Use typed UUIDs for silo user and group #8803
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit changes SiloUser and SiloGroup to use typed UUIDs.
The biggest reason that this couldn't happen without a bunch of work was
the `lookup_resource` macro: for a resource like SshKey, it looked like
```
lookup_resource! {
name = "SshKey",
ancestors = [ "Silo", "SiloUser" ],
lookup_by_name = true,
soft_deletes = true,
primary_key_columns = [ { column_name = "id", rust_type = Uuid } ]
}
```
One of the methods that the `lookup_resource` macro generates will
create a lookup for ancestors of the resource, and this was one using
the type returned from the corresponding authz resource's `id` method:
```
quote! { .filter(dsl::#parent_id.eq(#parent_authz_name.id())) },
```
Changing SiloUser to use a typed UUID in the authz resource:
```
authz_resource! {
name = "SiloUser",
parent = "Silo",
primary_key = { uuid_kind = SiloUserKind }, <-- here
roles_allowed = false,
polar_snippet = Custom,
}
```
and changing the `SiloUser` db model to use `DbTypedUuid` meant that
a call to `to_db_typed_uuid` was required. The lookup_resource macro has
no type information from the string "SiloUser", so this PR adds a check:
if the ancestor string is suffixed with a '*', then the lookup_resource
macro should assume that the `parent_id` is a typed UUID, and generate
the call to `to_db_typed_uuid`.
Most of the work after that was mechanical, changing Uuid to their typed
equivalent, changing method argument types, etc etc.
Some other related things made it into this PR:
- UserBuiltIn now also uses a typed UUID as well, distinguishing them
from silo users
- Actor no longer has the `actor_id` method, instead requiring call
sites to check which variant of Actor is being used
- AuthenticatedActor stores the full Actor instead of only the actor id,
leading to typed comparisons in its oso::PolarClass impl
- User and Group path params are now typed
|
Can't wait to resolve the conflicts with #7339! I just put that on auto merge, happy to handle rebasing this on top of that when it's in. |
No no, definitely land that one first! :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit changes SiloUser and SiloGroup to use typed UUIDs.
The biggest reason that this couldn't happen without a bunch of work was the
lookup_resourcemacro: for a resource like SshKey, it looked likeOne of the methods that the
lookup_resourcemacro generates will create a lookup for ancestors of the resource, and this was one using the type returned from the corresponding authz resource'sidmethod:Changing SiloUser to use a typed UUID in the authz resource:
and changing the
SiloUserdb model to useDbTypedUuidmeant that a call toto_db_typed_uuidwas required. The lookup_resource macro has no type information from the string "SiloUser", so this PR adds a check: if the ancestor string is suffixed with a '*', then the lookup_resource macro should assume that theparent_idis a typed UUID, and generate the call toto_db_typed_uuid.Most of the work after that was mechanical, changing Uuid to their typed equivalent, changing method argument types, etc etc.
Some other related things made it into this PR:
UserBuiltIn now also uses a typed UUID as well, distinguishing them from silo users
Actor no longer has the
actor_idmethod, instead requiring call sites to check which variant of Actor is being usedAuthenticatedActor stores the full Actor instead of only the actor id, leading to typed comparisons in its oso::PolarClass impl
User and Group path params are now typed