Add feature permission revoke for profiles (#549)

Author: danimhr

auction-server/api-types/src/profile.rs

@@ -60,6 +60,35 @@ pub struct Profile {
     pub role:  ProfileRole,
 }
 
+#[derive(Serialize, Deserialize, ToSchema, Clone, ToResponse)]
+#[serde(rename_all = "snake_case")]
+pub enum PrivilegeFeature {
+    /// The feature for which the privilege is for.
+    CancelQuote,
+}
+
+#[derive(Serialize, Deserialize, ToSchema, Clone, ToResponse)]
+#[serde(rename_all = "snake_case")]
+pub enum PrivilegeState {
+    /// The privilege is enabled.
+    Enabled,
+    /// The privilege is disabled.
+    Disabled,
+}
+
+#[derive(Serialize, Deserialize, ToSchema, Clone, ToResponse)]
+pub struct CreatePrivilege {
+    /// The id of the profile to create privilege for.
+    #[schema(example = "obo3ee3e-58cc-4372-a567-0e02b2c3d479", value_type = String)]
+    pub profile_id: ProfileId,
+    /// The feature which the privilege is for.
+    #[schema(example = "cancel_quote", value_type = PrivilegeFeature)]
+    pub feature:    PrivilegeFeature,
+    /// The state of the privilege.
+    #[schema(example = "disabled", value_type = PrivilegeState)]
+    pub state:      PrivilegeState,
+}
+
 #[derive(Serialize, Deserialize, ToSchema, Clone, ToResponse)]
 pub struct CreateAccessToken {
     /// The id of the profile to create token for.
@@ -85,6 +114,8 @@ pub enum Route {
     PostProfileAccessToken,
     #[strum(serialize = "access_tokens")]
     DeleteProfileAccessToken,
+    #[strum(serialize = "privileges")]
+    PostPrivilege,
 }
 
 impl Routable for Route {
@@ -118,6 +149,11 @@ impl Routable for Route {
                 method: http::Method::DELETE,
                 full_path,
             },
+            Route::PostPrivilege => crate::RouteProperties {
+                access_level: AccessLevel::Admin,
+                method: http::Method::POST,
+                full_path,
+            },
         }
     }
 }

auction-server/migrations/20250512094618_privilege.down.sql

@@ -0,0 +1,3 @@
+DROP TRIGGER IF EXISTS update_updated_at ON privilege;
+DROP TABLE IF EXISTS privilege;
+DROP TYPE IF EXISTS privilege_state;

auction-server/migrations/20250512094618_privilege.up.sql

@@ -0,0 +1,16 @@
+CREATE TYPE privilege_state AS ENUM ('enabled', 'disabled');
+
+CREATE TABLE privilege
+(
+    id         UUID             PRIMARY KEY,
+    profile_id UUID             NOT NULL REFERENCES profile(id) ON DELETE CASCADE,
+    feature    VARCHAR(255)     NOT NULL,
+    state      privilege_state NOT NULL,
+    created_at TIMESTAMP        NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP        NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TRIGGER update_updated_at
+BEFORE UPDATE ON privilege
+FOR EACH ROW
+EXECUTE FUNCTION update_updated_at_column();

auction-server/src/api.rs

@@ -466,6 +466,8 @@ pub enum RestError {
     QuoteIsFinalized,
     /// Token mint is not allowed
     TokenMintNotAllowed(String, String),
+    /// Access to cancel quote feature is revoked
+    CancelQuoteAccessRevoked,
 }
 
 
@@ -603,6 +605,10 @@ impl RestError {
                 StatusCode::NOT_FOUND,
                 format!("Token mint address is not allowed for: {}, mint: {}", msg, mint)
             ),
+            RestError::CancelQuoteAccessRevoked => (
+                StatusCode::FORBIDDEN,
+                "Access to cancel quote feature is revoked".to_string(),
+            ),
         }
     }
 }
@@ -865,6 +871,7 @@ pub async fn start_api(
             ProfileRoute::DeleteProfileAccessToken,
             profile::delete_profile_access_token,
         )
+        .route(ProfileRoute::PostPrivilege, profile::post_privilege)
         .router;
 
     let routes = Router::new()

