osproxy-spi 1.0.0

Public SPI traits implementers provide. Depends only on osproxy-core.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

//! Authentication and authorization contracts.
//!
//! Separated so policy can evolve independently (`docs/02` ยง3): an
//! [`Authenticator`] turns wire credentials into a [`Principal`]; an
//! [`Authorizer`] decides whether that principal may perform an action. Both are
//! provided by the implementer. The credential material itself
//! ([`ClientCredentials`]) is consumed here and never reaches the routing SPI or
//! telemetry (NFR-S2).

use osproxy_core::{EndpointKind, ErrorCode};
use thiserror::Error;

use crate::principal::Principal;

/// The raw client credentials extracted from a request by the transport.
///
/// Holds only what the authenticator needs; it is dropped after authentication,
/// so the bearer token never flows downstream. The TLS slice populates
/// [`ClientCredentials::client_cert_subject`] on mTLS termination.
#[derive(Clone, PartialEq, Eq, Debug, Default)]
pub struct ClientCredentials {
    /// A bearer token from the `Authorization` header, if present.
    pub bearer_token: Option<String>,
    /// The verified client-certificate subject from mTLS, if the connection was
    /// mutually authenticated.
    pub client_cert_subject: Option<String>,
}

impl ClientCredentials {
    /// Credentials carrying just a bearer token.
    #[must_use]
    pub fn bearer(token: impl Into<String>) -> Self {
        Self {
            bearer_token: Some(token.into()),
            client_cert_subject: None,
        }
    }

    /// Whether any credential is present.
    #[must_use]
    pub fn is_empty(&self) -> bool {
        self.bearer_token.is_none() && self.client_cert_subject.is_none()
    }
}

/// The action a principal is attempting, for authorization.
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct Action {
    /// The endpoint class being invoked.
    pub endpoint: EndpointKind,
    /// The logical index targeted (a name, never a value).
    pub logical_index: String,
}

/// A failure to authenticate or authorize a request.
#[non_exhaustive]
#[derive(Clone, PartialEq, Eq, Debug, Error)]
pub enum AuthError {
    /// No credentials were presented but the deployment requires them.
    #[error("missing credentials")]
    MissingCredentials,
    /// Credentials were presented but are not valid.
    #[error("invalid credentials")]
    InvalidCredentials,
    /// The principal is authenticated but not permitted the action.
    #[error("not authorized for the requested action")]
    Unauthorized,
}

impl AuthError {
    /// The stable [`ErrorCode`] for this failure.
    #[must_use]
    pub fn code(&self) -> ErrorCode {
        match self {
            Self::MissingCredentials | Self::InvalidCredentials => ErrorCode::AuthFailed,
            Self::Unauthorized => ErrorCode::Unauthorized,
        }
    }

    /// The HTTP status this failure maps to (401 vs 403).
    #[must_use]
    pub fn http_status(&self) -> u16 {
        match self {
            Self::MissingCredentials | Self::InvalidCredentials => 401,
            Self::Unauthorized => 403,
        }
    }
}

/// Authenticates a client and returns the principal. mTLS and/or token.
///
/// Consumed through generics (no dyn on the hot path); the future must be `Send`.
///
/// # Examples
///
/// ```
/// use osproxy_core::PrincipalId;
/// use osproxy_spi::{Authenticator, AuthError, ClientCredentials, Principal};
///
/// struct AllowAnyToken;
///
/// impl Authenticator for AllowAnyToken {
///     async fn authenticate(&self, creds: &ClientCredentials) -> Result<Principal, AuthError> {
///         let token = creds.bearer_token.as_deref().ok_or(AuthError::MissingCredentials)?;
///         Ok(Principal::new(PrincipalId::from(token)))
///     }
/// }
/// ```
pub trait Authenticator: Send + Sync + 'static {
    /// Authenticates the credentials, returning the principal.
    ///
    /// # Errors
    ///
    /// Returns [`AuthError::MissingCredentials`] or [`AuthError::InvalidCredentials`].
    fn authenticate(
        &self,
        creds: &ClientCredentials,
    ) -> impl std::future::Future<Output = Result<Principal, AuthError>> + Send;
}

/// Authorizes a resolved request. Separate from authentication so policy can
/// evolve independently.
pub trait Authorizer: Send + Sync + 'static {
    /// Decides whether `principal` may perform `action`.
    ///
    /// # Errors
    ///
    /// Returns [`AuthError::Unauthorized`] if the action is not permitted.
    fn authorize(
        &self,
        principal: &Principal,
        action: &Action,
    ) -> impl std::future::Future<Output = Result<(), AuthError>> + Send;
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn auth_errors_map_to_codes_and_statuses() {
        assert_eq!(AuthError::MissingCredentials.code(), ErrorCode::AuthFailed);
        assert_eq!(AuthError::MissingCredentials.http_status(), 401);
        assert_eq!(AuthError::Unauthorized.code(), ErrorCode::Unauthorized);
        assert_eq!(AuthError::Unauthorized.http_status(), 403);
    }

    #[test]
    fn credentials_helpers() {
        assert!(ClientCredentials::default().is_empty());
        let c = ClientCredentials::bearer("t");
        assert!(!c.is_empty());
        assert_eq!(c.bearer_token.as_deref(), Some("t"));
    }
}