feat: Add access rule CRD to appcred provider

crates/appcred-driver-sql/src/application_credential.rs

@@ -24,6 +24,7 @@ use crate::entity::{
     application_credential_role as db_application_credential_role,
 };
 
+pub mod access_rule;
 mod create;
 mod get;
 mod list;

crates/appcred-driver-sql/src/application_credential/access_rule.rs

@@ -0,0 +1,44 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+//! # Application credential access rule database backend.
+
+mod create;
+mod delete;
+mod get;
+mod list;
+
+pub use create::create;
+pub use delete::delete;
+pub use get::get;
+pub use list::list;
+
+#[cfg(test)]
+pub(crate) mod tests {
+    use crate::entity::access_rule;
+
+    /// Build a mock `access_rule::Model` for tests.
+    pub fn get_access_rule_mock<S: AsRef<str>>(
+        internal_id: i32,
+        external_id: S,
+    ) -> access_rule::Model {
+        access_rule::Model {
+            id: internal_id,
+            external_id: Some(external_id.as_ref().into()),
+            path: Some("/v2.1/servers".into()),
+            method: Some("POST".into()),
+            service: Some("compute".into()),
+            user_id: Some("user_id".into()),
+        }
+    }
+}

crates/appcred-driver-sql/src/application_credential/access_rule/create.rs

@@ -0,0 +1,77 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+//! # Create access rule
+
+use sea_orm::ConnectionTrait;
+use sea_orm::entity::*;
+use uuid::Uuid;
+
+use openstack_keystone_core::application_credential::ApplicationCredentialProviderError;
+use openstack_keystone_core::error::DbContextExt;
+use openstack_keystone_core_types::application_credential::*;
+
+use crate::entity::access_rule as db_access_rule;
+
+/// Create a standalone access rule owned by a user.
+///
+/// # Parameters
+/// - `db`: The database connection.
+/// - `user_id`: The ID of the user owning the access rule.
+/// - `rule`: The access rule to create.
+///
+/// # Returns
+/// A `Result` containing the created `AccessRule` or an `Error`.
+pub async fn create<U: AsRef<str>>(
+    db: &impl ConnectionTrait,
+    user_id: U,
+    rule: AccessRuleCreate,
+) -> Result<AccessRule, ApplicationCredentialProviderError> {
+    db_access_rule::ActiveModel {
+        id: NotSet,
+        method: Set(rule.method),
+        path: Set(rule.path),
+        service: Set(rule.service),
+        external_id: Set(Some(rule.id.unwrap_or(Uuid::new_v4().simple().to_string()))),
+        user_id: Set(Some(user_id.as_ref().to_string())),
+    }
+    .insert(db)
+    .await
+    .context("persisting access rule")?
+    .try_into()
+}
+
+#[cfg(test)]
+mod tests {
+    use sea_orm::{DatabaseBackend, MockDatabase};
+
+    use super::super::tests::get_access_rule_mock;
+    use super::*;
+
+    #[tokio::test]
+    async fn test_create() {
+        let db = MockDatabase::new(DatabaseBackend::Postgres)
+            .append_query_results([vec![get_access_rule_mock(1, "rule_id")]])
+            .into_connection();
+
+        let req = AccessRuleCreate {
+            id: Some("rule_id".into()),
+            method: Some("POST".into()),
+            path: Some("/v2.1/servers".into()),
+            service: Some("compute".into()),
+        };
+
+        let result = create(&db, "user_id", req).await;
+        assert!(result.is_ok(), "create failed: {:?}", result.err());
+    }
+}

