Support for {PUT, DELETE} /api/topic-permissions/{vhost}/{user}

Author: michaelklishin

src/api.rs

@@ -1404,7 +1404,10 @@ where
 
     /// Lists all topic permissions of a user.
     /// See [Topic Authorisation](https://www.rabbitmq.com/docs/access-control#topic-authorisation) to learn more.
-    pub async fn list_topic_permissions_of(&self, user: &str) -> Result<Vec<responses::TopicPermission>> {
+    pub async fn list_topic_permissions_of(
+        &self,
+        user: &str,
+    ) -> Result<Vec<responses::TopicPermission>> {
         let response = self
             .http_get(path!("users", user, "topic-permissions"), None, None)
             .await?;
@@ -1420,6 +1423,36 @@ where
         Ok(response)
     }
 
+    /// Sets [topic permissions](https://www.rabbitmq.com/docs/access-control#topic-authorisation) in a specific virtual host.
+    pub async fn declare_topic_permissions(
+        &self,
+        params: &requests::TopicPermissions<'_>,
+    ) -> Result<()> {
+        self.put_api_request(
+            path!("topic-permissions", params.vhost, params.user),
+            params,
+        )
+        .await
+    }
+
+    /// Clears [topic permissions](https://www.rabbitmq.com/docs/access-control#topic-authorisation) for a user in a specific virtual host.
+    pub async fn clear_topic_permissions(
+        &self,
+        vhost: &str,
+        user: &str,
+        idempotently: bool,
+    ) -> Result<()> {
+        let excludes = if idempotently {
+            Some(StatusCode::NOT_FOUND)
+        } else {
+            None
+        };
+        let _response = self
+            .http_delete(path!("topic-permissions", vhost, user), excludes, None)
+            .await?;
+        Ok(())
+    }
+
     //
     // Rebalancing
     //

src/blocking_api.rs

@@ -1313,8 +1313,7 @@ where
     /// Lists all topic permissions of a user.
     /// See [Topic Authorisation](https://www.rabbitmq.com/docs/access-control#topic-authorisation) to learn more.
     pub fn list_topic_permissions_of(&self, user: &str) -> Result<Vec<responses::TopicPermission>> {
-        let response = self
-            .http_get(path!("users", user, "topic-permissions"), None, None)?;
+        let response = self.http_get(path!("users", user, "topic-permissions"), None, None)?;
         let response = response.json()?;
         Ok(response)
     }
@@ -1326,6 +1325,31 @@ where
         Ok(response)
     }
 
+    /// Sets [topic permissions](https://www.rabbitmq.com/docs/access-control#topic-authorisation) in a specific virtual host.
+    pub fn declare_topic_permissions(&self, params: &requests::TopicPermissions<'_>) -> Result<()> {
+        self.put_api_request(
+            path!("topic-permissions", params.vhost, params.user),
+            params,
+        )
+    }
+
+    /// Clears [topic permissions](https://www.rabbitmq.com/docs/access-control#topic-authorisation) for a user in a specific virtual host.
+    pub fn clear_topic_permissions(
+        &self,
+        vhost: &str,
+        user: &str,
+        idempotently: bool,
+    ) -> Result<()> {
+        let excludes = if idempotently {
+            Some(StatusCode::NOT_FOUND)
+        } else {
+            None
+        };
+        let _response =
+            self.http_delete(path!("topic-permissions", vhost, user), excludes, None)?;
+        Ok(())
+    }
+
     //
     // Rebalancing
     //

src/requests.rs

@@ -568,7 +568,7 @@ impl From<PolDef> for PolicyDefinition {
 ///
 /// # Pattern Examples
 /// * `"^amq\\."` - Matches resources starting with "amq."
-/// * `".*"` - Matches all resources  
+/// * `".*"` - Matches all resources
 /// * `"orders\\.(urgent|normal)"` - Matches "orders.urgent" or "orders.normal"
 /// * `"temp_.*"` - Matches resources starting with "temp_"
 ///
@@ -614,10 +614,25 @@ pub struct Permissions<'a> {
     pub configure: &'a str,
     /// Regex pattern for resources user can read from
     pub read: &'a str,
-    /// Regex pattern for resources user can write to  
+    /// Regex pattern for resources user can write to
     pub write: &'a str,
 }
 
