1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
use itertools::Itertools;
use serde::{Deserialize, Serialize};

use crate::{
    admin::{group, role},
    connection::{
        AsyncStorageConnection, Connection, IdentityReference, SensitiveString, StorageConnection,
    },
    define_basic_unique_mapped_view,
    document::{CollectionDocument, Emit, KeyId},
    permissions::Permissions,
    schema::{Collection, Nameable, NamedCollection, SerializedCollection},
};

/// A user that can authenticate with BonsaiDb.
#[derive(Clone, Debug, Serialize, Deserialize, Default, Collection)]
#[collection(name = "user", authority = "khonsulabs", views = [ByName])]
#[collection(encryption_key = Some(KeyId::Master), encryption_optional, core = crate)]
pub struct User {
    /// The name of the role. Must be unique.
    pub username: String,
    /// The IDs of the user groups this user belongs to.
    pub groups: Vec<u64>,
    /// The IDs of the roles this user has been assigned.
    pub roles: Vec<u64>,

    /// The user's stored password hash.
    ///
    /// This field is not feature gated to prevent losing stored passwords if
    /// the `password-hashing` feature is disabled and then re-enabled and user
    /// records are updated in the meantime.
    #[serde(default)]
    pub argon_hash: Option<SensitiveString>,
}

impl User {
    pub fn assume_identity<'name, Storage: StorageConnection>(
        name_or_id: impl Nameable<'name, u64>,
        storage: &Storage,
    ) -> Result<Storage::Authenticated, crate::Error> {
        storage.assume_identity(IdentityReference::User(name_or_id.name()?))
    }

    pub async fn assume_identity_async<'name, Storage: AsyncStorageConnection>(
        name_or_id: impl Nameable<'name, u64> + Send,
        storage: &Storage,
    ) -> Result<Storage::Authenticated, crate::Error> {
        storage
            .assume_identity(IdentityReference::User(name_or_id.name()?))
            .await
    }

    /// Returns a default user with the given username.
    pub fn default_with_username(username: impl Into<String>) -> Self {
        Self {
            username: username.into(),
            ..Self::default()
        }
    }

    /// Calculates the effective permissions based on the groups and roles this
    /// user is assigned.
    pub fn effective_permissions<C: Connection>(
        &self,
        admin: &C,
        inherit_permissions: &Permissions,
    ) -> Result<Permissions, crate::Error> {
        // List all of the groups that this user belongs to because of role associations.
        let role_groups = if self.roles.is_empty() {
            Vec::default()
        } else {
            let roles = role::Role::get_multiple(self.groups.iter(), admin)?;
            roles
                .into_iter()
                .flat_map(|doc| doc.contents.groups)
                .unique()
                .collect::<Vec<_>>()
        };
        // Retrieve all of the groups.
        let groups = if role_groups.is_empty() {
            group::PermissionGroup::get_multiple(self.groups.iter(), admin)?
        } else {
            let mut all_groups = role_groups;
            all_groups.extend(self.groups.iter().copied());
            all_groups.dedup();
            group::PermissionGroup::get_multiple(all_groups, admin)?
        };

        // Combine the permissions from all the groups into one.
        let merged_permissions = Permissions::merged(
            groups
                .into_iter()
                .map(|group| Permissions::from(group.contents.statements))
                .collect::<Vec<_>>()
                .iter()
                .chain(std::iter::once(inherit_permissions)),
        );

        Ok(merged_permissions)
    }
}

impl NamedCollection for User {
    type ByNameView = ByName;
}

define_basic_unique_mapped_view!(
    ByName,
    User,
    1,
    "by-name",
    String,
    |document: CollectionDocument<User>| { document.header.emit_key(document.contents.username) }
);