flotte-user-management/src/database/roles.rs

//  flotte-user-management server for managing users, roles and permissions
//  Copyright (C) 2020 trivernis
//  See LICENSE for more information

use crate::database::models::Role;
use crate::database::role_permissions::RolePermissions;
use crate::database::{
    DatabaseResult, PostgresPool, Table, ADMIN_ROLE_NAME, DEFAULT_ADMIN_EMAIL, ENV_ADMIN_EMAIL,
};
use crate::utils::error::DBError;
use std::collections::HashSet;
use std::iter::FromIterator;

/// The role table that stores
/// all defined roles
#[derive(Clone)]
pub struct Roles {
    pool: PostgresPool,
    role_permission: RolePermissions,
}

impl Table for Roles {
    fn new(pool: PostgresPool) -> Self {
        Self {
            role_permission: RolePermissions::new(PostgresPool::clone(&pool)),
            pool,
        }
    }

    fn init(&self) -> DatabaseResult<()> {
        self.pool.get()?.batch_execute(
            "
            CREATE TABLE IF NOT EXISTS roles (
            id              SERIAL PRIMARY KEY,
            name            VARCHAR(128) UNIQUE NOT NULL,
            description     VARCHAR(512)
        );",
        )?;

        Ok(())
    }
}

impl Roles {
    /// Creates a new role with the given permissions
    /// that are then automatically assigned to the role
    ///
    /// The role is automatically assigned to the default admin user
    pub fn create_role(
        &self,
        name: String,
        description: Option<String>,
        permissions: Vec<i32>,
    ) -> DatabaseResult<Role> {
        let permissions: HashSet<i32> = HashSet::from_iter(permissions.into_iter());
        let mut connection = self.pool.get()?;
        let exists = connection.query_opt("SELECT id FROM roles WHERE name = $1", &[&name])?;

        if exists.is_some() {
            return Err(DBError::RecordExists);
        }

        log::trace!("Preparing transaction");
        let admin_email = dotenv::var(ENV_ADMIN_EMAIL).unwrap_or(DEFAULT_ADMIN_EMAIL.to_string());
        let mut transaction = connection.transaction()?;

        let row = transaction.query_one(
            "INSERT INTO roles (name, description) VALUES ($1, $2) RETURNING *",
            &[&name, &description],
        )?;
        let role: Role = serde_postgres::from_row(&row)?;
        for permission in permissions {
            transaction.execute(
                "INSERT INTO role_permissions (role_id, permission_id) VALUES ($1, $2);",
                &[&role.id, &permission],
            )?;
        }
        if let Err(e) = transaction.execute(
            "INSERT INTO user_roles (user_id, role_id) VALUES ((SELECT id FROM users WHERE email = $1), $2)",
            &[&admin_email, &role.id],
        ) {
            log::debug!("Failed to add role to admin user: {}", e);
        }

        transaction.commit()?;

        Ok(role)
    }

    /// Returns information for a role
    pub fn get_role(&self, name: String) -> DatabaseResult<Role> {
        let mut connection = self.pool.get()?;
        let result = connection.query_opt("SELECT * FROM roles WHERE roles.name = $1", &[&name])?;

        if let Some(row) = result {
            Ok(serde_postgres::from_row::<Role>(&row)?)
        } else {
            Err(DBError::RecordDoesNotExist)
        }
    }

    /// Returns a list of all roles
    pub fn get_roles(&self) -> DatabaseResult<Vec<Role>> {
        let mut connection = self.pool.get()?;
        let results = connection.query("SELECT * FROM roles", &[])?;
        let mut roles = Vec::new();

        for row in results {
            roles.push(serde_postgres::from_row::<Role>(&row)?);
        }

        Ok(roles)
    }

    pub fn update_role(
        &self,
        old_name: String,
        name: String,
        description: Option<String>,
        permissions: Vec<i32>,
    ) -> DatabaseResult<Role> {
        if old_name == ADMIN_ROLE_NAME {
            return Err(DBError::GenericError(
                "The admin role can't be altered!".to_string(),
            ));
        }
        let permissions = HashSet::from_iter(permissions.into_iter());
        let mut connection = self.pool.get()?;
        let mut transaction = connection.transaction()?;

        let id: i32 = transaction
            .query_opt("SELECT id FROM roles WHERE name = $1", &[&old_name])?
            .ok_or(DBError::RecordDoesNotExist)?
            .get(0);
        let name_exists =
            transaction.query_opt("SELECT id FROM roles WHERE name = $1", &[&name])?;
        if name_exists.is_some() {
            return Err(DBError::GenericError(format!(
                "A role with the name {} already exists!",
                name
            )));
        }
        let update_result = transaction.query_one(
            "UPDATE roles SET name = $3, description = $2 WHERE id = $1 RETURNING *",
            &[&id, &description, &name],
        )?;
        let current_permissions = transaction
            .query(
                "SELECT permission_id from role_permissions WHERE role_id = $1",
                &[&id],
            )?
            .into_iter()
            .map(|r| -> i32 { r.get(0) })
            .collect::<HashSet<i32>>();
        let new_permissions = permissions.difference(&current_permissions);
        let deleted_permissions = current_permissions.difference(&permissions);

