Unify diesel error conversions under 'public_error_from_diesel_pool' (#…

…647) - Unifies diesel error conversions under `public_error_from_diesel_pool` - The function now takes an `ErrorHandler` as an argument, which allows callers to customize the user-level errors that may be returned.
oxidecomputer · Jan 29, 2022 · c4e76cb · c4e76cb
1 parent 908599d
commit c4e76cb
Show file tree

Hide file tree

Showing 5 changed files with 366 additions and 244 deletions.
diff --git a/nexus/src/authz/api_resources.rs b/nexus/src/authz/api_resources.rs
@@ -48,13 +48,22 @@ pub trait ApiResource: Clone + Send + Sync + 'static {
     /// can affect access to this resource, return the parent resource.
     /// Otherwise, returns `None`.
     fn parent(&self) -> Option<&dyn AuthorizedResource>;
+}
 
+/// Practically, all objects which implement [`ApiResourceError`]
+/// also implement [`ApiResource`]. However, [`ApiResource`] is not object
+/// safe because it implements [`std::clone::Clone`].
+///
+/// This allows callers to use [`ApiResourceError`] as a trait object.
+pub trait ApiResourceError {
     /// Returns an error as though this resource were not found, suitable for
     /// use when an actor should not be able to see that this resource exists
     fn not_found(&self) -> Error;
 }
 
-impl<T: ApiResource + oso::PolarClass> AuthorizedResource for T {
+impl<T: ApiResource + ApiResourceError + oso::PolarClass> AuthorizedResource
+    for T
+{
     fn load_roles<'a, 'b, 'c, 'd, 'e, 'f>(
         &'a self,
         opctx: &'b OpContext,
@@ -238,7 +247,9 @@ impl ApiResource for FleetChild {
     fn parent(&self) -> Option<&dyn AuthorizedResource> {
         Some(&FLEET)
     }
+}
 
+impl ApiResourceError for FleetChild {
     fn not_found(&self) -> Error {
         self.lookup_type.clone().into_not_found(self.resource_type)
     }
@@ -309,7 +320,9 @@ impl ApiResource for Organization {
     fn parent(&self) -> Option<&dyn AuthorizedResource> {
         Some(&FLEET)
     }
+}
 
+impl ApiResourceError for Organization {
     fn not_found(&self) -> Error {
         self.lookup_type.clone().into_not_found(ResourceType::Organization)
     }
@@ -393,7 +406,9 @@ impl ApiResource for Project {
     fn parent(&self) -> Option<&dyn AuthorizedResource> {
         Some(&self.parent)
     }
+}
 
+impl ApiResourceError for Project {
     fn not_found(&self) -> Error {
         self.lookup_type.clone().into_not_found(ResourceType::Project)
     }
@@ -450,7 +465,9 @@ impl ApiResource for ProjectChild {
     fn parent(&self) -> Option<&dyn AuthorizedResource> {
         Some(&self.parent)
     }
+}
 
+impl ApiResourceError for ProjectChild {
     fn not_found(&self) -> Error {
         self.lookup_type.clone().into_not_found(self.resource_type)
     }

diff --git a/nexus/src/authz/mod.rs b/nexus/src/authz/mod.rs
@@ -163,7 +163,7 @@
 mod actor;
 
 mod api_resources;
-pub use api_resources::ApiResource;
+pub use api_resources::ApiResourceError;
 pub use api_resources::Fleet;
 pub use api_resources::FleetChild;
 pub use api_resources::Organization;

diff --git a/nexus/src/context.rs b/nexus/src/context.rs
@@ -193,7 +193,7 @@ pub struct OpContext {
     kind: OpKind,
 }
 
-pub enum OpKind {
+enum OpKind {
     /// Handling an external API request
     ExternalApiRequest,
     /// Background operations in Nexus