securitydept-token-set-context 0.2.0

Token Set Context of SecurityDept, a layered authentication and authorization toolkit built as reusable Rust crates.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204

//! `frontend-oidc` mode runtime.
//!
//! In `frontend-oidc` mode the browser runs the full OIDC flow. The Rust
//! backend provides configuration projection but does not host a
//! client/callback/refresh runtime.
//!
//! `FrontendOidcModeRuntime` exists as the formal runtime landing point so
//! that future capabilities (browser-callback policy enforcement, frontend
//! token handoff validation, address validation, etc.) have a proper owner.

use securitydept_utils::observability::{
    AuthFlowDiagnosis, AuthFlowDiagnosisField, AuthFlowOperation, DiagnosedResult,
};

use super::{
    capabilities::FrontendOidcModeCapabilities, config::ResolvedFrontendOidcModeConfig,
    contracts::FrontendOidcModeConfigProjection,
};

// ---------------------------------------------------------------------------
// Runtime
// ---------------------------------------------------------------------------

/// Runtime for `frontend-oidc` mode.
///
/// Wraps the resolved config (which already embeds capabilities) and provides
/// helpers for config projection generation. Capabilities are accessed via
/// `self.config.capabilities` — they are carried through from the raw config
/// by [`FrontendOidcModeConfigSource::resolve_all`].
#[derive(Debug, Clone)]
pub struct FrontendOidcModeRuntime {
    config: ResolvedFrontendOidcModeConfig,
}

impl FrontendOidcModeRuntime {
    /// Create a new runtime from a resolved config.
    ///
    /// Emits startup warnings for any unsafe capabilities that are enabled.
    pub fn new(config: ResolvedFrontendOidcModeConfig) -> Self {
        config.capabilities.warn_unsafe();
        Self { config }
    }

    /// Access the resolved config (including capabilities).
    pub fn config(&self) -> &ResolvedFrontendOidcModeConfig {
        &self.config
    }

    /// Access the capability axes.
    pub fn capabilities(&self) -> &FrontendOidcModeCapabilities {
        &self.config.capabilities
    }

    /// Build a config projection for the frontend.
    ///
    /// Capability settings are read from `self.config.capabilities` — e.g.
    /// `client_secret` is only included when `UnsafeFrontendClientSecret` is
    /// enabled.
    ///
    /// # Errors
    ///
    /// Returns an `io::Error` if the claims check script file cannot be read.
    pub async fn config_projection(&self) -> std::io::Result<FrontendOidcModeConfigProjection> {
        self.config_projection_with_diagnosis().await.into_result()
    }

    /// Build a config projection and return a machine-readable diagnosis.
    pub async fn config_projection_with_diagnosis(
        &self,
    ) -> DiagnosedResult<FrontendOidcModeConfigProjection, std::io::Error> {
        let base_diagnosis = AuthFlowDiagnosis::started(AuthFlowOperation::PROJECTION_CONFIG_FETCH)
            .field(AuthFlowDiagnosisField::MODE, "frontend_oidc")
            .field("client_id", self.config.oidc_client.client_id.clone())
            .field("pkce_enabled", self.config.oidc_client.pkce_enabled)
            .field(
                "claims_check_script_configured",
                self.config.oidc_client.claims_check_script.is_some(),
            );

        match self.config.to_config_projection().await {
            Ok(projection) => DiagnosedResult::success(
                base_diagnosis
                    .with_outcome(
                        securitydept_utils::observability::AuthFlowDiagnosisOutcome::Succeeded,
                    )
                    .field("has_client_secret", projection.client_secret.is_some())
                    .field(
                        "has_claims_check_script",
                        projection.claims_check_script.is_some(),
                    ),
                projection,
            ),
            Err(error) => DiagnosedResult::failure(
                base_diagnosis
                    .with_outcome(
                        securitydept_utils::observability::AuthFlowDiagnosisOutcome::Failed,
                    )
                    .field(
                        AuthFlowDiagnosisField::FAILURE_STAGE,
                        "projection_generation",
                    ),
                error,
            ),
        }
    }
}

// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------

#[cfg(test)]
mod tests {
    use securitydept_oauth_provider::{OAuthProviderRemoteConfig, OidcSharedConfig};

    use super::*;
    use crate::frontend_oidc_mode::{
        capabilities::UnsafeFrontendClientSecret,
        config::{FrontendOidcModeConfig, FrontendOidcModeConfigSource},
    };

    fn test_runtime() -> FrontendOidcModeRuntime {
        let shared = OidcSharedConfig {
            remote: OAuthProviderRemoteConfig {
                well_known_url: Some(
                    "https://auth.example.com/.well-known/openid-configuration".to_string(),
                ),
                ..Default::default()
            },
            client_id: Some("spa-client".to_string()),
            ..Default::default()
        };

        let config = FrontendOidcModeConfig::default()
            .resolve_all(&shared)
            .expect("should resolve");
        FrontendOidcModeRuntime::new(config)
    }

    #[tokio::test]
    async fn runtime_produces_config_projection() {
        let runtime = test_runtime();
        let projection = runtime
            .config_projection()
            .await
            .expect("projection should succeed");
        assert_eq!(projection.client_id, "spa-client");
        assert_eq!(
            projection.well_known_url.as_deref(),
            Some("https://auth.example.com/.well-known/openid-configuration")
        );
        // Default capabilities: client_secret should NOT be exposed
        assert!(projection.client_secret.is_none());
    }

    #[tokio::test]
    async fn runtime_exposes_client_secret_when_capability_enabled() {
        let shared = OidcSharedConfig {
            remote: OAuthProviderRemoteConfig {
                well_known_url: Some(
                    "https://auth.example.com/.well-known/openid-configuration".to_string(),
                ),
                ..Default::default()
            },
            client_id: Some("spa-client".to_string()),
            ..Default::default()
        };

        let config = FrontendOidcModeConfig {
            oidc_client: securitydept_oidc_client::OidcClientRawConfig {
                client_secret: Some("test-secret".to_string()),
                ..Default::default()
            },
            capabilities: FrontendOidcModeCapabilities {
                unsafe_frontend_client_secret: UnsafeFrontendClientSecret::Enabled,
            },
        };
        let resolved = config.resolve_all(&shared).expect("should resolve");
        let runtime = FrontendOidcModeRuntime::new(resolved);
        let projection = runtime
            .config_projection()
            .await
            .expect("projection should succeed");
        assert_eq!(projection.client_secret.as_deref(), Some("test-secret"));
    }

    #[tokio::test]
    async fn runtime_reports_projection_diagnosis() {
        let runtime = test_runtime();
        let diagnosed = runtime.config_projection_with_diagnosis().await;

        assert!(diagnosed.result().is_ok());
        assert_eq!(
            diagnosed.diagnosis().operation,
            AuthFlowOperation::PROJECTION_CONFIG_FETCH
        );
        assert_eq!(diagnosed.diagnosis().outcome.as_str(), "succeeded");
        assert_eq!(
            diagnosed.diagnosis().fields[AuthFlowDiagnosisField::MODE],
            "frontend_oidc"
        );
        assert_eq!(diagnosed.diagnosis().fields["client_id"], "spa-client");
    }
}