#![allow(clippy::result_large_err)]

//! Scope gates for request handlers.
//!
//! Every `check_*_scope` function follows the same two steps:
//!
//! 1. If the credential is not an OAuth token and carries no custom scope
//!    (scope absent, or exactly equal to `SCOPE_ACCESS`), the check is skipped
//!    and the request is allowed.
//! 2. Otherwise the scope string is parsed into `ScopePermissions` and the
//!    matching `assert_*` method decides. A failure becomes an HTTP 403 with
//!    the JSON body `{"error": "InsufficientScope", "message": <error text>}`.
//!
//! NOTE(review): step 1 trusts the caller-supplied `is_oauth` flag and `scope`
//! value. Both are presumably taken from an already verified token; confirm at
//! the call sites, since a wrong `is_oauth == false` skips enforcement.

use axum::http::StatusCode;
use axum::response::{IntoResponse, Response};
use serde_json::json;

use crate::oauth::scopes::{
    AccountAction, AccountAttr, IdentityAttr, RepoAction, ScopePermissions,
};

use super::token::SCOPE_ACCESS;

/// Returns `true` when a scope is present and is anything other than
/// `SCOPE_ACCESS`.
///
/// The comparison is exact string equality, so any variation of the scope
/// string (extra entries, different spacing, an empty string) counts as custom
/// and is sent through permission evaluation rather than skipped.
fn has_custom_scope(scope: Option<&str>) -> bool {
    matches!(scope, Some(value) if value != SCOPE_ACCESS)
}

/// Returns `true` when scope enforcement does not apply: the credential is not
/// an OAuth token and it has no custom scope.
fn scope_checks_skipped(is_oauth: bool, scope: Option<&str>) -> bool {
    !(is_oauth || has_custom_scope(scope))
}

/// Builds the 403 response returned for every failed scope assertion.
///
/// `message` is sent to the client unchanged.
// NOTE(review): the text comes from the permission error's `to_string()`;
// confirm that it contains nothing beyond the missing scope.
fn insufficient_scope(message: String) -> Response {
    let body = json!({
        "error": "InsufficientScope",
        "message": message
    });
    (StatusCode::FORBIDDEN, axum::Json(body)).into_response()
}

/// Checks that the credential's scope allows `action` on `collection`.
///
/// # Errors
///
/// Returns a 403 `InsufficientScope` response when `assert_repo` rejects the
/// request.
pub fn check_repo_scope(
    is_oauth: bool,
    scope: Option<&str>,
    action: RepoAction,
    collection: &str,
) -> Result<(), Response> {
    if scope_checks_skipped(is_oauth, scope) {
        return Ok(());
    }

    // An OAuth token with no scope also reaches this point and is evaluated
    // against whatever `from_scope_string(None)` yields (not visible here).
    let granted = ScopePermissions::from_scope_string(scope);
    granted
        .assert_repo(action, collection)
        .map_err(|err| insufficient_scope(err.to_string()))
}

/// Checks that the credential's scope allows a blob of MIME type `mime`.
///
/// # Errors
///
/// Returns a 403 `InsufficientScope` response when `assert_blob` rejects the
/// request.
pub fn check_blob_scope(is_oauth: bool, scope: Option<&str>, mime: &str) -> Result<(), Response> {
    if scope_checks_skipped(is_oauth, scope) {
        return Ok(());
    }

    let granted = ScopePermissions::from_scope_string(scope);
    granted
        .assert_blob(mime)
        .map_err(|err| insufficient_scope(err.to_string()))
}

/// Checks that the credential's scope allows calling method `lxm` on audience
/// `aud`.
///
/// # Errors
///
/// Returns a 403 `InsufficientScope` response when `assert_rpc` rejects the
/// request.
pub fn check_rpc_scope(
    is_oauth: bool,
    scope: Option<&str>,
    aud: &str,
    lxm: &str,
) -> Result<(), Response> {
    if scope_checks_skipped(is_oauth, scope) {
        return Ok(());
    }

    let granted = ScopePermissions::from_scope_string(scope);
    granted
        .assert_rpc(aud, lxm)
        .map_err(|err| insufficient_scope(err.to_string()))
}

/// Checks that the credential's scope allows `action` on the account
/// attribute `attr`.
///
/// # Errors
///
/// Returns a 403 `InsufficientScope` response when `assert_account` rejects
/// the request.
pub fn check_account_scope(
    is_oauth: bool,
    scope: Option<&str>,
    attr: AccountAttr,
    action: AccountAction,
) -> Result<(), Response> {
    if scope_checks_skipped(is_oauth, scope) {
        return Ok(());
    }

    let granted = ScopePermissions::from_scope_string(scope);
    granted
        .assert_account(attr, action)
        .map_err(|err| insufficient_scope(err.to_string()))
}

/// Checks that the credential's scope allows access to the identity attribute
/// `attr`.
///
/// # Errors
///
/// Returns a 403 `InsufficientScope` response when `assert_identity` rejects
/// the request.
pub fn check_identity_scope(
    is_oauth: bool,
    scope: Option<&str>,
    attr: IdentityAttr,
) -> Result<(), Response> {
    if scope_checks_skipped(is_oauth, scope) {
        return Ok(());
    }

    let granted = ScopePermissions::from_scope_string(scope);
    granted
        .assert_identity(attr)
        .map_err(|err| insufficient_scope(err.to_string()))
}