More trace output of role checking

2024-11-22 14:57:56 +01:00 · 2022-05-31 13:45:51 +02:00 · 2022-05-31 13:45:51 +02:00 · 17fd08b7e5
commit 17fd08b7e5
parent a43c38c118
1 changed files with 6 additions and 0 deletions
--- a/bffhd/authorization/roles.rs
+++ b/bffhd/authorization/roles.rs
@ -67,17 +67,20 @@ impl Roles {
        role_id: &String,
        perm: &Permission,
    ) -> bool {
+        let _guard = tracing::debug_span!("tally", %role_id, perm=perm.as_str());
        if let Some(role) = self.get(role_id) {
            // Only check and tally parents of a role at the role itself if it's the first time we
            // see it
            if !roles.contains(role_id) {
                for perm_rule in role.permissions.iter() {
                    if perm_rule.match_perm(perm) {
+                        tracing::debug!("Permission granted by direct role");
                        return true;
                    }
                }
                for parent in role.parents.iter() {
                    if self.permitted_tally(roles, parent, perm) {
+                        tracing::debug!(%parent, "Permission granted by parent role");
                        return true;
                    }
                }
@ -86,10 +89,13 @@ impl Roles {
            }
        }

+        tracing::trace!(%role_id, "Permission not granted by role");
        false
    }

    pub fn is_permitted(&self, user: &UserData, perm: impl AsRef<Permission>) -> bool {
+        let perm = perm.as_ref();
+        tracing::debug!(perm=perm.as_str(), "Checking permission");
        let mut seen = HashSet::new();
        for role_id in user.roles.iter() {
            if self.permitted_tally(&mut seen, role_id, perm.as_ref()) {