unclaimed

Author: epompeii

lib/api_run/src/run.rs

@@ -2,8 +2,9 @@ use bencher_endpoint::{CorsResponse, Endpoint, Post, ResponseCreated};
 use bencher_json::{JsonNewRun, JsonReport, ResourceName, RunContext, Slug};
 use bencher_rbac::project::Permission;
 use bencher_schema::{
+    conn_lock,
     context::ApiContext,
-    error::{bad_request_error, forbidden_error, issue_error},
+    error::{bad_request_error, unauthorized_error},
     model::{
         project::{report::QueryReport, QueryProject},
         user::auth::{AuthUser, PubBearerToken},
@@ -48,40 +49,29 @@ async fn post_inner(
     auth_user: Option<AuthUser>,
     json_run: JsonNewRun,
 ) -> Result<JsonReport, HttpError> {
-    let query_project = match (auth_user.as_ref(), json_run.project.as_ref()) {
-        (Some(auth_user), Some(project)) => {
-            QueryProject::get_or_create(log, context, auth_user, project)
-                .await
-                .map_err(|e| forbidden_error(e.to_string()))?
-        },
-        (Some(auth_user), None) => {
-            let project_name = project_name(&json_run)?;
-            let project_slug = project_slug(&json_run)?;
-            QueryProject::get_or_create_from_context(
-                log,
-                context,
-                auth_user,
-                project_name,
-                project_slug,
-            )
-            .await
-            .map_err(|e| forbidden_error(e.to_string()))?
-        },
-        _ => return Err(bad_request_error("Not yet supported")),
+    let project_name_fn = || project_name(&json_run);
+    let project_slug_fn = || project_slug(&json_run);
+    let query_project = if let Some(project) = json_run.project.as_ref() {
+        QueryProject::get_or_create(log, context, auth_user.as_ref(), project, project_name_fn)
+            .await?
+    } else {
+        QueryProject::get_or_create_from_context(
+            log,
+            context,
+            auth_user.as_ref(),
+            project_name_fn,
+            project_slug_fn,
+        )
+        .await?
     };
 
-    // Verify that the user is allowed
-    // This should always succeed if the logic above is correct
     if let Some(auth_user) = auth_user.as_ref() {
-        query_project
-            .try_allowed(&context.rbac, auth_user, Permission::Create)
-            .map_err(|e| {
-                issue_error(
-                    "Failed to check run permissions",
-                    "Failed check the run permissions before creating a report",
-                    e,
-                )
-            })?;
+        query_project.try_allowed(&context.rbac, auth_user, Permission::Create)?;
+    } else if !query_project.is_unclaimed(conn_lock!(context))? {
+        return Err(unauthorized_error(format!(
+            "This project ({}) has already been claimed.",
+            query_project.slug
+        )));
     }
     QueryReport::create(
         log,

lib/bencher_schema/src/model/organization/mod.rs

@@ -8,7 +8,7 @@ use bencher_json::{
     DateTime, JsonNewOrganization, JsonOrganization, Jwt, OrganizationUuid, ResourceId,
     ResourceName, Slug,
 };
-use bencher_rbac::Organization;
+use bencher_rbac::{organization::Permission, Organization};
 use diesel::{ExpressionMethods, QueryDsl, Queryable, RunQueryDsl};
 use dropshot::HttpError;
 use organization_role::{InsertOrganizationRole, QueryOrganizationRole};
@@ -62,6 +62,7 @@ impl QueryOrganization {
         if let Ok(query_organization) =
             Self::from_resource_id(conn_lock!(context), &user_slug.clone().into())
         {
+            query_organization.try_allowed(&context.rbac, auth_user, Permission::View)?;
             return Ok(query_organization);
         }
 
@@ -72,21 +73,17 @@ impl QueryOrganization {
         Self::create(context, auth_user, json_organization).await
     }
 
-    pub async fn get_or_create_from_context(
+    pub async fn get_or_create_from_project(
         context: &ApiContext,
         project_name: &ResourceName,
         project_slug: &Slug,
     ) -> Result<Self, HttpError> {
         if let Ok(query_organization) =
             Self::from_resource_id(conn_lock!(context), &project_slug.clone().into())
         {
-            // Get the total number of members for the organization
-            let total_members =
-                QueryOrganizationRole::count(conn_lock!(context), query_organization.id)?;
-            // If the project is part of an organization that has zero members,
+            // If the project is part of an organization that is unclaimed,
             // then the project can have anonymous reports.
-            // That is, the project has not yet been claimed.
-            return if total_members == 0 {
+            return if query_organization.is_unclaimed(conn_lock!(context))? {
                 Ok(query_organization)
             } else {
                 Err(unauthorized_error(format!(
@@ -147,7 +144,7 @@ impl QueryOrganization {
         rbac: &Rbac,
         organization: &ResourceId,
         auth_user: &AuthUser,
-        permission: bencher_rbac::organization::Permission,
+        permission: Permission,
     ) -> Result<Self, HttpError> {
         // Do not leak information about organizations.
         // Always return the same error.
@@ -161,7 +158,7 @@ impl QueryOrganization {
         rbac: &Rbac,
         organization: &ResourceId,
         auth_user: &AuthUser,
-        permission: bencher_rbac::organization::Permission,
+        permission: Permission,
     ) -> Result<Self, HttpError> {
         let query_organization = Self::from_resource_id(conn, organization)?;
         query_organization.try_allowed(rbac, auth_user, permission)?;
@@ -173,7 +170,7 @@ impl QueryOrganization {
         rbac: &Rbac,
         organization_id: OrganizationId,
         auth_user: &AuthUser,
-        permission: bencher_rbac::organization::Permission,
+        permission: Permission,
     ) -> Result<Self, HttpError> {
         // Do not leak information about organizations.
         // Always return the same error.
@@ -189,7 +186,7 @@ impl QueryOrganization {
         rbac: &Rbac,
         organization_id: OrganizationId,
         auth_user: &AuthUser,
-        permission: bencher_rbac::organization::Permission,
+        permission: Permission,
     ) -> Result<Self, HttpError> {
         let query_organization = Self::get(conn, organization_id)?;
         query_organization.try_allowed(rbac, auth_user, permission)?;
@@ -200,12 +197,18 @@ impl QueryOrganization {
         &self,
         rbac: &Rbac,
         auth_user: &AuthUser,
-        permission: bencher_rbac::organization::Permission,
+        permission: Permission,
     ) -> Result<(), HttpError> {
         rbac.is_allowed_organization(auth_user, permission, self)
             .map_err(forbidden_error)
     }
 
