Trait AuthorizationService

pub trait AuthorizationService {
    // Required methods
    fn authorize(
        &self,
        auth_: BearerToken,
        request: AuthorizationRequest,
    ) -> Result<BTreeSet<ResourceIdentifier>, Error>;
    fn batch_get_workspace_for_resource(
        &self,
        auth_: BearerToken,
        request: BTreeSet<ResourceIdentifier>,
    ) -> Result<BTreeMap<ResourceIdentifier, WorkspaceRid>, Error>;
    fn register_in_workspace(
        &self,
        auth_: BearerToken,
        request: RegisterInWorkspaceRequest,
    ) -> Result<(), Error>;
    fn check_admin(&self, auth_: BearerToken) -> Result<(), Error>;
    fn is_email_allowed(
        &self,
        request: IsEmailAllowedRequest,
    ) -> Result<IsEmailAllowedResponse, Error>;
    fn get_access_token(
        &self,
        request: GetAccessTokenRequest,
    ) -> Result<GetAccessTokenResponse, Error>;
    fn create_api_key(
        &self,
        auth_: BearerToken,
        request: CreateApiKeyRequest,
    ) -> Result<CreateApiKeyResponse, Error>;
    fn list_api_keys_in_org(
        &self,
        auth_: BearerToken,
        request: ListApiKeyRequest,
    ) -> Result<ListApiKeyResponse, Error>;
    fn list_user_api_keys(
        &self,
        auth_: BearerToken,
        request: ListApiKeyRequest,
    ) -> Result<ListApiKeyResponse, Error>;
    fn revoke_api_key(
        &self,
        auth_: BearerToken,
        rid: ApiKeyRid,
    ) -> Result<(), Error>;
}

The authorization service manages the permissions for a user to access resources.

Required Methods

fn authorize(&self, auth_: BearerToken, request: AuthorizationRequest) -> Result<BTreeSet<ResourceIdentifier>, Error>

Given a set of resources, returns the set of resources that the user is authorized to access.

fn batch_get_workspace_for_resource(&self, auth_: BearerToken, request: BTreeSet<ResourceIdentifier>) -> Result<BTreeMap<ResourceIdentifier, WorkspaceRid>, Error>

Given a set of resources, returns the workspace that each resource belongs to. If the user is not authorized on a resource, that resource is omitted from the response.

fn register_in_workspace(&self, auth_: BearerToken, request: RegisterInWorkspaceRequest) -> Result<(), Error>

Marks a set of resources as belonging to a workspace. Either all resources are registered or none are. If the user is not in the workspace, this will throw. If a resource already belongs to a different workspace, this will throw. If a resource already belongs to this workspace, this is a no-op.

fn check_admin(&self, auth_: BearerToken) -> Result<(), Error>

Given an authenticated session, this endpoint returns an HTTP 204 if the authenticated user is an admin and an HTTP 403 otherwise.

fn is_email_allowed(&self, request: IsEmailAllowedRequest) -> Result<IsEmailAllowedResponse, Error>

Checks if the email is allowed to register.

fn get_access_token(&self, request: GetAccessTokenRequest) -> Result<GetAccessTokenResponse, Error>

Provide an OIDC ID token and access token to get a Nominal access token, suitable for making API requests. Its expiry will match that of the input access token, capped at 24h. Throws NotAuthorized if either token is invalid or if the OIDC provider is not known.

fn create_api_key(&self, auth_: BearerToken, request: CreateApiKeyRequest) -> Result<CreateApiKeyResponse, Error>

Provides a long-lived API key for making API requests. The API key is irretrievable after initial creation.

fn list_api_keys_in_org(&self, auth_: BearerToken, request: ListApiKeyRequest) -> Result<ListApiKeyResponse, Error>

List all API keys in the organization.

fn list_user_api_keys(&self, auth_: BearerToken, request: ListApiKeyRequest) -> Result<ListApiKeyResponse, Error>

List all API keys for the user.

fn revoke_api_key(&self, auth_: BearerToken, rid: ApiKeyRid) -> Result<(), Error>

Delete an API key.

Implementors