editoast: add CLI to interact with roles

Signed-off-by: Leo Valais <[email protected]>

Author: leovalais

editoast/Cargo.lock

@@ -80,8 +80,7 @@ utoipa = { version = "4.2.3", features = ["chrono", "uuid"] }
 uuid = { version = "1.10.0", features = ["serde", "v4"] }
 
 [dependencies]
-# For batch dependency updates, see editoast/README.md
-
+anyhow = "1.0"
 async-trait = "0.1.82"
 axum = { version = "0.7.7", default-features = false, features = [
   "multipart",

editoast/Cargo.toml

@@ -1,13 +1,27 @@
 use serde::Deserialize;
 use serde::Serialize;
 use strum::AsRefStr;
+use strum::Display;
+use strum::EnumIter;
 use strum::EnumString;
 use utoipa::ToSchema;
 
 use crate::roles::BuiltinRoleSet;
 
 #[derive(
-    Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize, EnumString, AsRefStr, ToSchema,
+    Debug,
+    Clone,
+    Copy,
+    PartialEq,
+    Eq,
+    Hash,
+    Serialize,
+    Deserialize,
+    EnumString,
+    AsRefStr,
+    EnumIter,
+    Display,
+    ToSchema,
 )]
 pub enum BuiltinRole {
     /// A user with this role short-circuits all role and permission checks

editoast/editoast_authz/src/builtin_role.rs

@@ -1,5 +1,6 @@
 mod postgres_config;
 mod redis_config;
+pub mod roles;
 pub mod stdcm_search_env_commands;
 mod telemetry_config;
 
@@ -14,6 +15,7 @@ use derivative::Derivative;
 use editoast_derive::EditoastError;
 pub use postgres_config::PostgresConfig;
 pub use redis_config::RedisConfig;
+use roles::RolesCommand;
 use stdcm_search_env_commands::StdcmSearchEnvCommands;
 pub use telemetry_config::TelemetryConfig;
 pub use telemetry_config::TelemetryKind;
@@ -71,6 +73,8 @@ pub enum Commands {
         long_about = "STDCM search environment management commands"
     )]
     STDCMSearchEnv(StdcmSearchEnvCommands),
+    #[command(subcommand, about, long_about = "Roles related commands")]
+    Roles(RolesCommand),
 }
 
 #[derive(Subcommand, Debug)]

