axess-core 0.2.0

Core implementation for the axess library. Session state machine, multi-factor authentication engine, Cedar Policy evaluation, and pluggable storage backends. Use the `axess` facade crate unless you need direct access to internals.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333

//! Axum extractors for [`Principal`].
//!
//! `AuthPrincipal` resolves whichever principal kind the current request
//! presents; `AuthHumanPrincipal` and `AuthWorkloadPrincipal` narrow to a
//! specific variant and reject the other.
//!
//! # Resolution chain
//!
//! Today the chain is single-step: [`SessionResolver`] over the request's
//! [`AuthSession`]. When the+ workload resolvers
//! (JWT-SVID / mTLS / SPIRE) land, they'll be wired in by middleware that
//! injects a typed `PrincipalResolverChain` into request extensions; the
//! extractor will read that chain first and fall back to the session
//! resolver. The extractor surface here stays stable through that
//! change. Adopter handlers that write `async fn handler(p: AuthPrincipal, ...)`
//! today pick up new resolver kinds automatically as they land.
//!
//! # Naming
//!
//! Wrappers are named `Auth*` to parallel
//! [`crate::AuthSession`], the existing extractor pattern.
//! Foreign-type orphan rules forbid implementing
//! [`axum::extract::FromRequestParts`] directly on
//! [`axess_identity::Principal`] from inside axess-core (both types are
//! foreign); the local newtype absorbs that constraint while
//! [`std::ops::Deref`] keeps access ergonomic.

use std::ops::Deref;

use axess_identity::{
    HumanPrincipal, IdentityError, Principal, PrincipalResolver, WorkloadPrincipal,
};
use axum::extract::FromRequestParts;
use axum::http::{StatusCode, request::Parts};
use axum::response::IntoResponse;

use super::session_resolver::SessionResolver;
use crate::AuthSession;
use crate::session::extractor::SessionMissing;

/// Axum extractor that resolves the calling [`Principal`] (human or
/// workload) for the current request.
///
/// ```ignore
/// async fn handler(principal: AuthPrincipal) -> impl IntoResponse {
///     match &*principal {
///         Principal::Human(h) => format!("hello {}", h.user_id),
///         Principal::Workload(w) => format!("workload {}", w.workload_id),
///     }
/// }
/// ```
#[derive(Debug, Clone)]
pub struct AuthPrincipal(pub Principal);

impl AuthPrincipal {
    /// Consume the wrapper and return the underlying [`Principal`].
    pub fn into_inner(self) -> Principal {
        self.0
    }
}

impl Deref for AuthPrincipal {
    type Target = Principal;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

/// Axum extractor that narrows to a human principal. Resolved workloads
/// are rejected with [`PrincipalRejection::WrongKind`].
#[derive(Debug, Clone)]
pub struct AuthHumanPrincipal(pub HumanPrincipal);

impl AuthHumanPrincipal {
    /// Consume the wrapper and return the underlying [`HumanPrincipal`].
    pub fn into_inner(self) -> HumanPrincipal {
        self.0
    }
}

impl Deref for AuthHumanPrincipal {
    type Target = HumanPrincipal;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

/// Axum extractor that narrows to a workload principal. Resolved humans
/// are rejected with [`PrincipalRejection::WrongKind`].
#[derive(Debug, Clone)]
pub struct AuthWorkloadPrincipal(pub WorkloadPrincipal);

impl AuthWorkloadPrincipal {
    /// Consume the wrapper and return the underlying [`WorkloadPrincipal`].
    pub fn into_inner(self) -> WorkloadPrincipal {
        self.0
    }
}

impl Deref for AuthWorkloadPrincipal {
    type Target = WorkloadPrincipal;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

/// Reason a principal extractor refused the request.
#[derive(Debug)]
pub enum PrincipalRejection {
    /// The session layer is not installed; adopter wiring error, not a
    /// caller fault. Surfaces as 500 to match
    /// [`crate::session::extractor::SessionMissing`].
    SessionLayerMissing,

    /// No principal could be resolved for this request; typically the
    /// caller is unauthenticated. Surfaces as 401.
    NotAuthenticated,

    /// A principal was resolved but its kind (human vs. workload) does
    /// not match the extractor used. Surfaces as 403.
    WrongKind,

    /// The resolver returned an [`IdentityError`] other than
    /// `NotAuthenticated` (e.g. malformed SPIFFE ID at a future
    /// workload resolver). Surfaces as 401 to fail closed.
    Identity(IdentityError),
}

impl IntoResponse for PrincipalRejection {
    fn into_response(self) -> axum::response::Response {
        let (status, msg): (StatusCode, &'static str) = match self {
            Self::SessionLayerMissing => (
                StatusCode::INTERNAL_SERVER_ERROR,
                "session layer not installed",
            ),
            Self::NotAuthenticated => (StatusCode::UNAUTHORIZED, "not authenticated"),
            Self::WrongKind => (StatusCode::FORBIDDEN, "principal kind mismatch"),
            Self::Identity(_) => (StatusCode::UNAUTHORIZED, "identity resolution failed"),
        };
        (status, msg).into_response()
    }
}

async fn resolve_principal<S>(parts: &mut Parts, state: &S) -> Result<Principal, PrincipalRejection>
where
    S: Send + Sync,
{
    // Today: SessionResolver only.+ will read a registered
    // resolver chain from `parts.extensions` and try those first,
    // falling through to SessionResolver as the human path.
    let session = AuthSession::from_request_parts(parts, state)
        .await
        .map_err(|_: SessionMissing| PrincipalRejection::SessionLayerMissing)?;
    SessionResolver::new(session)
        .resolve()
        .await
        .map_err(|e| match e {
            IdentityError::NotAuthenticated => PrincipalRejection::NotAuthenticated,
            other => PrincipalRejection::Identity(other),
        })
}

impl<S> FromRequestParts<S> for AuthPrincipal
where
    S: Send + Sync,
{
    type Rejection = PrincipalRejection;

