// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.
//! Built-ins and roles
use crate::authz;
use crate::context::OpContext;
use crate::db;
use crate::db::lookup::LookupPath;
use crate::db::model::Name;
use crate::external_api::shared;
use anyhow::Context;
use omicron_common::api::external::DataPageParams;
use omicron_common::api::external::Error;
use omicron_common::api::external::ListResultVec;
use omicron_common::api::external::LookupResult;
use omicron_common::api::external::UpdateResult;
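impl super::Nexus {
    // Global (fleet-wide) policy

    /// Returns the fleet-wide IAM policy: the role assignments on
    /// [`authz::FLEET`] that the datastore exposes to this caller.
    ///
    /// Each database row is converted into an external
    /// `shared::RoleAssignment<authz::FleetRole>`.  A row that fails to
    /// convert means the database holds an assignment this build cannot
    /// interpret; that is a server-side fault, so it is surfaced as an
    /// internal error carrying the conversion context rather than being
    /// reported back to the client as its own mistake.
    ///
    /// # Errors
    ///
    /// Propagates any error from `role_assignment_fetch_visible` (presumably
    /// including the authz check on the fleet — confirm in the datastore),
    /// or an internal error if a stored assignment cannot be parsed.
    pub async fn fleet_fetch_policy(
        &self,
        opctx: &OpContext,
    ) -> LookupResult<shared::Policy<authz::FleetRole>> {
        let rows = self
            .db_datastore
            .role_assignment_fetch_visible(opctx, &authz::FLEET)
            .await?;
        let role_assignments = rows
            .into_iter()
            .map(|row| row.try_into().context("parsing database role assignment"))
            .collect::<Result<Vec<_>, _>>()
            .map_err(|error| Error::internal_error(&format!("{:#}", error)))?;
        Ok(shared::Policy { role_assignments })
    }

    /// Replaces the fleet-wide IAM policy with `policy` and returns the
    /// policy as stored.
    ///
    /// `policy` is caller-supplied.  Nothing in this method checks or
    /// validates it; the datastore's `role_assignment_replace_visible` is
    /// expected to perform the authz check and any validation of the
    /// assignments before writing them — confirm there.
    ///
    /// # Errors
    ///
    /// Propagates any error from the datastore replace.  As in
    /// [`Self::fleet_fetch_policy`], a returned row that cannot be converted
    /// back to an external role assignment is reported as an internal error
    /// with the conversion context, so both paths classify the same failure
    /// the same way.
    pub async fn fleet_update_policy(
        &self,
        opctx: &OpContext,
        policy: &shared::Policy<authz::FleetRole>,
    ) -> UpdateResult<shared::Policy<authz::FleetRole>> {
        let rows = self
            .db_datastore
            .role_assignment_replace_visible(
                opctx,
                &authz::FLEET,
                &policy.role_assignments,
            )
            .await?;
        // These rows came back from our own write, so a conversion failure
        // is a server-side inconsistency, not a bad request from the client.
        let role_assignments = rows
            .into_iter()
            .map(|row| row.try_into().context("parsing database role assignment"))
            .collect::<Result<Vec<_>, _>>()
            .map_err(|error| Error::internal_error(&format!("{:#}", error)))?;
        Ok(shared::Policy { role_assignments })
    }

    // Built-in users

    /// Lists built-in users, paginated by name.
    ///
    /// Thin pass-through to the datastore; authorization is presumably
    /// handled inside `users_builtin_list_by_name` — confirm there.
    pub async fn users_builtin_list(
        &self,
        opctx: &OpContext,
        pagparams: &DataPageParams<'_, Name>,
    ) -> ListResultVec<db::model::UserBuiltin> {
        let datastore = &self.db_datastore;
        datastore.users_builtin_list_by_name(opctx, pagparams).await
    }

    /// Looks up a single built-in user by `name`.
    ///
    /// Goes through the `LookupPath` machinery; "not found" and any authz
    /// failure are presumably produced by `fetch()`, and this method only
    /// unpacks the resulting tuple.
    pub async fn user_builtin_fetch(
        &self,
        opctx: &OpContext,
        name: &Name,
    ) -> LookupResult<db::model::UserBuiltin> {
        let lookup =
            LookupPath::new(opctx, &self.db_datastore).user_builtin_name(name);
        let (.., user) = lookup.fetch().await?;
        Ok(user)
    }

    // Built-in roles

    /// Lists built-in roles.
    ///
    /// Pagination is keyed on a `(String, String)` pair; from the datastore
    /// method name this is presumably (resource type, role name) — confirm
    /// against `roles_builtin_list_by_name`.
    pub async fn roles_builtin_list(
        &self,
        opctx: &OpContext,
        pagparams: &DataPageParams<'_, (String, String)>,
    ) -> ListResultVec<db::model::RoleBuiltin> {
        let datastore = &self.db_datastore;
        datastore.roles_builtin_list_by_name(opctx, pagparams).await
    }

    /// Looks up a single built-in role by its string `name`.
    ///
    /// The accepted name format is defined by `LookupPath::role_builtin_name`,
    /// not here; this method only unpacks the fetched tuple.
    pub async fn role_builtin_fetch(
        &self,
        opctx: &OpContext,
        name: &str,
    ) -> LookupResult<db::model::RoleBuiltin> {
        let lookup =
            LookupPath::new(opctx, &self.db_datastore).role_builtin_name(name);
        let (.., role) = lookup.fetch().await?;
        Ok(role)
    }
}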