+    pub fn is_unclaimed(&self, conn: &mut DbConnection) -> Result<bool, HttpError> {
+        let total_members = QueryOrganizationRole::count(conn, self.id)?;
+        // If the organization that has zero members, then it is unclaimed.
+        Ok(total_members == 0)
+    }
+
     pub fn into_json(self) -> JsonOrganization {
         let Self {
             uuid,

lib/bencher_schema/src/model/project/mod.rs

@@ -89,12 +89,16 @@ impl QueryProject {
             .map_err(resource_not_found_err!(Project, slug.clone()))
     }
 
-    pub async fn get_or_create(
+    pub async fn get_or_create<NameFn>(
         log: &Logger,
         context: &ApiContext,
-        auth_user: &AuthUser,
+        auth_user: Option<&AuthUser>,
         project: &ResourceId,
-    ) -> Result<Self, HttpError> {
+        project_name_fn: NameFn,
+    ) -> Result<Self, HttpError>
+    where
+        NameFn: FnOnce() -> Result<ResourceName, HttpError>,
+    {
         let query_project = Self::from_resource_id(conn_lock!(context), project);
 
         let http_error = match query_project {
@@ -105,35 +109,52 @@ impl QueryProject {
         let Ok(kind) = ResourceIdKind::try_from(project) else {
             return Err(http_error);
         };
-        let slug = match kind {
+        let project_slug = match kind {
             ResourceIdKind::Uuid(_) => return Err(http_error),
             ResourceIdKind::Slug(slug) => slug,
         };
 
-        let query_organization =
-            QueryOrganization::get_or_create_from_user(context, auth_user).await?;
-        let json_project = JsonNewProject {
-            name: slug.clone().into(),
-            slug: Some(slug.clone()),
-            url: None,
-            visibility: None,
-        };
-        Self::create(log, context, auth_user, &query_organization, json_project).await
+        Self::get_or_create_inner(log, context, auth_user, project_name_fn, project_slug).await
     }
 
-    pub async fn get_or_create_from_context(
+    pub async fn get_or_create_from_context<NameFn, SlugFn>(
         log: &Logger,
         context: &ApiContext,
-        auth_user: &AuthUser,
-        project_name: ResourceName,
-        project_slug: Slug,
-    ) -> Result<Self, HttpError> {
+        auth_user: Option<&AuthUser>,
+        project_name_fn: NameFn,
+        project_slug_fn: SlugFn,
+    ) -> Result<Self, HttpError>
+    where
+        NameFn: FnOnce() -> Result<ResourceName, HttpError>,
+        SlugFn: FnOnce() -> Result<Slug, HttpError>,
+    {
+        let project_slug = project_slug_fn()?;
         if let Ok(query_project) = Self::from_slug(conn_lock!(context), &project_slug) {
             return Ok(query_project);
         }
 
-        let query_organization =
-            QueryOrganization::get_or_create_from_user(context, auth_user).await?;
+        Self::get_or_create_inner(log, context, auth_user, project_name_fn, project_slug).await
+    }
+
+    async fn get_or_create_inner<NameFn>(
+        log: &Logger,
+        context: &ApiContext,
+        auth_user: Option<&AuthUser>,
+        project_name_fn: NameFn,
+        project_slug: Slug,
+    ) -> Result<Self, HttpError>
+    where
+        NameFn: FnOnce() -> Result<ResourceName, HttpError>,
+    {
+        let project_name = project_name_fn()?;
+        let query_organization = if let Some(auth_user) = auth_user {
+            QueryOrganization::get_or_create_from_user(context, auth_user).await?
+        } else {
+            QueryOrganization::get_or_create_from_project(context, &project_name, &project_slug)
+                .await?
+        };
+        // The choice was either to relax the schema constraint to allow duplicate project names
+        // or to append a number to the project name to ensure uniqueness.
         let name = Self::unique_name(context, &query_organization, project_name).await?;
         let json_project = JsonNewProject {
             name,
@@ -142,7 +163,11 @@ impl QueryProject {
             visibility: None,
         };
 
-        Self::create(log, context, auth_user, &query_organization, json_project).await
+        if let Some(auth_user) = auth_user {
+            Self::create(log, context, auth_user, &query_organization, json_project).await
+        } else {
+            Self::create_inner(log, context, &query_organization, json_project).await
+        }
     }
 
     async fn unique_name(
@@ -368,6 +393,11 @@ impl QueryProject {
             .map_err(forbidden_error)
     }
 
+    pub fn is_unclaimed(&self, conn: &mut DbConnection) -> Result<bool, HttpError> {
+        let query_organization = QueryOrganization::get(conn, self.organization_id)?;
+        query_organization.is_unclaimed(conn)
+    }
+
     #[cfg(feature = "plus")]
     pub fn perf_url(&self, console_url: &url::Url) -> Result<Option<url::Url>, HttpError> {
         if !self.is_public() {