editoast/src/client/mod.rs

@@ -0,0 +1,159 @@
+use std::{collections::HashSet, fmt::Display};
+
+use anyhow::{anyhow, bail};
+use clap::{Args, Subcommand};
+use editoast_authz::{
+    authorizer::{StorageDriver, UserInfo},
+    roles::BuiltinRoleSet,
+    BuiltinRole,
+};
+use editoast_models::DbConnection;
+use itertools::Itertools as _;
+use strum::IntoEnumIterator;
+use tracing::info;
+
+use crate::models::auth::PgAuthDriver;
+
+#[derive(Debug, Subcommand)]
+pub enum RolesCommand {
+    /// Lists the builtin roles supported by editoast
+    ListRoles,
+    /// Lists the roles assigned to a subject
+    List(ListArgs),
+    /// Grants builtin roles to a subject
+    Add(AddArgs),
+    /// Revokes builtin roles from a subject
+    Remove(RemoveArgs),
+}
+
+#[derive(Debug, Args)]
+pub struct ListArgs {
+    /// A subject ID or user identity
+    subject: String,
+}
+
+#[derive(Debug, Args)]
+pub struct AddArgs {
+    /// A subject ID or user identity
+    subject: String,
+    /// A non-empty list of builtin roles
+    roles: Vec<String>,
+}
+
+#[derive(Debug, Args)]
+pub struct RemoveArgs {
+    /// A subject ID or user identity
+    subject: String,
+    /// A non-empty list of builtin roles
+    roles: Vec<String>,
+}
+
+pub fn list_roles() {
+    BuiltinRole::iter().for_each(|role| println!("{role}"));
+}
+
+#[derive(Debug)]
+struct Subject {
+    id: i64,
+    info: UserInfo,
+}
+
+impl Display for Subject {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let Self {
+            id,
+            info: UserInfo { identity, name },
+        } = self;
+        write!(f, "{identity}#{id} ({name})")
+    }
+}
+
+async fn parse_and_fetch_subject(
+    subject: &String,
+    driver: &PgAuthDriver<BuiltinRole>,
+) -> anyhow::Result<Subject> {
+    let id = if let Ok(id) = subject.parse::<i64>() {
+        id
+    } else {
+        let uid = driver.get_user_id(subject).await?;
+        uid.ok_or_else(|| anyhow!("No subject with identity '{subject}' found"))?
+    };
+    if let Some(info) = driver.get_user_info(id).await? {
+        let subject = Subject { id, info };
+        info!("Subject {subject}");
+        Ok(subject)
+    } else {
+        bail!("No subject found with ID {id}");
+    }
+}
+
+pub async fn list_subject_roles(
+    ListArgs { subject }: ListArgs,
+    conn: DbConnection,
+) -> anyhow::Result<()> {
+    let driver = PgAuthDriver::<BuiltinRole>::new(conn);
+    let subject = parse_and_fetch_subject(&subject, &driver).await?;
+    let roles = driver.fetch_subject_roles(subject.id).await?;
+    if roles.is_empty() {
+        println!("{subject} has no roles assigned");
+        return Ok(());
+    }
+    for role in roles {
+        println!("{role}");
+    }
+    Ok(())
+}
+
+fn parse_role_case_insensitive(tag: &String) -> anyhow::Result<BuiltinRole> {
+    let tag = tag.to_lowercase();
+    for role in BuiltinRole::iter() {
+        if role.as_str().to_lowercase() == tag {
+            return Ok(role);
+        }
+    }
+    bail!("Invalid role tag '{tag}'");
+}
+
+pub async fn add_roles(
+    AddArgs { subject, roles }: AddArgs,
+    conn: DbConnection,
+) -> anyhow::Result<()> {
+    let driver = PgAuthDriver::<BuiltinRole>::new(conn);
+    let subject = parse_and_fetch_subject(&subject, &driver).await?;
+    let roles = roles
+        .iter()
+        .map(parse_role_case_insensitive)
+        .collect::<Result<HashSet<_>, _>>()?;
+    info!(
+        "Adding roles {} to {subject}",
+        roles
+            .iter()
+            .map(|role| role.to_string())
+            .collect_vec()
+            .join(", "),
+    );
+    driver.ensure_subject_roles(subject.id, roles).await?;
+    Ok(())
+}
+
+pub async fn remove_roles(
+    RemoveArgs { subject, roles }: RemoveArgs,
+    conn: DbConnection,
+) -> anyhow::Result<()> {
+    let driver = PgAuthDriver::<BuiltinRole>::new(conn);
+    let subject = parse_and_fetch_subject(&subject, &driver).await?;
+    let roles = roles
+        .iter()
+        .map(parse_role_case_insensitive)
+        .collect::<Result<HashSet<_>, _>>()?;
+    info!(
+        "Removing roles {} from {subject}",
+        roles
+            .iter()
+            .map(|role| role.to_string())
+            .collect_vec()
+            .join(", "),
+    );
+    driver.remove_subject_roles(subject.id, roles).await?;
+    Ok(())
+}

editoast/src/client/roles.rs

@@ -20,6 +20,8 @@ use axum::{Router, ServiceExt};
 use axum_tracing_opentelemetry::middleware::OtelAxumLayer;
 use chashmap::CHashMap;
 use clap::Parser;
+use client::roles;
+use client::roles::RolesCommand;
 use client::stdcm_search_env_commands::handle_stdcm_search_env_command;
 use client::{
     ClearArgs, Client, Color, Commands, DeleteProfileSetArgs, ElectricalProfilesCommands,
@@ -245,6 +247,25 @@ async fn run() -> Result<(), Box<dyn Error + Send + Sync>> {
         Commands::STDCMSearchEnv(subcommand) => {
             handle_stdcm_search_env_command(subcommand, db_pool).await
         }
+        Commands::Roles(roles_command) => match roles_command {
+            RolesCommand::ListRoles => {
+                roles::list_roles();
+                Ok(())
+            }
+            RolesCommand::List(list_args) => {
+                roles::list_subject_roles(list_args, db_pool.get().await?)
+                    .await
+                    .map_err(Into::into)
+            }
+            RolesCommand::Add(add_args) => roles::add_roles(add_args, db_pool.get().await?)
+                .await
+                .map_err(Into::into),
+            RolesCommand::Remove(remove_args) => {
+                roles::remove_roles(remove_args, db_pool.get().await?)
+                    .await
+                    .map_err(Into::into)
+            }
+        },
     }
 }
 
@@ -892,6 +913,15 @@ impl CliError {
     }
 }
 
+impl From<anyhow::Error> for CliError {
+    fn from(err: anyhow::Error) -> Self {
+        CliError {
+            exit_code: 1,
+            message: format!("❌ {err}"),
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;