aboutsummaryrefslogtreecommitdiff
path: root/src/core/key_table.rs
diff options
context:
space:
mode:
Diffstat (limited to 'src/core/key_table.rs')
-rw-r--r--src/core/key_table.rs154
1 files changed, 154 insertions, 0 deletions
diff --git a/src/core/key_table.rs b/src/core/key_table.rs
new file mode 100644
index 00000000..76d163b5
--- /dev/null
+++ b/src/core/key_table.rs
@@ -0,0 +1,154 @@
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+
+use garage_table::*;
+use garage_util::data::*;
+use garage_util::error::Error;
+
+#[derive(PartialEq, Clone, Debug, Serialize, Deserialize)]
+pub struct Key {
+ // Primary key
+ pub key_id: String,
+
+ // Associated secret key (immutable)
+ pub secret_key: String,
+
+ // Name
+ pub name: String,
+ pub name_timestamp: u64,
+
+ // Deletion
+ pub deleted: bool,
+
+ // Authorized keys
+ authorized_buckets: Vec<AllowedBucket>,
+}
+
+impl Key {
+ pub fn new(name: String, buckets: Vec<AllowedBucket>) -> Self {
+ let key_id = format!("GK{}", hex::encode(&rand::random::<[u8; 12]>()[..]));
+ let secret_key = hex::encode(&rand::random::<[u8; 32]>()[..]);
+ let mut ret = Self {
+ key_id,
+ secret_key,
+ name,
+ name_timestamp: now_msec(),
+ deleted: false,
+ authorized_buckets: vec![],
+ };
+ for b in buckets {
+ ret.add_bucket(b)
+ .expect("Duplicate AllowedBucket in Key constructor");
+ }
+ ret
+ }
+ pub fn delete(key_id: String) -> Self {
+ Self {
+ key_id,
+ secret_key: "".into(),
+ name: "".into(),
+ name_timestamp: now_msec(),
+ deleted: true,
+ authorized_buckets: vec![],
+ }
+ }
+ /// Add an authorized bucket, only if it wasn't there before
+ pub fn add_bucket(&mut self, new: AllowedBucket) -> Result<(), ()> {
+ match self
+ .authorized_buckets
+ .binary_search_by(|b| b.bucket.cmp(&new.bucket))
+ {
+ Err(i) => {
+ self.authorized_buckets.insert(i, new);
+ Ok(())
+ }
+ Ok(_) => Err(()),
+ }
+ }
+ pub fn authorized_buckets(&self) -> &[AllowedBucket] {
+ &self.authorized_buckets[..]
+ }
+ pub fn clear_buckets(&mut self) {
+ self.authorized_buckets.clear();
+ }
+ pub fn allow_read(&self, bucket: &str) -> bool {
+ self.authorized_buckets
+ .iter()
+ .find(|x| x.bucket.as_str() == bucket)
+ .map(|x| x.allow_read)
+ .unwrap_or(false)
+ }
+ pub fn allow_write(&self, bucket: &str) -> bool {
+ self.authorized_buckets
+ .iter()
+ .find(|x| x.bucket.as_str() == bucket)
+ .map(|x| x.allow_write)
+ .unwrap_or(false)
+ }
+}
+
+#[derive(PartialEq, Clone, Debug, Serialize, Deserialize)]
+pub struct AllowedBucket {
+ pub bucket: String,
+ pub timestamp: u64,
+ pub allow_read: bool,
+ pub allow_write: bool,
+}
+
+impl Entry<EmptyKey, String> for Key {
+ fn partition_key(&self) -> &EmptyKey {
+ &EmptyKey
+ }
+ fn sort_key(&self) -> &String {
+ &self.key_id
+ }
+
+ fn merge(&mut self, other: &Self) {
+ if other.deleted {
+ self.deleted = true;
+ }
+ if self.deleted {
+ self.authorized_buckets.clear();
+ return;
+ }
+ if other.name_timestamp > self.name_timestamp {
+ self.name_timestamp = other.name_timestamp;
+ self.name = other.name.clone();
+ }
+
+ for ab in other.authorized_buckets.iter() {
+ match self
+ .authorized_buckets
+ .binary_search_by(|our_ab| our_ab.bucket.cmp(&ab.bucket))
+ {
+ Ok(i) => {
+ let our_ab = &mut self.authorized_buckets[i];
+ if ab.timestamp > our_ab.timestamp {
+ *our_ab = ab.clone();
+ }
+ }
+ Err(i) => {
+ self.authorized_buckets.insert(i, ab.clone());
+ }
+ }
+ }
+ }
+}
+
+pub struct KeyTable;
+
+#[async_trait]
+impl TableSchema for KeyTable {
+ type P = EmptyKey;
+ type S = String;
+ type E = Key;
+ type Filter = ();
+
+ async fn updated(&self, _old: Option<Self::E>, _new: Option<Self::E>) -> Result<(), Error> {
+ Ok(())
+ }
+
+ fn matches_filter(entry: &Self::E, _filter: &Self::Filter) -> bool {
+ !entry.deleted
+ }
+}