fix: permissions mechanism (#16)

* ci: fix

* test: authentication failing

* test:  ignore auth tests

* test: re-enable test server auth tests

* test: re-enable client auth tests

* test: disable client auth tests

* test: do not clear db

* chore: rename access to permission

* refactor: check_permission

* test: try mt tests

* chore: remove all lints

* test: remove dependency_on_unit_never_type_fallback

* test: make default server port to 6666

* fix: lint

.github/scripts/cargo_build.sh

@@ -24,7 +24,9 @@ fi
 rustup target add "$TARGET"
 
 # shellcheck disable=SC2086
-cargo build --target $TARGET $RELEASE $FEATURES
+cargo build --target $TARGET $RELEASE
+
+export RUST_LOG="cosmian_findex_cli=trace,cosmian_findex_server=trace,test_findex_server=trace"
 
 # shellcheck disable=SC2086
 cargo test --target $TARGET $RELEASE --workspace -- --nocapture $SKIP_SERVICES_TESTS

.github/scripts/loop.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -ex
+
+cargo build
+
+# export RUST_LOG="cosmian_findex_cli=trace,cosmian_findex_server=trace,test_findex_server=trace"
+
+echo "Running tests in an infinite loop"
+while true; do
+  reset
+  # cargo test --workspace -- --nocapture
+  cargo nextest run --workspace --nocapture
+  sleep 1
+done

.github/workflows/build_all.yml

@@ -39,7 +39,7 @@ jobs:
       archive-name: ${{ matrix.archive-name }}
       target: ${{ matrix.target }}
       debug_or_release: ${{ inputs.debug_or_release }}
-      skip_services_tests: --skip test_findex
+      skip_services_tests: --skip test_findex --skip test_all_authentications --skip test_server_auth_matrix
 
   generic-macos:
     strategy:
@@ -58,7 +58,7 @@ jobs:
       archive-name: ${{ matrix.archive-name }}
       target: ${{ matrix.target }}
       debug_or_release: ${{ inputs.debug_or_release }}
-      skip_services_tests: --skip test_findex
+      skip_services_tests: --skip test_findex --skip test_all_authentications --skip test_server_auth_matrix
 
   cleanup:
     needs:

Cargo.toml

@@ -59,3 +59,4 @@ tracing = "0.1"
 url = "2.5"
 x509-parser = "0.16"
 zeroize = { version = "1.8", default-features = false }
+uuid = { version = "1.10", features = ["v4"] }

crate/cli/Cargo.toml

@@ -33,8 +33,8 @@ clap = { workspace = true, features = [
   "cargo",
 ] }
 cloudproof_findex = { workspace = true, features = ["rest-interface"] }
-cosmian_rest_client = { path = "../client" }
 cosmian_logger = { path = "../logger" }
+cosmian_rest_client = { path = "../client" }
 csv = "1.3.0"
 der = { workspace = true, features = ["pem"] }
 hex = "0.4"
@@ -47,6 +47,7 @@ thiserror = { workspace = true }
 tokio = { workspace = true, features = ["full"] }
 tracing = { workspace = true }
 url = { workspace = true }
+uuid = { workspace = true, features = ["v4"] }
 
 [dev-dependencies]
 actix-rt = "2.10"

crate/cli/src/actions/findex/mod.rs

@@ -8,6 +8,7 @@ use cloudproof_findex::{
 };
 use cosmian_rest_client::RestClient;
 use tracing::debug;
+use uuid::Uuid;
 
 use crate::error::result::CliResult;
 
@@ -16,7 +17,6 @@ pub mod search;
 