crates/appcred-driver-sql/src/application_credential/access_rule/delete.rs

@@ -0,0 +1,133 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+//! # Delete access rule
+
+use sea_orm::ConnectionTrait;
+use sea_orm::entity::*;
+use sea_orm::query::*;
+
+use openstack_keystone_core::application_credential::ApplicationCredentialProviderError;
+use openstack_keystone_core::error::DbContextExt;
+
+use crate::entity::{
+    access_rule as db_access_rule,
+    application_credential_access_rule as db_application_credential_access_rule,
+    prelude::{
+        AccessRule as DbAccessRule,
+        ApplicationCredentialAccessRule as DbApplicationCredentialAccessRule,
+    },
+};
+
+/// Delete a user's access rule by its (external) ID.
+///
+/// The access rule must not be referenced by any application credential;
+/// otherwise an `AccessRuleInUse` error is returned (deleting it would silently
+/// strip the credential's restriction).
+///
+/// # Parameters
+/// - `db`: The database connection.
+/// - `user_id`: The ID of the user owning the access rule.
+/// - `id`: The (external) ID of the access rule.
+///
+/// # Returns
+/// A `Result` containing `()` or an `Error` (`AccessRuleNotFound` if no such
+/// rule exists, `AccessRuleInUse` if it is still attached to a credential).
+pub async fn delete<U: AsRef<str>, I: AsRef<str>>(
+    db: &impl ConnectionTrait,
+    user_id: U,
+    id: I,
+) -> Result<(), ApplicationCredentialProviderError> {
+    let rule = DbAccessRule::find()
+        .filter(db_access_rule::Column::ExternalId.eq(id.as_ref()))
+        .filter(db_access_rule::Column::UserId.eq(user_id.as_ref()))
+        .one(db)
+        .await
+        .context("fetching access rule for delete")?
+        .ok_or_else(|| {
+            ApplicationCredentialProviderError::AccessRuleNotFound(id.as_ref().to_string())
+        })?;
+
+    // Refuse to delete a rule that is still attached to an application
+    // credential.
+    let in_use = DbApplicationCredentialAccessRule::find()
+        .filter(db_application_credential_access_rule::Column::AccessRuleId.eq(rule.id))
+        .all(db)
+        .await
+        .context("checking whether access rule is in use")?;
+    if !in_use.is_empty() {
+        return Err(ApplicationCredentialProviderError::AccessRuleInUse(
+            id.as_ref().to_string(),
+        ));
+    }
+
+    rule.delete(db).await.context("deleting access rule")?;
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use sea_orm::{DatabaseBackend, MockDatabase, MockExecResult};
+
+    use super::super::tests::get_access_rule_mock;
+    use super::*;
+    use crate::entity::access_rule;
+
+    #[tokio::test]
+    async fn test_delete() {
+        let db = MockDatabase::new(DatabaseBackend::Postgres)
+            // 1. fetch the existing rule
+            .append_query_results([vec![get_access_rule_mock(1, "rule_id")]])
+            // 2. usage check returns no relations
+            .append_query_results([Vec::<db_application_credential_access_rule::Model>::new()])
+            // 3. the DELETE
+            .append_exec_results([MockExecResult {
+                rows_affected: 1,
+                ..Default::default()
+            }])
+            .into_connection();
+
+        let result = delete(&db, "user_id", "rule_id").await;
+        assert!(result.is_ok(), "delete failed: {:?}", result.err());
+    }
+
+    #[tokio::test]
+    async fn test_delete_not_found() {
+        let db = MockDatabase::new(DatabaseBackend::Postgres)
+            .append_query_results([Vec::<access_rule::Model>::new()])
+            .into_connection();
+
+        let result = delete(&db, "user_id", "missing").await;
+        assert!(matches!(
+            result,
+            Err(ApplicationCredentialProviderError::AccessRuleNotFound(_))
+        ));
+    }
+
+    #[tokio::test]
+    async fn test_delete_in_use() {
+        let db = MockDatabase::new(DatabaseBackend::Postgres)
+            .append_query_results([vec![get_access_rule_mock(1, "rule_id")]])
+            .append_query_results([vec![db_application_credential_access_rule::Model {
+                application_credential_id: 1,
+                access_rule_id: 1,
+            }]])
+            .into_connection();
+
+        let result = delete(&db, "user_id", "rule_id").await;
+        assert!(matches!(
+            result,
+            Err(ApplicationCredentialProviderError::AccessRuleInUse(_))
+        ));
+    }
+}

crates/appcred-driver-sql/src/application_credential/access_rule/get.rs

@@ -0,0 +1,86 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+//! # Get access rule
+
+use sea_orm::ConnectionTrait;
+use sea_orm::entity::*;
+use sea_orm::query::*;
+
+use openstack_keystone_core::application_credential::ApplicationCredentialProviderError;
+use openstack_keystone_core::error::DbContextExt;
+use openstack_keystone_core_types::application_credential::*;
+
+use crate::entity::{access_rule as db_access_rule, prelude::AccessRule as DbAccessRule};
+
+/// Get a user's access rule by its (external) ID.
+///
+/// # Parameters
+/// - `db`: The database connection.
+/// - `user_id`: The ID of the user owning the access rule.
+/// - `id`: The (external) ID of the access rule.
+///
+/// # Returns
+/// A `Result` containing an `Option` with the `AccessRule` if found, or an
+/// `Error`.
+pub async fn get<U: AsRef<str>, I: AsRef<str>>(
+    db: &impl ConnectionTrait,
+    user_id: U,
+    id: I,
+) -> Result<Option<AccessRule>, ApplicationCredentialProviderError> {
+    DbAccessRule::find()
+        .filter(db_access_rule::Column::ExternalId.eq(id.as_ref()))
+        .filter(db_access_rule::Column::UserId.eq(user_id.as_ref()))
+        .one(db)
+        .await
+        .context("fetching access rule by id")?
+        .map(TryInto::try_into)
+        .transpose()
+}
+
+#[cfg(test)]
+mod tests {
+    use sea_orm::{DatabaseBackend, MockDatabase};
+
+    use super::super::tests::get_access_rule_mock;
+    use super::*;
+    use crate::entity::access_rule;
+
+    #[tokio::test]
+    async fn test_get() {
+        let db = MockDatabase::new(DatabaseBackend::Postgres)
+            .append_query_results([vec![get_access_rule_mock(1, "rule_id")]])
+            .into_connection();
+
+        let result = get(&db, "user_id", "rule_id").await.unwrap();
+        assert_eq!(
+            result,
+            Some(AccessRule {
+                id: "rule_id".into(),
+                path: Some("/v2.1/servers".into()),
+                method: Some("POST".into()),
+                service: Some("compute".into()),
+            })
+        );
+    }
+
+    #[tokio::test]
+    async fn test_get_not_found() {
+        let db = MockDatabase::new(DatabaseBackend::Postgres)
+            .append_query_results([Vec::<access_rule::Model>::new()])
+            .into_connection();
+
+        let result = get(&db, "user_id", "missing").await.unwrap();
+        assert_eq!(result, None);
+    }
+}