securitydept-token-set-context 0.2.0

Token Set Context of SecurityDept, a layered authentication and authorization toolkit built as reusable Rust crates.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185

use std::collections::HashMap;

use chrono::{DateTime, Utc};
use http::header::{AUTHORIZATION, HeaderMap, HeaderValue};
use securitydept_utils::principal::AuthenticatedPrincipal as SharedAuthenticatedPrincipal;
use serde::{Deserialize, Serialize};
use serde_json::Value;
use typed_builder::TypedBuilder;

use crate::backend_oidc_mode::SealedRefreshMaterial;

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
#[serde(rename_all = "snake_case")]
pub enum AuthenticationSourceKind {
    OidcAuthorizationCode,
    RefreshToken,
    ForwardedBearer,
    StaticToken,
    #[default]
    Unknown,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder, Default)]
pub struct AuthenticationSource {
    #[builder(default = AuthenticationSourceKind::Unknown)]
    #[serde(default)]
    pub kind: AuthenticationSourceKind,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option, into))]
    pub provider_id: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option, into))]
    pub issuer: Option<String>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    #[builder(default)]
    pub kind_history: Vec<AuthenticationSourceKind>,
    #[serde(flatten)]
    #[builder(default)]
    pub attributes: HashMap<String, Value>,
}

pub type AuthenticatedPrincipal = SharedAuthenticatedPrincipal;

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder)]
pub struct AuthTokenSnapshot {
    #[builder(setter(into))]
    pub access_token: String,
    #[builder(default, setter(into))]
    pub id_token: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub refresh_material: Option<SealedRefreshMaterial>,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub access_token_expires_at: Option<DateTime<Utc>>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder)]
pub struct AuthTokenDelta {
    #[builder(setter(into))]
    pub access_token: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option, into))]
    pub id_token: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub refresh_material: Option<SealedRefreshMaterial>,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub access_token_expires_at: Option<DateTime<Utc>>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder, Default)]
pub struct AuthStateMetadataSnapshot {
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub principal: Option<AuthenticatedPrincipal>,
    #[builder(default)]
    #[serde(default)]
    pub source: AuthenticationSource,
    #[serde(flatten, skip_serializing_if = "HashMap::is_empty")]
    #[builder(default)]
    pub attributes: HashMap<String, Value>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder, Default)]
pub struct CurrentAuthenticationSourcePartial {
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub kind: Option<AuthenticationSourceKind>,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub provider_id: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub issuer: Option<String>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub kind_history: Option<Vec<AuthenticationSourceKind>>,
    #[serde(default, flatten, skip_serializing_if = "HashMap::is_empty")]
    #[builder(default)]
    pub attributes: HashMap<String, Value>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder, Default)]
pub struct CurrentAuthStateMetadataSnapshotPartial {
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub principal: Option<AuthenticatedPrincipal>,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub source: Option<CurrentAuthenticationSourcePartial>,
    #[serde(default, flatten, skip_serializing_if = "HashMap::is_empty")]
    #[builder(default)]
    pub attributes: HashMap<String, Value>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder, Default)]
pub struct AuthStateMetadataDelta {
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub principal: Option<AuthenticatedPrincipal>,
    #[serde(skip_serializing_if = "Option::is_none")]
    #[builder(default, setter(strip_option))]
    pub source: Option<AuthenticationSource>,
    #[serde(default, flatten, skip_serializing_if = "HashMap::is_empty")]
    #[builder(default)]
    pub attributes: HashMap<String, Value>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder)]
pub struct AuthStateSnapshot {
    pub tokens: AuthTokenSnapshot,
    pub metadata: AuthStateMetadataSnapshot,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, TypedBuilder)]
pub struct AuthStateDelta {
    pub tokens: AuthTokenDelta,
    #[builder(default)]
    #[serde(
        default,
        flatten,
        skip_serializing_if = "AuthStateMetadataDelta::is_empty"
    )]
    pub metadata: AuthStateMetadataDelta,
}

impl AuthTokenSnapshot {
    pub fn access_token_is_expired_at(&self, now: DateTime<Utc>) -> bool {
        self.access_token_expires_at
            .is_some_and(|expires_at| expires_at <= now)
    }

    pub fn should_refresh_at(&self, now: DateTime<Utc>) -> bool {
        self.access_token_is_expired_at(now)
            || self
                .access_token_expires_at
                .is_some_and(|expires_at| expires_at <= now + chrono::TimeDelta::minutes(1))
    }

    pub fn authorization_value(&self) -> String {
        format!("Bearer {}", self.access_token)
    }

    pub fn authorization_header_value(
        &self,
    ) -> Result<HeaderValue, http::header::InvalidHeaderValue> {
        HeaderValue::from_str(&self.authorization_value())
    }

    pub fn apply_authorization_header(
        &self,
        headers: &mut HeaderMap,
    ) -> Result<(), http::header::InvalidHeaderValue> {
        headers.insert(AUTHORIZATION, self.authorization_header_value()?);
        Ok(())
    }
}

impl AuthStateMetadataDelta {
    pub fn is_empty(&self) -> bool {
        self.principal.is_none() && self.source.is_none() && self.attributes.is_empty()
    }
}