pdk-token-introspection-lib 1.7.0

PDK Token Introspection Library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

// Copyright (c) 2026, Salesforce, Inc.,
// All rights reserved.
// For full license text, see the LICENSE.txt file

//! Error types for token introspection operations.
//!
//! This module contains all error types used across the token introspection library.

use thiserror::Error;

/// Policy configuration errors.
#[non_exhaustive]
#[derive(Error, Debug, PartialEq, Eq)]
pub enum ConfigError {
    /// Invalid Introspection URL.
    #[error("Config error: the introspection URL is not valid")]
    InvalidIntrospectionURL,
    /// Invalid authorization value.
    #[error("Config error: invalid authorization value")]
    InvalidAuthorizationValue,
    /// Invalid consumer_by value.
    #[error("Config error: invalid consumer_by value")]
    InvalidConsumerBy,
}

/// Errors related to token validation.
#[non_exhaustive]
#[derive(Error, Debug, PartialEq, Eq)]
pub enum ValidationError {
    /// Token has expired.
    #[error("Token has expired.")]
    TokenExpired,
    /// Token has been revoked.
    #[error("Token has been revoked.")]
    TokenRevoked,
    /// The required scopes are not authorized.
    #[error("The required scopes are not authorized")]
    InvalidScopes,
    /// Token is inactive.
    #[error("Token is inactive.")]
    TokenInactive,
    /// The contract collector is not set.
    #[error("The contract collector is not set")]
    EmptyContractValidator,
    /// Invalid client contracts.
    #[error("Invalid Client")]
    InvalidClientContracts {
        name: Option<String>,
        id: Option<String>,
    },
}

/// Errors from the introspection flow.
#[non_exhaustive]
#[derive(Error, Debug)]
pub enum IntrospectionError {
    /// HTTP request to introspection endpoint failed.
    #[error("Introspection request failed: {0}")]
    RequestFailed(String),
    /// HTTP response status was not 200.
    #[error("Introspection HTTP error: status={status}, body={body}")]
    HttpError { status: u32, body: String },
    /// Failed to parse introspection response.
    #[error("Failed to parse introspection response: {0}")]
    ParseError(String),
    /// Token validation failed.
    #[error("Token validation failed: {0}")]
    Validation(#[from] ValidationError),
}

/// Errors related to token parsing and caching.
#[derive(Error, Debug, PartialEq, Eq)]
pub(crate) enum TokenError {
    /// Unexpected error when deserializing cached value.
    #[error("Unexpected error when deserializing cached value: {msg:}")]
    BinaryDeserializeError { msg: String },
    /// Unexpected error when serializing cached value.
    #[error("Unexpected error when serializing cached value: {msg:}")]
    BinarySerializeError { msg: String },
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn config_error_messages_contain_context() {
        let err = ConfigError::InvalidIntrospectionURL;
        assert!(err.to_string().contains("introspection URL"));
        assert!(!err.to_string().contains("authorization")); // proves distinction

        let err = ConfigError::InvalidAuthorizationValue;
        assert!(err.to_string().contains("authorization"));
        assert!(!err.to_string().contains("introspection URL")); // proves distinction
    }

    #[test]
    fn validation_errors_are_distinct() {
        let expired = ValidationError::TokenExpired.to_string();
        let revoked = ValidationError::TokenRevoked.to_string();
        let scopes = ValidationError::InvalidScopes.to_string();

        // Each has unique message
        assert!(expired.contains("expired"));
        assert!(revoked.contains("revoked"));
        assert!(scopes.contains("scopes"));

        // Messages are distinct
        assert_ne!(expired, revoked);
        assert_ne!(revoked, scopes);
    }

    #[test]
    fn token_error_messages_include_dynamic_fields() {
        let err1 = TokenError::BinaryDeserializeError {
            msg: "invalid data".to_string(),
        };
        let err2 = TokenError::BinaryDeserializeError {
            msg: "other error".to_string(),
        };
        assert!(err1.to_string().contains("invalid data"));
        assert!(err2.to_string().contains("other error"));
        assert_ne!(err1.to_string(), err2.to_string()); // proves dynamic

        let err3 = TokenError::BinarySerializeError {
            msg: "serialize error".to_string(),
        };
        assert!(err3.to_string().contains("serialize error"));
        assert_ne!(err1.to_string(), err3.to_string()); // proves distinction
    }
}