
nominal_api/conjure/clients/authorization/
internal_sandbox_token_service.rs

1use conjure_http::endpoint;
/// Blocking client for the cluster-internal sandbox token endpoint.
///
/// The endpoint mints short-lived access tokens for a preconfigured sandbox
/// workspace and sandbox user. Its intended caller is an in-cluster
/// integration-test Job.
///
/// # Security
///
/// * Access is gated by a shared-secret header and by a NetworkPolicy that
///   restricts the source pods. Both controls live outside this client;
///   nothing in this trait enforces them.
/// * This service must not be exposed via the public ingress.
/// * The shared secret and the returned token are both credentials: keep
///   them out of logs, error messages and test output.
#[conjure_http::conjure_client(name = "InternalSandboxTokenService")]
pub trait InternalSandboxTokenService<
    #[response_body]
    I: Iterator<Item = Result<conjure_http::private::Bytes, conjure_http::private::Error>>,
> {
    /// Requests a Nominal-signed bearer token bound to the configured sandbox
    /// user and org.
    ///
    /// Issues `POST /sandbox-token-internal/v1/issue` with `request` as the
    /// body and `shared_secret` in the `X-Nominal-Sandbox-Shared-Secret`
    /// header.
    ///
    /// Server-side contract (not checked by this client): the TTL is capped
    /// at 1 hour regardless of the requested value, and the call is rejected
    /// unless the header matches the value configured on gatekeeper.
    ///
    /// NOTE(review): the header uses `PlainEncoder`, so the secret is
    /// presumably sent as-is; confidentiality then depends on the transport
    /// between the caller and gatekeeper. Confirm.
    ///
    /// # Errors
    ///
    /// Returns `conjure_http::private::Error` when the call fails; per the
    /// contract above this includes a rejected shared secret.
    #[endpoint(
        method = POST,
        path = "/sandbox-token-internal/v1/issue",
        name = "issueSandboxToken",
        accept = conjure_http::client::StdResponseDeserializer
    )]
    fn issue_sandbox_token(
        &self,
        #[body(serializer = conjure_http::client::StdRequestSerializer)]
        request: &super::super::super::objects::authorization::IssueSandboxTokenRequest,
        #[header(
            name = "X-Nominal-Sandbox-Shared-Secret",
            encoder = conjure_http::client::conjure::PlainEncoder
        )]
        shared_secret: &str,
    ) -> Result<
        super::super::super::objects::authorization::IssueSandboxTokenResponse,
        conjure_http::private::Error,
    >;
}
/// Async client for the cluster-internal sandbox token endpoint.
///
/// The endpoint mints short-lived access tokens for a preconfigured sandbox
/// workspace and sandbox user. Its intended caller is an in-cluster
/// integration-test Job.
///
/// # Security
///
/// * Access is gated by a shared-secret header and by a NetworkPolicy that
///   restricts the source pods. Both controls live outside this client;
///   nothing in this trait enforces them.
/// * This service must not be exposed via the public ingress.
/// * The shared secret and the returned token are both credentials: keep
///   them out of logs, error messages and test output.
#[conjure_http::conjure_client(name = "InternalSandboxTokenService")]
pub trait AsyncInternalSandboxTokenService<
    #[response_body]
    I: conjure_http::private::Stream<
        Item = Result<conjure_http::private::Bytes, conjure_http::private::Error>,
    >,
> {
    /// Asynchronously requests a Nominal-signed bearer token bound to the
    /// configured sandbox user and org.
    ///
    /// Issues `POST /sandbox-token-internal/v1/issue` with `request` as the
    /// body and `shared_secret` in the `X-Nominal-Sandbox-Shared-Secret`
    /// header.
    ///
    /// Server-side contract (not checked by this client): the TTL is capped
    /// at 1 hour regardless of the requested value, and the call is rejected
    /// unless the header matches the value configured on gatekeeper.
    ///
    /// NOTE(review): the header uses `PlainEncoder`, so the secret is
    /// presumably sent as-is; confidentiality then depends on the transport
    /// between the caller and gatekeeper. Confirm.
    ///
    /// # Errors
    ///
    /// Resolves to `conjure_http::private::Error` when the call fails; per
    /// the contract above this includes a rejected shared secret.
    #[endpoint(
        method = POST,
        path = "/sandbox-token-internal/v1/issue",
        name = "issueSandboxToken",
        accept = conjure_http::client::StdResponseDeserializer
    )]
    async fn issue_sandbox_token(
        &self,
        #[body(serializer = conjure_http::client::StdRequestSerializer)]
        request: &super::super::super::objects::authorization::IssueSandboxTokenRequest,
        #[header(
            name = "X-Nominal-Sandbox-Shared-Secret",
            encoder = conjure_http::client::conjure::PlainEncoder
        )]
        shared_secret: &str,
    ) -> Result<
        super::super::super::objects::authorization::IssueSandboxTokenResponse,
        conjure_http::private::Error,
    >;
}
/// Async client for the cluster-internal sandbox token endpoint, generated
/// with the `local` flag of `conjure_client`.
///
/// NOTE(review): `local` presumably selects the variant whose futures need
/// not be `Send` — confirm against the `conjure_http` documentation.
///
/// The endpoint mints short-lived access tokens for a preconfigured sandbox
/// workspace and sandbox user. Its intended caller is an in-cluster
/// integration-test Job.
///
/// # Security
///
/// * Access is gated by a shared-secret header and by a NetworkPolicy that
///   restricts the source pods. Both controls live outside this client;
///   nothing in this trait enforces them.
/// * This service must not be exposed via the public ingress.
/// * The shared secret and the returned token are both credentials: keep
///   them out of logs, error messages and test output.
#[conjure_http::conjure_client(name = "InternalSandboxTokenService", local)]
pub trait LocalAsyncInternalSandboxTokenService<
    #[response_body]
    I: conjure_http::private::Stream<
        Item = Result<conjure_http::private::Bytes, conjure_http::private::Error>,
    >,
> {
    /// Asynchronously requests a Nominal-signed bearer token bound to the
    /// configured sandbox user and org.
    ///
    /// Issues `POST /sandbox-token-internal/v1/issue` with `request` as the
    /// body and `shared_secret` in the `X-Nominal-Sandbox-Shared-Secret`
    /// header.
    ///
    /// Server-side contract (not checked by this client): the TTL is capped
    /// at 1 hour regardless of the requested value, and the call is rejected
    /// unless the header matches the value configured on gatekeeper.
    ///
    /// NOTE(review): the header uses `PlainEncoder`, so the secret is
    /// presumably sent as-is; confidentiality then depends on the transport
    /// between the caller and gatekeeper. Confirm.
    ///
    /// # Errors
    ///
    /// Resolves to `conjure_http::private::Error` when the call fails; per
    /// the contract above this includes a rejected shared secret.
    #[endpoint(
        method = POST,
        path = "/sandbox-token-internal/v1/issue",
        name = "issueSandboxToken",
        accept = conjure_http::client::StdResponseDeserializer
    )]
    async fn issue_sandbox_token(
        &self,
        #[body(serializer = conjure_http::client::StdRequestSerializer)]
        request: &super::super::super::objects::authorization::IssueSandboxTokenRequest,
        #[header(
            name = "X-Nominal-Sandbox-Shared-Secret",
            encoder = conjure_http::client::conjure::PlainEncoder
        )]
        shared_secret: &str,
    ) -> Result<
        super::super::super::objects::authorization::IssueSandboxTokenResponse,
        conjure_http::private::Error,
    >;
}