teams: API authorization, CLI, smoketests

This adds authorization to the relevant API endpoints, updates the CLI
commands and adds smoketests for the teams feature.

Depends-on: #3519

Author: kim

.github/workflows/ci.yml

@@ -71,7 +71,7 @@ jobs:
         run: python -m pip install psycopg2-binary xmltodict
       - name: Run smoketests
         # Note: clear_database and replication only work in private
-        run: python -m smoketests ${{ matrix.smoketest_args }} -x clear_database replication
+        run: python -m smoketests ${{ matrix.smoketest_args }} -x clear_database replication teams
       - name: Stop containers (Linux)
         if: always() && runner.os == 'Linux'
         run: docker compose down

Cargo.lock

@@ -266,6 +266,7 @@ tar = "0.4"
 tempdir = "0.3.7"
 tempfile = "3.20"
 termcolor = "1.2.0"
+termtree = "0.5.1"
 thin-vec = "0.2.13"
 thiserror = "1.0.37"
 tokio = { version = "1.37", features = ["full"] }

Cargo.toml

@@ -64,6 +64,7 @@ tabled.workspace = true
 tar.workspace = true
 tempfile.workspace = true
 termcolor.workspace = true
+termtree.workspace = true
 thiserror.workspace = true
 tokio.workspace = true
 tokio-tungstenite.workspace = true
@@ -77,6 +78,9 @@ clap-markdown.workspace = true
 rolldown.workspace = true
 rolldown_utils.workspace = true
 
+[dev-dependencies]
+pretty_assertions.workspace = true
+
 [target.'cfg(not(target_env = "msvc"))'.dependencies]
 tikv-jemallocator = { workspace = true }
 tikv-jemalloc-ctl = { workspace = true }

crates/cli/Cargo.toml

@@ -1,7 +1,15 @@
+use std::io;
+
 use crate::common_args;
 use crate::config::Config;
-use crate::util::{add_auth_header_opt, database_identity, get_auth_header};
+use crate::util::{add_auth_header_opt, database_identity, get_auth_header, y_or_n, AuthHeader};
 use clap::{Arg, ArgMatches};
+use http::StatusCode;
+use itertools::Itertools as _;
+use reqwest::Response;
+use spacetimedb_client_api_messages::http::{DatabaseDeleteConfirmationResponse, DatabaseTree, DatabaseTreeNode};
+use spacetimedb_lib::Hash;
+use tokio::io::AsyncWriteExt as _;
 
 pub fn cli() -> clap::Command {
     clap::Command::new("delete")
@@ -22,11 +30,143 @@ pub async fn exec(mut config: Config, args: &ArgMatches) -> Result<(), anyhow::E
     let force = args.get_flag("force");
 
     let identity = database_identity(&config, database, server).await?;
-
-    let builder = reqwest::Client::new().delete(format!("{}/v1/database/{}", config.get_host_url(server)?, identity));
+    let host_url = config.get_host_url(server)?;
+    let request_path = format!("{host_url}/v1/database/{identity}");
     let auth_header = get_auth_header(&mut config, false, server, !force).await?;
-    let builder = add_auth_header_opt(builder, &auth_header);
-    builder.send().await?.error_for_status()?;
+    let client = reqwest::Client::new();
+
+    let response = send_request(&client, &request_path, &auth_header, None).await?;
+    match response.status() {
+        StatusCode::PRECONDITION_REQUIRED => {
+            let confirm = response.json::<DatabaseDeleteConfirmationResponse>().await?;
+            println!("WARNING: Deleting the database {identity} will also delete its children!");
+            if !force {
+                print_database_tree_info(&confirm.database_tree).await?;
+            }
+            if y_or_n(force, "Do you want to proceed deleting above databases?")? {
+                send_request(&client, &request_path, &auth_header, Some(confirm.confirmation_token))
+                    .await?
+                    .error_for_status()?;
+            } else {
+                println!("Aborting");
+            }
+
+            Ok(())
+        }
+        StatusCode::OK => Ok(()),
+        _ => response.error_for_status().map(drop).map_err(Into::into),
+    }
+}
+
+async fn send_request(
+    client: &reqwest::Client,
+    request_path: &str,
+    auth: &AuthHeader,
+    confirmation_token: Option<Hash>,
+) -> Result<Response, reqwest::Error> {
+    let mut builder = client.delete(request_path);
+    builder = add_auth_header_opt(builder, auth);
+    if let Some(token) = confirmation_token {
+        builder = builder.query(&[("token", token)]);
+    }
+    builder.send().await
+}
+
+async fn print_database_tree_info(tree: &DatabaseTree) -> io::Result<()> {
+    tokio::io::stdout()
+        .write_all(as_termtree(tree).to_string().as_bytes())
+        .await
+}
+
+fn as_termtree(tree: &DatabaseTree) -> termtree::Tree<String> {
+    let mut stack: Vec<(&DatabaseTree, bool)> = vec![];
+    stack.push((tree, false));
+
+    let mut built: Vec<termtree::Tree<String>> = <_>::default();
+
+    while let Some((node, visited)) = stack.pop() {
+        if visited {
+            let mut term_node = termtree::Tree::new(fmt_tree_node(&node.root));
+            term_node.leaves = built.drain(built.len() - node.children.len()..).collect();
+            term_node.leaves.reverse();
+            built.push(term_node);
+        } else {
+            stack.push((node, true));
+            stack.extend(node.children.iter().rev().map(|child| (child, false)));
+        }
+    }
+
+    built
+        .pop()
+        .expect("database tree contains a root and we pushed it last")
+}
+
+fn fmt_tree_node(node: &DatabaseTreeNode) -> String {
+    format!(
+        "{}{}",
+        node.database_identity,
+        if node.database_names.is_empty() {
+            <_>::default()
+        } else {
+            format!(": {}", node.database_names.iter().join(", "))
+        }
+    )
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use spacetimedb_client_api_messages::http::{DatabaseTree, DatabaseTreeNode};
+    use spacetimedb_lib::{sats::u256, Identity};
 
