ref: impl SQL helpers for User and Role

Author: Iron-E

src/api/schema/columns/mod.rs

@@ -0,0 +1,5 @@
+//! Contains extensions to [`winvoice_adapter::schema::columns`] specific to the [server](crate).
+
+mod user_columns;
+
+pub use user_columns::UserColumns;

src/api/schema/columns/user_columns.rs

@@ -0,0 +1,68 @@
+//! This module holds data for the columns of the [`User`](crate::api::schema::User) table.
+
+mod columns_to_sql;
+mod table_to_sql;
+
+use serde::{Deserialize, Serialize};
+use winvoice_adapter::fmt::{TableToSql, WithIdentifier};
+
+/// The names of the columns of the `timesheets` table.
+#[derive(Copy, Clone, Debug, Deserialize, Eq, Hash, Ord, PartialEq, PartialOrd, Serialize)]
+pub struct UserColumns<T>
+{
+	/// The name of the `employee_id` column of the `timesheets` table.
+	pub employee_id: T,
+
+	/// The name of the `id` column of the `timesheets` table.
+	pub id: T,
+}
+
+impl<T> UserColumns<T>
+{
+	/// Add a [scope](ExpenseColumns::scope) using the [default alias](TableToSql::default_alias)
+	///
+	/// # See also
+	///
+	/// * [`WithIdentifier`].
+	pub fn default_scope(self) -> UserColumns<WithIdentifier<char, T>>
+	{
+		self.scope(Self::DEFAULT_ALIAS)
+	}
+
+	/// Returns a [`UserColumns`] which modifies its fields' [`Display`]
+	/// implementation to output `{alias}.{column}`.
+	///
+	/// # See also
+	///
+	/// * [`WithIdentifier`]
+	#[allow(clippy::missing_const_for_fn)]
+	pub fn scope<Alias>(self, alias: Alias) -> UserColumns<WithIdentifier<Alias, T>>
+	where
+		Alias: Copy,
+	{
+		UserColumns {
+			employee_id: WithIdentifier(alias, self.employee_id),
+			id: WithIdentifier(alias, self.id),
+			job_id: WithIdentifier(alias, self.job_id),
+			time_begin: WithIdentifier(alias, self.time_begin),
+			time_end: WithIdentifier(alias, self.time_end),
+			work_notes: WithIdentifier(alias, self.work_notes),
+		}
+	}
+}
+
+impl UserColumns<&'static str>
+{
+	/// The names of the columns in `organizations` without any aliasing.
+	pub const fn default() -> Self
+	{
+		Self {
+			id: "id",
+			employee_id: "employee_id",
+			job_id: "job_id",
+			time_begin: "time_begin",
+			time_end: "time_end",
+			work_notes: "work_notes",
+		}
+	}
+}

src/api/schema/columns/user_columns/columns_to_sql.rs

@@ -0,0 +1,56 @@
+use core::fmt::Display;
+
+use sqlx::{Database, QueryBuilder};
+
+use super::TimesheetColumns;
+use crate::fmt::{ColumnsToSql, QueryBuilderExt};
+
+impl<Column> ColumnsToSql for TimesheetColumns<Column>
+where
+	Column: Copy + Display,
+{
+	fn push_to<Db>(&self, query: &mut QueryBuilder<Db>)
+	where
+		Db: Database,
+	{
+		query
+			.separated(',')
+			.push(self.employee_id)
+			.push(self.id)
+			.push(self.job_id)
+			.push(self.time_begin)
+			.push(self.time_end)
+			.push(self.work_notes);
+	}
+
+	fn push_set_to<Db, Values>(&self, query: &mut QueryBuilder<Db>, values_alias: Values)
+	where
+		Db: Database,
+		Values: Copy + Display,
+	{
+		let values_columns = self.scope(values_alias);
+		query
+			.push_equal(self.employee_id, values_columns.employee_id)
+			.push(',')
+			.push_equal(self.job_id, values_columns.job_id)
+			.push(',')
+			.push_equal(self.time_begin, values_columns.time_begin)
+			.push(',')
+			.push_equal(self.time_end, values_columns.time_end)
+			.push(',')
+			.push_equal(self.work_notes, values_columns.work_notes);
+	}
+
+	fn push_update_where_to<Db, Table, Values>(
+		&self,
+		query: &mut QueryBuilder<Db>,
+		table_alias: Table,
+		values_alias: Values,
+	) where
+		Db: Database,
+		Table: Copy + Display,
+		Values: Copy + Display,
+	{
+		query.push_equal(self.scope(table_alias).id, self.scope(values_alias).id);
+	}
+}

