diff --git a/migrations/2021-03-26-164945_create_users/down.sql b/migrations/2021-03-26-164945_create_users/down.sql index aa0235f..32dbc6c 100644 --- a/migrations/2021-03-26-164945_create_users/down.sql +++ b/migrations/2021-03-26-164945_create_users/down.sql @@ -1,4 +1,5 @@ -- This file should undo anything in `up.sql` DROP TABLE localuser; DROP TABLE user; +DROP TABLE zone; DROP TABLE user_zone; diff --git a/migrations/2021-03-26-164945_create_users/up.sql b/migrations/2021-03-26-164945_create_users/up.sql index 152e834..de90533 100644 --- a/migrations/2021-03-26-164945_create_users/up.sql +++ b/migrations/2021-03-26-164945_create_users/up.sql @@ -1,19 +1,25 @@ -- Your SQL goes here CREATE TABLE localuser ( - user_id VARCHAR NOT NULL PRIMARY KEY, - username VARCHAR NOT NULL UNIQUE, - password VARCHAR NOT NULL, + `user_id` VARCHAR NOT NULL PRIMARY KEY, + `username` VARCHAR NOT NULL UNIQUE, + `password` VARCHAR NOT NULL, + `role` TEXT CHECK(role IN ('admin', 'zoneadmin')) NOT NULL, -- note: migrate to postgres so enum are actually a thing FOREIGN KEY(user_id) REFERENCES user(id) ); CREATE TABLE user ( - id VARCHAR NOT NULL PRIMARY KEY, - role TEXT CHECK(role IN ('admin', 'zoneadmin')) NOT NULL -- note: migrate to postgres so enum are actually a thing + `id` VARCHAR NOT NULL PRIMARY KEY ); CREATE TABLE user_zone ( - user_id VARCHAR NOT NULL, - zone VARCHAR NOT NULL, - PRIMARY KEY(user_id, zone), - FOREIGN KEY(user_id) REFERENCES user(id) -) + `user_id` VARCHAR NOT NULL, + `zone_id` VARCHAR NOT NULL, + PRIMARY KEY(user_id, zone_id), + FOREIGN KEY(user_id) REFERENCES user(id), + FOREIGN KEY(zone_id) REFERENCES zone(id) +); + +CREATE TABLE zone ( + `id` VARCHAR NOT NULL PRIMARY KEY, + `name` VARCHAR NOT NULL UNIQUE +); diff --git a/src/main.rs b/src/main.rs index efd3513..c9cc829 100644 --- a/src/main.rs +++ b/src/main.rs @@ -24,5 +24,10 @@ async fn rocket() -> rocket::Rocket { rocket::ignite() .manage(app_config) .attach(DbConn::fairing()) - .mount("/api/v1", routes![get_zone_records, create_auth_token, create_user]) + .mount("/api/v1", routes![ + get_zone_records, + create_user_zone, + create_auth_token, + create_user + ]) } diff --git a/src/models/dns.rs b/src/models/dns.rs index 9e632c7..2bb22b9 100644 --- a/src/models/dns.rs +++ b/src/models/dns.rs @@ -5,7 +5,7 @@ use std::ops::{Deref, DerefMut}; use rocket::{Request, State, http::Status, request::{FromParam, FromRequest, Outcome}}; -use serde::{Serialize, Deserialize}; +use serde::{Deserialize, Deserializer, Serialize}; use tokio::{net::TcpStream as TokioTcpStream, task}; @@ -16,7 +16,6 @@ use trust_dns_proto::iocompat::AsyncIoTokioAsStd; use super::trust_dns_types::{self, Name}; use crate::config::Config; -use crate::models::errors::make_500; #[derive(Deserialize, Serialize)] @@ -251,13 +250,14 @@ impl From for Record { } } +#[derive(Debug)] pub struct AbsoluteName(Name); impl<'r> FromParam<'r> for AbsoluteName { type Error = ProtoError; fn from_param(param: &'r str) -> Result { - let mut name = Name::from_utf8(¶m).unwrap(); + let mut name = Name::from_utf8(¶m)?; if !name.is_fqdn() { name.set_fqdn(true); } @@ -265,6 +265,21 @@ impl<'r> FromParam<'r> for AbsoluteName { } } +impl<'de> Deserialize<'de> for AbsoluteName { + fn deserialize(deserializer: D) -> Result + where + D: Deserializer<'de> + { + use serde::de::Error; + + String::deserialize(deserializer) + .and_then(|string| + AbsoluteName::from_param(&string) + .map_err(|e| Error::custom(e.to_string())) + ) + } +} + impl Deref for AbsoluteName { type Target = Name; fn deref(&self) -> &Self::Target { @@ -272,6 +287,7 @@ impl Deref for AbsoluteName { } } + pub struct DnsClient(AsyncClient); impl Deref for DnsClient { diff --git a/src/models/errors.rs b/src/models/errors.rs index c20cf43..589d10d 100644 --- a/src/models/errors.rs +++ b/src/models/errors.rs @@ -56,12 +56,14 @@ impl<'r> Responder<'r, 'static> for ErrorResponse { impl From for ErrorResponse { fn from(e: UserError) -> Self { match e { - UserError::NotFound => ErrorResponse::new(Status::Unauthorized, "Provided credentials or token do not match any existing user".into()), - UserError::UserExists => ErrorResponse::new(Status::Conflict, "User already exists".into()), + UserError::BadCreds => ErrorResponse::new(Status::Unauthorized, "Provided credentials or token do not match any existing user".into()), + UserError::UserConflict => ErrorResponse::new(Status::Conflict, "This user already exists".into()), + UserError::NotFound => ErrorResponse::new(Status::NotFound, "User does not exist".into()), UserError::BadToken => ErrorResponse::new(Status::BadRequest, "Malformed token".into()), UserError::ExpiredToken => ErrorResponse::new(Status::Unauthorized, "The provided token has expired".into()), UserError::MalformedHeader => ErrorResponse::new(Status::BadRequest, "Malformed authorization header".into()), UserError::PermissionDenied => ErrorResponse::new(Status::Forbidden, "Bearer is not authorized to access the resource".into()), + UserError::ZoneNotFound => ErrorResponse::new(Status::NotFound, "DNS zone does not exist".into()), UserError::DbError(e) => make_500(e), UserError::PasswordError(e) => make_500(e) } diff --git a/src/models/users.rs b/src/models/users.rs index 21e4c7f..71def04 100644 --- a/src/models/users.rs +++ b/src/models/users.rs @@ -21,6 +21,7 @@ use crate::schema::*; use crate::DbConn; use crate::config::Config; use crate::models::errors::{ErrorResponse, make_500}; +use crate::models::dns::AbsoluteName; const BEARER: &str = "Bearer "; @@ -42,7 +43,6 @@ pub enum Role { #[table_name = "user"] pub struct User { pub id: String, - pub role: Role, } #[derive(Debug, Queryable, Identifiable, Insertable)] @@ -52,6 +52,22 @@ pub struct LocalUser { pub user_id: String, pub username: String, pub password: String, + pub role: Role, +} + +#[derive(Debug, Queryable, Identifiable, Insertable)] +#[table_name = "user_zone"] +#[primary_key(user_id, zone_id)] +pub struct UserZone { + pub user_id: String, + pub zone_id: String, +} + +#[derive(Debug, Queryable, Identifiable, Insertable)] +#[table_name = "zone"] +pub struct Zone { + pub id: String, + pub name: String, } #[derive(Debug, Deserialize)] @@ -62,6 +78,11 @@ pub struct CreateUserRequest { pub role: Option } +#[derive(Debug, Deserialize)] +pub struct CreateUserZoneRequest { + pub zone: AbsoluteName, +} + // pub struct LdapUserAssociation { // user_id: Uuid, // ldap_id: String @@ -95,6 +116,68 @@ pub struct UserInfo { pub username: String, } +impl UserInfo { + pub fn is_admin(&self) -> bool { + matches!(self.role, Role::Admin) + } + + pub fn check_admin(&self) -> Result<(), UserError> { + if self.is_admin() { + Ok(()) + } else { + Err(UserError::PermissionDenied) + } + } + + pub fn get_zone(&self, conn: &diesel::SqliteConnection, zone_name: &str) -> Result { + use crate::schema::user_zone::dsl::*; + use crate::schema::zone::dsl::*; + + let (res_zone, _): (Zone, UserZone) = zone.inner_join(user_zone) + .filter(name.eq(zone_name)) + .filter(user_id.eq(&self.id)) + .get_result(conn) + .map_err(|e| match e { + DieselError::NotFound => UserError::ZoneNotFound, + other => UserError::DbError(other) + })?; + + Ok(res_zone) + } + + pub fn add_zone(&self, conn: &diesel::SqliteConnection, request: CreateUserZoneRequest) -> Result { + use crate::schema::user_zone::dsl::*; + use crate::schema::zone::dsl::*; + + let zone_name = request.zone.to_utf8(); + let