 #[derive(Parser, Debug)]
 #[clap(verbatim_doc_comment)]
-// todo(manu): review global struct exposition
 pub(crate) struct FindexParameters {
     /// The user findex key used (to add, search, delete and compact).
     /// The key is a 16 bytes hex string.
@@ -27,7 +27,7 @@ pub(crate) struct FindexParameters {
     pub label: String,
     /// The index ID
     #[clap(long, short = 'i')]
-    pub index_id: String,
+    pub index_id: Uuid,
 }
 
 impl FindexParameters {
@@ -43,13 +43,13 @@ impl FindexParameters {
 #[allow(clippy::future_not_send)]
 pub(crate) async fn instantiate_findex(
     rest_client: RestClient,
-    index_id: &str,
+    index_id: &Uuid,
 ) -> CliResult<InstantiatedFindex> {
     let config = Configuration::Rest(
         rest_client.client,
         rest_client.server_url.clone(),
         rest_client.server_url,
-        index_id.to_owned(),
+        index_id.to_string(),
     );
     let findex = InstantiatedFindex::new(config).await?;
     debug!("Findex instantiated");

crate/cli/src/actions/findex/search.rs

@@ -26,8 +26,8 @@ impl SearchAction {
     ///
     /// # Arguments
     ///
-    /// * `rest_client` - The Findex server client instance used to
-    ///   communicate with the Findex server server.
+    /// * `rest_client` - The Findex server client instance used to communicate
+    ///   with the Findex server server.
     ///
     /// # Errors
     ///

crate/cli/src/actions/mod.rs

@@ -1,7 +1,7 @@
-pub mod access;
 pub mod console;
 pub mod findex;
 pub mod login;
 pub mod logout;
 pub mod markdown;
+pub mod permissions;
 pub mod version;

crate/cli/src/actions/access.rs → crate/cli/src/actions/permissions.rs

@@ -1,22 +1,22 @@
 use clap::Parser;
-use cosmian_rest_client::RestClient;
-use tracing::trace;
+use cosmian_rest_client::{Permission, RestClient};
+use uuid::Uuid;
 
 use crate::{
     actions::console,
     error::result::{CliResult, CliResultHelper},
 };
 
-/// Manage the users' access rights to the indexes
+/// Manage the users permissions to the indexes
 #[derive(Parser, Debug)]
-pub enum AccessAction {
-    Create(CreateAccess),
-    Grant(GrantAccess),
-    Revoke(RevokeAccess),
+pub enum PermissionsAction {
+    Create(CreateIndex),
+    Grant(GrantPermission),
+    Revoke(RevokePermission),
 }
 
-impl AccessAction {
-    /// Processes the access action.
+impl PermissionsAction {
+    /// Processes the permissions action.
     ///
     /// # Arguments
     ///
@@ -36,12 +36,14 @@ impl AccessAction {
     }
 }
 
-/// Create a new access right.
+/// Create a new index. It results on an `admin` permission on a new index.
+///
+/// Users can have 1 permission on multiple indexes
 #[derive(Parser, Debug)]
-pub struct CreateAccess;
+pub struct CreateIndex;
 
-impl CreateAccess {
-    /// Create a new Index with a default `admin` role.
+impl CreateIndex {
+    /// Create a new Index with a default `admin` permission.
     ///
     /// Generates an unique index ID which is returned to the owner.
     /// This ID will be shared between several users that will be able to:
@@ -50,100 +52,99 @@ impl CreateAccess {
     ///
     /// # Arguments
     ///
-    /// * `rest_client` - A reference to the Findex client used to
-    ///   communicate with the Findex server.
+    /// * `rest_client` - A reference to the Findex client used to communicate
+    ///   with the Findex server.
     ///
     /// # Errors
     ///
     /// Returns an error if the query execution on the Findex server fails.
     pub async fn run(&self, rest_client: RestClient) -> CliResult<String> {
         let response = rest_client
-            .create_access()
+            .create_index_id()
             .await
-            .with_context(|| "Can't execute the create access query on the findex server")?;
-
-        trace!("cli: New access successfully created: {}", response.success);
+            .with_context(|| "Can't execute the create index id query on the findex server")?;
+        // should replace the user configuration file
         console::Stdout::new(&response.success).write()?;
 
         Ok(response.success)
     }
 }
 
-/// Grant access.
+/// Grant permission on a index.
 ///
 /// This command can only be called by the owner of the index. It allows to
 /// grant:
-/// * `reader` access: the user can only read the index
-/// * `writer` access: the user can read and write the index
-/// * `admin` access: the user can read, write and grant access to the index
+/// * `read` permission: the user can only read the index
+/// * `write` permission: the user can read and write the index
+/// * `admin` permission: the user can read, write and grant permission to the
+///   index
 #[derive(Parser, Debug)]
-pub struct GrantAccess {
+pub struct GrantPermission {
     /// The user identifier to allow
     #[clap(long, required = true)]
     pub user: String,
 