auction-server/src/api/profile.rs

@@ -13,13 +13,18 @@ use {
             Query,
             State,
         },
+        http::StatusCode,
+        response::IntoResponse,
         Json,
     },
     express_relay_api_types::profile::{
         AccessToken,
         CreateAccessToken,
+        CreatePrivilege,
         CreateProfile,
         GetProfile,
+        PrivilegeFeature,
+        PrivilegeState,
         Profile,
         ProfileRole,
     },
@@ -142,3 +147,55 @@ pub async fn delete_profile_access_token(
         _ => Ok(()),
     }
 }
+
+impl From<models::PrivilegeFeature> for PrivilegeFeature {
+    fn from(feature: models::PrivilegeFeature) -> Self {
+        match feature {
+            models::PrivilegeFeature::CancelQuote => PrivilegeFeature::CancelQuote,
+        }
+    }
+}
+
+impl From<PrivilegeFeature> for models::PrivilegeFeature {
+    fn from(feature: PrivilegeFeature) -> Self {
+        match feature {
+            PrivilegeFeature::CancelQuote => models::PrivilegeFeature::CancelQuote,
+        }
+    }
+}
+
+impl From<models::PrivilegeState> for PrivilegeState {
+    fn from(state: models::PrivilegeState) -> Self {
+        match state {
+            models::PrivilegeState::Enabled => PrivilegeState::Enabled,
+            models::PrivilegeState::Disabled => PrivilegeState::Disabled,
+        }
+    }
+}
+
+impl From<PrivilegeState> for models::PrivilegeState {
+    fn from(state: PrivilegeState) -> Self {
+        match state {
+            PrivilegeState::Enabled => models::PrivilegeState::Enabled,
+            PrivilegeState::Disabled => models::PrivilegeState::Disabled,
+        }
+    }
+}
+
+/// Create a privilege for a profile.
+///
+/// Returns empty response.
+#[utoipa::path(post, path = "/v1/profiles/privileges",
+security(
+("bearerAuth" = []),
+),request_body = CreatePrivilege, responses(
+(status = 201, description = "The privilege successfully created"),
+(status = 400, response = ErrorBodyResponse),
+),)]
+pub async fn post_privilege(
+    State(store): State<Arc<StoreNew>>,
+    Json(params): Json<CreatePrivilege>,
+) -> Result<impl IntoResponse, RestError> {
+    store.store.create_privilege(params).await?;
+    Ok(StatusCode::CREATED)
+}

auction-server/src/auction/service/cancel_bid.rs

@@ -36,6 +36,17 @@ impl Service {
             return Err(RestError::Forbidden);
         }
 
+        if !self
+            .store
+            .has_privilege(
+                input.profile.id,
+                crate::models::PrivilegeFeature::CancelQuote,
+            )
+            .await?
+        {
+            return Err(RestError::CancelQuoteAccessRevoked);
+        }
+
         match bid.status.clone() {
             entities::BidStatusSvm::AwaitingSignature { auction } => {
                 let tx_hash = bid.chain_data.transaction.signatures[0];

auction-server/src/auction/service/mod.rs

@@ -12,6 +12,7 @@ use {
             db::DB,
             entities::ChainId,
         },
+        state::Store,
     },
     mockall_double::double,
     solana_client::{
@@ -93,6 +94,7 @@ pub struct Config {
 }
 
 pub struct ServiceInner {
+    store:               Arc<Store>,
     opportunity_service: Arc<OpportunityService>,
     config:              Config,
     repo:                Arc<Repository>,
@@ -111,13 +113,15 @@ impl std::ops::Deref for Service {
 