+/// Represents a user's [topic permission in a particular virtual host](https://www.rabbitmq.com/docs/access-control#topic-authorisation).
+///
+/// Topic permissions are defined using regular expression patterns that match exchange names.
+#[derive(Serialize, Debug)]
+pub struct TopicPermissions<'a> {
+    pub user: &'a str,
+    pub vhost: &'a str,
+    /// Regex pattern for the topics the user can publish to
+    pub write: &'a str,
+    /// Regex pattern for the topics the user can consume from (subscribe to)
+    pub read: &'a str,
+    /// The topic exchange these permissions apply to
+    pub exchange: &'a str,
+}
+
 /// Controls when federation resources (temporary queues/exchanges) are cleaned up.
 ///
 /// Federation creates temporary resources on the downstream cluster. This enum controls

src/responses.rs

@@ -1590,7 +1590,6 @@ pub struct TopicPermission {
     pub write: String,
 }
 
-
 impl Permissions {
     pub fn with_username(&self, username: &str) -> Self {
         Permissions {

tests/async_permission_tests.rs

@@ -11,10 +11,11 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-use rabbitmq_http_client::requests::VirtualHostParams;
-use rabbitmq_http_client::responses;
 use rabbitmq_http_client::api::Client;
+use rabbitmq_http_client::requests;
 use rabbitmq_http_client::requests::Permissions;
+use rabbitmq_http_client::requests::VirtualHostParams;
+use rabbitmq_http_client::responses;
 
 mod test_helpers;
 use crate::test_helpers::{PASSWORD, USERNAME, endpoint};
@@ -180,7 +181,95 @@ async fn test_async_list_topic_permissions_of() {
     assert!(result1.is_ok());
 
     let result = rc.list_topic_permissions_of("guest").await;
-    assert!(result.is_ok(), "list_topic_permissions_of returned {result:?}");
+    assert!(
+        result.is_ok(),
+        "list_topic_permissions_of returned {result:?}"
+    );
+
+    rc.delete_vhost(vh_params.name, false).await.unwrap();
+}
+
+#[tokio::test]
+async fn test_async_declare_topic_permissions() {
+    let endpoint = endpoint();
+    let rc = Client::new(&endpoint, USERNAME, PASSWORD);
+
+    let vh_params = VirtualHostParams::named("test_declare_topic_permissions");
+    let _ = rc.delete_vhost(vh_params.name, false).await;
+    let result1 = rc.create_vhost(&vh_params).await;
+    assert!(result1.is_ok());
+
+    let params = requests::TopicPermissions {
+        user: "guest",
+        vhost: vh_params.name,
+        exchange: "amq.topic",
+        read: ".*",
+        write: ".*",
+    };
+    let result = rc.declare_topic_permissions(&params).await;
+    assert!(
+        result.is_ok(),
+        "declare_topic_permissions returned {result:?}"
+    );
+
+    // Verify that the topic permissions are set
+    let topic_permissions = rc.list_topic_permissions_of("guest").await.unwrap();
+    assert!(topic_permissions.iter().any(|p| p.vhost == vh_params.name
+        && p.exchange == "amq.topic"
+        && p.read == ".*"
+        && p.write == ".*"));
+
+    rc.delete_vhost(vh_params.name, false).await.unwrap();
+}
+
+#[tokio::test]
+async fn test_async_clear_topic_permissions() {
+    let endpoint = endpoint();
+    let rc = Client::new(&endpoint, USERNAME, PASSWORD);
+
+    let vh_params = VirtualHostParams::named("test_clear_topic_permissions");
+    let _ = rc.delete_vhost(vh_params.name, false).await;
+    let result1 = rc.create_vhost(&vh_params).await;
+    assert!(result1.is_ok());
+
+    let params = requests::TopicPermissions {
+        user: "guest",
+        vhost: vh_params.name,
+        exchange: "amq.topic",
+        read: ".*",
+        write: ".*",
+    };
+    let result = rc.declare_topic_permissions(&params).await;
+    assert!(
+        result.is_ok(),
+        "declare_topic_permissions returned {result:?}"
+    );
+
+    // Verify that the topic permissions are set
+    let topic_permissions = rc.list_topic_permissions_of("guest").await.unwrap();
+    assert!(topic_permissions.iter().any(|p| p.vhost == vh_params.name
+        && p.exchange == "amq.topic"
+        && p.read == ".*"
+        && p.write == ".*"));
+
+    let result2 = rc
+        .clear_topic_permissions(vh_params.name, "guest", false)
+        .await;
+    assert!(
+        result2.is_ok(),
+        "clear_topic_permissions returned {result2:?}"
+    );
+
+    // Verify that the topic permissions are cleared
+    let topic_permissions_after_clear = rc.list_topic_permissions_of("guest").await.unwrap();
+    assert!(
+        !topic_permissions_after_clear
+            .iter()
+            .any(|p| p.vhost == vh_params.name
+                && p.exchange == "amq.topic"
+                && p.read == ".*"
+                && p.write == ".*")
+    );
 
