Merge #703: Feat: allow overwriting casbin configuration

c1a5c25 feat: [#702] allow overwriting casbin configuration (Jose Celano)

Pull request description:

  This is an **unstable** feature. You can overwrite casbin configuration to change permissions for roles:  guest, registered and admin.

  You can do it by adding this new section to the TOML config file:

  ```toml
  [unstable.auth.casbin]
  model = """
  [request_definition]
  r = role, action

  [policy_definition]
  p = role, action

  [policy_effect]
  e = some(where (p.eft == allow))

  [matchers]
  m = r.role == p.role && r.action == p.action
  """

  policy = """
  admin, GetAboutPage
  admin, GetLicensePage
  admin, AddCategory
  admin, DeleteCategory
  admin, GetCategories
  admin, GetImageByUrl
  admin, GetSettings
  admin, GetSettingsSecret
  admin, GetPublicSettings
  admin, AddTag
  admin, DeleteTag
  admin, GetTags
  admin, AddTorrent
  admin, GetTorrent
  admin, DeleteTorrent
  admin, GetTorrentInfo
  admin, GenerateTorrentInfoListing
  admin, GetCanonicalInfoHash
  admin, ChangePassword
  admin, BanUser
  registered, GetAboutPage
  registered, GetLicensePage
  registered, GetCategories
  registered, GetImageByUrl
  registered, GetPublicSettings
  registered, GetTags
  registered, AddTorrent
  registered, GetTorrent
  registered, GetTorrentInfo
  registered, GenerateTorrentInfoListing
  registered, GetCanonicalInfoHash
  registered, ChangePassword
  guest, GetAboutPage
  guest, GetLicensePage
  guest, GetCategories
  guest, GetPublicSettings
  guest, GetTags
  guest, GetTorrent
  guest, GetTorrentInfo
  guest, GenerateTorrentInfoListing
  guest, GetCanonicalInfoHash
  """
  ```

  For example, if you want to force users to log in to see the torrent list, you can remove the following line from the policy:

  ```
  guest, GenerateTorrentInfoListing
  ```

  **NOTICE**: This is an unstable feature. It will panic with wrong casbin configuration, invalid roles, etcetera.

ACKs for top commit:
  josecelano:
    ACK c1a5c25

Tree-SHA512: 2bcc4bc69befd081aeef730768b4fa0f13bed14dc9c5f522ddbd0aa534b7679dc7adb870147e17120ff70af8e626b76b8662ea9d584ec4b1e11e9842f7fca8e4

Author: josecelano

project-words.txt

@@ -9,6 +9,7 @@ binascii
 btih
 buildx
 camino
+Casbin
 chrono
 clippy
 codecov
@@ -51,6 +52,7 @@ luckythelab
 mailcatcher
 mandelbrotset
 metainfo
+Mgmt
 migth
 nanos
 NCCA

src/app.rs

@@ -11,6 +11,7 @@ use crate::config::validator::Validator;
 use crate::config::Configuration;
 use crate::databases::database;
 use crate::services::authentication::{DbUserAuthenticationRepository, JsonWebToken, Service};
+use crate::services::authorization::{CasbinConfiguration, CasbinEnforcer};
 use crate::services::category::{self, DbCategoryRepository};
 use crate::services::tag::{self, DbTagRepository};
 use crate::services::torrent::{
@@ -62,6 +63,8 @@ pub async fn run(configuration: Configuration, api_version: &Version) -> Running
     // From [net] config
     let config_bind_address = settings.net.bind_address;
     let opt_net_tsl = settings.net.tsl.clone();
+    // Unstable config
+    let unstable = settings.unstable.clone();
 
     // IMPORTANT: drop settings before starting server to avoid read locks that
     // leads to requests hanging.
@@ -87,7 +90,19 @@ pub async fn run(configuration: Configuration, api_version: &Version) -> Running
     let torrent_tag_repository = Arc::new(DbTorrentTagRepository::new(database.clone()));
     let torrent_listing_generator = Arc::new(DbTorrentListingGenerator::new(database.clone()));
     let banned_user_list = Arc::new(DbBannedUserList::new(database.clone()));
-    let casbin_enforcer = Arc::new(authorization::CasbinEnforcer::new().await);
+    let casbin_enforcer = Arc::new(
+        if let Some(casbin) = unstable
+            .as_ref()
+            .and_then(|u| u.auth.as_ref())
+            .and_then(|auth| auth.casbin.as_ref())
+        {
+            println!("loading custom");
+            CasbinEnforcer::with_configuration(CasbinConfiguration::new(&casbin.model, &casbin.policy)).await
+        } else {
+            println!("loading default");
+            CasbinEnforcer::with_default_configuration().await
+        },
+    );
 
