adding stub authorization

Author: dsullivan7

src/authorization/mod.rs

@@ -1,21 +1,28 @@
 use mockall::*;
+use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
-pub mod oso;
-
 #[derive(Error, Debug)]
 pub enum AuthorizationError {
     #[error("authorization error")]
     Error(anyhow::Error),
 }
 
+pub struct User {
+    pub user_id: String,
+    pub role: String,
+}
+
 #[automock]
-pub trait AuthorizationClient<T> {
-    fn allow_user_action_field(
-        &self,
-        actor: T,
-        action: String,
-        resource: T,
-        field: String,
-    ) -> Result<bool, AuthorizationError>;
+pub trait IAuthorization: Send + Sync {
+    fn is_action_allowed(&self, actor: User, action: String) -> Result<bool, AuthorizationError>;
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct Authorization;
+
+impl IAuthorization for Authorization {
+    fn is_action_allowed(&self, _actor: User, _action: String) -> Result<bool, AuthorizationError> {
+        Ok(true)
+    }
 }

src/errors.rs

@@ -24,6 +24,8 @@ pub enum ServerError {
     UnauthenticatedReason(anyhow::Error),
     #[error("unauthenticated")]
     Unauthenticated,
+    #[error("unauthorized")]
+    Unauthorized,
 }
 
 impl ServerError {
@@ -36,6 +38,7 @@ impl ServerError {
             Self::RequiredBodyParameter => "required_body_param".to_owned(),
             Self::UnauthenticatedReason(_) => "unauthenticated".to_owned(),
             Self::Unauthenticated => "unauthenticated".to_owned(),
+            Self::Unauthorized => "unauthorized".to_owned(),
         }
     }
     pub fn message(&self) -> String {
@@ -47,6 +50,7 @@ impl ServerError {
             Self::RequiredBodyParameter => "required body parameter".to_owned(),
             Self::UnauthenticatedReason(_) => "unauthenticated".to_owned(),
             Self::Unauthenticated => "unauthenticated".to_owned(),
+            Self::Unauthorized => "unauthorized".to_owned(),
         }
     }
 }
@@ -71,6 +75,7 @@ impl IntoResponse for ServerError {
             Self::BadReqest => StatusCode::BAD_REQUEST,
             Self::RequiredBodyParameter => StatusCode::BAD_REQUEST,
             Self::Unauthenticated => StatusCode::UNAUTHORIZED,
+            Self::Unauthorized => StatusCode::UNAUTHORIZED,
             Self::UnauthenticatedReason(_) => StatusCode::UNAUTHORIZED,
         };
 

src/handlers.rs

@@ -1,4 +1,5 @@
 mod authentication;
+mod authorization;
 mod health;
 mod routes;
 mod users;

src/handlers/authorization.rs

@@ -0,0 +1,27 @@
+use anyhow::anyhow;
+use axum::{body::Body, extract::Request, extract::State, http::Response, middleware::Next};
+
+use crate::{authorization::User, errors};
+
+use super::AppState;
+
+pub async fn is_user_action_allowed(
+    State(AppState { authorization, .. }): State<AppState>,
+    req: Request,
+    next: Next,
+) -> Result<Response<Body>, errors::ServerError> {
+    let is_authorized = authorization
+        .is_action_allowed(
+            User {
+                user_id: "random".to_owned(),
+                role: "random".to_owned(),
+            },
+            "list_users".to_owned(),
+        )
+        .map_err(|err| errors::ServerError::Internal(anyhow!(err)))?;
+
+    if is_authorized {
+        return Ok(next.run(req).await);
+    }
+    Err(errors::ServerError::Unauthorized)
+}

src/handlers/health_test.rs

@@ -1,24 +1,25 @@
-use crate::authentication;
-use crate::handlers::router;
-use crate::handlers::{health::HealthResponse, AppState};
-use axum::{
-    body::Body,
-    http::{Request, StatusCode},
-};
-use http_body_util::BodyExt;
-use sea_orm::{DatabaseBackend, MockDatabase};
-use tower::ServiceExt;
-
 #[cfg(test)]
 #[tokio::test]
 async fn test_health() {
+    use crate::authentication;
+    use crate::authorization;
+    use crate::handlers::router;
+    use crate::handlers::{health::HealthResponse, AppState};
+    use axum::{
+        body::Body,
+        http::{Request, StatusCode},
+    };
+    use http_body_util::BodyExt;
+    use sea_orm::{DatabaseBackend, MockDatabase};
     use std::sync::Arc;
+    use tower::ServiceExt;
 
     let conn = MockDatabase::new(DatabaseBackend::Postgres).into_connection();
 
     let my_router = router(AppState {
         conn: Arc::new(conn),
         authentication: Arc::new(authentication::MockIAuthentication::new()),
+        authorization: Arc::new(authorization::MockIAuthorization::new()),
     });
 
     let response = my_router

src/handlers/routes.rs

@@ -8,9 +8,11 @@ use axum::{middleware, Router};
 use sea_orm::DatabaseConnection;
 
 use crate::authentication;
+use crate::authorization;
 use tower::ServiceBuilder;
 
 use super::authentication as authentication_middleware;
+use super::authorization as authorization_middleware;
 
 use super::health;
 
