Skip to main content

AuditEvent

pas_external::audit

Struct AuditEvent 

Source 
pub struct AuditEvent {
    pub kind: VerifyErrorKind,
    pub occurred_at: OffsetDateTime,
    pub source_id: String,
    pub client_id_hint: Option<String>,
    pub kid_hint: Option<String>,
    pub metadata: BTreeMap<String, Value>,
}
Expand description

Single typed event emitted on every BearerVerifier::verify rejection.

kind drives audit-pivot grouping; source_id drives rate-limiting and per-source dashboards; metadata carries free-form context (engine M-row identifier for Other, claim names, etc.).

Best-effort hint decoding: client_id_hint and kid_hint come from the rejected token’s payload/header via defensive base64+JSON parse. Either may be None if the token was malformed; callers MUST NOT treat absence as a security signal — by definition the token was rejected, so its claims are untrusted. The hints exist for grouping, not authentication.

source_id derivation: per Phase 9 design call (e), source_id is the compound client_id_hint ‖ kid_hint key. Anonymous / kid-less rejections collapse into a canonical "anon::nokid" bucket so attacker-controlled token mangling can’t explode the bucket count. See compose_source_id and AuditEvent::from_hints.

All fields are pub so adapters can serialize them or pivot on arbitrary subsets. The canonical construction path is AuditEvent::from_hints, which guarantees source_id matches the hints. Hand-constructing with mismatched values is technically possible (and useful for fault-injection in tests) but a code review concern in production.

Fields§

§kind: VerifyErrorKind

Failure classification — drives audit-pivot grouping.

§occurred_at: OffsetDateTime

Wall-clock at engine reject (UTC, RFC 3339 wire format).

§source_id: String

Compound client_id_hint ‖ kid_hint key for rate-limiting + per-source pivot.

§client_id_hint: Option<String>

Best-effort client_id claim from the rejected token’s payload.

§kid_hint: Option<String>

Best-effort kid from the rejected token’s header.

§metadata: BTreeMap<String, Value>

Free-form structured context — engine M-row identifier for Other, claim names for telemetry, etc. BTreeMap (not HashMap) for deterministic ordering in snapshot tests.

Implementations§

Source§

impl AuditEvent

Source

pub fn from_hints( kind: VerifyErrorKind, occurred_at: OffsetDateTime, client_id_hint: Option<String>, kid_hint: Option<String>, metadata: BTreeMap<String, Value>, ) -> AuditEvent

Canonical constructor — composes source_id from the hints so the two never disagree. Production callers (Phase 9.D PasJwtVerifier::verify) use this.

Source

pub fn from_id_token_hints( kind: VerifyErrorKind, occurred_at: OffsetDateTime, azp_hint: Option<String>, aud_hint: Option<String>, kid_hint: Option<String>, metadata: BTreeMap<String, Value>, ) -> AuditEvent

id_token-specific canonical constructor (Phase 10.11.D, δ2).

Composes the 3-tuple azp ‖ aud ‖ kid source key — strongest per-source discrimination for log-flood DoS prevention on the RP side. azp (when present) is the canonical “authorized party”; aud may be array (the engine surfaces only the first element to the hint pipeline); kid identifies the signing key.

Field repurpose: stores azp_hint in Self::client_id_hint (the SDK-shaped “authorized party” shares semantic with access-token’s client_id); pushes aud_hint into metadata under the key "aud_hint". Dashboard pivots on the access-token side use client_id_hint directly; id_token pivots use the same field plus the aud_hint metadata entry.

Production caller: [crate::oidc::PasIdTokenVerifier::emit_failure].

Source

pub fn rate_limit_key(&self) -> RateLimitKey

Per-bucket rate-limit key. By default 1:1 with source_id. Composing once at construction keeps this O(1).

Trait Implementations§

Source§

impl Clone for AuditEvent

Source§

fn clone(&self) -> AuditEvent

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for AuditEvent

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter. Read more
Source§

impl<'de> Deserialize<'de> for AuditEvent

Source§

fn deserialize<__D>( __deserializer: __D, ) -> Result<AuditEvent, <__D as Deserializer<'de>>::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl Serialize for AuditEvent

Source§

fn serialize<__S>( &self, __serializer: __S, ) -> Result<<__S as Serializer>::Ok, <__S as Serializer>::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,