-    Ok(())
+    #[test]
+    fn render_termtree() {
+        let tree = DatabaseTree {
+            root: DatabaseTreeNode {
+                database_identity: Identity::ONE,
+                database_names: ["parent".into()].into(),
+            },
+            children: vec![
+                DatabaseTree {
+                    root: DatabaseTreeNode {
+                        database_identity: Identity::from_u256(u256::new(2)),
+                        database_names: ["child".into()].into(),
+                    },
+                    children: vec![
+                        DatabaseTree {
+                            root: DatabaseTreeNode {
+                                database_identity: Identity::from_u256(u256::new(3)),
+                                database_names: ["grandchild".into()].into(),
+                            },
+                            children: vec![],
+                        },
+                        DatabaseTree {
+                            root: DatabaseTreeNode {
+                                database_identity: Identity::from_u256(u256::new(5)),
+                                database_names: [].into(),
+                            },
+                            children: vec![],
+                        },
+                    ],
+                },
+                DatabaseTree {
+                    root: DatabaseTreeNode {
+                        database_identity: Identity::from_u256(u256::new(4)),
+                        database_names: ["sibling".into(), "bro".into()].into(),
+                    },
+                    children: vec![],
+                },
+            ],
+        };
+        pretty_assertions::assert_eq!(
+            "\
+0000000000000000000000000000000000000000000000000000000000000001: parent
+├── 0000000000000000000000000000000000000000000000000000000000000004: bro, sibling
+└── 0000000000000000000000000000000000000000000000000000000000000002: child
+    ├── 0000000000000000000000000000000000000000000000000000000000000005
+    └── 0000000000000000000000000000000000000000000000000000000000000003: grandchild
+",
+            &as_termtree(&tree).to_string()
+        );
+    }
 }

crates/cli/src/subcommands/delete.rs

@@ -8,7 +8,7 @@ use std::path::PathBuf;
 use std::{env, fs};
 
 use crate::config::Config;
-use crate::util::{add_auth_header_opt, get_auth_header, unauth_error_context, AuthHeader, ResponseExt};
+use crate::util::{add_auth_header_opt, get_auth_header, AuthHeader, ResponseExt};
 use crate::util::{decode_identity, y_or_n};
 use crate::{build, common_args};
 
@@ -220,18 +220,6 @@ pub async fn exec(mut config: Config, args: &ArgMatches) -> Result<(), anyhow::E
     }
 
     let res = builder.body(program_bytes).send().await?;
-    if res.status() == StatusCode::UNAUTHORIZED && !anon_identity {
-        // If we're not in the `anon_identity` case, then we have already forced the user to log in above (using `get_auth_header`), so this should be safe to unwrap.
-        let token = config.spacetimedb_token().unwrap();
-        let identity = decode_identity(token)?;
-        let err = res.text().await?;
-        return unauth_error_context(
-            Err(anyhow::anyhow!(err)),
-            &identity,
-            config.server_nick_or_host(server)?,
-        );
-    }
-
     let response: PublishResult = res.json_or_error().await?;
     match response {
         PublishResult::Success {

crates/cli/src/subcommands/publish.rs

@@ -281,15 +281,6 @@ pub fn y_or_n(force: bool, prompt: &str) -> anyhow::Result<bool> {
     Ok(input == "y" || input == "yes")
 }
 
