
slim_auth/
errors.rs

1// Copyright AGNTCY Contributors (https://github.com/agntcy)
2// SPDX-License-Identifier: Apache-2.0
3
4use http::StatusCode;
5#[cfg(not(target_arch = "wasm32"))]
6use jsonwebtoken::jwk::KeyAlgorithm;
7
8#[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
9use spiffe::{
10    JwtSourceError, JwtSvidError, SpiffeIdError, TrustDomain, WorkloadApiError, X509SourceError,
11};
12
13use thiserror::Error;
14
/// Error type for the authentication code in this crate: JWT handling,
/// OIDC/OAuth2, HMAC keys, token lifecycle checks, JWKS resolution,
/// SPIFFE/SPIRE integration, serialization and MLS identity claims.
///
/// Several variants are compiled only on some targets (`#[cfg(...)]` on
/// `wasm32` and Windows), so a `match` that names them needs the same
/// `cfg` attributes.
///
/// Every `#[from]` variant in this enum has a fixed `Display` string that
/// does not include the wrapped error. The wrapped error stays reachable
/// through `std::error::Error::source()`, so log the source chain when the
/// underlying cause is needed for diagnosis.
15#[derive(Error, Debug)]
16pub enum AuthError {
17    // JWT errors
18    #[cfg(not(target_arch = "wasm32"))]
19    #[error("unsupported key algorithm: {0}")]
20    JwtUnsupportedKeyAlgorithm(KeyAlgorithm),
21    #[error("JWK does not contain the key algorithm (alg) field")]
22    JwtMissingKeyAlgorithm,
23    #[error("no private key available for signing")]
24    JwtMissingPrivateKey,
25    #[error("missing decoding key or autoresolve is disabled")]
26    JwtMissingDecodingKeyOrKeyResolver,
27    #[error("missing 'iss' in JWT claims")]
28    JwtMissingIssuer,
29    #[error("no key resolver available")]
30    JwtNoKeyResolver,
31    #[error("no static JWT token configured")]
32    JwtNoStaticTokenConfigured,
33    #[error("JWK format not supported for encoding (signing) keys")]
34    JwtJwkFormatNotSupportedForEncoding,
    /// Carries only the HTTP status of the failed JWKS fetch; the issuer is
    /// not part of the message.
35    #[error("failed to fetch JWKS for issuer - status_code: {0}")]
36    JwtFetchJwksFailed(StatusCode),
37    #[error("StaticTokenProvider does not support custom claims")]
38    JwtStaticUnsupportedCustomClaims,
39
40    // OIDC/Oauth2 errors
41    #[error("token_endpoint not found in discovery document")]
42    OidcDiscoveryMissingTokenEndpoint,
    /// The string is interpolated into the message as-is.
    // NOTE(review): presumably this is a key id taken from a token header,
    // i.e. peer-controlled — confirm at the call sites and treat it as
    // untrusted text when it reaches logs.
43    #[error("key not found: {0}")]
44    OidcKeyNotFound(String),
45    #[error("kid is missing and multiple keys are available")]
46    OidcMissingKidWithMultipleKeys,
47    #[error("OIDC Token Provider does not support custom claims")]
48    OidcUnsupportedCustomClaims,
    /// The boxed error is rendered through `Display` only; the field has no
    /// `#[source]`/`#[from]` attribute, so it is not exposed via `source()`.
49    #[error("OAuth2 request error: {0}")]
50    OAuth2Request(Box<dyn std::error::Error + Send + Sync>),
    /// `body` is written into the message verbatim.
    // NOTE(review): `body` looks like the raw response from the remote token
    // endpoint — confirm. If so it is unbounded, remote-controlled text that
    // ends up wherever this error is logged; consider truncating and
    // escaping it at the point where the variant is constructed.
51    #[error("Token endpoint error: status {status}, body: {body}")]
52    TokenEndpointError { status: u16, body: String },
53    #[error("Invalid client credentials")]
54    InvalidClientCredentials,
55
56    // hmac
    /// The length threshold is not defined in this file.
57    #[error("hmac key is too short")]
58    HmacKeyTooShort,
59    #[error("hmac key is missing")]
60    HmacKeyMissing,
61
62    // Time
63    #[error("time error")]
64    TimeError(#[from] std::time::SystemTimeError),
65
66    // URL parsing
67    #[cfg(not(target_arch = "wasm32"))]
68    #[error("URL parse error")]
69    UrlParseError(#[from] url::ParseError),
70
71    // Header parsing
72    #[error("invalid header name")]
73    HeaderNameError(#[from] http::header::InvalidHeaderName),
74    #[error("invalid header value")]
75    HeaderValueError(#[from] http::header::InvalidHeaderValue),
76
77    // File watcher
78    #[cfg(not(target_arch = "wasm32"))]
79    #[error("file watcher error")]
80    FileWatcherError(#[from] crate::file_watcher::FileWatcherError),
81
82    // Token lifecycle
83    #[error("no token available")]
84    GetTokenError,
85    #[error("token invalid")]
86    TokenInvalid,
87    #[error("token malformed")]
88    TokenMalformed,
89    #[error("token invalid: missing subject claim")]
90    TokenInvalidMissingSub,
91    #[error("token invalid: replay")]
92    TokenInvalidReplay,
    /// Displays the same text as `TokenInvalid` ("token invalid"); the
    /// `jsonwebtoken` error that caused the rejection is available only
    /// through `source()`.