    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
        resolve_principal(parts, state).await.map(AuthPrincipal)
    }
}

impl<S> FromRequestParts<S> for AuthHumanPrincipal
where
    S: Send + Sync,
{
    type Rejection = PrincipalRejection;

    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
        match resolve_principal(parts, state).await? {
            Principal::Human(h) => Ok(AuthHumanPrincipal(h)),
            Principal::Workload(_) => Err(PrincipalRejection::WrongKind),
        }
    }
}

impl<S> FromRequestParts<S> for AuthWorkloadPrincipal
where
    S: Send + Sync,
{
    type Rejection = PrincipalRejection;

    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
        match resolve_principal(parts, state).await? {
            Principal::Workload(w) => Ok(AuthWorkloadPrincipal(w)),
            Principal::Human(_) => Err(PrincipalRejection::WrongKind),
        }
    }
}

#[cfg(test)]
mod tests {
    use std::sync::Arc;

    use axum::http::{Request, StatusCode};
    use tokio::sync::RwLock;

    use super::*;
    use crate::session::data::SessionData;
    use crate::session::id::SessionId;
    use crate::session::layer::{SessionHandle, SessionInner};
    use crate::{AuthState, TenantId, UserId};
    use axess_rng::SystemRng;

    fn make_parts_with_session(data: SessionData) -> Parts {
        let inner = SessionInner {
            id: SessionId::new(&SystemRng),
            data,
            modified: false,
            regenerate: false,
            pre_cycle_id: None,
            pending_fingerprint: None,
            max_custom_bytes: 64 * 1024,
        };
        let handle = SessionHandle(Arc::new(RwLock::new(inner)));
        let request = Request::builder()
            .uri("/")
            .extension(handle)
            .body(())
            .expect("build request");
        let (parts, _) = request.into_parts();
        parts
    }

    fn make_parts_without_session() -> Parts {
        let request = Request::builder().uri("/").body(()).expect("build request");
        let (parts, _) = request.into_parts();
        parts
    }

    fn authenticated(user_id: UserId, tenant_id: TenantId) -> SessionData {
        SessionData {
            auth_state: AuthState::Authenticated {
                user_id,
                tenant_id,
                authn_time: chrono::Utc::now(),
                factors_completed: Vec::new(),
            },
            ..SessionData::default()
        }
    }

    /// Authenticated session resolves to a human principal.
    #[tokio::test]
    async fn auth_principal_resolves_human_from_session() {
        let user_id = UserId::new(&SystemRng);
        let tenant_id = TenantId::new(&SystemRng);
        let mut parts = make_parts_with_session(authenticated(user_id, tenant_id));

        let extracted = AuthPrincipal::from_request_parts(&mut parts, &()).await;
        let principal = extracted.expect("authenticated session must resolve").0;
        match principal {
            Principal::Human(h) => {
                assert_eq!(h.user_id, user_id);
                assert_eq!(h.tenant_id, tenant_id);
            }
            Principal::Workload(_) => panic!("session-backed extractor returned workload"),
        }
    }

    /// Guest session rejects with 401.
    #[tokio::test]
    async fn auth_principal_rejects_guest_session() {
        let mut parts = make_parts_with_session(SessionData::default());
        let err = AuthPrincipal::from_request_parts(&mut parts, &())
            .await
            .expect_err("guest session must reject");
        assert!(
            matches!(err, PrincipalRejection::NotAuthenticated),
            "got {err:?}"
        );
        assert_eq!(err.into_response().status(), StatusCode::UNAUTHORIZED);
    }

    /// Missing session layer surfaces 500 (adopter wiring error).
    #[tokio::test]
    async fn auth_principal_rejects_missing_session_layer() {
        let mut parts = make_parts_without_session();
        let err = AuthPrincipal::from_request_parts(&mut parts, &())
            .await
            .expect_err("no session layer must reject");
        assert!(
            matches!(err, PrincipalRejection::SessionLayerMissing),
            "got {err:?}"
        );
        assert_eq!(
            err.into_response().status(),
            StatusCode::INTERNAL_SERVER_ERROR
        );
    }

    /// Human-narrowing extractor succeeds when a human resolves.
    #[tokio::test]
    async fn auth_human_principal_succeeds_for_session() {
        let user_id = UserId::new(&SystemRng);
        let tenant_id = TenantId::new(&SystemRng);
        let mut parts = make_parts_with_session(authenticated(user_id, tenant_id));

        let human = AuthHumanPrincipal::from_request_parts(&mut parts, &())
            .await
            .expect("human extractor must succeed");
        assert_eq!(human.user_id, user_id);
    }

    /// Workload-narrowing extractor rejects with 403 when only a human
    /// is available (the case today; no workload resolver wired).
    #[tokio::test]
    async fn auth_workload_principal_rejects_human() {
        let user_id = UserId::new(&SystemRng);
        let tenant_id = TenantId::new(&SystemRng);
        let mut parts = make_parts_with_session(authenticated(user_id, tenant_id));

        let err = AuthWorkloadPrincipal::from_request_parts(&mut parts, &())
            .await
            .expect_err("workload extractor over human session must reject");
        assert!(matches!(err, PrincipalRejection::WrongKind), "got {err:?}");
        assert_eq!(err.into_response().status(), StatusCode::FORBIDDEN);
    }
}