crates/tranquil-pds/src/auth/scope_check.rs at main · lewis.moe/bspds-sandbox

lewis.moe / bspds-sandbox
this repo has no description
bspds-sandbox / crates / tranquil-pds / src / auth / scope_check.rs
at main 2.4 kB view raw
 1#![allow(clippy::result_large_err)]
 2
 3use axum::response::{IntoResponse, Response};
 4
 5use crate::api::error::ApiError;
 6use crate::oauth::scopes::{
 7    AccountAction, AccountAttr, IdentityAttr, RepoAction, ScopePermissions,
 8};
 9
10use super::SCOPE_ACCESS;
11
12fn has_custom_scope(scope: Option<&str>) -> bool {
13    match scope {
14        None => false,
15        Some(s) => s != SCOPE_ACCESS,
16    }
17}
18
19pub fn check_repo_scope(
20    is_oauth: bool,
21    scope: Option<&str>,
22    action: RepoAction,
23    collection: &str,
24) -> Result<(), Response> {
25    if !is_oauth && !has_custom_scope(scope) {
26        return Ok(());
27    }
28
29    let permissions = ScopePermissions::from_scope_string(scope);
30    permissions
31        .assert_repo(action, collection)
32        .map_err(|e| ApiError::InsufficientScope(Some(e.to_string())).into_response())
33}
34
35pub fn check_blob_scope(is_oauth: bool, scope: Option<&str>, mime: &str) -> Result<(), Response> {
36    if !is_oauth && !has_custom_scope(scope) {
37        return Ok(());
38    }
39
40    let permissions = ScopePermissions::from_scope_string(scope);
41    permissions
42        .assert_blob(mime)
43        .map_err(|e| ApiError::InsufficientScope(Some(e.to_string())).into_response())
44}
45
46pub fn check_rpc_scope(
47    is_oauth: bool,
48    scope: Option<&str>,
49    aud: &str,
50    lxm: &str,
51) -> Result<(), Response> {
52    if !is_oauth && !has_custom_scope(scope) {
53        return Ok(());
54    }
55
56    let permissions = ScopePermissions::from_scope_string(scope);
57    permissions
58        .assert_rpc(aud, lxm)
59        .map_err(|e| ApiError::InsufficientScope(Some(e.to_string())).into_response())
60}
61
62pub fn check_account_scope(
63    is_oauth: bool,
64    scope: Option<&str>,
65    attr: AccountAttr,
66    action: AccountAction,
67) -> Result<(), Response> {
68    if !is_oauth && !has_custom_scope(scope) {
69        return Ok(());
70    }
71
72    let permissions = ScopePermissions::from_scope_string(scope);
73    permissions
74        .assert_account(attr, action)
75        .map_err(|e| ApiError::InsufficientScope(Some(e.to_string())).into_response())
76}
77
78pub fn check_identity_scope(
79    is_oauth: bool,
80    scope: Option<&str>,
81    attr: IdentityAttr,
82) -> Result<(), Response> {
83    if !is_oauth && !has_custom_scope(scope) {
84        return Ok(());
85    }
86
87    let permissions = ScopePermissions::from_scope_string(scope);
88    permissions
89        .assert_identity(attr)
90        .map_err(|e| ApiError::InsufficientScope(Some(e.to_string())).into_response())
91}