
static_authn_plugin/
config.rs

1//! Configuration for the static `AuthN` resolver plugin.
2
3use serde::Deserialize;
4use uuid::Uuid;
5
6use modkit_security::constants::{DEFAULT_SUBJECT_ID, DEFAULT_TENANT_ID};
7
/// Settings for the static `AuthN` resolver plugin.
///
/// `#[serde(default)]` is applied to the whole struct, so every field left out
/// of the input is filled from this type's `Default` impl, and
/// `deny_unknown_fields` rejects keys that are not listed below.
///
/// Security note: with the `Default` impl in this file, an input that omits
/// `mode` resolves to `accept_all`, and an omitted `default_identity` resolves
/// to `IdentityConfig::default()`. Deployments that need per-token identities
/// must set `mode` to `static_tokens` explicitly.
#[derive(Clone, Debug, Deserialize)]
#[serde(default, deny_unknown_fields)]
pub struct StaticAuthNPluginConfig {
    /// Vendor name used when registering the GTS instance.
    pub vendor: String,

    /// Ordering of this plugin relative to others: a lower number means a
    /// higher priority.
    pub priority: i16,

    /// Which authentication strategy the plugin applies.
    pub mode: AuthNMode,

    /// Identity handed back in `accept_all` mode.
    pub default_identity: IdentityConfig,

    /// Token-to-identity table consulted in `static_tokens` mode.
    ///
    /// Each entry carries a bearer token value, so the configuration source
    /// should be handled as secret material.
    pub tokens: Vec<TokenMapping>,
}
27
impl Default for StaticAuthNPluginConfig {
    /// Builds the configuration used when no fields are supplied.
    ///
    /// The result selects `AuthNMode::AcceptAll` with
    /// `IdentityConfig::default()` as the returned identity and an empty
    /// token table. Because the struct is `#[serde(default)]`, these are also
    /// the values any omitted field takes on deserialization.
    fn default() -> Self {
        let vendor = String::from("hyperspot");
        let default_identity = IdentityConfig::default();

        Self {
            vendor,
            priority: 100,
            // Permissive mode is the fallback; `static_tokens` must be opted into.
            mode: AuthNMode::AcceptAll,
            default_identity,
            tokens: vec![],
        }
    }
}
39
/// Strategy the plugin uses to turn a presented token into an identity.
///
/// Variants are spelled in `snake_case` in configuration (`accept_all`,
/// `static_tokens`). `AcceptAll` is the `Default` variant.
#[derive(Clone, Debug, Default, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuthNMode {
    /// Any non-empty token is accepted and the default identity is returned.
    ///
    /// The token value is not tied to a specific identity in this mode, so it
    /// provides no differentiation between callers.
    // NOTE(review): the intended deployment scope of this mode (e.g. local
    // development only) is not stated in this file; confirm before relying
    // on it where tokens come from untrusted clients.
    #[default]
    AcceptAll,
    /// Specific tokens are mapped to specific identities.
    StaticTokens,
}
50
/// Identity attributes assigned to a subject.
///
/// `#[serde(default)]` is applied to the whole struct: a field missing from
/// the input is taken from this type's `Default` impl rather than rejected.
/// With the `Default` impl in this file, an entry that omits `token_scopes`
/// therefore receives `["*"]`, and one that omits the IDs receives the
/// default subject and tenant constants. Spell out all three fields for any
/// identity that is meant to be restricted.
#[derive(Clone, Debug, Deserialize)]
#[serde(default, deny_unknown_fields)]
pub struct IdentityConfig {
    /// ID of the subject (a user or a service).
    pub subject_id: Uuid,

    /// Home tenant of the subject.
    pub subject_tenant_id: Uuid,

    /// Scopes attached to the token. `["*"]` means first-party / unrestricted.
    pub token_scopes: Vec<String>,
}
64
impl Default for IdentityConfig {
    /// Returns the default subject and tenant IDs with the `["*"]` scope list.
    ///
    /// `["*"]` is the unrestricted (first-party) scope set, so any identity
    /// that falls back to this default is unrestricted as well.
    fn default() -> Self {
        let token_scopes = vec![String::from("*")];

        Self {
            subject_id: DEFAULT_SUBJECT_ID,
            subject_tenant_id: DEFAULT_TENANT_ID,
            token_scopes,
        }
    }
}
74
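/// Maps one static bearer token to the identity it stands for.
///
/// Both fields are required (there is no `#[serde(default)]` on this struct),
/// and `deny_unknown_fields` rejects any other key. Fields omitted *inside*
/// `identity` still fall back to `IdentityConfig::default()`, which includes
/// the unrestricted `["*"]` scope list.
///
/// `Debug` is implemented by hand so that the token value never reaches logs
/// or panic messages through `{:?}` formatting of this struct or of the
/// enclosing plugin configuration.
// NOTE(review): the code that matches presented tokens against `token` is not
// in this file; confirm it rejects empty configured values and compares in
// constant time.
#[derive(Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct TokenMapping {
    /// The bearer token value to match. Secret: do not log.
    pub token: String,
    /// The identity to return when this token is presented.
    pub identity: IdentityConfig,
}

impl std::fmt::Debug for TokenMapping {
    /// Formats the mapping with the token replaced by a fixed placeholder.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("TokenMapping")
            // `format_args!` prints the placeholder without string quoting.
            .field("token", &format_args!("<redacted>"))
            .field("identity", &self.identity)
            .finish()
    }
}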