

/// The resolved authentication context after verifying credentials.
///
/// Produced by the constructors in `impl AuthContext` below. The fields
/// record which credential was presented and what it is allowed to do;
/// they are all `pub`, so the invariants noted on each field hold for
/// values built via those constructors, not for struct literals elsewhere.
///
/// `Debug` output includes `method`, which for tokens carries the session
/// id. NOTE(review): avoid `{:?}` of this type in logs if session ids are
/// treated as sensitive — confirm against how sessions are issued.
#[derive(Debug, Clone)]
// NOTE(review): this allow silences the warning for fields nothing reads.
// If `scope` or `run_only` is among them, the restriction that field
// describes is not enforced anywhere — confirm both are checked by the
// command layer before relying on them.
#[allow(dead_code)]
pub struct AuthContext {
    /// The authentication method used.
    pub method: AuthMethod,
    /// Optional scope for policy-based access (set when using tokens).
    /// The constructors set `None` for master credentials and `Some(..)`
    /// for session tokens.
    pub scope: Option<String>,
    /// Whether this context allows write operations.
    /// The constructors grant `true` to master credentials and always
    /// `false` to token contexts, regardless of scope.
    pub can_write: bool,
    /// When true, secrets can only be injected via `run` — `get`, `env`, `export` are blocked.
    /// The constructors only ever set this for token contexts.
    pub run_only: bool,
}
14
/// How the caller proved its identity; one variant per credential kind.
///
/// Deriving `Debug` means `{:?}` on a `SessionToken` value prints the
/// session id. NOTE(review): keep that out of log lines if session ids are
/// sensitive — not determinable from this file.
#[derive(Debug, Clone)]
pub enum AuthMethod {
    /// The master passphrase.
    Passphrase,
    /// The master key file.
    Keyfile,
    /// A previously issued session token, identified by its session id.
    SessionToken {
        /// Identifier of the session the token belongs to.
        session_id: String,
    },
}
21
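impl AuthContext {
    /// Context for a caller that presented the master passphrase:
    /// unscoped, writable, and not `run_only`.
    pub fn master_passphrase() -> Self {
        Self::master(AuthMethod::Passphrase)
    }

    /// Context for a caller that presented the master key file:
    /// same privileges as [`Self::master_passphrase`].
    pub fn master_keyfile() -> Self {
        Self::master(AuthMethod::Keyfile)
    }

    /// Shared body of the two master constructors, so the privilege set
    /// granted to master credentials is defined in exactly one place.
    fn master(method: AuthMethod) -> Self {
        Self {
            method,
            scope: None,
            can_write: true,
            run_only: false,
        }
    }

    /// Context for a caller that presented a session token.
    ///
    /// Token contexts are always read-only: `can_write` is `false` no
    /// matter what `scope` says. `scope` is stored as given and `run_only`
    /// is carried through unchanged. Nothing here validates `scope` — an
    /// empty string is accepted as-is. NOTE(review): assumed to be checked
    /// where the token is issued or where policy is evaluated; confirm.
    pub fn from_token(session_id: String, scope: String, run_only: bool) -> Self {
        Self {
            method: AuthMethod::SessionToken { session_id },
            scope: Some(scope),
            can_write: false,
            run_only,
        }
    }

    /// Human-readable name of the acting principal (presumably for audit
    /// or log output — verify against callers).
    ///
    /// For tokens this embeds the session id verbatim; if session ids are
    /// treated as sensitive, callers should not echo this into untrusted
    /// output. TODO(review): confirm how the value is used.
    pub fn actor_name(&self) -> String {
        match &self.method {
            AuthMethod::Passphrase => "master(passphrase)".to_string(),
            AuthMethod::Keyfile => "master(keyfile)".to_string(),
            AuthMethod::SessionToken { session_id } => format!("token({})", session_id),
        }
    }
}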
53            AuthMethod::Keyfile => "master(keyfile)".to_string(),
54            AuthMethod::SessionToken { session_id } => format!("token({})", session_id),
55        }
56    }
57}