try_allowed

Author: epompeii

lib/api_run/src/run.rs

@@ -1,9 +1,10 @@
 use bencher_endpoint::{CorsResponse, Endpoint, Post, ResponseCreated};
 use bencher_json::{project, system::auth, JsonNewRun, JsonReport, NameIdKind, ResourceName};
+use bencher_rbac::project::Permission;
 use bencher_schema::{
     conn_lock,
     context::ApiContext,
-    error::{bad_request_error, forbidden_error},
+    error::{bad_request_error, forbidden_error, issue_error},
     model::{
         organization::QueryOrganization,
         project::{report::QueryReport, QueryProject},
@@ -39,27 +40,41 @@ pub async fn run_post(
     body: TypedBody<JsonNewRun>,
 ) -> Result<ResponseCreated<JsonReport>, HttpError> {
     let auth_user = AuthUser::from_pub_token(rqctx.context(), bearer_token).await?;
-    let json = post_inner(&rqctx.log, rqctx.context(), body.into_inner(), auth_user).await?;
+    let json = post_inner(&rqctx.log, rqctx.context(), auth_user, body.into_inner()).await?;
     Ok(Post::auth_response_created(json))
 }
 
 async fn post_inner(
     log: &Logger,
     context: &ApiContext,
-    json_run: JsonNewRun,
     auth_user: Option<AuthUser>,
+    json_run: JsonNewRun,
 ) -> Result<JsonReport, HttpError> {
-    let query_project = QueryProject::get_or_create(
-        context,
+    let (auth_user, query_project) = match (
+        auth_user,
         json_run.organization.as_ref(),
         json_run.project.as_ref(),
-        auth_user.as_ref(),
-    )
-    .await?;
-    #[allow(clippy::unimplemented)]
-    let todo_pub_run_user = |_auth_user: Option<AuthUser>| -> Result<AuthUser, HttpError> {
-        Err(bad_request_error("pub run creation is not yet implemented"))
+    ) {
+        (Some(auth_user), Some(organization), Some(project)) => {
+            let query_project =
+                QueryProject::get_or_create(context, &auth_user, organization, project)
+                    .await
+                    .map_err(|e| forbidden_error(e.to_string()))?;
+            (auth_user, query_project)
+        },
+        _ => return Err(bad_request_error("Not yet supported")),
     };
-    let auth_user = todo_pub_run_user(auth_user)?;
+
+    // Verify that the user is allowed
+    // This should always succeed if the logic above is correct
+    query_project
+        .try_allowed(&context.rbac, &auth_user, Permission::Create)
+        .map_err(|e| {
+            issue_error(
+                "Failed to check run permissions",
+                "Failed check the run permissions before creating a report",
+                e,
+            )
+        })?;
     QueryReport::create(log, context, &query_project, json_run.into(), &auth_user).await
 }

lib/bencher_schema/src/model/organization/mod.rs

@@ -69,7 +69,8 @@ impl QueryOrganization {
         permission: bencher_rbac::organization::Permission,
     ) -> Result<Self, HttpError> {
         let query_organization = Self::from_resource_id(conn, organization)?;
-        query_organization.allowed(rbac, auth_user, permission)
+        query_organization.try_allowed(rbac, auth_user, permission)?;
+        Ok(query_organization)
     }
 
     pub fn is_allowed_id(
@@ -96,18 +97,18 @@ impl QueryOrganization {
         permission: bencher_rbac::organization::Permission,
     ) -> Result<Self, HttpError> {
         let query_organization = Self::get(conn, organization_id)?;
-        query_organization.allowed(rbac, auth_user, permission)
+        query_organization.try_allowed(rbac, auth_user, permission)?;
+        Ok(query_organization)
     }
 
