112 lines
3.0 KiB
Rust
112 lines
3.0 KiB
Rust
//! Authentication and API key management
|
|
|
|
use serde::{Deserialize, Serialize};
|
|
use std::collections::HashMap;
|
|
use uuid::Uuid;
|
|
|
|
/// API key scope/permission level
|
|
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
|
|
#[serde(rename_all = "lowercase")]
|
|
pub enum ApiKeyScope {
|
|
/// Full access - can manage keys, runners, jobs
|
|
Admin,
|
|
/// Can register new runners
|
|
Registrar,
|
|
/// Can create and manage jobs
|
|
User,
|
|
}
|
|
|
|
impl ApiKeyScope {
|
|
pub fn as_str(&self) -> &'static str {
|
|
match self {
|
|
ApiKeyScope::Admin => "admin",
|
|
ApiKeyScope::Registrar => "registrar",
|
|
ApiKeyScope::User => "user",
|
|
}
|
|
}
|
|
}
|
|
|
|
/// An API key with metadata
|
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
pub struct ApiKey {
|
|
/// The actual key value (UUID or custom string)
|
|
pub key: String,
|
|
/// Human-readable name for the key
|
|
pub name: String,
|
|
/// Permission scope
|
|
pub scope: ApiKeyScope,
|
|
/// When the key was created
|
|
pub created_at: String,
|
|
/// Optional expiration timestamp
|
|
pub expires_at: Option<String>,
|
|
}
|
|
|
|
impl ApiKey {
|
|
/// Create a new API key with a generated UUID
|
|
pub fn new(name: String, scope: ApiKeyScope) -> Self {
|
|
Self {
|
|
key: Uuid::new_v4().to_string(),
|
|
name,
|
|
scope,
|
|
created_at: chrono::Utc::now().to_rfc3339(),
|
|
expires_at: None,
|
|
}
|
|
}
|
|
|
|
/// Create a new API key with a specific key value
|
|
pub fn with_key(key: String, name: String, scope: ApiKeyScope) -> Self {
|
|
Self {
|
|
key,
|
|
name,
|
|
scope,
|
|
created_at: chrono::Utc::now().to_rfc3339(),
|
|
expires_at: None,
|
|
}
|
|
}
|
|
}
|
|
|
|
/// Response for auth verification
|
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
pub struct AuthVerifyResponse {
|
|
pub valid: bool,
|
|
pub name: String,
|
|
pub scope: String,
|
|
}
|
|
|
|
/// Method authorization requirements
|
|
/// Maps RPC method names to required scopes
|
|
pub fn get_method_required_scopes(method: &str) -> Option<Vec<ApiKeyScope>> {
|
|
use ApiKeyScope::*;
|
|
|
|
match method {
|
|
// Admin-only methods
|
|
"key.create" | "key.generate" | "key.delete" | "key.list" |
|
|
"supervisor.info" => {
|
|
Some(vec![Admin])
|
|
}
|
|
|
|
// Admin or Registrar methods
|
|
"runner.create" | "runner.remove" => {
|
|
Some(vec![Admin, Registrar])
|
|
}
|
|
|
|
// Admin or User methods
|
|
"job.create" | "job.run" | "job.start" | "job.stop" | "job.delete" => {
|
|
Some(vec![Admin, User])
|
|
}
|
|
|
|
// Public methods (no auth required)
|
|
"rpc.discover" => None,
|
|
|
|
// Any authenticated user (read-only operations)
|
|
"runner.list" | "runner.ping" |
|
|
"job.get" | "job.list" | "job.status" | "job.result" | "job.logs" |
|
|
"auth.verify" => {
|
|
Some(vec![Admin, Registrar, User])
|
|
}
|
|
|
|
// Default: require authentication
|
|
_ => Some(vec![Admin, Registrar, User]),
|
|
}
|
|
}
|