
securitydept_token_set_context/access_token_substrate/
mod.rs

1//! Shared access-token substrate — cross-mode runtime infrastructure.
2//!
3//! This module **owns** capabilities that depend only on a verified access
4//! token and the `X-SecurityDept-Propagation` header, regardless of which OIDC
5//! mode originally produced the token.
6//!
7//! # Capability axes
8//!
9//! - **`token_propagation`** — `disabled` vs `enabled` (downstream bearer
10//!   propagation substrate)
11//!
12//! # Submodules
13//!
14//! | Submodule | Description |
15//! |---|---|
16//! | [`capabilities`] | Substrate capability axes (`TokenPropagation`) |
17//! | [`config`] | `AccessTokenSubstrateConfig` |
18//! | [`runtime`] | `AccessTokenSubstrateRuntime` — single authority for substrate runtime objects |
19//! | [`propagation`] | Destination-policy-gated bearer propagation |
20//! | [`forwarder`] | Propagation forwarder traits (`PropagationForwarderConfigSource`, `PropagationForwarder`, `PropagationForwarderError`) + axum reverse-proxy forwarder (feature-gated) |
21//!
22//! # Resource-server types
23//!
24//! Key resource-server types from `securitydept-oauth-resource-server` are
25//! re-exported here so adopters do not need a direct dependency:
26//!
27//! - [`ResourceTokenPrincipal`]
28//! - [`VerifiedAccessToken`], [`VerifiedToken`]
29//! - [`VerificationPolicy`]
30//! - [`OAuthResourceServerVerifier`]
31
32// --- Own submodules (physically live here) ---
33
34pub mod capabilities;
35pub mod config;
36pub(crate) mod forwarder;
37pub(crate) mod propagation;
38pub mod runtime;
39mod service;
40
41// --- Capabilities public re-exports ---
42pub use capabilities::{TokenPropagation, TokenPropagationKind};
43// --- Config public re-exports ---
44pub use config::{
45    AccessTokenSubstrateConfig, AccessTokenSubstrateConfigSource,
46    ResolvedAccessTokenSubstrateConfig,
47};
48// --- Axum concrete forwarder re-exports (feature-gated) ---
49#[cfg(feature = "axum-reverse-proxy-propagation-forwarder")]
50pub use forwarder::{
51    AxumReverseProxyPropagationForwarder, AxumReverseProxyPropagationForwarderConfig,
52};
53// --- Forwarder trait + error re-exports (always available) ---
54pub use forwarder::{
55    PropagationForwarder, PropagationForwarderConfigSource, PropagationForwarderError,
56    PropagationForwarderResult,
57};
58// --- Propagation public re-exports ---
59pub use propagation::{
60    AllowedPropagationTarget, BearerPropagationPolicy, DEFAULT_PROPAGATION_HEADER_NAME,
61    PropagatedBearer, PropagatedTokenValidationConfig, PropagationDestinationPolicy,
62    PropagationDirective, PropagationNodeTargetResolver, PropagationRequestTarget,
63    PropagationScheme, TokenPropagator, TokenPropagatorConfig, TokenPropagatorError,
64    TokenPropagatorResult,
65};
66// --- Runtime public re-exports ---
67pub use runtime::{AccessTokenSubstrateRuntime, AccessTokenSubstrateRuntimeError};
68// --- Resource-server re-exports ---
69pub use securitydept_oauth_resource_server::{
70    OAuthResourceServerVerifier, ResourceTokenPrincipal, VerificationPolicy, VerifiedAccessToken,
71    VerifiedToken,
72};
73// --- Service public re-exports ---
74pub use service::{AccessTokenSubstrateResourceService, AccessTokenSubstrateResourceServiceError};