securitydept_token_set_context/access_token_substrate/capabilities.rs
1// ---------------------------------------------------------------------------
2// Access-token substrate capability axes
3// ---------------------------------------------------------------------------
4
5use serde::{Deserialize, Serialize};
6
7use super::propagation::TokenPropagatorConfig;
8
9// ---- Token propagation ----
10
/// Payload-free discriminant naming the two token-propagation states.
///
/// Variant names are (de)serialized in `snake_case`. The default is
/// `Disabled`, so a defaulted value never reports propagation as active.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq, Hash, Deserialize, Serialize)]
#[serde(rename_all = "snake_case")]
pub enum TokenPropagationKind {
    /// Access tokens are not propagated.
    #[default]
    Disabled,
    /// Access tokens are propagated.
    Enabled,
}
21
/// Capability axis: may access tokens be forwarded to downstream services,
/// and under which policy.
///
/// The `Enabled` variant owns its `TokenPropagatorConfig`, so an enabled value
/// cannot exist without a propagation policy. The default is `Disabled`, i.e.
/// a defaulted value forwards nothing.
///
/// Deserialization is internally tagged on the `kind` key with `snake_case`
/// variant names; for the enabled variant the `TokenPropagatorConfig` fields
/// are flattened next to `kind` rather than nested under their own key.
///
/// The capability is owned by the `access_token_substrate` layer and is not
/// tied to any particular OIDC mode.
//
// NOTE(review): serde documents `deny_unknown_fields` as unsupported together
// with `flatten`, so a misspelled policy key beside `kind` may be ignored
// rather than rejected. Confirm how `TokenPropagatorConfig` is validated
// after loading.
// NOTE(review): the derived `Debug` prints the whole config. Confirm that
// `TokenPropagatorConfig` holds nothing sensitive before logging this value.
#[derive(Clone, Debug, Default, Deserialize)]
#[serde(tag = "kind", rename_all = "snake_case")]
pub enum TokenPropagation {
    /// Propagation is off: nothing is forwarded downstream.
    #[default]
    Disabled,
    /// Propagation is on, governed by the attached policy configuration.
    Enabled {
        #[serde(flatten)]
        config: TokenPropagatorConfig,
    },
}
41
impl TokenPropagation {
    /// Returns the payload-free [`TokenPropagationKind`] matching this value.
    pub fn kind(&self) -> TokenPropagationKind {
        // Exhaustive on purpose: no wildcard arm, so adding a variant forces
        // this mapping to be revisited at compile time.
        match self {
            Self::Enabled { .. } => TokenPropagationKind::Enabled,
            Self::Disabled => TokenPropagationKind::Disabled,
        }
    }

    /// Borrows the propagation policy when propagation is enabled.
    ///
    /// Returns `None` for `Disabled`; callers should read that as "do not
    /// forward the token" rather than substituting a fallback policy.
    pub fn config(&self) -> Option<&TokenPropagatorConfig> {
        match self {
            Self::Disabled => None,
            Self::Enabled { config: policy } => Some(policy),
        }
    }
}
57}