Trait AuthorizationService

pub trait AuthorizationService {
    // Required methods
    fn authorize(
        &self,
        auth_: BearerToken,
        request: AuthorizationRequest,
    ) -> Result<BTreeSet<ResourceIdentifier>, Error>;
    fn batch_get_workspace_for_resource(
        &self,
        auth_: BearerToken,
        request: BTreeSet<ResourceIdentifier>,
    ) -> Result<BTreeMap<ResourceIdentifier, WorkspaceRid>, Error>;
    fn register_in_workspace(
        &self,
        auth_: BearerToken,
        request: RegisterInWorkspaceRequest,
    ) -> Result<(), Error>;
    fn check_admin(&self, auth_: BearerToken) -> Result<(), Error>;
    fn is_email_allowed(
        &self,
        request: IsEmailAllowedRequest,
    ) -> Result<IsEmailAllowedResponse, Error>;
    fn is_email_allowed_okta(
        &self,
        request: OktaRegistrationRequest,
    ) -> Result<OktaRegistrationResponse, Error>;
    fn get_access_token(
        &self,
        request: GetAccessTokenRequest,
    ) -> Result<GetAccessTokenResponse, Error>;
    fn create_api_key(
        &self,
        auth_: BearerToken,
        request: CreateApiKeyRequest,
    ) -> Result<CreateApiKeyResponse, Error>;
    fn list_api_keys_in_org(
        &self,
        auth_: BearerToken,
        request: ListApiKeyRequest,
    ) -> Result<ListApiKeyResponse, Error>;
    fn list_user_api_keys(
        &self,
        auth_: BearerToken,
        request: ListApiKeyRequest,
    ) -> Result<ListApiKeyResponse, Error>;
    fn revoke_api_key(
        &self,
        auth_: BearerToken,
        rid: ApiKeyRid,
    ) -> Result<(), Error>;
}

The authorization service manages the permissions for a user to access resources.

Required Methods

fn authorize(&self, auth_: BearerToken, request: AuthorizationRequest) -> Result<BTreeSet<ResourceIdentifier>, Error>

Given a set of resources, returns the set of resources that the user is authorized to access.

fn batch_get_workspace_for_resource(&self, auth_: BearerToken, request: BTreeSet<ResourceIdentifier>) -> Result<BTreeMap<ResourceIdentifier, WorkspaceRid>, Error>

Given a set of resources, returns the workspace that each resource belongs to. If the user is not authorized on a resource, that resource is omitted from the response.

fn register_in_workspace(&self, auth_: BearerToken, request: RegisterInWorkspaceRequest) -> Result<(), Error>

Marks a set of resources as belonging to a workspace. Either all resources are registered or none are. If the user is not in the workspace, this will throw. If a resource already belongs to a different workspace, this will throw. If a resource already belongs to this workspace, this is a no-op.
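
The all-or-nothing rule above can be met by validating the whole batch before writing anything. The following in-memory model is an added example, not Nominal's implementation or code from this page; `Registry`, `RegisterError`, the string stand-ins for `ResourceIdentifier` and `WorkspaceRid`, and the sample names are assumptions.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Simplified stand-ins (assumptions): plain strings replace ResourceIdentifier
// and WorkspaceRid, whose definitions are not shown on this page.
type Rid = String;
type Workspace = String;

#[derive(Debug, PartialEq)]
pub enum RegisterError { NotInWorkspace, OwnedByOtherWorkspace(Rid) }

#[derive(Default)]
pub struct Registry {
    owner: BTreeMap<Rid, Workspace>,                // resource -> owning workspace
    members: BTreeMap<Workspace, BTreeSet<String>>, // workspace -> member users
}

impl Registry {
    pub fn add_member(&mut self, ws: &str, user: &str) {
        self.members.entry(ws.into()).or_default().insert(user.into());
    }
    pub fn workspace_of(&self, rid: &str) -> Option<&Workspace> {
        self.owner.get(rid)
    }
    /// Validate the whole batch before writing anything, so a rejected
    /// request leaves no partial registration behind.
    pub fn register(&mut self, user: &str, ws: &str, rids: &BTreeSet<Rid>) -> Result<(), RegisterError> {
        if !self.members.get(ws).map_or(false, |m| m.contains(user)) {
            return Err(RegisterError::NotInWorkspace);
        }
        // Phase 1: any resource owned by a different workspace rejects the batch.
        for rid in rids {
            if let Some(cur) = self.owner.get(rid) {
                if cur.as_str() != ws {
                    return Err(RegisterError::OwnedByOtherWorkspace(rid.clone()));
                }
            }
        }
        // Phase 2: commit. A resource already in this workspace is left as is (no-op).
        for rid in rids {
            self.owner.entry(rid.clone()).or_insert_with(|| ws.to_string());
        }
        Ok(())
    }
}

fn main() {
    let mut reg = Registry::default();
    reg.add_member("ws-a", "alice"); // constructed sample data
    println!("{:?}", reg.register("alice", "ws-a", &BTreeSet::from(["r1".to_string()])));
}
```

A single-pass loop that checks and writes each resource in turn would leave earlier resources registered when a later one conflicts, which is the partial state the two-phase form avoids.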

fn check_admin(&self, auth_: BearerToken) -> Result<(), Error>

Given an authenticated session, this endpoint returns an HTTP 204 if the authenticated user is an admin and HTTP 403 otherwise.

fn is_email_allowed(&self, request: IsEmailAllowedRequest) -> Result<IsEmailAllowedResponse, Error>

Checks if the email is allowed to register.

fn is_email_allowed_okta(&self, request: OktaRegistrationRequest) -> Result<OktaRegistrationResponse, Error>

Checks if the email is allowed to register, following the Okta “registration inline hook” API.

fn get_access_token(&self, request: GetAccessTokenRequest) -> Result<GetAccessTokenResponse, Error>

Provide an OIDC ID token to get a Nominal access token suitable for making API requests. Its expiry will match that of the input ID token, capped at 24h. TODO(MGMT-933): reduce this duration. Throws NotAuthorized if the ID token is invalid or if the OIDC provider is not known.

fn create_api_key(&self, auth_: BearerToken, request: CreateApiKeyRequest) -> Result<CreateApiKeyResponse, Error>

Provide a long-lived API key for making API requests. The API key is irretrievable after initial creation.

fn list_api_keys_in_org(&self, auth_: BearerToken, request: ListApiKeyRequest) -> Result<ListApiKeyResponse, Error>

List all API keys in the organization.

fn list_user_api_keys(&self, auth_: BearerToken, request: ListApiKeyRequest) -> Result<ListApiKeyResponse, Error>

List all API keys for the user.

fn revoke_api_key(&self, auth_: BearerToken, rid: ApiKeyRid) -> Result<(), Error>

Delete an API key.

Implementors