        for new in new_permissions {
            transaction.query(
                "INSERT INTO role_permissions (role_id, permission_id) VALUES ($1, $2)",
                &[&id, new],
            )?;
        }
        for deleted in deleted_permissions {
            transaction.query(
                "DELETE FROM role_permissions WHERE role_id = $1 AND permission_id = $2",
                &[&id, deleted],
            )?;
        }
        transaction.commit()?;

        Ok(serde_postgres::from_row::<Role>(&update_result)?)
    }

    /// Deletes a role if it exists
    pub fn delete_role(&self, name: &String) -> DatabaseResult<()> {
        if name == ADMIN_ROLE_NAME {
            return Err(DBError::GenericError(
                "The admin role can't be altered!".to_string(),
            ));
        }
        let mut connection = self.pool.get()?;
        let result = connection.query_opt("SELECT id FROM roles WHERE name = $1", &[name])?;

        if result.is_none() {
            Err(DBError::RecordDoesNotExist)
        } else {
            connection.query("DELETE FROM roles WHERE name = $1", &[name])?;

            Ok(())
        }
    }
}
Add copyright comments Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`// flotte-user-management server for managing users, roles and permissions`
			`// Copyright (C) 2020 trivernis`
			`// See LICENSE for more information`

Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`use crate::database::models::Role;`
Add data models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`use crate::database::role_permissions::RolePermissions;`
Add role delete and change update Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`use crate::database::{`
			`DatabaseResult, PostgresPool, Table, ADMIN_ROLE_NAME, DEFAULT_ADMIN_EMAIL, ENV_ADMIN_EMAIL,`
			`};`
Add getRoles method and return ttl for tokens Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`use crate::utils::error::DBError;`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`use std::collections::HashSet;`
			`use std::iter::FromIterator;`
Add data models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago
Add some comments and fix some style issues Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`/// The role table that stores`
			`/// all defined roles`
Add data models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`#[derive(Clone)]`
			`pub struct Roles {`
Switch to pooled postgres client Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`pool: PostgresPool,`
Add data models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`role_permission: RolePermissions,`
			`}`

Add function to create a user Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`impl Table for Roles {`
Switch to pooled postgres client Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`fn new(pool: PostgresPool) -> Self {`
Add data models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`Self {`
Switch to pooled postgres client Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`role_permission: RolePermissions::new(PostgresPool::clone(&pool)),`
			`pool,`
Add data models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`}`
			`}`

Add redis connection to all models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`fn init(&self) -> DatabaseResult<()> {`
Change admin role and user handling Change the handling of the default admin role and the default admin user to be assigned roles based on their names instead of their id. Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`self.pool.get()?.batch_execute(`
			`"`
Add data models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`CREATE TABLE IF NOT EXISTS roles (`
			`id SERIAL PRIMARY KEY,`
			`name VARCHAR(128) UNIQUE NOT NULL,`
			`description VARCHAR(512)`
			`);",`
Change admin role and user handling Change the handling of the default admin role and the default admin user to be assigned roles based on their names instead of their id. Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`)?;`

			`Ok(())`
Add data models Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`}`
			`}`
Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago
			`impl Roles {`
Add some comments and fix some style issues Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`/// Creates a new role with the given permissions`
			`/// that are then automatically assigned to the role`
			`///`
			`/// The role is automatically assigned to the default admin user`
Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`pub fn create_role(`
			`&self,`
			`name: String,`
			`description: Option<String>,`
			`permissions: Vec<i32>,`
			`) -> DatabaseResult<Role> {`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let permissions: HashSet<i32> = HashSet::from_iter(permissions.into_iter());`
Switch to pooled postgres client Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let mut connection = self.pool.get()?;`
Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let exists = connection.query_opt("SELECT id FROM roles WHERE name = $1", &[&name])?;`

			`if exists.is_some() {`
			`return Err(DBError::RecordExists);`
			`}`
Add roles/create REST method Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago
Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`log::trace!("Preparing transaction");`
Change admin role and user handling Change the handling of the default admin role and the default admin user to be assigned roles based on their names instead of their id. Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let admin_email = dotenv::var(ENV_ADMIN_EMAIL).unwrap_or(DEFAULT_ADMIN_EMAIL.to_string());`
Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let mut transaction = connection.transaction()?;`
Change admin role and user handling Change the handling of the default admin role and the default admin user to be assigned roles based on their names instead of their id. Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let row = transaction.query_one(`
			`"INSERT INTO roles (name, description) VALUES ($1, $2) RETURNING *",`
			`&[&name, &description],`
			`)?;`
			`let role: Role = serde_postgres::from_row(&row)?;`
			`for permission in permissions {`
			`transaction.execute(`
			`"INSERT INTO role_permissions (role_id, permission_id) VALUES ($1, $2);",`
			`&[&role.id, &permission],`
Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`)?;`
Change permission creation to return permissions even if they exist Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`}`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`if let Err(e) = transaction.execute(`
			`"INSERT INTO user_roles (user_id, role_id) VALUES ((SELECT id FROM users WHERE email = $1), $2)",`
			`&[&admin_email, &role.id],`
			`) {`
			`log::debug!("Failed to add role to admin user: {}", e);`
			`}`