     rc.delete_vhost(vh_params.name, false).await.unwrap();
 }

tests/blocking_permission_tests.rs

@@ -11,10 +11,11 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-use rabbitmq_http_client::requests::VirtualHostParams;
-use rabbitmq_http_client::responses;
 use rabbitmq_http_client::blocking_api::Client;
+use rabbitmq_http_client::requests;
 use rabbitmq_http_client::requests::Permissions;
+use rabbitmq_http_client::requests::VirtualHostParams;
+use rabbitmq_http_client::responses;
 
 mod test_helpers;
 use crate::test_helpers::{PASSWORD, USERNAME, endpoint};
@@ -136,7 +137,93 @@ fn test_blocking_list_topic_permissions_of() {
     assert!(result1.is_ok());
 
     let result = rc.list_topic_permissions_of("guest");
-    assert!(result.is_ok(), "list_topic_permissions_of returned {result:?}");
+    assert!(
+        result.is_ok(),
+        "list_topic_permissions_of returned {result:?}"
+    );
+
+    rc.delete_vhost(vh_params.name, false).unwrap();
+}
+
+#[test]
+fn test_blocking_declare_topic_permissions() {
+    let endpoint = endpoint();
+    let rc = Client::new(&endpoint, USERNAME, PASSWORD);
+
+    let vh_params = VirtualHostParams::named("test_blocking_declare_topic_permissions");
+    let _ = rc.delete_vhost(vh_params.name, false);
+    let result1 = rc.create_vhost(&vh_params);
+    assert!(result1.is_ok());
+
+    let params = requests::TopicPermissions {
+        user: "guest",
+        vhost: vh_params.name,
+        exchange: "amq.topic",
+        read: ".*",
+        write: ".*",
+    };
+    let result = rc.declare_topic_permissions(&params);
+    assert!(
+        result.is_ok(),
+        "declare_topic_permissions returned {result:?}"
+    );
+
+    // Verify that the topic permissions are set
+    let topic_permissions = rc.list_topic_permissions_of("guest").unwrap();
+    assert!(topic_permissions.iter().any(|p| p.vhost == vh_params.name
+        && p.exchange == "amq.topic"
+        && p.read == ".*"
+        && p.write == ".*"));
+
+    rc.delete_vhost(vh_params.name, false).unwrap();
+}
+
+#[test]
+fn test_blocking_clear_topic_permissions() {
+    let endpoint = endpoint();
+    let rc = Client::new(&endpoint, USERNAME, PASSWORD);
+
+    let vh_params = VirtualHostParams::named("test_blocking_clear_topic_permissions");
+    let _ = rc.delete_vhost(vh_params.name, false);
+    let result1 = rc.create_vhost(&vh_params);
+    assert!(result1.is_ok());
+
+    let params = requests::TopicPermissions {
+        user: "guest",
+        vhost: vh_params.name,
+        exchange: "amq.topic",
+        read: ".*",
+        write: ".*",
+    };
+    let result = rc.declare_topic_permissions(&params);
+    assert!(
+        result.is_ok(),
+        "declare_topic_permissions returned {result:?}"
+    );
+
+    // Verify that the topic permissions are set
+    let topic_permissions = rc.list_topic_permissions_of("guest").unwrap();
+    assert!(topic_permissions.iter().any(|p| p.vhost == vh_params.name
+        && p.exchange == "amq.topic"
+        && p.read == ".*"
+        && p.write == ".*"));
+
+    let result2 = rc.clear_topic_permissions(vh_params.name, "guest", false);
+    assert!(
+        result2.is_ok(),
+        "clear_topic_permissions returned {result2:?}"
+    );
+
+    // Verify that the topic permissions are cleared
+    let topic_permissions_after_clear = rc.list_topic_permissions_of("guest").unwrap();
+    assert!(
+        !topic_permissions_after_clear
+            .iter()
+            .any(|p| p.vhost == vh_params.name
+                && p.exchange == "amq.topic"
+                && p.read == ".*"
+                && p.write == ".*")
+    );
 
     rc.delete_vhost(vh_params.name, false).unwrap();
 }