1use indexmap::IndexMap;
2use serde::Serialize;
3use std::{
4 collections::HashSet,
5 sync::{LazyLock, RwLock, RwLockReadGuard},
6};
7use utoipa::ToSchema;
8
9#[derive(ToSchema, Serialize, Clone)]
10pub struct PermissionGroup {
11 pub description: &'static str,
12 pub permissions: IndexMap<&'static str, &'static str>,
13}
14
15impl PermissionGroup {
16 pub fn add_permission(&mut self, key: &'static str, description: &'static str) {
17 self.permissions.insert(key, description);
18 }
19}
20
21#[derive(ToSchema, Serialize)]
22pub struct PermissionMap {
23 #[serde(skip)]
24 list: HashSet<String>,
25 #[serde(flatten)]
26 map: IndexMap<&'static str, PermissionGroup>,
27}
28
29impl PermissionMap {
30 pub(crate) fn new() -> Self {
31 Self {
32 list: HashSet::new(),
33 map: IndexMap::new(),
34 }
35 }
36
37 pub(crate) fn replace(&mut self, map: IndexMap<&'static str, PermissionGroup>) {
38 self.list = map
39 .iter()
40 .flat_map(|(key, group)| {
41 group
42 .permissions
43 .keys()
44 .map(|permission| format!("{key}.{permission}"))
45 .collect::<HashSet<_>>()
46 })
47 .collect();
48 self.map = map;
49 }
50
51 #[inline]
52 pub fn list(&self) -> &HashSet<String> {
53 &self.list
54 }
55
56 pub fn validate_permissions(
57 &self,
58 permissions: &[compact_str::CompactString],
59 ) -> Result<(), garde::Error> {
60 for permission in permissions {
61 if !self.list().contains(&**permission) {
62 return Err(garde::Error::new(compact_str::format_compact!(
63 "invalid permission: {permission}"
64 )));
65 }
66 }
67
68 Ok(())
69 }
70}
71
72pub(crate) static BASE_USER_PERMISSIONS: LazyLock<IndexMap<&'static str, PermissionGroup>> =
73 LazyLock::new(|| {
74 IndexMap::from([
75 (
76 "account",
77 PermissionGroup {
78 description: "Permissions that control the ability to change account settings.",
79 permissions: IndexMap::from([
80 (
81 "infos",
82 "Allows changing the account's basic account information.",
83 ),
84 ("email", "Allows changing the account's email address."),
85 ("password", "Allows changing the account's password."),
86 (
87 "two-factor",
88 "Allows adding and removing two-factor authentication.",
89 ),
90 (
91 "avatar",
92 "Allows updating and removing the account's avatar.",
93 ),
94 ]),
95 },
96 ),
97 (
98 "servers",
99 PermissionGroup {
100 description: "Permissions that control the ability to list servers and manage server groups.",
101 permissions: IndexMap::from([
102 ("create", "Allows creating new server groups."),
103 ("read", "Allows viewing servers and server groups."),
104 ("update", "Allows modifying server groups."),
105 ("delete", "Allows deleting server groups."),
106 ]),
107 },
108 ),
109 (
110 "api-keys",
111 PermissionGroup {
112 description: "Permissions that control the ability to manage API keys on an account. API keys can never edit themselves or assign permissions they do not have.",
113 permissions: IndexMap::from([
114 ("create", "Allows creating new API keys."),
115 ("read", "Allows viewing API keys and their permissions."),
116 ("update", "Allows modifying other API keys."),
117 ("delete", "Allows deleting API keys."),
118 ("recreate", "Allows recreating API keys."),
119 ]),
120 },
121 ),
122 (
123 "security-keys",
124 PermissionGroup {
125 description: "Permissions that control the ability to manage security keys on an account.",
126 permissions: IndexMap::from([
127 ("create", "Allows creating new security keys."),
128 ("read", "Allows viewing security keys."),
129 ("update", "Allows modifying security keys."),
130 ("delete", "Allows deleting security keys."),
131 ]),
132 },
133 ),
134 (
135 "ssh-keys",
136 PermissionGroup {
137 description: "Permissions that control the ability to manage SSH keys on an account.",
138 permissions: IndexMap::from([