			`transaction.commit()?;`

			`Ok(role)`
Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`}`
Add path to get information about a role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago
			`/// Returns information for a role`
			`pub fn get_role(&self, name: String) -> DatabaseResult<Role> {`
			`let mut connection = self.pool.get()?;`
			`let result = connection.query_opt("SELECT * FROM roles WHERE roles.name = $1", &[&name])?;`

			`if let Some(row) = result {`
			`Ok(serde_postgres::from_row::<Role>(&row)?)`
			`} else {`
			`Err(DBError::RecordDoesNotExist)`
			`}`
			`}`
Add path to view all roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago
			`/// Returns a list of all roles`
			`pub fn get_roles(&self) -> DatabaseResult<Vec<Role>> {`
			`let mut connection = self.pool.get()?;`
			`let results = connection.query("SELECT * FROM roles", &[])?;`
			`let mut roles = Vec::new();`

			`for row in results {`
			`roles.push(serde_postgres::from_row::<Role>(&row)?);`
			`}`

			`Ok(roles)`
			`}`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago
			`pub fn update_role(`
			`&self,`
Add role delete and change update Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`old_name: String,`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`name: String,`
			`description: Option<String>,`
			`permissions: Vec<i32>,`
			`) -> DatabaseResult<Role> {`
Add role delete and change update Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`if old_name == ADMIN_ROLE_NAME {`
			`return Err(DBError::GenericError(`
			`"The admin role can't be altered!".to_string(),`
			`));`
			`}`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let permissions = HashSet::from_iter(permissions.into_iter());`
			`let mut connection = self.pool.get()?;`
			`let mut transaction = connection.transaction()?;`

			`let id: i32 = transaction`
Add role delete and change update Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`.query_opt("SELECT id FROM roles WHERE name = $1", &[&old_name])?`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`.ok_or(DBError::RecordDoesNotExist)?`
			`.get(0);`
Add role delete and change update Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let name_exists =`
			`transaction.query_opt("SELECT id FROM roles WHERE name = $1", &[&name])?;`
			`if name_exists.is_some() {`
			`return Err(DBError::GenericError(format!(`
			`"A role with the name {} already exists!",`
			`name`
			`)));`
			`}`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`let update_result = transaction.query_one(`
Add role delete and change update Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`"UPDATE roles SET name = $3, description = $2 WHERE id = $1 RETURNING *",`
			`&[&id, &description, &name],`
Add path roles/update to update a specific role Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`)?;`
			`let current_permissions = transaction`
			`.query(`
			`"SELECT permission_id from role_permissions WHERE role_id = $1",`
			`&[&id],`
			`)?`
			`.into_iter()`
			`.map(\|r\| -> i32 { r.get(0) })`
			`.collect::<HashSet<i32>>();`
			`let new_permissions = permissions.difference(&current_permissions);`
			`let deleted_permissions = current_permissions.difference(&permissions);`

			`for new in new_permissions {`
			`transaction.query(`
			`"INSERT INTO role_permissions (role_id, permission_id) VALUES ($1, $2)",`
			`&[&id, new],`
			`)?;`
			`}`
			`for deleted in deleted_permissions {`
			`transaction.query(`
			`"DELETE FROM role_permissions WHERE role_id = $1 AND permission_id = $2",`
			`&[&id, deleted],`
			`)?;`
			`}`
			`transaction.commit()?;`

			`Ok(serde_postgres::from_row::<Role>(&update_result)?)`
			`}`
Add role delete and change update Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago
			`/// Deletes a role if it exists`
			`pub fn delete_role(&self, name: &String) -> DatabaseResult<()> {`
			`if name == ADMIN_ROLE_NAME {`
			`return Err(DBError::GenericError(`
			`"The admin role can't be altered!".to_string(),`
			`));`
			`}`
			`let mut connection = self.pool.get()?;`
			`let result = connection.query_opt("SELECT id FROM roles WHERE name = $1", &[name])?;`

			`if result.is_none() {`
			`Err(DBError::RecordDoesNotExist)`
			`} else {`
			`connection.query("DELETE FROM roles WHERE name = $1", &[name])?;`

			`Ok(())`
			`}`
			`}`
Add method to create roles Signed-off-by: trivernis <trivernis@protonmail.com> 4 years ago			`}`