Skip to main content

Permission

modkit_auth::claims

Struct Permission 

Source 
pub struct Permission { /* private fields */ }
Expand description

Represents a permission from JWT claims. Serializes to format: "{tenant_id}:{resource_pattern}:{resource_id}:{action}" where tenant_id and resource_id are “*” if None. This is compatible with modkit_security::Permission.

Implementations§

Source§

impl Permission

Source

pub fn builder() -> PermissionBuilder

Examples found in repository?
examples/dispatcher_usage.rs (line 72)
26    fn normalize(&self, raw: &Value) -> Result<Claims, ClaimsError> {
27        let issuer_value = raw
28            .get("iss")
29            .ok_or_else(|| ClaimsError::MissingClaim("iss".to_owned()))?;
30        let issuer = extract_string(issuer_value, "iss")?;
31
32        let sub_value = raw
33            .get("sub")
34            .ok_or_else(|| ClaimsError::MissingClaim("sub".to_owned()))?;
35        let subject = parse_uuid_from_value(sub_value, "sub")?;
36
37        let audiences = raw.get("aud").map(extract_audiences).unwrap_or_default();
38
39        let expires_at = raw
40            .get("exp")
41            .map(|value| parse_timestamp(value, "exp"))
42            .transpose()?;
43
44        let not_before = raw
45            .get("nbf")
46            .map(|value| parse_timestamp(value, "nbf"))
47            .transpose()?;
48
49        let issued_at = raw
50            .get("iat")
51            .map(|value| parse_timestamp(value, "iat"))
52            .transpose()?;
53
54        let jwt_id = raw
55            .get("jti")
56            .and_then(|v| v.as_str())
57            .map(ToString::to_string);
58
59        let tenant_id_value = raw
60            .get("tenant_id")
61            .ok_or_else(|| ClaimsError::MissingClaim("tenant_id".to_owned()))?;
62        let tenant_id = parse_uuid_from_value(tenant_id_value, "tenant_id")?;
63
64        let permissions: Vec<Permission> = raw
65            .get("roles")
66            .and_then(Value::as_array)
67            .map(|arr| {
68                arr.iter()
69                    .filter_map(|value| value.as_str())
70                    .filter_map(|role| {
71                        if let Some(pos) = role.rfind(':') {
72                            Permission::builder()
73                                .resource_pattern(&role[..pos])
74                                .action(&role[pos + 1..])
75                                .build()
76                                .ok()
77                        } else {
78                            Permission::builder()
79                                .resource_pattern(role)
80                                .action("*")
81                                .build()
82                                .ok()
83                        }
84                    })
85                    .collect()
86            })
87            .unwrap_or_default();
88
89        Ok(Claims {
90            issuer,
91            subject,
92            audiences,
93            expires_at,
94            not_before,
95            issued_at,
96            jwt_id,
97            tenant_id,
98            permissions,
99            extras: serde_json::Map::new(),
100        })
101    }
Source

pub fn tenant_id(&self) -> Option<Uuid>

Source

pub fn resource_pattern(&self) -> &str

Examples found in repository?
examples/dispatcher_usage.rs (line 181)
127async fn main() -> Result<(), Box<dyn std::error::Error>> {
128    let mut plugins = PluginRegistry::default();
129    plugins.register("demo", Arc::new(DemoClaimsPlugin));
130
131    let mut plugin_configs = HashMap::new();
132    plugin_configs.insert(
133        "demo".to_owned(),
134        PluginConfig::Oidc {
135            tenant_claim: "tenants".to_owned(),
136            roles_claim: "roles".to_owned(),
137        },
138    );
139
140    let config = AuthConfig {
141        mode: AuthModeConfig {
142            provider: "demo".to_owned(),
143        },
144        issuers: vec!["https://issuer.local".to_owned()],
145        audiences: vec!["demo-api".to_owned()],
146        plugins: plugin_configs,
147        ..AuthConfig::default()
148    };
149
150    let validation = ValidationConfig {
151        allowed_issuers: config.issuers.clone(),
152        allowed_audiences: config.audiences.clone(),
153        leeway_seconds: config.leeway_seconds,
154        require_uuid_subject: true,
155        require_uuid_tenants: true,
156    };
157
158    let subject = Uuid::new_v4();
159    let tenant = Uuid::new_v4();
160    let expires_at = OffsetDateTime::now_utc() + Duration::minutes(15);
161
162    let raw_claims = serde_json::json!({
163        "iss": "https://issuer.local",
164        "sub": subject.to_string(),
165        "aud": ["demo-api"],
166        "exp": expires_at.unix_timestamp(),
167        "tenant_id": tenant.to_string(),
168        "roles": ["viewer:read"]
169    });
170
171    let dispatcher = AuthDispatcher::new(validation, &config, &plugins)?
172        .with_key_provider(Arc::new(StaticKeyProvider::new(raw_claims)));
173
174    let claims = dispatcher.validate_jwt("demo-token").await?;
175    let perm_list = if claims.permissions.is_empty() {
176        "none".to_owned()
177    } else {
178        claims
179            .permissions
180            .iter()
181            .map(|p| format!("{}:{}", p.resource_pattern(), p.action()))
182            .collect::<Vec<_>>()
183            .join(", ")
184    };
185    println!(
186        "Validated token for subject {} with permissions {}",
187        claims.subject, perm_list
188    );
189
190    Ok(())
191}
Source