current_zone: Zone = zone.filter(name.eq(zone_name)) + .get_result(conn) + .map_err(|e| match e { + DieselError::NotFound => UserError::ZoneNotFound, + other => UserError::DbError(other) + })?; + + let new_user_zone = UserZone { + zone_id: current_zone.id.clone(), + user_id: self.id.clone() + }; + + let res = diesel::insert_into(user_zone) + .values(new_user_zone) + .execute(conn); + + match res { + // If user has already access to the zone, safely ignore the conflit + // TODO: use 'on conflict do nothing' in postgres when we get there + Err(DieselError::DatabaseError(diesel::result::DatabaseErrorKind::UniqueViolation, _)) => (), + Err(e) => return Err(e.into()), + Ok(_) => () + }; + + Ok(current_zone) + } +} + #[rocket::async_trait] impl<'r> FromRequest<'r> for UserInfo { type Error = ErrorResponse; @@ -140,8 +223,10 @@ impl<'r> FromRequest<'r> for UserInfo { #[derive(Debug)] pub enum UserError { + ZoneNotFound, NotFound, - UserExists, + UserConflict, + BadCreds, BadToken, ExpiredToken, MalformedHeader, @@ -150,22 +235,18 @@ pub enum UserError { PasswordError(HasherError), } -impl From for UserError { - fn from(e: DieselError) -> Self { - match e { - DieselError::NotFound => UserError::NotFound, - DieselError::DatabaseError(diesel::result::DatabaseErrorKind::UniqueViolation, _) => UserError::UserExists, - other => UserError::DbError(other) - } - } -} - impl From for UserError { fn from(e: HasherError) -> Self { UserError::PasswordError(e) } } +impl From for UserError { + fn from(e: DieselError) -> Self { + UserError::DbError(e) + } +} + impl LocalUser { pub fn create_user(conn: &diesel::SqliteConnection, user_request: CreateUserRequest) -> Result { use crate::schema::localuser::dsl::*; @@ -175,19 +256,19 @@ impl LocalUser { let new_user = User { id: new_user_id.clone(), - // TODO: Use role from request - role: Role::ZoneAdmin, }; let new_localuser = LocalUser { user_id: new_user_id, username: user_request.username.clone(), password: make_password_with_algorithm(&user_request.password, Algorithm::Argon2), + // TODO: Use role from request + role: Role::ZoneAdmin, }; let res = UserInfo { id: new_user.id.clone(), - role: new_user.role.clone(), + role: new_localuser.role.clone(), username: new_localuser.username.clone(), }; @@ -201,6 +282,9 @@ impl LocalUser { .execute(conn)?; Ok(()) + }).map_err(|e| match e { + DieselError::DatabaseError(diesel::result::DatabaseErrorKind::UniqueViolation, _) => UserError::UserConflict, + other => UserError::DbError(other) })?; Ok(res) @@ -217,15 +301,19 @@ impl LocalUser { let (client_user, client_localuser): (User, LocalUser) = user.inner_join(localuser) .filter(username.eq(request_username)) - .get_result(conn)?; + .get_result(conn) + .map_err(|e| match e { + DieselError::NotFound => UserError::BadCreds, + other => UserError::DbError(other) + })?; if !check_password(&request_password, &client_localuser.password)? { - return Err(UserError::NotFound); + return Err(UserError::BadCreds); } Ok(UserInfo { id: client_user.id, - role: client_user.role, + role: client_localuser.role, username: client_localuser.username, }) } @@ -236,11 +324,15 @@ impl LocalUser { let (client_user, client_localuser): (User, LocalUser) = user.inner_join(localuser) .filter(id.eq(request_user_id)) - .get_result(conn)?; + .get_result(conn) + .map_err(|e| match e { + DieselError::NotFound => UserError::NotFound, + other => UserError::DbError(other) + })?; Ok(UserInfo { id: client_user.id, - role: client_user.role, + role: client_localuser.role, username: client_localuser.username, }) } diff --git a/src/routes/users.rs b/src/routes/users.rs index d4c65a3..9626531 100644 --- a/src/routes/users.rs +++ b/src/routes/users.rs @@ -5,7 +5,15 @@ use rocket::http::Status; use crate::config::Config; use crate::DbConn; use crate::models::errors::{ErrorResponse, make_500}; -use crate::models::users::{LocalUser, CreateUserRequest, AuthClaims, AuthTokenRequest, AuthTokenResponse}; +use crate::models::users::{ + UserInfo, + LocalUser, + CreateUserRequest, + CreateUserZoneRequest, + AuthClaims, + AuthTokenRequest, + AuthTokenResponse +}; #[post("/users/me/token", data = "")] @@ -27,9 +35,9 @@ pub async fn create_auth_token( } #[post("/users", data = "")] -pub async fn create_user<'r>(conn: DbConn, user_request: Json) -> Result, ErrorResponse>{ +pub async fn create_user<'r>(conn: DbConn, user_request: Json) -> Result, ErrorResponse> { // TODO: Check current user if any to check if user has permission to create users (with or without role) - let _user_info = conn.run(|c| { + conn.run(|c| { LocalUser::create_user(&c, user_request.into_inner()) }).await?; @@ -37,3 +45,22 @@ pub async fn create_user<'r>(conn: DbConn, user_request: Json .status(Status::Created) .ok() } + +#[post("/users//zones", data = "")] +pub async fn create_user_zone<'r>( + conn: DbConn, + user_info: Result, + user_id: String, + user_zone_request: Json +) -> Result, ErrorResponse>{ + user_info?.check_admin()?; + + conn.run(move |c| { + let user_info = LocalUser::get_user_by_uuid(&c, user_id)?; + user_info.add_zone(&c, user_zone_request.into_inner()) + }).await?; + + Response::build() + .status(Status::Created) + .ok() +} diff --git a/src/routes/zones.rs b/src/routes/zones.rs index 93ce3d8..c872d72 100644 --- a/src/routes/zones.rs +++ b/src/routes/zones.rs @@ -3,10 +3,10 @@ use rocket::http::Status; use rocket_contrib::json::Json; use trust_dns_client::client::ClientHandle; -use trust_dns_client::op::{DnsResponse, ResponseCode}; +use trust_dns_client::op::ResponseCode; use trust_dns_client::rr::{DNSClass, RecordType}; -use crate::models::dns; +use crate::{DbConn, models::dns}; use crate::models::errors::{ErrorResponse, make_500}; use crate::models::users::UserInfo; @@ -14,13 +14,22 @@ use crate::models::users::UserInfo; #[get("/zones//records")] pub async fn get_zone_records( mut client: dns::DnsClient, + conn: DbConn, user_info: Result, zone: dns::AbsoluteName ) -> Result>, ErrorResponse> { - println!("{:#?}", user_info?); - let response: DnsResponse = { - let query = client.query((*zone).clone(), DNSClass::IN, RecordType::AXFR); + let user_info = user_info?; + + if !user_info.is_admin() { + let zone_name = zone.clone().to_string(); + conn.run(move |c| { + dbg!(user_info.get_zone(c, &zone_name)) + }).await?; + } + + let response = { + let query = client.query(zone.clone(), DNSClass::IN, RecordType::AXFR); query.await.map_err(make_500)? }; diff --git a/src/schema.rs b/src/schema.rs index 2e8d5ac..775c738 100644 --- a/src/schema.rs +++ b/src/schema.rs @@ -1,19 +1,11 @@ table! { use diesel::sql_types::*; + use crate::models::users::*; localuser (user_id) { user_id -> Text, username -> Text, password -> Text, - } -} - -table! { - use diesel::sql_types::*; - use crate::models::users::*; - - user (id) { - id -> Text, role -> RoleMapping, } } @@ -21,17 +13,36 @@ table! { table! { use diesel::sql_types::*; - user_zone (user_id, zone) { + user (id) { + id -> Text, + } +} + +table! { + use diesel::sql_types::*; + + user_zone (user_id, zone_id) { user_id -> Text, - zone -> Text, + zone_id -> Text, + } +} + +table! { + use diesel::sql_types::*; + + zone (id) { + id -> Text, + name -> Text, } } joinable!(localuser -> user (user_id)); joinable!(user_zone -> user (user_id)); +joinable!(user_zone -> zone (zone_id)); allow_tables_to_appear_in_same_query!( localuser, user, user_zone, + zone, );