Enum HessraClient

pub enum HessraClient {
    Http1(Http1Client),
}

The main Hessra client type, providing token request and verification.

Variants

Http1(Http1Client)

HTTP/1.1 client

Implementations

impl HessraClient

pub fn builder() -> HessraClientBuilder

Create a new client builder

pub async fn fetch_public_key(
    base_url: impl Into<String>,
    port: Option<u16>,
    server_ca: impl Into<String>,
) -> Result<String, ApiError>

Fetch the public key from the Hessra service without creating a client. The public_key endpoint accepts both authenticated and unauthenticated requests.

pub async fn fetch_ca_cert(
    base_url: impl Into<String>,
    port: Option<u16>,
) -> Result<String, ApiError>

Fetch the CA certificate from the Hessra service without authentication.

This function makes an unauthenticated request to the /ca_cert endpoint to retrieve the server’s CA certificate in PEM format. This is useful for bootstrapping trust when setting up a new client.

Bootstrap Trust Considerations

This function uses the system CA store for the initial connection, so the returned certificate is only as trustworthy as that TLS connection: the server must present a certificate the system store accepts. If the server uses a self-signed certificate, consider using fetch_ca_cert_insecure instead (with appropriate warnings to users). In either case, compare the returned certificate, or its fingerprint, against a copy obtained out of band before installing it as a trust anchor. This matters most with fetch_ca_cert_insecure, where nothing authenticates the server and anyone who can intercept the bootstrap request can substitute a CA of their own, but the out-of-band check is cheap insurance on the verified path as well.

pub async fn request_token(
    &self,
    resource: String,
    operation: String,
    domain: Option<String>,
) -> Result<TokenResponse, ApiError>

Request a token for a resource. Returns the full TokenResponse, which may include pending signoffs for multi-party tokens.

Arguments
  • resource - The resource identifier to request authorization for
  • operation - The operation to request authorization for
  • domain - Optional domain for domain-restricted identity token verification

pub async fn request_token_with_identity(
    &self,
    resource: String,
    operation: String,
    identity_token: String,
    domain: Option<String>,
) -> Result<TokenResponse, ApiError>

Request a token for a resource using an identity token for authentication. The identity token is sent in the Authorization header as a Bearer token. Returns the full TokenResponse, which may include pending signoffs for multi-party tokens.

Arguments
  • resource - The resource identifier to request authorization for
  • operation - The operation to request authorization for
  • identity_token - The identity token to use for authentication
  • domain - Optional domain for domain-restricted identity token verification

pub async fn request_token_simple(
    &self,
    resource: String,
    operation: String,
) -> Result<String, ApiError>

Request a token for a resource (legacy method). Returns just the token string, for backward compatibility. Because the response is reduced to the token string, any pending signoffs reported for a multi-party token are not visible to the caller; use request_token when that information is needed.

pub async fn verify_token(
    &self,
    token: String,
    subject: String,
    resource: String,
    operation: String,
) -> Result<String, ApiError>

Verify a token for subject doing operation on resource. Verification is performed by the remote authorization service API, so each call is a network round trip rather than a local check.

pub async fn verify_service_chain_token(
    &self,
    token: String,
    subject: String,
    resource: String,
    component: Option<String>,
) -> Result<String, ApiError>

Verify a service chain token. If no component is provided, the entire service chain is used to verify the token. If a component name is provided, the service chain up to and excluding that component is used. This lets a node in the middle of the service chain confirm that the token has been attested by every node before it.
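The prefix rule in that description, as an added example rather than hessra-api code: ServiceChain, ChainError, the node names and the attestation lists are all constructed for the illustration, and how the real token encodes attestations is outside this page. What the example does show is the two edge cases a middle node has to get right: a component name that is not in the configured chain, and a token that already carries attestations from nodes at or after the caller.

```rust
// Added example, not hessra-api code: the "up to and excluding the component"
// rule modelled over plain data so it runs offline. Chain and node names are
// constructed; a real token's attestation encoding is not shown here.

#[derive(Debug, PartialEq)]
pub enum ChainError {
    /// The caller named a component that is not in the configured chain.
    UnknownComponent(String),
    /// A required upstream attestation is absent or out of order.
    MissingAttestation { expected: String, position: usize },
    /// The token already carries an attestation from a node at or after the caller.
    UnexpectedAttestation(String),
}

/// The ordered service chain configured for a resource, first hop first.
pub struct ServiceChain {
    pub nodes: Vec<String>,
}

impl ServiceChain {
    pub fn new(nodes: &[&str]) -> Self {
        ServiceChain { nodes: nodes.iter().map(|n| n.to_string()).collect() }
    }

    /// Nodes whose attestations the token must carry: the whole chain when no
    /// component is given, otherwise every node before `component`, excluding it.
    /// An unknown component is an error rather than an empty prefix; treating it
    /// as empty would let a misnamed caller skip every upstream check.
    pub fn required_attesters(&self, component: Option<&str>) -> Result<&[String], ChainError> {
        match component {
            None => Ok(&self.nodes[..]),
            Some(c) => {
                let idx = self.nodes.iter().position(|n| n == c)
                    .ok_or_else(|| ChainError::UnknownComponent(c.to_string()))?;
                Ok(&self.nodes[..idx])
            }
        }
    }

    /// `attestations` are the node names recorded in the token in signing order.
    /// They must match the required prefix exactly and in chain order. Anything
    /// beyond the prefix is rejected as well: a token that has already passed
    /// nodes at or after the caller did not arrive by the expected upstream path.
    pub fn verify_attestations(&self, attestations: &[&str], component: Option<&str>) -> Result<(), ChainError> {
        let required = self.required_attesters(component)?;
        for (i, expected) in required.iter().enumerate() {
            match attestations.get(i) {
                Some(a) if *a == expected.as_str() => {}
                _ => return Err(ChainError::MissingAttestation { expected: expected.clone(), position: i }),
            }
        }
        match attestations.get(required.len()) {
            Some(extra) => Err(ChainError::UnexpectedAttestation(extra.to_string())),
            None => Ok(()),
        }
    }
}

fn main() {
    let chain = ServiceChain::new(&["gateway", "auth-proxy", "billing", "ledger"]);
    // billing, a middle node, needs attestations from gateway and auth-proxy only
    println!("{:?}", chain.verify_attestations(&["gateway", "auth-proxy"], Some("billing")));
    println!("{:?}", chain.verify_attestations(&["gateway"], Some("billing")));
    println!("{:?}", chain.verify_attestations(&["gateway", "auth-proxy"], Some("not-in-chain")));
}
```

Rejecting an unknown component, instead of silently verifying against an empty prefix, is the choice that keeps a typo in a node's configured name from turning into an unauthenticated path through the chain.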

pub async fn sign_token(
    &self,
    token: &str,
    resource: &str,
    operation: &str,
) -> Result<SignTokenResponse, ApiError>

Sign a multi-party token by calling an authorization service’s signoff endpoint.

pub async fn get_public_key(&self) -> Result<String, ApiError>

Get the public key from the server.

pub async fn request_identity_token(
    &self,
    identifier: Option<String>,
) -> Result<IdentityTokenResponse, ApiError>

Request a new identity token from the authorization service.

This endpoint requires mTLS authentication, as it is the initial issuance of an identity token. The identifier parameter is optional when using mTLS, as the identity can be derived from the client certificate.

Arguments
  • identifier - Optional identifier for the identity. Optional with mTLS, where it can be derived from the client certificate; later refresh_identity_token calls made without mTLS require an identifier.

pub async fn refresh_identity_token(
    &self,
    current_token: String,
    identifier: Option<String>,
) -> Result<IdentityTokenResponse, ApiError>

Refresh an existing identity token.

This endpoint accepts either mTLS or the current identity token for authentication. When authenticating with the identity token alone (no mTLS), the identifier parameter is required. The current token is validated and a new token with an updated expiration is issued.

Arguments
  • current_token - The existing identity token to refresh
  • identifier - Optional identifier. Required when not using mTLS authentication.

pub async fn mint_domain_restricted_identity_token(
    &self,
    subject: String,
    duration: Option<u64>,
) -> Result<MintIdentityTokenResponse, ApiError>

Mint a new domain-restricted identity token.

This endpoint requires mTLS authentication from a “realm” identity (one without domain restriction). The minted token is restricted to the minting identity’s domain and cannot mint further sub-identities. Permissions are determined by domain roles configured on the server.

Arguments
  • subject - The subject identifier for the new identity (e.g., “uri:urn:test:argo-cli1:user123”)
  • duration - Optional duration in seconds. If None, the server uses its configured default.

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow.

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.