aliri_tower 0.6.1

Tower middleware for interacting with `aliri` authorities
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165

use std::{fmt, marker::PhantomData};

use aliri::jwt::CoreClaims;
use aliri_oauth2::{
    scope::{BasicClaimsWithScope, HasScope},
    Authority, ScopePolicy,
};
use http_body::Body;
use tower_http::validate_request::{ValidateRequest, ValidateRequestHeaderLayer};

use crate::{OnJwtError, OnScopeError, TerseErrorHandler, VerboseErrorHandler};

/// Builder for generating layers that authenticate JWTs and authorize access
/// based on oauth2 scope grants
pub struct Oauth2Authorizer<Claims, OnError> {
    on_error: OnError,
    _claim: PhantomData<fn() -> Claims>,
}

impl<Claims, OnError> Clone for Oauth2Authorizer<Claims, OnError>
where
    OnError: Clone,
{
    fn clone(&self) -> Self {
        Self {
            on_error: self.on_error.clone(),
            _claim: PhantomData,
        }
    }
}

impl<Claims, OnError> Copy for Oauth2Authorizer<Claims, OnError> where OnError: Copy {}

impl<Claims, OnError> fmt::Debug for Oauth2Authorizer<Claims, OnError>
where
    OnError: fmt::Debug,
{
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        f.debug_struct("Authorizer")
            .field("on_error", &self.on_error)
            .finish()
    }
}

impl Oauth2Authorizer<BasicClaimsWithScope, ()> {
    /// Constructs a new scopes verifier with the default deny all scopes policy
    #[inline]
    pub fn new() -> Oauth2Authorizer<BasicClaimsWithScope, ()> {
        Self {
            on_error: (),
            _claim: PhantomData,
        }
    }
}

impl<OnError> Oauth2Authorizer<BasicClaimsWithScope, OnError> {
    /// Verification will expect the given custom claims object in request extensions
    #[inline]
    pub fn with_claims<Claims: HasScope>(self) -> Oauth2Authorizer<Claims, OnError> {
        Oauth2Authorizer {
            on_error: self.on_error,
            _claim: PhantomData,
        }
    }
}

impl<Claims> Oauth2Authorizer<Claims, ()> {
    /// Attaches a custom error handler to generate responses
    /// in the event of a verification failure
    #[inline]
    pub fn with_error_handler<OnError>(
        self,
        on_error: OnError,
    ) -> Oauth2Authorizer<Claims, OnError> {
        Oauth2Authorizer {
            on_error,
            _claim: self._claim,
        }
    }

    /// Attaches the default terse error handler: [`TerseErrorHandler`]
    ///
    /// This error handler generates responses containing the relevant
    /// status code with an empty body
    #[inline]
    pub fn with_terse_error_handler<ResBody: Body + Default>(
        self,
    ) -> Oauth2Authorizer<Claims, TerseErrorHandler<ResBody>> {
        Oauth2Authorizer {
            on_error: TerseErrorHandler::new(),
            _claim: self._claim,
        }
    }

    /// Attaches the default verbose error handler: [`VerboseErrorHandler`]
    ///
    /// This error handler generates responses containing the relevant
    /// status code with an empty body
    #[inline]
    pub fn with_verbose_error_handler<ResBody: Body + Default>(
        self,
    ) -> Oauth2Authorizer<Claims, VerboseErrorHandler<ResBody>> {
        Oauth2Authorizer {
            on_error: VerboseErrorHandler::new(),
            _claim: self._claim,
        }
    }
}

impl<Claims, OnError> Oauth2Authorizer<Claims, OnError>
where
    OnError: OnJwtError + Clone,
    OnError::Body: Body + Default,
    Claims:
        for<'de> serde::Deserialize<'de> + HasScope + CoreClaims + Clone + Send + Sync + 'static,
{
    /// Authorizer layer that verifies the validity of a JWT
    ///
    /// The JWT will be parsed from the request `Authorization` header and
    /// checked for validity by an [`Authority`].
    ///
    /// The extracted `Claims` in the JWT payload will be made available
    /// through [`Request::extensions`][http::Request::extensions].
    pub fn jwt_layer<ReqBody>(
        &self,
        authority: Authority,
    ) -> ValidateRequestHeaderLayer<
        impl ValidateRequest<ReqBody, ResponseBody = OnError::Body> + Clone,
    > {
        ValidateRequestHeaderLayer::custom(crate::jwt::VerifyJwt::<Claims, _>::new(
            authority,
            self.on_error.clone(),
        ))
    }
}

impl<Claims, OnError> Oauth2Authorizer<Claims, OnError>
where
    OnError: OnScopeError + Clone,
    OnError::Body: Body + Default,
    Claims: HasScope + Send + Sync + 'static,
{
    /// Authorizer layer that checks the access granted by a scopes claim
    /// against a scopes policy
    ///
    /// The `Claims` object is expected to have already been added to
    /// the [`Request::extensions`][http::Request::extensions].
    pub fn scope_layer<ReqBody>(
        &self,
        policy: ScopePolicy,
    ) -> ValidateRequestHeaderLayer<
        impl ValidateRequest<ReqBody, ResponseBody = OnError::Body> + Clone,
    > {
        ValidateRequestHeaderLayer::custom(crate::oauth2::VerifyScope::<Claims, _>::new(
            policy,
            self.on_error.clone(),
        ))
    }
}

impl Default for Oauth2Authorizer<BasicClaimsWithScope, ()> {
    fn default() -> Self {
        Self::new()
    }
}