     // Services
     let authorization_service = Arc::new(authorization::Service::new(user_repository.clone(), casbin_enforcer.clone()));

src/config/v2/mod.rs

@@ -8,11 +8,13 @@ pub mod net;
 pub mod registration;
 pub mod tracker;
 pub mod tracker_statistics_importer;
+pub mod unstable;
 pub mod website;
 
 use logging::Logging;
 use registration::Registration;
 use serde::{Deserialize, Serialize};
+use unstable::Unstable;
 
 use self::api::Api;
 use self::auth::{Auth, ClaimTokenPepper};
@@ -76,6 +78,10 @@ pub struct Settings {
     /// The tracker statistics importer job configuration.
     #[serde(default = "Settings::default_tracker_statistics_importer")]
     pub tracker_statistics_importer: TrackerStatisticsImporter,
+
+    /// The unstable configuration.
+    #[serde(default = "Settings::default_unstable")]
+    pub unstable: Option<Unstable>,
 }
 
 impl Default for Settings {
@@ -93,6 +99,7 @@ impl Default for Settings {
             api: Self::default_api(),
             registration: Self::default_registration(),
             tracker_statistics_importer: Self::default_tracker_statistics_importer(),
+            unstable: Self::default_unstable(),
         }
     }
 }
@@ -174,6 +181,10 @@ impl Settings {
     fn default_tracker_statistics_importer() -> TrackerStatisticsImporter {
         TrackerStatisticsImporter::default()
     }
+
+    fn default_unstable() -> Option<Unstable> {
+        None
+    }
 }
 
 impl Validator for Settings {

src/config/v2/unstable.rs

@@ -0,0 +1,55 @@
+use serde::{Deserialize, Serialize};
+
+/// Unstable configuration options.
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct Unstable {
+    /// The casbin configuration used for authorization.
+    #[serde(default = "Unstable::default_auth")]
+    pub auth: Option<Auth>,
+}
+
+impl Default for Unstable {
+    fn default() -> Self {
+        Self {
+            auth: Self::default_auth(),
+        }
+    }
+}
+
+impl Unstable {
+    fn default_auth() -> Option<Auth> {
+        None
+    }
+}
+
+/// Unstable auth configuration options.
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct Auth {
+    /// The casbin configuration used for authorization.
+    #[serde(default = "Auth::default_casbin")]
+    pub casbin: Option<Casbin>,
+}
+
+impl Default for Auth {
+    fn default() -> Self {
+        Self {
+            casbin: Self::default_casbin(),
+        }
+    }
+}
+
+impl Auth {
+    fn default_casbin() -> Option<Casbin> {
+        None
+    }
+}
+
+/// Authentication options.
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct Casbin {
+    /// The model. See <https://casbin.org>.
+    pub model: String,
+
+    /// The policy. See <https://casbin.org>.
+    pub policy: String,
+}

src/services/authorization.rs

@@ -132,40 +132,84 @@ pub struct CasbinEnforcer {
 impl CasbinEnforcer {
     /// # Panics
     ///
-    /// It panics if the policy and/or model file cannot be loaded
-    pub async fn new() -> Self {
-        let casbin_configuration = CasbinConfiguration::new();
+    /// Will panic if:
+    ///
+    /// - The enforcer can't be created.
+    /// - The policies can't be loaded.
+    pub async fn with_default_configuration() -> Self {
+        let casbin_configuration = CasbinConfiguration::default();
 
-        let model = DefaultModel::from_str(&casbin_configuration.model)
+        let mut enforcer = Enforcer::new(casbin_configuration.default_model().await, ())
             .await
-            .expect("Error loading the model");
+            .expect("Error creating the enforcer");
 
-        // Converts the policy from a string type to a vector
-        let policy = casbin_configuration
-            .policy
-            .lines()
-            .filter(|line| !line.trim().is_empty())
-            .map(|line| line.split(',').map(|s| s.trim().to_owned()).collect::<Vec<String>>())
-            .collect();
+        enforcer
+            .add_policies(casbin_configuration.policy_lines())
+            .await
+            .expect("Error loading the policy");
+
+        let enforcer = Arc::new(RwLock::new(enforcer));
+
+        Self { enforcer }
+    }
 
-        let mut enforcer = Enforcer::new(model, ()).await.expect("Error creating the enforcer");
+    /// # Panics
+    ///
+    /// Will panic if:
+    ///
+    /// - The enforcer can't be created.
+    /// - The policies can't be loaded.
+    pub async fn with_configuration(casbin_configuration: CasbinConfiguration) -> Self {
+        let mut enforcer = Enforcer::new(casbin_configuration.default_model().await, ())
+            .await
+            .expect("Error creating the enforcer");
 
-        enforcer.add_policies(policy).await.expect("Error loading the policy");
+        enforcer
+            .add_policies(casbin_configuration.policy_lines())
+            .await
+            .expect("Error loading the policy");
 
         let enforcer = Arc::new(RwLock::new(enforcer));
 
         Self { enforcer }
     }
 }
+
 #[allow(dead_code)]
-struct CasbinConfiguration {
+pub struct CasbinConfiguration {
     model: String,
     policy: String,
 }
 
 impl CasbinConfiguration {
-    pub fn new() -> Self {
-        CasbinConfiguration {
+    #[must_use]
+    pub fn new(model: &str, policy: &str) -> Self {
+        Self {
+            model: model.to_owned(),
+            policy: policy.to_owned(),
+        }
+    }
+
+    /// # Panics
+    ///
+    /// It panics if the model cannot be loaded.
+    async fn default_model(&self) -> DefaultModel {
+        DefaultModel::from_str(&self.model).await.expect("Error loading the model")
+    }
+
+    /// Converts the policy from a string type to a vector.
+    fn policy_lines(&self) -> Vec<Vec<String>> {
+        self.policy
+            .lines()
+            .filter(|line| !line.trim().is_empty())
+            .map(|line| line.split(',').map(|s| s.trim().to_owned()).collect::<Vec<String>>())
+            .collect()
+    }
+}
+
+impl Default for CasbinConfiguration {
+    fn default() -> Self {
+        Self {
             model: String::from(
                 "
                 [request_definition]