@@ -20,12 +22,19 @@ use super::users;
 pub struct AppState {
     pub conn: Arc<DatabaseConnection>,
     pub authentication: Arc<dyn authentication::IAuthentication>,
+    pub authorization: Arc<dyn authorization::IAuthorization>,
 }
 
 pub fn router(app_state: AppState) -> Router {
     Router::new().route("/", get(health::get_health)).merge(
         Router::new()
-            .route("/users", get(users::list_users))
+            .route(
+                "/users",
+                get(users::list_users).layer(middleware::from_fn_with_state(
+                    app_state.clone(),
+                    authorization_middleware::is_user_action_allowed,
+                )),
+            )
             .route("/users/{user_id}", get(users::get_user))
             .route("/users", post(users::create_user))
             .route("/users/{user_id}", put(users::modify_user))

src/handlers/users_test.rs

@@ -13,6 +13,7 @@ mod tests {
     use uuid::Uuid;
 
     use crate::{
+        authorization,
         handlers::{router, users::UserResponse, AppState},
         models, test_utils,
     };
@@ -35,13 +36,15 @@ mod tests {
             .into_connection();
 
         let auth = test_utils::get_default_auth();
+        let authz = authorization::Authorization {};
 
         let (default_auth_header, default_auth_header_value) =
             test_utils::get_default_auth_header();
 
         let router = router(AppState {
             conn: Arc::new(conn),
             authentication: Arc::from(auth),
+            authorization: Arc::from(authz),
         });
 
         let response = router
@@ -94,13 +97,15 @@ mod tests {
             .into_connection();
 
         let auth = test_utils::get_default_auth();
+        let authz = authorization::Authorization {};
 
         let (default_auth_header, default_auth_header_value) =
             test_utils::get_default_auth_header();
 
         let router = router(AppState {
             conn: Arc::new(conn),
             authentication: Arc::from(auth),
+            authorization: Arc::from(authz),
         });
 
         let response = router
@@ -158,13 +163,15 @@ mod tests {
             .into_connection();
 
         let auth = test_utils::get_default_auth();
+        let authz = authorization::Authorization {};
 
         let (default_auth_header, default_auth_header_value) =
             test_utils::get_default_auth_header();
 
         let router = router(AppState {
             conn: Arc::new(conn),
             authentication: Arc::from(auth),
+            authorization: Arc::from(authz),
         });
 
         let body = serde_json::json!({
@@ -231,13 +238,15 @@ mod tests {
             .into_connection();
 
         let auth = test_utils::get_default_auth();
+        let authz = authorization::Authorization {};
 
         let (default_auth_header, default_auth_header_value) =
             test_utils::get_default_auth_header();
 
         let router = router(AppState {
             conn: Arc::new(conn),
             authentication: Arc::from(auth),
+            authorization: Arc::from(authz),
         });
 
         let body = serde_json::json!({
@@ -286,13 +295,15 @@ mod tests {
             .into_connection();
 
         let auth = test_utils::get_default_auth();
+        let authz = authorization::Authorization {};
 
         let (default_auth_header, default_auth_header_value) =
             test_utils::get_default_auth_header();
 
         let router = router(AppState {
             conn: Arc::new(conn),
             authentication: Arc::from(auth),
+            authorization: Arc::from(authz),
         });
 
         let response = router

src/main.rs

@@ -7,9 +7,8 @@ use tower_http::trace::TraceLayer;
 
 mod auth0;
 mod authentication;
-// mod authorization;
+mod authorization;
 mod errors;
-// mod extractors;
 mod handlers;
 mod models;
 
@@ -49,13 +48,16 @@ async fn main() -> anyhow::Result<(), anyhow::Error> {
         domain: auth0_domain,
     };
 
+    let authz = authorization::Authorization {};
+
     let port = std::env::var("PORT")
         .unwrap_or_else(|_| "7000".to_owned())
         .parse::<u16>()
         .expect("PORT must be a number");
 
     let app_state = AppState {
         authentication: Arc::new(auth),
+        authorization: Arc::new(authz),
         conn: Arc::new(conn),
     };
 
@@ -73,19 +75,4 @@ async fn main() -> anyhow::Result<(), anyhow::Error> {
     )
     .await
     .map_err(|err| anyhow!(err))
-
-    // HttpServer::new(move || {
-    //     let cors = Cors::permissive();
-
-    //     App::new()
-    //         .app_data(state.clone())
-    //         .wrap(middleware::Logger::default())
-    //         .wrap(cors)
-    //         .service(handlers::routes())
-    //         .service(handlers::health::get_health)
-    // })
-    // .bind(("0.0.0.0", port))?
-    // .run()
-    // .await
-    // .map_err(|err| anyhow!(err))
 }