pub fn resource_id(&self) -> Option<Uuid>

Source

pub fn action(&self) -> &str

Examples found in repository?
examples/dispatcher_usage.rs (line 181)
127async fn main() -> Result<(), Box<dyn std::error::Error>> {
128    let mut plugins = PluginRegistry::default();
129    plugins.register("demo", Arc::new(DemoClaimsPlugin));
130
131    let mut plugin_configs = HashMap::new();
132    plugin_configs.insert(
133        "demo".to_owned(),
134        PluginConfig::Oidc {
135            tenant_claim: "tenants".to_owned(),
136            roles_claim: "roles".to_owned(),
137        },
138    );
139
140    let config = AuthConfig {
141        mode: AuthModeConfig {
142            provider: "demo".to_owned(),
143        },
144        issuers: vec!["https://issuer.local".to_owned()],
145        audiences: vec!["demo-api".to_owned()],
146        plugins: plugin_configs,
147        ..AuthConfig::default()
148    };
149
150    let validation = ValidationConfig {
151        allowed_issuers: config.issuers.clone(),
152        allowed_audiences: config.audiences.clone(),
153        leeway_seconds: config.leeway_seconds,
154        require_uuid_subject: true,
155        require_uuid_tenants: true,
156    };
157
158    let subject = Uuid::new_v4();
159    let tenant = Uuid::new_v4();
160    let expires_at = OffsetDateTime::now_utc() + Duration::minutes(15);
161
162    let raw_claims = serde_json::json!({
163        "iss": "https://issuer.local",
164        "sub": subject.to_string(),
165        "aud": ["demo-api"],
166        "exp": expires_at.unix_timestamp(),
167        "tenant_id": tenant.to_string(),
168        "roles": ["viewer:read"]
169    });
170
171    let dispatcher = AuthDispatcher::new(validation, &config, &plugins)?
172        .with_key_provider(Arc::new(StaticKeyProvider::new(raw_claims)));
173
174    let claims = dispatcher.validate_jwt("demo-token").await?;
175    let perm_list = if claims.permissions.is_empty() {
176        "none".to_owned()
177    } else {
178        claims
179            .permissions
180            .iter()
181            .map(|p| format!("{}:{}", p.resource_pattern(), p.action()))
182            .collect::<Vec<_>>()
183            .join(", ")
184    };
185    println!(
186        "Validated token for subject {} with permissions {}",
187        claims.subject, perm_list
188    );
189
190    Ok(())
191}

Trait Implementations§

Source§

impl Clone for Permission

Source§

fn clone(&self) -> Permission

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Permission

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<'de> Deserialize<'de> for Permission

Source§

fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl Ord for Permission

Source§

fn cmp(&self, other: &Permission) -> Ordering

This method returns an Ordering between self and other. Read more
1.21.0 · Source§

fn max(self, other: Self) -> Self
where Self: Sized,

Compares and returns the maximum of two values. Read more
1.21.0 · Source§

fn min(self, other: Self) -> Self
where Self: Sized,

Compares and returns the minimum of two values. Read more
1.50.0 · Source§

fn clamp(self, min: Self, max: Self) -> Self
where Self: Sized,

Restrict a value to a certain interval. Read more
Source§

impl PartialEq for Permission

Source§

fn eq(&self, other: &Permission) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl PartialOrd for Permission

Source§

fn partial_cmp(&self, other: &Permission) -> Option<Ordering>

This method returns an ordering between self and other values if one exists. Read more
1.0.0 · Source§

fn lt(&self, other: &Rhs) -> bool

Tests less than (for self and other) and is used by the < operator. Read more
1.0.0 · Source§

fn le(&self, other: &Rhs) -> bool

Tests less than or equal to (for self and other) and is used by the <= operator. Read more
1.0.0 · Source§

fn gt(&self, other: &Rhs) -> bool

Tests greater than (for self and other) and is used by the > operator. Read more
1.0.0 · Source§

fn ge(&self, other: &Rhs) -> bool

Tests greater than or equal to (for self and other) and is used by the >= operator. Read more
Source§

impl Serialize for Permission

Source§

fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where S: Serializer,

Serialize this value into the given Serde serializer. Read more
Source§

impl Eq for Permission

Source§

impl StructuralPartialEq for Permission

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> FromRef<T> for T
where T: Clone,

Source§

fn from_ref(input: &T) -> T

Converts to this type from a reference to the input type.
Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,

Source§

impl<A, B, T> HttpServerConnExec<A, B> for T
where B: Body,