rbac: add _seaography_user_role_permission

Author: tyt2y3

.github/workflows/tests.yaml

@@ -85,9 +85,10 @@ jobs:
           cargo test --test custom_query_tests
           cargo test --test custom_mutation_tests
           cargo test --test query_tests --features=rbac
+          cargo test --test rbac_tests --features=rbac
           cargo test --test plural_query_tests --features=field-pluralize
           cargo test --test entity_filter_tests --features=field-pluralize
-          rm tests/custom_mutation_tests.rs tests/custom_query_tests.rs tests/plural_query_tests.rs
+          rm tests/custom_mutation_tests.rs tests/custom_query_tests.rs tests/plural_query_tests.rs tests/rbac_tests.rs
       - name: Remove generated folder
         run: rm -rf ./examples/sqlite/src
       - name: Copy sample database

examples/sqlite/Cargo.toml

@@ -32,3 +32,11 @@ field-pluralize = ["seaography/field-pluralize"]
 name = "plural_query_tests"
 path = "tests/plural_query_tests.rs"
 required-features = ["field-pluralize"]
+
+[[test]]
+name = "rbac_tests"
+path = "tests/rbac_tests.rs"
+required-features = ["rbac"]
+
+[patch.crates-io]
+sea-orm = { git = "https://github.com/SeaQL/sea-orm", branch = "master" }

examples/sqlite/src/main.rs

@@ -6,7 +6,7 @@ use async_graphql::{
 use async_graphql_actix_web::{GraphQLRequest, GraphQLResponse};
 use dotenv::dotenv;
 use sea_orm::Database;
-use seaography::{async_graphql, lazy_static};
+use seaography::{async_graphql, lazy_static, DatabaseContext};
 use std::env;
 
 lazy_static::lazy_static! {
@@ -42,7 +42,8 @@ async fn main() -> std::io::Result<()> {
         .init();
     let database = Database::connect(&*DATABASE_URL)
         .await
-        .expect("Fail to initialize database connection");
+        .expect("Fail to initialize database connection")
+        .unrestricted();
     let schema =
         seaography_sqlite_example::query_root::schema(database, *DEPTH_LIMIT, *COMPLEXITY_LIMIT)
             .unwrap();

examples/sqlite/tests/rbac_tests.rs

@@ -0,0 +1,68 @@
+use async_graphql::{dynamic::*, Response};
+use sea_orm::Database;
+use seaography::{async_graphql, DatabaseContext};
+
+pub async fn get_schema() -> Schema {
+    let database = Database::connect("sqlite://sakila.db").await.unwrap();
+    let schema =
+        seaography_sqlite_example::query_root::schema(database.unrestricted(), None, None).unwrap();
+
+    schema
+}
+
+pub fn assert_eq(a: Response, b: &str) {
+    assert_eq!(
+        a.data.into_json().unwrap(),
+        serde_json::from_str::<serde_json::Value>(b).unwrap()
+    )
+}
+
+#[tokio::test]
+async fn test_user_role_permission() {
+    let schema = get_schema().await;
+
+    assert_eq(
+        schema
+            .execute(
+                r#"
+                {
+                  _seaography_current_user_role_permission {
+                    role {
+                      role
+                    }
+                    permissions {
+                      resource {
+                        schema
+                        table
+                      }
+                      permission {
+                        action
+                      }
+                    }
+                  }
+                }
+                "#,
+            )
+            .await,
+        r#"
+        {
+          "_seaography_current_user_role_permission": {
+            "role": {
+              "role": "unrestricted"
+            },
+            "permissions": [
+              {
+                "resource": {
+                  "schema": null,
+                  "table": "*"
+                },
+                "permission": {
+                  "action": "*"
+                }
+              }
+            ]
+          }
+        }
+        "#,
+    )
+}

src/builder.rs

@@ -369,11 +369,27 @@ impl Builder {
         self.queries.push(field);
     }
 
+    #[cfg(feature = "rbac")]
+    fn register_rbac(&mut self) {
+        use crate::rbac::*;
+
+        self.register_custom_output::<UserRolePermissions>();
+        self.register_custom_output::<ResourcePermission>();
+        self.register_custom_entity::<role::Entity>();
+        self.register_custom_entity::<resource::Entity>();
+        self.register_custom_entity::<permission::Entity>();
+
+        self.register_custom_query::<Queries>();
+    }
+
     /// used to consume the builder context and generate a ready to be completed GraphQL schema
     pub fn schema_builder(mut self) -> SchemaBuilder {
         #[cfg(feature = "schema-meta")]
         self.register_schema_meta();
 
+        #[cfg(feature = "rbac")]
+        self.register_rbac();
+
         let query = self.query;
         let mutation = self.mutation;
         let subscription = self.subscription;

src/rbac.rs

@@ -1,5 +1,10 @@
 use sea_orm::{DatabaseConnection, DbErr, StatementBuilder};
 
+#[cfg(feature = "rbac")]
+mod operations;
+#[cfg(feature = "rbac")]
+pub use operations::*;
+
 #[derive(Default)]
 pub struct UserContext {
     pub user_id: i64,

src/rbac/operations.rs

@@ -0,0 +1,55 @@
+use crate as seaography;
+use async_graphql::{dynamic::ResolverContext, Result as GqlResult};
+pub use sea_orm::rbac::entity::{permission, resource, role};
+use sea_orm::DatabaseConnection;
+use seaography::{
+    macros::{CustomOperation, CustomOutput},
+    BuilderContext, DatabaseContext, UserContext,
+};
+
+// Users can't customize this context
+lazy_static::lazy_static! { static ref CONTEXT: BuilderContext = BuilderContext::default(); }
+
+#[derive(Clone, CustomOutput)]
+#[seaography(prefix = "SeaOrm", suffix = "")]
+pub struct UserRolePermissions {
+    pub role: role::Model,
+    pub permissions: Vec<ResourcePermission>,
+}
+
+#[derive(Clone, CustomOutput)]
+#[seaography(prefix = "SeaOrm", suffix = "")]
+pub struct ResourcePermission {
+    pub resource: resource::Model,
+    pub permission: permission::Model,
+}
+
+#[allow(dead_code)]
+#[derive(CustomOperation)]
+pub struct Queries {
+    _seaography_current_user_role_permission: fn() -> UserRolePermissions,
+}
+
+impl Queries {
+    async fn _seaography_current_user_role_permission(
+        ctx: &ResolverContext<'_>,
+    ) -> GqlResult<UserRolePermissions> {
+        let db = &ctx
+            .data::<DatabaseConnection>()?
+            .restricted(ctx.data_opt::<UserContext>())?;
+
+        let role = db.user_role_permissions()?;
+
+        Ok(UserRolePermissions {
+            role: role.role,
+            permissions: role
+                .permissions
+                .into_iter()
+                .map(|(resource, permission)| ResourcePermission {
+                    resource,
+                    permission,
+                })
+                .collect(),
+        })
+    }
+}