auth: move Permission and ValidationResults to auth crate

crates/auth/Cargo.toml

@@ -14,6 +14,7 @@ opaque_server = []
 opaque_client = []
 js = []
 sea_orm = ["dep:sea-orm"]
+test = []
 
 [dependencies]
 rust-argon2 = "0.8"

crates/auth/src/access_control.rs

@@ -0,0 +1,58 @@
+use crate::types::UserId;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Copy, PartialEq, Eq, Debug, Serialize, Deserialize)]
+pub enum Permission {
+    Admin,
+    PasswordManager,
+    Readonly,
+    Regular,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub struct ValidationResults {
+    pub user: UserId,
+    pub permission: Permission,
+}
+
+impl ValidationResults {
+    #[cfg(feature = "test")]
+    pub fn admin() -> Self {
+        Self {
+            user: UserId::new("admin"),
+            permission: Permission::Admin,
+        }
+    }
+
+    #[must_use]
+    pub fn is_admin(&self) -> bool {
+        self.permission == Permission::Admin
+    }
+
+    #[must_use]
+    pub fn can_read_all(&self) -> bool {
+        self.permission == Permission::Admin
+            || self.permission == Permission::Readonly
+            || self.permission == Permission::PasswordManager
+    }
+
+    #[must_use]
+    pub fn can_read(&self, user: &UserId) -> bool {
+        self.permission == Permission::Admin
+            || self.permission == Permission::PasswordManager
+            || self.permission == Permission::Readonly
+            || &self.user == user
+    }
+
+    #[must_use]
+    pub fn can_change_password(&self, user: &UserId, user_is_admin: bool) -> bool {
+        self.permission == Permission::Admin
+            || (self.permission == Permission::PasswordManager && !user_is_admin)
+            || &self.user == user
+    }
+
+    #[must_use]
+    pub fn can_write(&self, user: &UserId) -> bool {
+        self.permission == Permission::Admin || &self.user == user
+    }
+}

crates/auth/src/lib.rs

@@ -5,6 +5,7 @@ use serde::{Deserialize, Serialize};
 use std::collections::HashSet;
 use std::fmt;
 
+pub mod access_control;
 pub mod opaque;
 
 /// The messages for the 3-step OPAQUE and simple login process.