139 ("create", "Allows creating or importing new SSH keys."),
140 ("read", "Allows viewing SSH keys."),
141 ("update", "Allows modifying other SSH keys."),
142 ("delete", "Allows deleting SSH keys."),
143 ]),
144 },
145 ),
146 (
147 "oauth-links",
148 PermissionGroup {
149 description: "Permissions that control the ability to manage OAuth links on an account.",
150 permissions: IndexMap::from([
151 ("create", "Allows creating new OAuth links."),
152 ("read", "Allows viewing OAuth links."),
153 ("delete", "Allows deleting OAuth links."),
154 ]),
155 },
156 ),
157 (
158 "command-snippets",
159 PermissionGroup {
160 description: "Permissions that control the ability to manage command snippets on an account.",
161 permissions: IndexMap::from([
162 ("create", "Allows creating new command snippets."),
163 ("read", "Allows viewing command snippets."),
164 ("update", "Allows modifying command snippets."),
165 ("delete", "Allows deleting command snippets."),
166 ]),
167 },
168 ),
169 (
170 "sessions",
171 PermissionGroup {
172 description: "Permissions that control the ability to manage sessions on an account.",
173 permissions: IndexMap::from([
174 ("read", "Allows viewing sessions and their IP addresses."),
175 ("delete", "Allows deleting sessions."),
176 ]),
177 },
178 ),
179 (
180 "activity",
181 PermissionGroup {
182 description: "Permissions that control the ability to view the activity log on an account.",
183 permissions: IndexMap::from([(
184 "read",
185 "Allows viewing the account's activity logs.",
186 )]),
187 },
188 ),
189 ])
190 });
191
192pub(crate) static USER_PERMISSIONS: LazyLock<RwLock<PermissionMap>> =
193 LazyLock::new(|| RwLock::new(PermissionMap::new()));
194
195#[inline]
196pub fn get_user_permissions() -> RwLockReadGuard<'static, PermissionMap> {
197 USER_PERMISSIONS.read().unwrap()
198}
199
200#[inline]
201pub fn validate_user_permissions(
202 permissions: &[compact_str::CompactString],
203 _context: &(),
204) -> Result<(), garde::Error> {
205 get_user_permissions().validate_permissions(permissions)
206}
207
208pub(crate) static BASE_ADMIN_PERMISSIONS: LazyLock<IndexMap<&'static str, PermissionGroup>> =
209 LazyLock::new(|| {
210 IndexMap::from([
211 (
212 "stats",
213 PermissionGroup {
214 description: "Permissions that control the ability to view stats for the panel.",
215 permissions: IndexMap::from([("read", "Allows viewing panel statistics.")]),
216 },
217 ),
218 (
219 "settings",
220 PermissionGroup {
221 description: "Permissions that control the ability to manage settings for the panel.",
222 permissions: IndexMap::from([
223 ("read", "Allows viewing panel settings and secrets."),
224 ("update", "Allows modifying panel settings and secrets."),
225 ]),
226 },
227 ),
228 (
229 "email-templates",
230 PermissionGroup {
231 description: "Permissions that control the ability to manage email templates for the panel.",
232 permissions: IndexMap::from([
233 ("read", "Allows viewing email templates."),
234 ("update", "Allows modifying email templates."),
235 ]),
236 },
237 ),
238 (
239 "extensions",
240 PermissionGroup {
241 description: "Permissions that control the ability to manage extensions for the panel.",
242 permissions: IndexMap::from([
243 ("read", "Allows viewing panel extensions."),
244 (
245 "manage",
246 "Allows installing, updating, and removing panel extensions, usually also used to manage extension settings.",
247 ),
248 ]),
249 },
250 ),
251 (
252 "announcements",
253 PermissionGroup {
254 description: "Permissions that control the ability to manage announcements for the panel.",
255 permissions: IndexMap::from([
256 ("create", "Allows creating new announcements."),
257 ("read", "Allows viewing announcements."),
