
static_authn_plugin/
module.rs

1//! Static `AuthN` resolver plugin module.
2
3use std::sync::{Arc, OnceLock};
4
5use async_trait::async_trait;
6use authn_resolver_sdk::{AuthNResolverPluginClient, AuthNResolverPluginSpecV1};
7use modkit::Module;
8use modkit::client_hub::ClientScope;
9use modkit::context::ModuleCtx;
10use modkit::gts::BaseModkitPluginV1;
11use tracing::info;
12use types_registry_sdk::{RegisterResult, TypesRegistryClient};
13
14use crate::config::StaticAuthNPluginConfig;
15use crate::domain::Service;
16
/// `AuthN` resolver plugin backed by static configuration.
///
/// Maps bearer tokens to identities using the values supplied in the plugin's
/// configuration.
///
/// # Plugin registration
///
/// - The gateway registers the plugin schema (the GTS type definition).
/// - This plugin registers its own instance (implementation metadata).
/// - This plugin registers its scoped client (the implementation) in `ClientHub`.
#[modkit::module(name = "static-authn-plugin", deps = ["types-registry"])]
pub struct StaticAuthNPlugin {
    /// Resolver service; empty until `Module::init` stores it, and set at most once.
    service: OnceLock<Arc<Service>>,
}
32
impl Default for StaticAuthNPlugin {
    /// Builds a plugin whose service slot is still empty; `init` fills it in.
    fn default() -> Self {
        let service = OnceLock::new();
        Self { service }
    }
}
40
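#[async_trait]
impl Module for StaticAuthNPlugin {
    /// Loads the plugin configuration, registers the plugin instance in the
    /// types registry, and exposes the resolver service as a scoped client.
    ///
    /// # Errors
    ///
    /// Returns an error if the module was already initialized, if the
    /// configuration cannot be loaded, if the `TypesRegistryClient` cannot be
    /// obtained from the client hub, if the instance cannot be serialized, or
    /// if the registry call fails or reports an unsuccessful registration.
    async fn init(&self, ctx: &ModuleCtx) -> anyhow::Result<()> {
        // Fail fast on a repeated `init`, so a second call is rejected before it
        // re-registers the instance in types-registry. The `set` further down
        // still guards against two concurrent first calls.
        if self.service.get().is_some() {
            return Err(anyhow::anyhow!(
                "{} module already initialized",
                Self::MODULE_NAME
            ));
        }

        // Load configuration
        let cfg: StaticAuthNPluginConfig = ctx.config()?;

        // NOTE(review): `accept_all` only produces a warning here; nothing in this
        // function prevents the mode from being enabled in a production deployment.
        // Consider requiring an explicit opt-in, or rejecting the mode outside
        // development builds, so a misconfiguration fails closed.
        if matches!(cfg.mode, crate::config::AuthNMode::AcceptAll) {
            tracing::warn!(
                "Static AuthN plugin is running in `accept_all` mode \u{2014} \
                 all bearer tokens will be accepted with a hardcoded identity. \
                 Do NOT use this mode in production."
            );
        }

        // Only the number of configured tokens is logged, never the token values.
        info!(
            vendor = %cfg.vendor,
            priority = cfg.priority,
            mode = ?cfg.mode,
            token_count = cfg.tokens.len(),
            "Loaded plugin configuration"
        );

        // Generate plugin instance ID
        let instance_id = AuthNResolverPluginSpecV1::gts_make_instance_id(
            "hyperspot.builtin.static_authn_resolver.plugin.v1",
        );

        // Register plugin instance in types-registry
        let registry = ctx.client_hub().get::<dyn TypesRegistryClient>()?;
        let instance = BaseModkitPluginV1::<AuthNResolverPluginSpecV1> {
            id: instance_id.clone(),
            vendor: cfg.vendor.clone(),
            priority: cfg.priority,
            properties: AuthNResolverPluginSpecV1,
        };
        let instance_json = serde_json::to_value(&instance)?;

        // The call itself can fail, and so can individual entries in its result.
        let results = registry.register(vec![instance_json]).await?;
        RegisterResult::ensure_all_ok(&results)?;

        // Create service from config
        let service = Arc::new(Service::from_config(&cfg));
        self.service
            .set(Arc::clone(&service))
            .map_err(|_| anyhow::anyhow!("{} module already initialized", Self::MODULE_NAME))?;

        // Register scoped client in ClientHub, keyed by this instance's GTS id.
        let api: Arc<dyn AuthNResolverPluginClient> = service;
        ctx.client_hub()
            .register_scoped::<dyn AuthNResolverPluginClient>(
                ClientScope::gts_id(&instance_id),
                api,
            );

        info!(instance_id = %instance_id);
        Ok(())
    }
}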