rusty-gasket 0.1.3

A plugin-based Rust framework for backend HTTP services
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203

//! Verified caller identity.
//!
//! [`Identity`] is the framework's universal "who is this caller?" type.
//! It is backend-agnostic: a JWT, an API key, or an OIDC token all produce
//! the same `Identity`. Backend-specific data can be attached via the
//! typed `attributes` extension map.

use std::collections::HashSet;

/// A verified identity produced by an authentication backend.
///
/// This is the framework's universal "who is this caller?" type. It is
/// backend-agnostic: a JWT, an API key, or an OIDC token all produce
/// the same `Identity`. Backend-specific data can be attached via the
/// typed `attributes` extension map.
///
/// Fields are private after construction to prevent accidental mutation
/// of scopes or subject by downstream handlers. Use the builder-style
/// methods on `IdentityBuilder` or `Identity::new()` to construct.
#[derive(Debug, Clone)]
pub struct Identity {
    subject: String,
    auth_method: &'static str,
    display_name: Option<String>,
    scopes: HashSet<String>,
    service_account: bool,
    privileged: bool,
    attributes: http::Extensions,
}

impl Identity {
    /// Create a minimal identity with just a subject and method.
    #[must_use]
    pub fn new(subject: impl Into<String>, auth_method: &'static str) -> Self {
        Self {
            subject: subject.into(),
            auth_method,
            display_name: None,
            scopes: HashSet::new(),
            service_account: false,
            privileged: false,
            attributes: http::Extensions::new(),
        }
    }

    /// Create an identity builder for more complex construction.
    pub fn builder(subject: impl Into<String>, auth_method: &'static str) -> IdentityBuilder {
        IdentityBuilder {
            identity: Self::new(subject, auth_method),
        }
    }

    /// Primary identifier for the caller.
    #[must_use]
    pub fn subject(&self) -> &str {
        &self.subject
    }

    /// Which authentication method produced this identity.
    #[must_use]
    pub const fn auth_method(&self) -> &'static str {
        self.auth_method
    }

    /// Optional human-readable name for logging and display.
    #[must_use]
    pub fn display_name(&self) -> Option<&str> {
        self.display_name.as_deref()
    }

    /// Scopes or permissions granted by the credential.
    #[must_use]
    pub const fn scopes(&self) -> &HashSet<String> {
        &self.scopes
    }

    /// Whether this identity has elevated/superuser privileges.
    ///
    /// Backends decide what privileged means for them: a superuser client
    /// allowlist, an admin scope, a specific issuer, etc. The framework
    /// only consumes this flag for observability (it appears as the
    /// `is_privileged` field on the request span) so SIEM rules can
    /// flag privileged actions.
    #[must_use]
    pub const fn is_privileged(&self) -> bool {
        self.privileged
    }

    /// Whether this identity represents service-to-service automation.
    ///
    /// Auth backends set this flag when the credential is a machine/service
    /// account rather than a human-delegated user token. Handlers should use
    /// the [`ServiceAccount`](rusty_gasket::auth::ServiceAccount) extractor when they need
    /// this policy enforced before business logic starts.
    #[must_use]
    pub const fn is_service_account(&self) -> bool {
        self.service_account
    }

    /// Typed extension map for backend-specific data.
    ///
    /// Organization-specific overlays can attach custom claims here.
    /// Downstream code extracts by type:
    /// `identity.attributes().get::<MyCustomClaims>()`.
    #[must_use]
    pub const fn attributes(&self) -> &http::Extensions {
        &self.attributes
    }

    /// Mutable access to the extension map.
    ///
    /// Useful for wrapper backends that augment an identity produced by an
    /// inner backend (e.g. attaching organization-specific token metadata
    /// after JWT validation has succeeded).
    pub const fn attributes_mut(&mut self) -> &mut http::Extensions {
        &mut self.attributes
    }

    /// Mark this identity as privileged. See [`Identity::is_privileged`].
    ///
    /// Useful for wrapper backends that decide privilege after the inner
    /// backend has produced an identity (e.g. an org-specific superuser
    /// allowlist applied on top of JWT validation).
    pub const fn set_privileged(&mut self, privileged: bool) {
        self.privileged = privileged;
    }

    /// Mark this identity as a service account.
    pub const fn set_service_account(&mut self, service_account: bool) {
        self.service_account = service_account;
    }

    /// Check whether this identity has a specific scope.
    #[must_use]
    pub fn has_scope(&self, scope: &str) -> bool {
        self.scopes.contains(scope)
    }

    /// Check whether this identity has all of the given scopes.
    #[must_use]
    pub fn has_all_scopes(&self, scopes: &[&str]) -> bool {
        scopes.iter().all(|s| self.scopes.contains(*s))
    }

    /// Check whether this identity has any of the given scopes.
    #[must_use]
    pub fn has_any_scope(&self, scopes: &[&str]) -> bool {
        scopes.iter().any(|s| self.scopes.contains(*s))
    }
}

/// Builder for constructing `Identity` instances with optional fields.
#[derive(Debug)]
#[must_use = "IdentityBuilder must be consumed by .build() to produce an Identity"]
pub struct IdentityBuilder {
    identity: Identity,
}

impl IdentityBuilder {
    /// Set the display name.
    pub fn display_name(mut self, name: impl Into<String>) -> Self {
        self.identity.display_name = Some(name.into());
        self
    }

    /// Add a single scope.
    pub fn scope(mut self, scope: impl Into<String>) -> Self {
        self.identity.scopes.insert(scope.into());
        self
    }

    /// Add multiple scopes.
    pub fn scopes(mut self, scopes: impl IntoIterator<Item = impl Into<String>>) -> Self {
        self.identity
            .scopes
            .extend(scopes.into_iter().map(Into::into));
        self
    }

    /// Mark the identity as privileged. See [`Identity::is_privileged`].
    pub const fn privileged(mut self, privileged: bool) -> Self {
        self.identity.privileged = privileged;
        self
    }

    /// Mark the identity as service-to-service automation.
    pub const fn service_account(mut self, service_account: bool) -> Self {
        self.identity.service_account = service_account;
        self
    }

    /// Insert a typed attribute.
    pub fn attribute<T: Clone + Send + Sync + 'static>(mut self, value: T) -> Self {
        self.identity.attributes.insert(value);
        self
    }

    /// Consume the builder and return the identity.
    #[must_use]
    pub fn build(self) -> Identity {
        self.identity
    }
}