-    fn allowed(
-        self,
+    fn try_allowed(
+        &self,
         rbac: &Rbac,
         auth_user: &AuthUser,
         permission: bencher_rbac::organization::Permission,
-    ) -> Result<Self, HttpError> {
-        rbac.is_allowed_organization(auth_user, permission, &self)
-            .map_err(forbidden_error)?;
-        Ok(self)
+    ) -> Result<(), HttpError> {
+        rbac.is_allowed_organization(auth_user, permission, self)
+            .map_err(forbidden_error)
     }
 
     pub fn into_json(self) -> JsonOrganization {

lib/bencher_schema/src/model/project/mod.rs

@@ -13,9 +13,8 @@ use crate::{
     conn_lock,
     context::{DbConnection, Rbac},
     error::{
-        assert_parentage, bad_request_error, conflict_error, forbidden_error,
-        resource_conflict_err, resource_not_found_err, resource_not_found_error,
-        unauthorized_error, BencherResource,
+        assert_parentage, bad_request_error, forbidden_error, resource_conflict_err,
+        resource_not_found_error, unauthorized_error, BencherResource,
     },
     macros::{
         fn_get::{fn_from_uuid, fn_get, fn_get_uuid},
@@ -75,23 +74,13 @@ impl QueryProject {
 
     pub async fn get_or_create(
         context: &ApiContext,
+        auth_user: &AuthUser,
         organization: &ResourceId,
         project: &NameId,
-        auth_user: &AuthUser,
-    ) -> Result<ProjectId, HttpError> {
+    ) -> Result<Self, HttpError> {
         let query_organization =
             QueryOrganization::from_resource_id(conn_lock!(context), organization)?;
-        let query_project =
-            Self::get_or_create_inner(context, &query_organization, project, auth_user).await?;
-        Ok(query_project.id)
-    }
 
-    async fn get_or_create_inner(
-        context: &ApiContext,
-        query_organization: &QueryOrganization,
-        project: &NameId,
-        auth_user: &AuthUser,
-    ) -> Result<Self, HttpError> {
         let Ok(kind) = NameIdKind::<ResourceName>::try_from(project) else {
             return Err(bad_request_error(format!(
                 "Project ({project}) must be a valid UUID, slug, or name"
@@ -115,7 +104,7 @@ impl QueryProject {
                         url: None,
                         visibility: None,
                     };
-                    Self::create(context, query_organization, new_project, auth_user).await?
+                    Self::create(context, &query_organization, new_project, auth_user).await?
                 }
             },
             NameIdKind::Name(name) => {
@@ -132,7 +121,7 @@ impl QueryProject {
                         url: None,
                         visibility: None,
                     };
-                    Self::create(context, query_organization, new_project, auth_user).await?
+                    Self::create(context, &query_organization, new_project, auth_user).await?
                 }
             },
         };
@@ -202,8 +191,7 @@ impl QueryProject {
         permission: Permission,
     ) -> Result<Self, HttpError> {
         let query_project = Self::from_resource_id(conn, project)?;
-        rbac.is_allowed_project(auth_user, permission, &query_project)
-            .map_err(forbidden_error)?;
+        query_project.try_allowed(rbac, auth_user, permission)?;
         Ok(query_project)
     }
 
@@ -234,14 +222,23 @@ impl QueryProject {
         } else if let Some(auth_user) = auth_user {
             // If there is an `AuthUser` then validate access
             // Verify that the user is allowed
-            rbac.is_allowed_project(auth_user, Permission::View, &query_project)
-                .map_err(forbidden_error)?;
+            query_project.try_allowed(rbac, auth_user, Permission::View)?;
             Ok(query_project)
         } else {
             Err(unauthorized_error(project))
         }
     }
 
+    pub fn try_allowed(
+        &self,
+        rbac: &Rbac,
+        auth_user: &AuthUser,
+        permission: Permission,
+    ) -> Result<(), HttpError> {
+        rbac.is_allowed_project(auth_user, permission, self)
+            .map_err(forbidden_error)
+    }
+
     #[cfg(feature = "plus")]
     pub fn perf_url(&self, console_url: &url::Url) -> Result<Option<url::Url>, HttpError> {
         if !self.is_public() {