93    #[cfg(not(target_arch = "wasm32"))]
94    #[error("token invalid")]
95    JwtTokenInvalid(#[from] jsonwebtoken::errors::Error),
96    #[error("token invalid - missing or invalid exp claim")]
97    TokenInvalidMissingExp,
98
99    // HTTP / networking
100    #[cfg(not(target_arch = "wasm32"))]
101    #[error("HTTP request error")]
102    HttpError(#[from] reqwest::Error),
103
104    // JWKS / key resolution
    /// The field is named `source`, so thiserror reports it as the error
    /// source and the message also prints it; there is no `#[from]`, so
    /// the variant has to be constructed explicitly.
105    #[error("failed to parse JWKS: {source}")]
106    JwksParse { source: serde_json::Error },
107    #[error("no suitable key found in JWKS for token header")]
108    JwksNoSuitableKey,
    // NOTE(review): `issuer` is printed as-is here and in `JwksCacheExpired`.
    // It presumably originates from a token's `iss` claim before the token
    // is verified — confirm, and treat it as untrusted text in logs.
109    #[error("no cached JWKS for issuer: {issuer}")]
110    JwksCacheMiss { issuer: String },
111    #[error("openid discovery document missing jwks_uri field")]
112    OidcDiscoveryMissingJwksUri,
113    #[error("cached JWKS expired for issuer: {issuer}")]
114    JwksCacheExpired { issuer: String },
115
116    // SPIFFE / SPIRE integration
    /// Not `cfg`-gated: this variant exists on every target, unlike the
    /// other SPIFFE variants below.
117    #[error("spire integration is not supported on Windows")]
118    SpireUnsupportedOnWindows,
119    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
120    #[error("serde error while encoding audience: {source}")]
121    SpiffeCustomClaimsSerialize { source: serde_json::Error },
122    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
123    #[error("spiffe error")]
124    SpiffeError(#[from] SpiffeIdError),
125    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
126    #[error("spiffe grpc error")]
127    SpiffeGrpcError(#[from] WorkloadApiError),
128    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
129    #[error("spiffe workload api unavailable")]
130    SpiffeWorkloadApiUnavailable,
131    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
132    #[error("spiffe x509 source error")]
133    SpiffeX509SourceError(#[from] X509SourceError),
134    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
135    #[error("spiffe jwt source error")]
136    SpiffeJwtSourceError(#[from] JwtSourceError),
137    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
138    #[error("jwt source not initialized")]
139    SpiffeJwtSourceNotInitialized,
140    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
141    #[error("missing jwt svid")]
142    SpiffeJwtSvidMissing,
143    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
144    #[error("missing jwt bundle")]
145    SpiffeJwtBundleMissing,
146    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
147    #[error("invalid JWT svid")]
148    SpiffeInvalidJwtSvid(#[from] JwtSvidError),
149    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
150    #[error("failed to fetch x509 SVID")]
151    SpiffeX509SvidMissing,
152    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
153    #[error("x509 source not initialized")]
154    SpiffeX509SourceNotInitialized,
155    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
156    #[error("x509 trust bundle not available: {0}")]
157    SpiffeX509BundleMissing(TrustDomain),
158    #[cfg(all(not(target_arch = "wasm32"), not(target_family = "windows")))]
159    #[error("spire x509 empty certificate chain")]
160    SpiffeX509EmptyCertChain,
161    // Serialization
    /// `?` on any `serde_json::Error` converts into this variant; the
    /// `JwksParse` and `SpiffeCustomClaimsSerialize` variants wrap the same
    /// error type but are only produced when built by hand.
162    #[error("JSON serialization error")]
163    JsonError(#[from] serde_json::Error),
164    #[error("base64 decode error")]
165    Base64DecodeError(#[from] base64::DecodeError),
166
167    // Operational
168    #[error("operation would block on async I/O; call async variant")]
169    WouldBlockOn,
170
171    // MLS
172    #[error("MLS is not supported by this provider")]
173    MlsNotSupported,
174    #[error("public key not found in identity claims")]
175    PublicKeyNotFound,
176    #[error("subject not found in identity claims")]
177    SubjectNotFound,
178}