feat: [#615] added authorization for delete torrent action

mario-nt · mario-nt · commit 58a33e7dd42f · 2024-07-03T14:17:06.000+02:00
diff --git a/casbin/policy.csv b/casbin/policy.csv
@@ -3,4 +3,5 @@ p, true, DeleteCategory
 p, true, GetSettings
 p, true, GetSettingsSecret
 p, true, AddTag
-p, true, DeleteTag
+p, true, DeleteTag
+p, true, DeleteTorrent
diff --git a/src/app.rs b/src/app.rs
@@ -116,6 +116,7 @@ pub async fn run(configuration: Configuration, api_version: &Version) -> Running
         torrent_announce_url_repository.clone(),
         torrent_tag_repository.clone(),
         torrent_listing_generator.clone(),
+        authorization_service.clone(),
     ));
     let registration_service = Arc::new(user::RegistrationService::new(
         configuration.clone(),
diff --git a/src/services/authorization.rs b/src/services/authorization.rs
@@ -1,199 +1,92 @@
 //! Authorization service.
 use std::sync::Arc;
 
+use casbin::prelude::*;
+use serde::{Deserialize, Serialize};
+use tokio::sync::RwLock;
+
 use super::user::Repository;
 use crate::errors::ServiceError;
 use crate::models::user::{UserCompact, UserId};
 
+#[derive(Debug, Clone, Serialize, Deserialize, Hash)]
 pub enum ACTION {
     AddCategory,
     DeleteCategory,
     GetSettings,
     GetSettingsSecret,
     AddTag,
     DeleteTag,
+    DeleteTorrent,
+    BanUser,
 }
 
 pub struct Service {
     user_repository: Arc<Box<dyn Repository>>,
+    casbin_enforcer: Arc<CasbinEnforcer>,
 }
 
 impl Service {
     #[must_use]
-    pub fn new(user_repository: Arc<Box<dyn Repository>>) -> Self {
-        Self { user_repository }
+    pub fn new(user_repository: Arc<Box<dyn Repository>>, casbin_enforcer: Arc<CasbinEnforcer>) -> Self {
+        Self {
+            user_repository,
+            casbin_enforcer,
+        }
     }
 
+    /// It returns the compact user.
+    ///
     /// # Errors
     ///
-    /// Will return an error if:
+    /// It returns an error if there is a database error.
+    pub async fn get_user(&self, user_id: UserId) -> std::result::Result<UserCompact, ServiceError> {
+        self.user_repository.get_compact(&user_id).await
+    }
+
+    ///Allows or denies an user to perform an action based on the user's privileges
     ///
-    /// - There is not any user with the provided `UserId` (when the user id is some).
+    /// # Errors
+    ///
+    /// Will return an error if:
+    /// - There is no user_id found in the request
+    /// - The user_id is not found in the database
     /// - The user is not authorized to perform the action.
-    pub async fn authorize(&self, action: ACTION, maybe_user_id: Option<UserId>) -> Result<(), ServiceError> {
-        match action {
-            ACTION::AddCategory
-            | ACTION::DeleteCategory
-            | ACTION::GetSettings
-            | ACTION::GetSettingsSecret
-            | ACTION::AddTag
-            | ACTION::DeleteTag => match maybe_user_id {
-                Some(user_id) => {
-                    let user = self.get_user(user_id).await?;
-
-                    if !user.administrator {
-                        return Err(ServiceError::Unauthorized);
-                    }
-
-                    Ok(())
+    pub async fn authorize(&self, action: ACTION, maybe_user_id: Option<UserId>) -> std::result::Result<(), ServiceError> {
+        match maybe_user_id {
+            Some(user_id) => {
+                let user_guard = self.get_user(user_id).await.map_err(|_| ServiceError::UserNotFound);
+                // the user that wants to access a resource.
+                let role = user_guard.unwrap().administrator;
+
+                // the user that wants to access a resource.
+                let sub = role.to_string();
+
+                let act = action; // the operation that the user performs on the resource.
+
+                let enforcer = self.casbin_enforcer.enforcer.read().await;
+                /* let enforcer = self.casbin_enforcer.clone();
+                let enforcer_lock = enforcer.enforcer.read().await; */
+                let authorize = enforcer.enforce((sub, act)).unwrap();
+                match authorize {
+                    true => Ok(()),
+                    false => Err(ServiceError::Unauthorized),
                 }
-                None => Err(ServiceError::Unauthorized),
-            },
+            }
+            None => Err(ServiceError::Unauthorized),
         }
     }
-
-    async fn get_user(&self, user_id: UserId) -> Result<UserCompact, ServiceError> {
-        self.user_repository.get_compact(&user_id).await
-    }
 }
-#[allow(unused_imports)]
-#[cfg(test)]
-mod test {
-    use std::str::FromStr;
-    use std::sync::Arc;
 