258 ("update", "Allows modifying announcements."),
259 ("delete", "Allows deleting announcements."),
260 ]),
261 },
262 ),
263 (
264 "assets",
265 PermissionGroup {
266 description: "Permissions that control the ability to manage assets for the panel.",
267 permissions: IndexMap::from([
268 ("read", "Allows viewing panel assets."),
269 ("upload", "Allows creating and modifying assets."),
270 ("delete", "Allows deleting panel assets."),
271 ]),
272 },
273 ),
274 (
275 "users",
276 PermissionGroup {
277 description: "Permissions that control the ability to manage users for the panel.",
278 permissions: IndexMap::from([
279 ("create", "Allows creating new users."),
280 ("read", "Allows viewing users."),
281 ("update", "Allows modifying users."),
282 (
283 "disable-two-factor",
284 "Allows removing two-factor authentication from users.",
285 ),
286 ("delete", "Allows deleting users."),
287 (
288 "email",
289 "Allows sending email actions to users, such as password resets.",
290 ),
291 ("activity", "Allows viewing a user's activity log."),
292 (
293 "oauth-links",
294 "Allows viewing and managing a user's OAuth links.",
295 ),
296 ("impersonate", "Allows impersonating other users."),
297 ]),
298 },
299 ),
300 (
301 "roles",
302 PermissionGroup {
303 description: "Permissions that control the ability to manage roles for the panel.",
304 permissions: IndexMap::from([
305 ("create", "Allows creating new roles."),
306 ("read", "Allows viewing roles."),
307 ("update", "Allows modifying roles."),
308 ("delete", "Allows deleting roles."),
309 ]),
310 },
311 ),
312 (
313 "locations",
314 PermissionGroup {
315 description: "Permissions that control the ability to manage locations for the panel.",
316 permissions: IndexMap::from([
317 ("create", "Allows creating new locations."),
318 ("read", "Allows viewing locations."),
319 ("update", "Allows modifying locations."),
320 ("delete", "Allows deleting locations."),
321 (
322 "database-hosts",
323 "Allows viewing and managing a location's database hosts.",
324 ),
325 ]),
326 },
327 ),
328 (
329 "backup-configurations",
330 PermissionGroup {
331 description: "Permissions that control the ability to manage backup configurations for the panel.",
332 permissions: IndexMap::from([
333 ("create", "Allows creating new backup configurations."),
334 (
335 "read",
336 "Allows viewing backup configurations and their passwords.",
337 ),
338 (
339 "update",
340 "Allows modifying backup configurations and their passwords.",
341 ),
342 ("delete", "Allows deleting backup configurations."),
343 (
344 "backups",
345 "Allows viewing backups associated with a backup configuration.",
346 ),
347 ]),
348 },
349 ),
350 (
351 "nodes",
352 PermissionGroup {
353 description: "Permissions that control the ability to manage nodes for the panel.",
354 permissions: IndexMap::from([
355 ("create", "Allows creating new nodes."),
356 ("read", "Allows viewing nodes and their tokens."),
357 ("update", "Allows modifying nodes."),
358 ("delete", "Allows deleting nodes."),
359 ("reset-token", "Allows resetting a node's token."),
360 (
361 "allocations",
362 "Allows viewing and managing a node's allocations.",
363 ),
364 ("mounts", "Allows viewing and managing a node's mounts."),
365 ("backups", "Allows viewing and managing a node's backups."),
366 ("power", "Allows executing mass-power actions on nodes."),
367 (
368 "transfers",
369 "Allows viewing and managing mass-server transfers between nodes.",
370 ),
371 ]),
372 },
373 ),
374 (
375 "servers",
376 PermissionGroup {
377 description: "Permissions that control the ability to manage servers for the panel.",
378 permissions: IndexMap::from([
379 ("create", "Allows creating new servers."),
380 ("read", "Allows viewing servers."),