 impl Service {
     pub fn new(
+        store: Arc<Store>,
         db: DB,
         config: Config,
         opportunity_service: Arc<OpportunityService>,
         task_tracker: TaskTracker,
         event_sender: broadcast::Sender<UpdateEvent>,
     ) -> Self {
         Self(Arc::new(ServiceInner {
+            store,
             repo: Arc::new(repository::Repository::new(db, config.chain_id.clone())),
             config,
             opportunity_service,
@@ -254,11 +258,13 @@ pub mod tests {
             ServiceInner,
         },
         crate::{
+            api::ws,
             auction::repository::{
                 Database,
                 Repository,
             },
             kernel::{
+                db::DB,
                 entities::ChainId,
                 traced_sender_svm::{
                     tests::MockRpcClient,
@@ -270,14 +276,21 @@ pub mod tests {
                 get_submit_bid_instruction_account_positions,
                 get_swap_instruction_account_positions,
             },
+            state::Store,
         },
         solana_client::{
             nonblocking::rpc_client::RpcClient,
             rpc_client::RpcClientConfig,
         },
         solana_sdk::signature::Keypair,
-        std::sync::Arc,
-        tokio::sync::broadcast,
+        std::{
+            collections::HashMap,
+            sync::Arc,
+        },
+        tokio::sync::{
+            broadcast,
+            RwLock,
+        },
         tokio_util::task::TaskTracker,
     };
 
@@ -289,9 +302,18 @@ pub mod tests {
             rpc_client: MockRpcClient,
             broadcaster_client: MockRpcClient,
         ) -> Self {
+            let store = Arc::new(Store {
+                db:            DB::connect_lazy("https://test").unwrap(),
+                chains_svm:    HashMap::new(),
+                ws:            ws::WsState::new("X-Forwarded-For".to_string(), 100),
+                secret_key:    "test".to_string(),
+                access_tokens: RwLock::new(HashMap::new()),
+                privileges:    RwLock::new(HashMap::new()),
+            });
             Service(Arc::new(ServiceInner {
+                store,
                 opportunity_service: Arc::new(opportunity_service),
-                config:              Config {
+                config: Config {
                     chain_id:     chain_id.clone(),
                     chain_config: ConfigSvm {
                         client:                        RpcClient::new_sender(
@@ -322,9 +344,9 @@ pub mod tests {
                         prioritization_fee_percentile: None,
                     },
                 },
-                repo:                Arc::new(Repository::new(db, chain_id.clone())),
-                task_tracker:        TaskTracker::new(),
-                event_sender:        broadcast::channel(1).0,
+                repo: Arc::new(Repository::new(db, chain_id.clone())),
+                task_tracker: TaskTracker::new(),
+                event_sender: broadcast::channel(1).0,
             }))
         }
     }

auction-server/src/models.rs

@@ -62,3 +62,50 @@ pub enum ChainType {
     Evm,
     Svm,
 }
+
+pub type PrivilegeId = Uuid;
+
+#[derive(Clone, Debug, PartialEq, PartialOrd, Hash, Eq, sqlx::Type)]
+#[sqlx(rename_all = "snake_case")]
+pub enum PrivilegeFeature {
+    CancelQuote,
+}
+
+impl TryFrom<String> for PrivilegeFeature {
+    type Error = sqlx::error::BoxDynError;
+
+    fn try_from(value: String) -> Result<Self, Self::Error> {
+        match value.as_str() {
+            "cancel_quote" => Ok(PrivilegeFeature::CancelQuote),
+            _ => Err(sqlx::error::BoxDynError::from("Invalid privilege feature")),
+        }
+    }
+}
+
+impl PrivilegeFeature {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            PrivilegeFeature::CancelQuote => "cancel_quote",
+        }
+    }
+}
+
+#[derive(Clone, Debug, sqlx::Type, PartialEq, PartialOrd)]
+#[sqlx(type_name = "privilege_state", rename_all = "snake_case")]
+pub enum PrivilegeState {
+    Enabled,
+    Disabled,
+}
+
+#[derive(Clone, FromRow, Debug, PartialEq)]
+pub struct Privilege {
+    pub id: PrivilegeId,
+
+    #[sqlx(try_from = "String")]
+    pub feature:    PrivilegeFeature,
+    pub profile_id: ProfileId,
+    pub state:      PrivilegeState,
+
+    pub created_at: PrimitiveDateTime,
+    pub updated_at: PrimitiveDateTime,
+}

auction-server/src/opportunity/service/mod.rs

@@ -238,6 +238,7 @@ pub mod tests {
                 ws:            ws::WsState::new("X-Forwarded-For".to_string(), 100),
                 secret_key:    "test".to_string(),
                 access_tokens: RwLock::new(HashMap::new()),
+                privileges:    RwLock::new(HashMap::new()),
             });
 
             let ws_receiver = store.ws.broadcast_receiver.resubscribe();