
securitydept_token_set_context/access_token_substrate/propagation/
error.rs

1use securitydept_utils::error::{ErrorPresentation, ToErrorPresentation, UserRecovery};
2use snafu::Snafu;
3
4use super::config::BearerPropagationPolicy;
5
/// Failures reported while deciding whether, and how, a bearer token may be
/// propagated to a downstream target.
///
/// The variants fall into four groups, judging by their display text:
/// propagator configuration, the propagation directive and target address,
/// destination policy, and checks on the token's own facts (issuer, audience,
/// scope, azp).
///
/// NOTE(review): several variants interpolate `target`, `host`, `node_id`,
/// `cidr`, `issuer`, `scope` or `azp` verbatim into their `Display` output.
/// Where these strings come from is not visible in this file; if any of them
/// originate from a request-supplied directive or token, consumers that log
/// or return the rendered message should treat it as untrusted text.
#[derive(Debug, Snafu)]
pub enum TokenPropagatorError {
    // --- propagator configuration -----------------------------------------
    /// The propagator configuration is unusable; `message` carries the detail.
    #[snafu(display("token propagator is misconfigured: {message}"))]
    PropagatorConfig { message: String },

    /// The given policy cannot attach an authorization header directly.
    #[snafu(display(
        "token propagation policy `{policy:?}` cannot attach an authorization header directly"
    ))]
    UnsupportedDirectAuthorization { policy: BearerPropagationPolicy },

    /// The authorization header value was rejected by the `http` crate.
    ///
    /// NOTE(review): the display text includes `source`. The `http` error is
    /// not expected to echo the rejected bytes, so the bearer token should not
    /// end up in this message; confirm against the pinned `http` version.
    #[snafu(display("authorization header value is invalid: {source}"))]
    InvalidHeaderValue {
        source: http::header::InvalidHeaderValue,
    },

    // --- directive and target address -------------------------------------
    /// The propagation directive is invalid; `message` carries the detail.
    #[snafu(display("propagation directive is invalid: {message}"))]
    InvalidPropagationDirective { message: String },

    /// The propagation target uses a scheme that is not supported.
    #[snafu(display("propagation target uses unsupported scheme `{scheme}`"))]
    UnsupportedTargetScheme { scheme: String },

    /// The propagation target is incomplete.
    #[snafu(display("propagation target `{target}` is incomplete"))]
    IncompleteTarget { target: String },

    /// A node-addressed target was given but no node target resolver exists.
    #[snafu(display("propagation target for node `{node_id}` requires a node target resolver"))]
    NodeTargetResolverRequired { node_id: String },

    /// The target for the given node could not be resolved.
    #[snafu(display("propagation target for node `{node_id}` could not be resolved"))]
    NodeTargetUnresolved { node_id: String },

    /// The target host is invalid.
    #[snafu(display("propagation target host `{host}` is invalid"))]
    InvalidTargetHost { host: String },

    // --- destination policy -----------------------------------------------
    /// The target is not an allowed propagation destination.
    #[snafu(display("propagation target `{target}` is not allowed"))]
    DestinationNotAllowed { target: String },

    /// The target host is an IP literal classed as sensitive and is denied.
    #[snafu(display(
        "propagation target host `{host}` is a sensitive IP literal and is not allowed"
    ))]
    SensitiveIpLiteralDenied { host: String },

    /// A CIDR used for propagation is invalid.
    #[snafu(display("propagation CIDR `{cidr}` is invalid"))]
    InvalidCidr { cidr: String },

    // --- token facts --------------------------------------------------------
    /// The issuer of the propagated token is not allowed.
    #[snafu(display("propagated token issuer `{issuer}` is not allowed"))]
    TokenIssuerNotAllowed { issuer: String },

    /// No token facts are available; validation needs `resource_token_principal`.
    #[snafu(display(
        "propagated token facts are unavailable; resource_token_principal is required for \
         validation"
    ))]
    TokenFactsUnavailable,

    /// The propagated token carries none of the allowed audiences.
    #[snafu(display("propagated token is missing an allowed audience"))]
    TokenAudienceNotAllowed,

    /// The propagated token lacks the named required scope.
    #[snafu(display("propagated token is missing required scope `{scope}`"))]
    TokenScopeMissing { scope: String },

    /// The `azp` of the propagated token is not allowed.
    #[snafu(display("propagated token azp `{azp}` is not allowed"))]
    TokenAzpNotAllowed { azp: String },
}
52
impl ToErrorPresentation for TokenPropagatorError {
    /// Maps every variant to one presentation: code
    /// `propagation_context_invalid`, a message that embeds this error's
    /// `Display` text, and [`UserRecovery::Retry`].
    fn to_error_presentation(&self) -> ErrorPresentation {
        // NOTE(review): `{self}` copies the full Display text into the
        // presentation, including target hosts, node ids, CIDRs, issuers and
        // azp values. If `ErrorPresentation` is shown to end users or remote
        // callers (presumed from its name; confirm), that discloses
        // destination-policy and topology detail. Consider a fixed message
        // here and keeping the detailed text for server-side logs.
        //
        // NOTE(review): the same code, "header is invalid" wording and `Retry`
        // hint are used for configuration errors and policy denials
        // (`DestinationNotAllowed`, `SensitiveIpLiteralDenied`,
        // `TokenIssuerNotAllowed`, ...), where repeating the same request
        // presumably cannot succeed. Verify this is intended.
        let message = format!("The propagation header is invalid: {self}");
        ErrorPresentation::new("propagation_context_invalid", message, UserRecovery::Retry)
    }
}
62
/// Shorthand for a result whose error type is [`TokenPropagatorError`].
pub type TokenPropagatorResult<T> = ::core::result::Result<T, TokenPropagatorError>;