381 ("update", "Allows modifying servers."),
382 ("delete", "Allows deleting servers."),
383 (
384 "transfer",
385 "Allows transferring servers to other nodes or canceling ongoing transfers.",
386 ),
387 (
388 "allocations",
389 "Allows viewing and managing a server's allocations.",
390 ),
391 (
392 "variables",
393 "Allows viewing and managing a server's variables.",
394 ),
395 ("mounts", "Allows viewing and managing a server's mounts."),
396 ]),
397 },
398 ),
399 (
400 "nests",
401 PermissionGroup {
402 description: "Permissions that control the ability to manage nests for the panel.",
403 permissions: IndexMap::from([
404 ("create", "Allows creating new nests."),
405 ("read", "Allows viewing nests."),
406 ("update", "Allows modifying nests."),
407 ("delete", "Allows deleting nests."),
408 ]),
409 },
410 ),
411 (
412 "eggs",
413 PermissionGroup {
414 description: "Permissions that control the ability to manage eggs for the panel.",
415 permissions: IndexMap::from([
416 ("create", "Allows creating and importing new eggs."),
417 ("read", "Allows viewing eggs."),
418 ("update", "Allows modifying eggs."),
419 ("delete", "Allows deleting eggs."),
420 ("mounts", "Allows viewing and managing an egg's mounts."),
421 ]),
422 },
423 ),
424 (
425 "egg-configurations",
426 PermissionGroup {
427 description: "Permissions that control the ability to manage egg configurations for the panel.",
428 permissions: IndexMap::from([
429 ("create", "Allows creating new egg configurations."),
430 ("read", "Allows viewing egg configurations."),
431 ("update", "Allows modifying egg configurations."),
432 ("delete", "Allows deleting egg configurations."),
433 ]),
434 },
435 ),
436 (
437 "egg-repositories",
438 PermissionGroup {
439 description: "Permissions that control the ability to manage egg repositories for the panel.",
440 permissions: IndexMap::from([
441 ("create", "Allows creating new egg repositories."),
442 ("read", "Allows viewing egg repositories."),
443 ("update", "Allows modifying egg repositories."),
444 ("delete", "Allows deleting egg repositories."),
445 (
446 "sync",
447 "Allows synchronizing egg repositories with their remote sources.",
448 ),
449 ]),
450 },
451 ),
452 (
453 "database-hosts",
454 PermissionGroup {
455 description: "Permissions that control the ability to manage database hosts for the panel.",
456 permissions: IndexMap::from([
457 ("create", "Allows creating new database hosts."),
458 ("read", "Allows viewing database hosts."),
459 ("update", "Allows modifying database hosts."),
460 ("delete", "Allows deleting database hosts."),
461 ("test", "Allows testing database host connections."),
462 ]),
463 },
464 ),
465 (
466 "oauth-providers",
467 PermissionGroup {
468 description: "Permissions that control the ability to manage OAuth providers for the panel.",
469 permissions: IndexMap::from([
470 ("create", "Allows creating new OAuth providers."),
471 ("read", "Allows viewing OAuth providers."),
472 ("update", "Allows modifying OAuth providers."),
473 ("delete", "Allows deleting OAuth providers."),
474 ]),
475 },
476 ),
477 (
478 "mounts",
479 PermissionGroup {
480 description: "Permissions that control the ability to manage mounts for the panel.",
481 permissions: IndexMap::from([
482 ("create", "Allows creating new mounts."),
483 ("read", "Allows viewing mounts."),
484 ("update", "Allows modifying mounts."),
485 ("delete", "Allows deleting mounts."),
486 ]),
487 },
488 ),
489 (
490 "activity",
491 PermissionGroup {
492 description: "Permissions that control the ability to view the activity log for all admin operations.",
493 permissions: IndexMap::from([(
494 "read",
495 "Allows viewing the activity logs for all admin operations.",
496 )]),
497 },
498 ),