-    use mockall::predicate;
-
-    use crate::databases::database;
-    use crate::errors::ServiceError;
-    use crate::models::user::{User, UserCompact};
-    use crate::services::authorization::{Service, ACTION};
-    use crate::services::user::{MockRepository, Repository};
-    use crate::web::api::client::v1::random::string;
-
-    #[tokio::test]
-    async fn a_guest_user_should_not_be_able_to_add_categories() {
-        let test_user_id = 1;
-
-        let mut mock_repository = MockRepository::new();
-        mock_repository
-            .expect_get_compact()
-            .with(predicate::eq(test_user_id))
-            .times(1)
-            .returning(|_| Err(ServiceError::UserNotFound));
-
-        let service = Service::new(Arc::new(Box::new(mock_repository)));
-        assert_eq!(
-            service.authorize(ACTION::AddCategory, Some(test_user_id)).await,
-            Err(ServiceError::UserNotFound)
-        );
-    }
-
-    #[tokio::test]
-    async fn a_registered_user_should_not_be_able_to_add_categories() {
-        let test_user_id = 2;
-
-        let mut mock_repository = MockRepository::new();
-        mock_repository
-            .expect_get_compact()
-            .with(predicate::eq(test_user_id))
-            .times(1)
-            .returning(move |_| {
-                Ok(UserCompact {
-                    user_id: test_user_id,
-                    username: "non_admin_user".to_string(),
-                    administrator: false,
-                })
-            });
-
-        let service = Service::new(Arc::new(Box::new(mock_repository)));
-        assert_eq!(
-            service.authorize(ACTION::AddCategory, Some(test_user_id)).await,
-            Err(ServiceError::Unauthorized)
-        );
-    }
-
-    #[tokio::test]
-    async fn an_admin_user_should_be_able_to_add_categories() {
-        let test_user_id = 3;
-
-        let mut mock_repository = MockRepository::new();
-        mock_repository
-            .expect_get_compact()
-            .with(predicate::eq(test_user_id))
-            .times(1)
-            .returning(move |_| {
-                Ok(UserCompact {
-                    user_id: test_user_id,
-                    username: "admin_user".to_string(),
-                    administrator: true,
-                })
-            });
-
-        let service = Service::new(Arc::new(Box::new(mock_repository)));
-        assert_eq!(service.authorize(ACTION::AddCategory, Some(test_user_id)).await, Ok(()));
-    }
-
-    #[tokio::test]
-    async fn a_guest_user_should_not_be_able_to_delete_categories() {
-        let test_user_id = 4;
-
-        let mut mock_repository = MockRepository::new();
-        mock_repository
-            .expect_get_compact()
-            .with(predicate::eq(test_user_id))
-            .times(1)
-            .returning(|_| Err(ServiceError::UserNotFound));
-
-        let service = Service::new(Arc::new(Box::new(mock_repository)));
-        assert_eq!(
-            service.authorize(ACTION::DeleteCategory, Some(test_user_id)).await,
-            Err(ServiceError::UserNotFound)
-        );
-    }
-
-    #[tokio::test]
-    async fn a_registered_user_should_not_be_able_to_delete_categories() {
-        let test_user_id = 5;
-
-        let mut mock_repository = MockRepository::new();
-        mock_repository
-            .expect_get_compact()
-            .with(predicate::eq(test_user_id))
-            .times(1)
-            .returning(move |_| {
-                Ok(UserCompact {
-                    user_id: test_user_id,
-                    username: "non_admin_user".to_string(),
-                    administrator: false,
-                })
-            });
-
-        let service = Service::new(Arc::new(Box::new(mock_repository)));
-        assert_eq!(
-            service.authorize(ACTION::DeleteCategory, Some(test_user_id)).await,
-            Err(ServiceError::Unauthorized)
-        );
-    }
-
-    #[tokio::test]
-    async fn an_admin_user_should_be_able_to_delete_categories() {
-        let test_user_id = 6;
-
-        let mut mock_repository = MockRepository::new();
-        mock_repository
-            .expect_get_compact()
-            .with(predicate::eq(test_user_id))
-            .times(1)
-            .returning(move |_| {
-                Ok(UserCompact {
-                    user_id: test_user_id,
-                    username: "admin_user".to_string(),
-                    administrator: true,
-                })
-            });
+pub struct CasbinEnforcer {
+    enforcer: Arc<RwLock<Enforcer>>, //Arc<tokio::sync::RwLock<casbin::Enforcer>>
+}
 
