lakehouse/crates/gateway/src/access_service.rs

use axum::{
    Json, Router,
    extract::{Query, State},
    http::StatusCode,
    response::IntoResponse,
    routing::{get, post},
};
use serde::Deserialize;

use crate::access::{AccessControl, AgentRole};

pub fn router(ac: AccessControl) -> Router {
    Router::new()
        .route("/roles", get(list_roles))
        .route("/roles", post(set_role))
        .route("/audit", get(query_audit))
        .route("/check", post(check_access))
        .with_state(ac)
}

async fn list_roles(State(ac): State<AccessControl>) -> impl IntoResponse {
    Json(ac.list_roles().await)
}

async fn set_role(
    State(ac): State<AccessControl>,
    Json(role): Json<AgentRole>,
) -> impl IntoResponse {
    let name = role.agent_name.clone();
    ac.set_role(role).await;
    (StatusCode::OK, format!("role set: {name}"))
}

#[derive(Deserialize)]
struct AuditQuery {
    limit: Option<usize>,
}

async fn query_audit(
    State(ac): State<AccessControl>,
    Query(q): Query<AuditQuery>,
) -> impl IntoResponse {
    Json(ac.recent_audit(q.limit.unwrap_or(50)).await)
}

#[derive(Deserialize)]
struct CheckRequest {
    agent: String,
    sensitivity: shared::types::Sensitivity,
}

async fn check_access(
    State(ac): State<AccessControl>,
    Json(req): Json<CheckRequest>,
) -> impl IntoResponse {
    let allowed = ac.can_access(&req.agent, &req.sensitivity).await;
    Json(serde_json::json!({
        "agent": req.agent,
        "sensitivity": req.sensitivity,
        "allowed": allowed,
    }))
}