499 ])
500 });
501
502pub(crate) static ADMIN_PERMISSIONS: LazyLock<RwLock<PermissionMap>> =
503 LazyLock::new(|| RwLock::new(PermissionMap::new()));
504
505#[inline]
506pub fn get_admin_permissions() -> RwLockReadGuard<'static, PermissionMap> {
507 ADMIN_PERMISSIONS.read().unwrap()
508}
509
510#[inline]
511pub fn validate_admin_permissions(
512 permissions: &[compact_str::CompactString],
513 _context: &(),
514) -> Result<(), garde::Error> {
515 get_admin_permissions().validate_permissions(permissions)
516}
517
518pub(crate) static BASE_SERVER_PERMISSIONS: LazyLock<IndexMap<&'static str, PermissionGroup>> =
519 LazyLock::new(|| {
520 IndexMap::from([
521 (
522 "control",
523 PermissionGroup {
524 description: "Permissions that control the ability to control the power state of a server, read the console, or send commands.",
525 permissions: IndexMap::from([
526 ("read-console", "Allows reading the server console logs."),
527 (
528 "console",
529 "Allows sending commands to the server instance via the console.",
530 ),
531 ("start", "Allows starting the server if it is stopped."),
532 ("stop", "Allows stopping the server if it is running."),
533 (
534 "restart",
535 "Allows restarting the server. This permits starting the server if it is offline, but not placing it in a completely stopped state.",
536 ),
537 ]),
538 },
539 ),
540 (
541 "subusers",
542 PermissionGroup {
543 description: "Permissions that control the ability to manage subusers of a server. Users can never edit their own account or assign permissions they do not have.",
544 permissions: IndexMap::from([
545 ("create", "Allows creating new subusers for the server."),
546 ("read", "Allows viewing subusers and their permissions."),
547 ("update", "Allows modifying other subusers."),
548 ("delete", "Allows deleting subusers from the server."),
549 ]),
550 },
551 ),
552 (
553 "files",
554 PermissionGroup {
555 description: "Permissions that control the ability to modify the filesystem for this server.",
556 permissions: IndexMap::from([
557 (
558 "create",
559 "Allows creating additional files and folders via the panel or direct upload.",
560 ),
561 (
562 "read",
563 "Allows viewing the contents of a directory, but not reading or downloading individual files.",
564 ),
565 (
566 "read-content",
567 "Allows viewing the contents of a specific file. This also permits downloading files.",
568 ),
569 (
570 "update",
571 "Allows updating the contents of an existing file or directory.",
572 ),
573 ("delete", "Allows deleting files or directories."),
574 ("archive", "Allows archiving the contents of a directory."),
575 ("sftp", "Allows connecting via SFTP to manage files."),
576 ]),
577 },
578 ),
579 (
580 "backups",
581 PermissionGroup {
582 description: "Permissions that control the ability to manage server backups.",
583 permissions: IndexMap::from([
584 ("create", "Allows creating new backups for the server."),
585 ("read", "Allows viewing existing backups."),
586 ("download", "Allows downloading backups."),
587 ("restore", "Allows restoring backups."),
588 ("update", "Allows updating existing backups."),
589 ("delete", "Allows deleting backups."),
590 ]),
591 },
592 ),
593 (
594 "schedules",
595 PermissionGroup {
596 description: "Permissions that control the ability to manage server schedules.",
597 permissions: IndexMap::from([
598 ("create", "Allows creating new schedules."),
599 ("read", "Allows viewing existing schedules."),
600 ("update", "Allows updating existing schedules."),
601 ("delete", "Allows deleting schedules."),
602 ]),
603 },
604 ),
605 (
606 "allocations",
607 PermissionGroup {
608 description: "Permissions that control the ability to modify the port allocations for this server.",
