trust-tasks-https 0.1.0

HTTPS transport binding for the Trust Tasks framework — typed client + axum-based server with bearer-auth identity, suitable for demos, mockups, and end-to-end testing.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

//! A demo Trust Tasks server over HTTPS.
//!
//! Exposes `acl/grant/0.1` and `acl/revoke/0.1` on `http://localhost:3000`.
//! Two bearer tokens are accepted: `alice` (maps to `did:web:alice.example`)
//! and `bob` (maps to `did:web:bob.example`); everything else is treated as
//! unauthenticated.
//!
//! Run with:
//!
//! ```sh
//! cargo run -p trust-tasks-https --example server_demo
//! ```
//!
//! Then point [`client_demo`] at it.

use trust_tasks_https::{BearerAuth, HttpsServer};
use trust_tasks_rs::{
    specs::acl::{grant, revoke},
    RejectReason,
};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let auth = BearerAuth::from_pairs([
        ("alice", "did:web:alice.example"),
        ("bob", "did:web:bob.example"),
    ]);

    let server = HttpsServer::builder()
        .local_vid("did:web:maintainer.example")
        .with_auth(auth)
        // Handler for acl/grant: accepts, echoes the entry back as the
        // canonical post-state. Demonstrates the typed payload + context.
        .on::<grant::v0_1::Payload, grant::v0_1::Response, _>(|req, ctx| {
            println!(
                "acl/grant received from {} for subject {} (role {})",
                ctx.authenticated_sender.as_deref().unwrap_or("<unauth>"),
                req.payload.entry.subject,
                &*req.payload.entry.role,
            );
            Ok(grant::v0_1::Response {
                entry: req.payload.entry.clone(),
            })
        })
        // Handler for acl/revoke: returns null entry meaning "removed".
        // Demonstrates RejectReason as the error path.
        .on::<revoke::v0_1::Payload, revoke::v0_1::Response, _>(|req, ctx| {
            println!(
                "acl/revoke received from {} for subject {}",
                ctx.authenticated_sender.as_deref().unwrap_or("<unauth>"),
                req.payload.subject,
            );
            if !ctx
                .authenticated_sender
                .as_deref()
                .map(|s| s.starts_with("did:web:"))
                .unwrap_or(false)
            {
                return Err(RejectReason::PermissionDenied {
                    reason: "revoke requires an authenticated did:web sender".into(),
                });
            }
            Ok(revoke::v0_1::Response { entry: None })
        })
        .build();

    println!("Trust Tasks server listening on http://127.0.0.1:3000/trust-tasks");
    server.serve("127.0.0.1:3000").await?;
    Ok(())
}