     /// The index ID
     #[clap(long, required = true)]
-    pub index_id: String,
+    pub index_id: Uuid,
 
-    /// The role to grant (`reader`, `writer`, `admin`)
     #[clap(long, required = true)]
-    pub role: String,
+    pub permission: Permission,
 }
 
-impl GrantAccess {
-    /// Runs the `GrantAccess` action.
+impl GrantPermission {
+    /// Runs the `GrantPermission` action.
     ///
     /// # Arguments
     ///
-    /// * `rest_client` - A reference to the Findex client used to
-    ///   communicate with the Findex server.
+    /// * `rest_client` - A reference to the Findex client used to communicate
+    ///   with the Findex server.
     ///
     /// # Errors
     ///
     /// Returns an error if the query execution on the Findex server fails.
     pub async fn run(&self, rest_client: RestClient) -> CliResult<String> {
         let response = rest_client
-            .grant_access(&self.user, &self.role, &self.index_id)
+            .grant_permission(&self.user, &self.permission, &self.index_id)
             .await
-            .with_context(|| "Can't execute the grant access query on the findex server")?;
+            .with_context(|| "Can't execute the grant permission query on the findex server")?;
 
         console::Stdout::new(&response.success).write()?;
 
         Ok(response.success)
     }
 }
 
-/// Revoke user access.
+/// Revoke user permission.
 ///
 /// This command can only be called by the owner of the index.
 #[derive(Parser, Debug)]
-pub struct RevokeAccess {
+pub struct RevokePermission {
     /// The user identifier to revoke
     #[clap(long, required = true)]
     pub user: String,
 
     /// The index id
     #[clap(long, required = true)]
-    pub index_id: String,
+    pub index_id: Uuid,
 }
 
-impl RevokeAccess {
-    /// Runs the `RevokeAccess` action.
+impl RevokePermission {
+    /// Runs the `RevokePermission` action.
     ///
     /// # Arguments
     ///
-    /// * `rest_client` - A reference to the Findex client used to
-    ///   communicate with the Findex server.
+    /// * `rest_client` - A reference to the Findex client used to communicate
+    ///   with the Findex server.
     ///
     /// # Errors
     ///
     /// Returns an error if the query execution on the Findex server fails.
     pub async fn run(&self, rest_client: RestClient) -> CliResult<String> {
         let response = rest_client
-            .revoke_access(&self.user, &self.index_id)
+            .revoke_permission(&self.user, &self.index_id)
             .await
-            .with_context(|| "Can't execute the revoke access query on the findex server")?;
+            .with_context(|| "Can't execute the revoke permission query on the findex server")?;
 
         console::Stdout::new(&response.success).write()?;
 

crate/cli/src/actions/version.rs

@@ -14,8 +14,8 @@ impl ServerVersionAction {
     ///
     /// # Arguments
     ///
-    /// * `rest_client` - The Findex server client instance used to
-    ///   communicate with the Findex server server.
+    /// * `rest_client` - The Findex server client instance used to communicate
+    ///   with the Findex server server.
     ///
     /// # Errors
     ///

crate/cli/src/error/mod.rs

@@ -41,11 +41,11 @@ pub enum CliError {
     ServerError(String),
 
     // Any actions of the user which is not allowed
-    #[error("Access denied: {0}")]
+    #[error("Permission denied: {0}")]
     Unauthorized(String),
 
     // A cryptographic error
-    #[error("Cryptographic error: {0}")]
+    #[error("CLI Cryptographic error: {0}")]
     Cryptographic(String),
 
     // Conversion errors
@@ -182,6 +182,12 @@ impl From<csv::Error> for CliError {
     }
 }
 
+impl From<uuid::Error> for CliError {
+    fn from(e: uuid::Error) -> Self {
+        Self::Conversion(e.to_string())
+    }
+}
+
 /// Return early with an error if a condition is not satisfied.
 ///
 /// This macro is equivalent to `if !$cond { return Err(From::from($err)); }`.