Skip to content

Commit

Permalink
chore: access control interface to return error instead of boolean (#914
Browse files Browse the repository at this point in the history
)
  • Loading branch information
khorshuheng authored Oct 21, 2024
1 parent 5502c67 commit 9eb1c36
Show file tree
Hide file tree
Showing 15 changed files with 131 additions and 178 deletions.
2 changes: 1 addition & 1 deletion libs/access-control/src/casbin/access.rs
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ impl AccessControl {
uid: &i64,
obj: ObjectType<'_>,
act: ActionVariant<'_>,
) -> Result<bool, AppError> {
) -> Result<(), AppError> {
self
.enforcer
.enforce_policy(workspace_id, uid, obj, act)
Expand Down
8 changes: 4 additions & 4 deletions libs/access-control/src/casbin/collab.rs
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ impl CollabAccessControl for CollabAccessControlImpl {
uid: &i64,
oid: &str,
action: Action,
) -> Result<bool, AppError> {
) -> Result<(), AppError> {
self
.access_control
.enforce(
Expand All @@ -48,7 +48,7 @@ impl CollabAccessControl for CollabAccessControlImpl {
uid: &i64,
oid: &str,
access_level: AFAccessLevel,
) -> Result<bool, AppError> {
) -> Result<(), AppError> {
self
.access_control
.enforce(
Expand Down Expand Up @@ -120,7 +120,7 @@ impl RealtimeCollabAccessControlImpl {
oid: &str,
required_action: Action,
) -> Result<bool, AppError> {
let is_permitted = self
self
.access_control
.enforce(
workspace_id,
Expand All @@ -130,7 +130,7 @@ impl RealtimeCollabAccessControlImpl {
)
.await?;

Ok(is_permitted)
Ok(true)
}
}

Expand Down
127 changes: 73 additions & 54 deletions libs/access-control/src/casbin/enforcer.rs
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,7 @@ where
uid: &i64,
obj: ObjectType<'_>,
act: ActionVariant<'_>,
) -> Result<bool, AppError> {
) -> Result<(), AppError> {
self
.metrics_state
.total_read_enforce_result
Expand Down Expand Up @@ -159,7 +159,11 @@ where
.map_err(|e| AppError::Internal(anyhow!("enforce: {e:?}")))?;
}

Ok(result)
if result {
Ok(())
} else {
Err(AppError::NotEnoughPermissions)
}
}

#[inline]
Expand Down Expand Up @@ -243,6 +247,7 @@ mod tests {
},
entity::ObjectType,
};
use app_error::ErrorCode;
use async_trait::async_trait;
use casbin::{function_map::OperatorFunction, prelude::*};
use database_entity::dto::{AFAccessLevel, AFRole};
Expand Down Expand Up @@ -298,9 +303,8 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(result);
.await;
assert!(result.is_ok());
}
}

Expand Down Expand Up @@ -329,9 +333,8 @@ mod tests {
ObjectType::Workspace(workspace_id),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(result, "action={:?}", action);
.await;
assert!(result.is_ok(), "action={:?}", action);
}
}

Expand Down Expand Up @@ -361,9 +364,8 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(result, "action={:?}", action);
.await;
assert!(result.is_ok(), "action={:?}", action);
}
}

Expand Down Expand Up @@ -402,9 +404,8 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(result, "action={:?}", action);
.await;
assert!(result.is_ok(), "action={:?}", action);
}
}

Expand Down Expand Up @@ -443,9 +444,8 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(result, "action={:?}", action);
.await;
assert!(result.is_ok(), "action={:?}", action);
}
}

Expand Down Expand Up @@ -484,9 +484,8 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(result, "action={:?}", action);
.await;
assert!(result.is_ok(), "action={:?}", action);
}

let result = enforcer
Expand All @@ -496,9 +495,10 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&Action::Delete),
)
.await
.unwrap();
assert!(!result, "only the owner can perform delete")
.await;
assert!(result.is_err(), "only the owner can perform delete");
let error_code = result.unwrap_err().code();
assert_eq!(error_code, ErrorCode::NotEnoughPermissions);
}

#[tokio::test]
Expand Down Expand Up @@ -530,9 +530,8 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(result, "action={:?}", action);
.await;
assert!(result.is_ok(), "action={:?}", action);
}

let result = enforcer
Expand All @@ -542,9 +541,10 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&Action::Delete),
)
.await
.unwrap();
assert!(!result, "only the owner can perform delete")
.await;
assert!(result.is_err(), "only the owner can perform delete");
let error_code = result.unwrap_err().code();
assert_eq!(error_code, ErrorCode::NotEnoughPermissions);
}

#[tokio::test]
Expand All @@ -571,9 +571,8 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(result, "action={:?}", action);
.await;
assert!(result.is_ok(), "action={:?}", action);
}
}