-pub fn unauth_error_context<T>(res: anyhow::Result<T>, identity: &str, server: &str) -> anyhow::Result<T> {
-    res.with_context(|| {
-        format!(
-            "Identity {identity} is not valid for server {server}.
-Please log back in with `spacetime logout` and then `spacetime login`."
-        )
-    })
-}
-
 pub fn decode_identity(token: &String) -> anyhow::Result<String> {
     // Here, we manually extract and decode the claims from the json web token.
     // We do this without using the `jsonwebtoken` crate because it doesn't seem to have a way to skip signature verification.

crates/cli/src/util.rs

@@ -1,6 +1,9 @@
+use std::collections::BTreeSet;
+use std::iter;
+
 use serde::{Deserialize, Serialize};
 use spacetimedb_lib::metrics::ExecutionMetrics;
-use spacetimedb_lib::ProductType;
+use spacetimedb_lib::{Hash, Identity, ProductType};
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SqlStmtResult<Row> {
@@ -27,3 +30,34 @@ impl SqlStmtStats {
         }
     }
 }
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct DatabaseTree {
+    pub root: DatabaseTreeNode,
+    pub children: Vec<DatabaseTree>,
+}
+
+impl DatabaseTree {
+    pub fn iter(&self) -> impl Iterator<Item = &DatabaseTreeNode> + '_ {
+        let mut stack = vec![self];
+        iter::from_fn(move || {
+            let node = stack.pop()?;
+            for child in node.children.iter().rev() {
+                stack.push(child);
+            }
+            Some(&node.root)
+        })
+    }
+}
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct DatabaseTreeNode {
+    pub database_identity: Identity,
+    pub database_names: BTreeSet<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct DatabaseDeleteConfirmationResponse {
+    pub database_tree: DatabaseTree,
+    pub confirmation_token: Hash,
+}

crates/client-api-messages/src/http.rs

@@ -1,6 +1,8 @@
+use std::future::Future;
 use std::num::NonZeroU8;
 use std::sync::Arc;
 
+use anyhow::anyhow;
 use async_trait::async_trait;
 use axum::response::ErrorResponse;
 use bytes::Bytes;
@@ -17,6 +19,7 @@ use spacetimedb_client_api_messages::name::{DomainName, InsertDomainResult, Regi
 use spacetimedb_lib::{ProductTypeElement, ProductValue};
 use spacetimedb_paths::server::ModuleLogsDir;
 use spacetimedb_schema::auto_migrate::{MigrationPolicy, PrettyPrintStyle};
+use thiserror::Error;
 use tokio::sync::watch;
 
 pub mod auth;
@@ -413,6 +416,60 @@ impl<T: NodeDelegate + ?Sized> NodeDelegate for Arc<T> {
     }
 }
 
+#[derive(Debug, Error)]
+pub enum Unauthorized {
+    #[error("{subject} is not authorized to perform {action:?}")]
+    Unauthorized {
+        subject: Identity,
+        action: Action,
+        #[source]
+        source: Option<anyhow::Error>,
+    },
+    #[error("authorization failed due to internal error")]
+    InternalError(#[from] anyhow::Error),
+}
+
+impl Unauthorized {
+    pub fn into_response(self) -> ErrorResponse {
+        match self {
+            unauthorized @ Self::Unauthorized { .. } => {
+                (StatusCode::UNAUTHORIZED, format!("{:#}", anyhow!(unauthorized))).into()
+            }
+            Self::InternalError(e) => log_and_500(e),
+        }
+    }
+}
+
+#[derive(Debug)]
+pub enum Action {
+    CreateDatabase { parent: Option<Identity> },
+    UpdateDatabase,
+    ResetDatabase,
+    DeleteDatabase,
+    RenameDatabase,
+    ViewModuleLogs,
+}
+
+pub trait Authorization {
+    fn authorize_action(
+        &self,
+        subject: Identity,
+        database: Identity,
+        action: Action,
+    ) -> impl Future<Output = Result<(), Unauthorized>> + Send;
+}
+
+impl<T: Authorization> Authorization for Arc<T> {
+    fn authorize_action(
+        &self,
+        subject: Identity,
+        database: Identity,
+        action: Action,
+    ) -> impl Future<Output = Result<(), Unauthorized>> + Send {
+        (**self).authorize_action(subject, database, action)
+    }
+}
+
 pub fn log_and_500(e: impl std::fmt::Display) -> ErrorResponse {
     log::error!("internal error: {e:#}");
     (StatusCode::INTERNAL_SERVER_ERROR, format!("{e:#}")).into()