609 permissions: IndexMap::from([
610 (
611 "read",
612 "Allows viewing all allocations currently assigned to this server. Users with any level of access can always view the primary allocation.",
613 ),
614 (
615 "create",
616 "Allows assigning additional allocations to the server.",
617 ),
618 (
619 "update",
620 "Allows changing the primary server allocation and attaching notes to allocations.",
621 ),
622 ("delete", "Allows deleting allocations from the server."),
623 ]),
624 },
625 ),
626 (
627 "startup",
628 PermissionGroup {
629 description: "Permissions that control the ability to view and modify this server's startup parameters.",
630 permissions: IndexMap::from([
631 (
632 "read",
633 "Allows viewing the startup variables for the server.",
634 ),
635 ("update", "Allows modifying the startup variables."),
636 (
637 "command",
638 "Allows modifying the command used to start the server.",
639 ),
640 (
641 "docker-image",
642 "Allows modifying the Docker image used when running the server.",
643 ),
644 ]),
645 },
646 ),
647 (
648 "databases",
649 PermissionGroup {
650 description: "Permissions that control the ability to manage databases on this server.",
651 permissions: IndexMap::from([
652 ("create", "Allows creating new databases."),
653 (
654 "read",
655 "Allows viewing databases associated with this server.",
656 ),
657 (
658 "read-password",
659 "Allows viewing the password associated with a database instance.",
660 ),
661 (
662 "update",
663 "Allows rotating the password on a database instance. Users without the read-password permission will not see the updated password.",
664 ),
665 (
666 "recreate",
667 "Allows deleting and recreating a database, in the process wiping all data.",
668 ),
669 (
670 "delete",
671 "Allows removing database instances from this server.",
672 ),
673 ]),
674 },
675 ),
676 (
677 "mounts",
678 PermissionGroup {
679 description: "Permissions that control the ability to manage server mounts.",
680 permissions: IndexMap::from([
681 ("attach", "Allows attaching new mounts to the server."),
682 ("read", "Allows viewing existing mounts."),
683 ("detach", "Allows detaching mounts from the server."),
684 ]),
685 },
686 ),
687 (
688 "settings",
689 PermissionGroup {
690 description: "Permissions that control the ability to manage settings on this server.",
691 permissions: IndexMap::from([
692 (
693 "rename",
694 "Allows renaming the server and changing its description.",
695 ),
696 ("timezone", "Allows changing the server's timezone."),
697 (
698 "auto-kill",
699 "Allows changing the server's auto-kill settings.",
700 ),
701 (
702 "auto-start",
703 "Allows changing the server's auto-start settings.",
704 ),
705 ("install", "Allows triggering a reinstall of the server."),
706 (
707 "cancel-install",
708 "Allows canceling the server's installation process.",
709 ),
710 ]),
711 },
712 ),
713 (
714 "activity",
715 PermissionGroup {
716 description: "Permissions that control the ability to view the activity log on this server.",
717 permissions: IndexMap::from([
718 ("read", "Allows viewing the server's activity logs."),
719 (
720 "read-ip",
721 "Allows viewing IP addresses associated with activity logs.",
722 ),
723 ]),
724 },
725 ),
726 ])
727 });
728
729pub(crate) static SERVER_PERMISSIONS: LazyLock<RwLock<PermissionMap>> =
730 LazyLock::new(|| RwLock::new(PermissionMap::new()));
731
732#[inline]
733pub fn get_server_permissions() -> RwLockReadGuard<'static, PermissionMap> {
734 SERVER_PERMISSIONS.read().unwrap()
735}
736
737#[inline]
738pub fn validate_server_permissions(
739 permissions: &[compact_str::CompactString],
740 _context: &(),
741) -> Result<(), garde::Error> {
742 get_server_permissions().validate_permissions(permissions)
743}