spiffe_rustls/types.rs
1use std::sync::Arc;
2
/// Authorization hook for peer SPIFFE IDs.
///
/// The callback is invoked with the peer SPIFFE ID string extracted from the leaf certificate
/// (URI SAN), e.g. `spiffe://example.org/myservice`, and returns `true` to allow the peer or
/// `false` to reject it. This is an authorization decision layered on top of certificate
/// verification, not a replacement for it; the hook is presumably only reached once the chain
/// has verified — confirm against the verifier that invokes it. The hook is shared behind an
/// `Arc`, so implementations must be `Send + Sync + 'static`.
pub type AuthorizeSpiffeId = Arc<dyn Fn(&str) -> bool + Send + Sync + 'static>;
8
/// Returns an authorization hook that grants every peer SPIFFE ID.
///
/// This does not weaken authentication: the peer still has to present a certificate that
/// verifies; only the identity check performed by the hook is skipped. Use it only where
/// every verified workload is permitted to connect.
pub fn authorize_any() -> AuthorizeSpiffeId {
    // The presented ID is ignored entirely; anything reaching this hook is authorized.
    let accept_all = |_peer_id: &str| -> bool { true };
    Arc::new(accept_all)
}
15
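/// Returns an authorization hook that only accepts the given SPIFFE IDs.
///
/// Matching is an exact, case-sensitive byte comparison against the peer SPIFFE ID. No
/// normalization is applied (scheme or trust-domain case, trailing slashes, percent-encoding),
/// and entries are not validated as SPIFFE IDs: a malformed or misspelled entry simply never
/// matches. Each entry must therefore be spelled exactly as the ID is extracted from the peer
/// certificate's URI SAN.
///
/// Duplicates in `ids` are collapsed. An empty `ids` yields a hook that rejects every peer
/// (deny by default).
pub fn authorize_exact<I, S>(ids: I) -> AuthorizeSpiffeId
where
    I: IntoIterator<Item = S>,
    S: Into<String>,
{
    let mut allow: Vec<String> = ids.into_iter().map(Into::into).collect();
    // Sorted and deduplicated so membership is a binary search over an immutable list.
    allow.sort_unstable();
    allow.dedup();

    // Compare against the borrowed `&str` directly; allocating a `String` per check
    // (as `binary_search(&id.to_string())` would) is needless work on every handshake.
    Arc::new(move |id: &str| {
        allow
            .binary_search_by(|entry| entry.as_str().cmp(id))
            .is_ok()
    })
}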
28}