-        let service = Service::new(Arc::new(Box::new(mock_repository)));
-        assert_eq!(service.authorize(ACTION::DeleteCategory, Some(test_user_id)).await, Ok(()));
+impl CasbinEnforcer {
+    pub async fn new() -> Self {
+        let enforcer = Enforcer::new("casbin/model.conf", "casbin/policy.csv").await.unwrap();
+        let enforcer = Arc::new(RwLock::new(enforcer));
+        //casbin_enforcer.enable_log(true);
+        Self { enforcer }
     }
 }
diff --git a/src/services/torrent.rs b/src/services/torrent.rs
@@ -5,6 +5,7 @@ use serde_derive::{Deserialize, Serialize};
 use tracing::debug;
 use url::Url;
 
+use super::authorization::{self, ACTION};
 use super::category::DbCategoryRepository;
 use crate::config::{Configuration, TrackerMode};
 use crate::databases::database::{Database, Error, Sorting};
@@ -34,6 +35,7 @@ pub struct Index {
     torrent_announce_url_repository: Arc<DbTorrentAnnounceUrlRepository>,
     torrent_tag_repository: Arc<DbTorrentTagRepository>,
     torrent_listing_generator: Arc<DbTorrentListingGenerator>,
+    authorization_service: Arc<authorization::Service>,
 }
 
 pub struct AddTorrentRequest {
@@ -90,6 +92,7 @@ impl Index {
         torrent_announce_url_repository: Arc<DbTorrentAnnounceUrlRepository>,
         torrent_tag_repository: Arc<DbTorrentTagRepository>,
         torrent_listing_repository: Arc<DbTorrentListingGenerator>,
+        authorization_service: Arc<authorization::Service>,
     ) -> Self {
         Self {
             configuration,
@@ -104,6 +107,7 @@ impl Index {
             torrent_announce_url_repository,
             torrent_tag_repository,
             torrent_listing_generator: torrent_listing_repository,
+            authorization_service,
         }
     }
 
@@ -289,13 +293,9 @@ impl Index {
     /// * Unable to get the torrent listing from it's ID.
     /// * Unable to delete the torrent from the database.
     pub async fn delete_torrent(&self, info_hash: &InfoHash, user_id: &UserId) -> Result<DeletedTorrentResponse, ServiceError> {
-        let user = self.user_repository.get_compact(user_id).await?;
-
-        // Only administrator can delete torrents.
-        // todo: move this to an authorization service.
-        if !user.administrator {
-            return Err(ServiceError::Unauthorized);
-        }
+        self.authorization_service
+            .authorize(ACTION::DeleteTorrent, Some(*user_id))
+            .await?;
 
         let torrent_listing = self.torrent_listing_generator.one_torrent_by_info_hash(info_hash).await?;
 