src/api/schema/columns/user_columns/table_to_sql.rs

@@ -0,0 +1,9 @@
+use winvoice_adapter::fmt::TableToSql;
+
+use super::UserColumns;
+
+impl<T> TableToSql for UserColumns<T>
+{
+	const DEFAULT_ALIAS: char = 'U';
+	const TABLE_NAME: &'static str = "users";
+}

src/api/schema/mod.rs

@@ -1,5 +1,8 @@
 //! Contains extensions to the [`winvoice_schema`] which are specific to the [server](crate).
 
+pub mod columns;
+mod role;
 mod user;
 
+pub use role::Role;
 pub use user::User;

src/api/schema/role.rs

@@ -0,0 +1,52 @@
+//! Contains information about the [`Role`] of a [`User`](super::User).
+
+use core::time::Duration;
+
+use serde::{Deserialize, Serialize};
+use winvoice_schema::Id;
+
+/// Corresponds to the `users` table in the [`winvoice-server`](crate) database.
+#[derive(Clone, Debug, Default, Deserialize, Eq, Hash, Ord, PartialEq, PartialOrd, Serialize)]
+#[cfg_attr(feature = "bin", derive(sqlx::FromRow))]
+pub struct Role
+{
+	/// The unique identity of the [`Role`].
+	id: Id,
+
+	/// The name of the [`Role`].
+	name: String,
+
+	/// How frequent password rotation must occur for [`User`](super::User) with this [`Role`].
+	///
+	/// [`None`] indicates that the password lasts forever.
+	password_ttl: Option<Duration>,
+}
+
+impl Role
+{
+	/// Create a new [`Role`].
+	pub fn new(id: Id, name: String, password_ttl: Option<Duration>) -> Self
+	{
+		Self { id, name, password_ttl }
+	}
+
+	/// The unique identity of the [`Role`].
+	pub fn id(&self) -> i64
+	{
+		self.id
+	}
+
+	/// The name of the [`Role`].
+	pub fn name(&self) -> &str
+	{
+		self.name.as_ref()
+	}
+
+	/// How frequent password rotation must occur for [`User`](super::User) with this [`Role`].
+	///
+	/// [`None`] indicates that the password lasts forever.
+	pub fn password_ttl(&self) -> Option<Duration>
+	{
+		self.password_ttl
+	}
+}

src/api/schema/user.rs

@@ -4,11 +4,15 @@
 
 mod auth_user;
 
-use sqlx::FromRow;
-use winvoice_schema::Id;
+use serde::{Deserialize, Serialize};
+use winvoice_schema::{
+	chrono::{DateTime, Utc},
+	Id,
+};
 
 /// Corresponds to the `users` table in the [`winvoice-server`](crate) database.
-#[derive(Clone, Debug, Default, Eq, FromRow, Hash, Ord, PartialEq, PartialOrd)]
+#[derive(Clone, Debug, Default, Deserialize, Eq, Hash, Ord, PartialEq, PartialOrd, Serialize)]
+#[cfg_attr(feature = "bin", derive(sqlx::FromRow))]
 pub struct User
 {
 	/// The [`User`]'s [`Employee`](winvoice_schema::Employee) [`Id`], if they are employed.
@@ -23,6 +27,9 @@ pub struct User
 	/// Get the [`User`]'s [`argon2`]-hashed password.
 	password: String,
 
+	/// The [`DateTime`] that the `password` was set. Used to enforce password rotation.
+	password_expires: Option<DateTime<Utc>>,
+
 	/// Get the [`User`]'s username.
 	username: String,
 }
@@ -35,10 +42,11 @@ impl User
 		id: Id,
 		role: String,
 		password: String,
+		password_expires: Option<DateTime<Utc>>,
 		username: String,
 	) -> Self
 	{
-		Self { employee_id, id, role, password, username }
+		Self { employee_id, id, role, password, password_expires, username }
 	}
 
 	/// The [`User`]'s [`Employee`](winvoice_schema::Employee) [`Id`], if they are employed.
@@ -65,6 +73,12 @@ impl User
 		self.password.as_ref()
 	}
 
