Skip to content

Commit cd51391

Browse files
Sh099078Khoyo
andcommitted
editoast: merge middleware authorization extensions
Remove several middleware extensions that were used for authorization. Replace them on call sites by the updated `State` middleware extension that should contain all the information required. Add some quality of life methods for `State` to make its usage simpler. Co-authored-by: Younes Khoudli <younes.khoudli@epita.fr> Signed-off-by: Younes Khoudli <younes.khoudli@epita.fr> Signed-off-by: Loup Federico <16464925+Sh099078@users.noreply.github.com>
1 parent 2e09376 commit cd51391

6 files changed

Lines changed: 188 additions & 282 deletions

File tree

editoast/src/authentication.rs

Lines changed: 29 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -23,10 +23,7 @@ pub enum Mode {
2323
impersonator_name: String,
2424
impersonated_identity: String,
2525
},
26-
Skip {
27-
identity: Option<String>,
28-
name: Option<String>,
29-
},
26+
Skip,
3027
}
3128

3229
#[derive(Debug, Default)]
@@ -43,10 +40,11 @@ impl Mode {
4340
let authn = match params {
4441
AuthenticationParameters {
4542
skip: true,
46-
identity,
47-
name,
48-
..
49-
} => Self::Skip { identity, name },
43+
identity: None,
44+
name: None,
45+
impersonate: None,
46+
} => Self::Skip,
47+
AuthenticationParameters { skip: true, .. } => return Err(params),
5048
AuthenticationParameters {
5149
impersonate: Some(impersonated_identity),
5250
identity: Some(impersonator_identity),
@@ -76,19 +74,30 @@ impl Mode {
7674

7775
#[derive(Debug, Clone)]
7876
pub enum State {
79-
Skip {
80-
#[expect(unused)]
81-
user: Option<authz::User>,
82-
#[expect(unused)]
83-
roles: Vec<Role>,
84-
},
85-
Authenticated {
86-
user: authz::User,
87-
roles: Vec<Role>,
88-
},
77+
Skip,
78+
Authenticated { user: authz::User, roles: Vec<Role> },
8979
}
9080

9181
impl State {
82+
/// The authenticated user if authorization is **not** skipped
83+
///
84+
/// If this function returns a user, then it is subject to permissions,
85+
/// otherwise they likely can be bypassed.
86+
pub fn regular_user(&self) -> Option<authz::User> {
87+
match self {
88+
State::Skip => None,
89+
State::Authenticated { user, .. } => Some(*user),
90+
}
91+
}
92+
93+
pub fn roles(&self) -> &[Role] {
94+
static EMPTY_ROLES: [Role; 0] = [];
95+
match self {
96+
State::Skip => &EMPTY_ROLES,
97+
State::Authenticated { roles, .. } => roles,
98+
}
99+
}
100+
92101
pub fn authorizer<'a>(
93102
&self,
94103
openfga: &'a fga::Client,
@@ -98,7 +107,7 @@ impl State {
98107
State::Authenticated { user, roles } => {
99108
itertools::Either::Left(UserAuthorizer::new(*user, roles.clone(), openfga, conn))
100109
}
101-
State::Skip { .. } => itertools::Either::Right(SystemAuthorizer {
110+
State::Skip => itertools::Either::Right(SystemAuthorizer {
102111
openfga,
103112
conn: conn.clone(),
104113
}),
@@ -121,7 +130,7 @@ impl State {
121130
let user = user.expect("providing the request user is required when Mode::Authenticated or Mode::Impersonating");
122131
Ok(State::Authenticated { user, roles })
123132
}
124-
Mode::Skip { .. } => Ok(State::Skip { user, roles }),
133+
Mode::Skip => Ok(State::Skip),
125134
}
126135
}
127136
}

0 commit comments

Comments
 (0)