde(default)]
    pub attributes: Vec<Spanned<String>>,
}

/// A policy definition.
///
/// A policy must contain either an `allow` or `deny` expression.
#[derive(Deserialize)]
#[serde(deny_unknown_fields)]
pub struct Policy {
    /// The label of the service this policy belongs to.
    pub service: Spanned<String>,

    /// The policy label.
    pub label: Spanned<String>,

    /// An allow expression.
    #[serde(default)]
    pub allow: Option<Spanned<String>>,

    /// An deny expression.
    #[serde(default)]
    pub deny: Option<Spanned<String>>,
}

/// A policy binding.
#[derive(Deserialize)]
pub struct PolicyBinding {
    /// The label of the service the binding applies to.
    pub service: Spanned<String>,

    /// The attribute set which will trigger the policy set.
    pub attributes: Vec<Spanned<QualifiedAttributeName>>,

    /// A set of policies triggered.
    pub policies: Vec<Spanned<String>>,
}

/// An entity attribute binding, which assigns attributes to entities.
#[derive(Deserialize)]
pub struct EntityAttributeBinding {
    /// The id identifying the entity
    pub eid: Option<Spanned<Eid>>,

    /// A label identifying the entity
    pub label: Option<Spanned<String>>,

    /// The attributes assigned to the entity.
    pub attributes: Vec<Spanned<QualifiedAttributeName>>,
}

impl Document {
    /// Deserialize document from `toml` format.
    pub fn from_toml(toml: &str) -> anyhow::Result<Self> {
        Ok(preprocess(toml::from_str(toml)?))
    }
}

fn preprocess(mut doc: Document) -> Document {
    for user in &mut doc.entity {
        let label = user
            .label
            .get_or_insert_with(|| Spanned::new(0..0, Uuid::new_v4().to_string()));

        for email in std::mem::take(&mut user.email) {
            doc.email.push(Email {
                entity: label.clone(),
                value: email,
            });
        }

        for pw_hash in std::mem::take(&mut user.password_hash) {
            doc.password_hash.push(PasswordHash {
                entity: label.clone(),
                hash: pw_hash,
            });
        }
    }

    doc
}