+	/// Get the [`DateTime`] that the `password` was set. Used to enforce password rotation.
+	pub fn password_expires(&self) -> Option<DateTime<Utc>>
+	{
+		self.password_set
+	}
+
 	/// Get the [`User`]'s username.
 	pub fn username(&self) -> &str
 	{

src/args.rs

@@ -149,7 +149,10 @@ impl Args
 			RustlsConfig::from_pem_file(self.certificate, self.key).err_into::<DynError>(),
 		)?;
 
-		init_watchman(permissions.clone(), model_path, policy_path).await?;
+		if let Err(e) = init_watchman(permissions.clone(), model_path, policy_path).await
+		{
+			tracing::error!("Failed to enable hot-reloading permissions: {e}");
+		}
 
 		match self.command
 		{
@@ -215,7 +218,7 @@ fn leak_string(s: String) -> &'static str
 ///
 /// This allows [`winvoice-server`](crate)'s permissions to be hot-reloaded while the server is
 /// running.
-#[instrument(level = Level::INFO, fields(permissions, model_path, policy_path))]
+#[instrument(level = "trace")]
 async fn init_watchman(
 	permissions: Lock<Enforcer>,
 	model_path: Option<&'static str>,
@@ -252,36 +255,44 @@ async fn init_watchman(
 			tracing::info!("Watching for file changes");
 			loop
 			{
-				match subscription.next().await?
+				match subscription.next().await
 				{
-					SubscriptionData::Canceled =>
+					Ok(SubscriptionData::Canceled) =>
 					{
-						tracing::info!(
+						tracing::error!(
 							"Watchman stopped unexpectedly. Hot reloading permissions is disabled."
 						);
 						break;
 					},
-					SubscriptionData::FilesChanged(query) =>
+					Ok(SubscriptionData::FilesChanged(query)) =>
 					{
-						tracing::trace!("Notified of file change: {query:#?}");
+						tracing::debug!("Notified of file change: {query:#?}");
 						let mut p = permissions.write().await;
 						*p = match Enforcer::new(model_path, policy_path).await
 						{
 							Ok(e) => e,
 							Err(e) =>
 							{
-								tracing::debug!("Could not reload permissions: {e}");
+								tracing::info!("Could not reload permissions: {e}");
 								continue;
 							},
 						};
 					},
-					_ => (),
+					Ok(event) => tracing::trace!("Notified of ignored event: {event}"),
+					Err(e) =>
+					{
+						tracing::error!(
+							"Encountered an error while watching for file changes: {e}. Hot \
+							 reloading permissions is disabled"
+						);
+						break;
+					},
 				}
 			}
 
 			Ok::<_, watchman_client::Error>(())
 		}
-		.instrument(tracing::info_span!("hot_reload_permissions")),
+		.instrument(tracing::error_span!("hot_reload_permissions")),
 	);
 
 	Ok(())

src/server/auth/init_users_table.rs

@@ -1,35 +1,41 @@
 //! Contains the [`InitUsersTable`] trait, and implementations for various [`Database`]s.
 
-use sqlx::{Database, Executor, Result};
+use sqlx::{Database, Pool, Result};
 
 /// Initialize the `users`
 #[async_trait::async_trait]
 pub trait InitUsersTable: Database
 {
 	/// Initialize the `users` table on the [`Database`]
-	async fn init_users_table<'conn, C>(connection: C) -> Result<()>
-	where
-		C: Executor<'conn, Database = Self>;
+	async fn init_users_table(pool: &Pool<Db>) -> Result<()>;
 }
 
 #[cfg(feature = "postgres")]
 #[async_trait::async_trait]
 impl InitUsersTable for sqlx::Postgres
 {
-	async fn init_users_table<'conn, C>(connection: C) -> Result<()>
-	where
-		C: Executor<'conn, Database = Self>,
+	async fn init_users_table(pool: &Pool<Db>) -> Result<()>
 	{
 		sqlx::query!(
 			"CREATE TABLE IF NOT EXISTS users
 			(
 				employee_id bigint REFERENCES employees(id),
 				id bigint PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
-				role text DEFAULT 'guest',
 				password text NOT NULL,
-				username text NOT NULL,
+				password_expires timestamptz,
+				role text DEFAULT 'guest',
+				username text NOT NULL UNIQUE,
+			);"
+		)
+		.execute(connection)
+		.await?;
 
-				CONSTRAINT users__username_uq UNIQUE (username)
+		sqlx::query!(
+			"CREATE TABLE IF NOT EXISTS roles
+			(
+				id bigint PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
+				name text NOT NULL UNIQUE,
+				password_ttl interval,
 			);"
 		)
 		.execute(connection)