Expand All @@ -598,9 +597,10 @@ mod tests {
ObjectType::Collab(object_1),
ActionVariant::FromAction(&action),
)
.await
.unwrap();
assert!(!result, "action={:?}", action);
.await;
assert!(result.is_err(), "action={:?}", action);
let error_code = result.unwrap_err().code();
assert_eq!(error_code, ErrorCode::NotEnoughPermissions);
}
}

Expand Down Expand Up @@ -630,7 +630,7 @@ mod tests {
ActionVariant::FromRole(&role),
)
.await
.unwrap());
.is_ok());
assert!(enforcer
.enforce_policy(
workspace_id,
Expand All @@ -639,7 +639,7 @@ mod tests {
ActionVariant::FromRole(&role),
)
.await
.unwrap());
.is_ok());
}
}

Expand All @@ -662,25 +662,29 @@ mod tests {

for role in [AFRole::Owner, AFRole::Member, AFRole::Guest] {
if role == AFRole::Owner {
assert!(!enforcer
let result = enforcer
.enforce_policy(
workspace_id,
&uid,
ObjectType::Workspace(workspace_id),
ActionVariant::FromRole(&role),
)
.await
.unwrap());
.await;
assert!(result.is_err());
let error_code = result.unwrap_err().code();
assert_eq!(error_code, ErrorCode::NotEnoughPermissions);

assert!(!enforcer
let result = enforcer
.enforce_policy(
workspace_id,
&uid,
ObjectType::Collab(object_1),
ActionVariant::FromRole(&role),
)
.await
.unwrap());
.await;
assert!(result.is_err());
let error_code = result.unwrap_err().code();
assert_eq!(error_code, ErrorCode::NotEnoughPermissions);
} else {
assert!(enforcer
.enforce_policy(
Expand All @@ -690,7 +694,7 @@ mod tests {
ActionVariant::FromRole(&role),
)
.await
.unwrap());
.is_ok());
assert!(enforcer
.enforce_policy(
workspace_id,
Expand All @@ -699,7 +703,7 @@ mod tests {
ActionVariant::FromRole(&role),
)
.await
.unwrap());
.is_ok());
}
}
}
Expand All @@ -723,15 +727,17 @@ mod tests {

for role in [AFRole::Owner, AFRole::Member, AFRole::Guest] {
if role == AFRole::Owner || role == AFRole::Member {
assert!(!enforcer
let result = enforcer
.enforce_policy(
workspace_id,
&uid,
ObjectType::Collab(object_1),
ActionVariant::FromRole(&role),
)
.await
.unwrap());
.await;
assert!(result.is_err());
let error_code = result.unwrap_err().code();
assert_eq!(error_code, ErrorCode::NotEnoughPermissions);
} else {
assert!(enforcer
.enforce_policy(
Expand All @@ -741,7 +747,7 @@ mod tests {
ActionVariant::FromRole(&role),
)
.await
.unwrap());
.is_ok());
}
}
}
Expand Down Expand Up @@ -775,7 +781,7 @@ mod tests {
ActionVariant::FromAccessLevel(&level),
)
.await
.unwrap());
.is_ok());
}
}

Expand Down Expand Up @@ -809,17 +815,30 @@ mod tests {
ActionVariant::FromAccessLevel(&level),
)
.await
.unwrap());
.is_ok());
} else {
assert!(!enforcer
let result = enforcer
.enforce_policy(
workspace_id,
&uid,
ObjectType::Collab(object_1),
ActionVariant::FromAccessLevel(&level),
)
.await
.unwrap());
.await;
assert!(result.is_err());
let error_code = result.unwrap_err().code();
assert_eq!(error_code, ErrorCode::NotEnoughPermissions);
let result = enforcer
.enforce_policy(
workspace_id,
&uid,
ObjectType::Collab(object_1),
ActionVariant::FromAccessLevel(&level),
)
.await;
assert!(result.is_err());
let error_code = result.unwrap_err().code();
assert_eq!(error_code, ErrorCode::NotEnoughPermissions);
}
}
}
Expand Down
4 changes: 2 additions & 2 deletions libs/access-control/src/casbin/workspace.rs
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ impl WorkspaceAccessControl for WorkspaceAccessControlImpl {
uid: &i64,
workspace_id: &str,
role: AFRole,
) -> Result<bool, AppError> {
) -> Result<(), AppError> {
self
.access_control
.enforce(
Expand All @@ -44,7 +44,7 @@ impl WorkspaceAccessControl for WorkspaceAccessControlImpl {
uid: &i64,
workspace_id: &str,
action: Action,
) -> Result<bool, AppError> {
) -> Result<(), AppError> {
self
.access_control
.enforce(
Expand Down
Loading

0 comments on commit 9eb1c36

Please sign in to comment.