systemprompt_models/profile/
security.rs1use std::path::PathBuf;
2
3use crate::auth::JwtAudience;
4use serde::{Deserialize, Serialize};
5
6pub const GATEWAY_REQUIRED_RESOURCE_AUDIENCES: &[&str] = &["hook"];
17
18#[must_use]
24pub fn default_resource_audiences() -> Vec<String> {
25 GATEWAY_REQUIRED_RESOURCE_AUDIENCES
26 .iter()
27 .map(|aud| (*aud).to_owned())
28 .collect()
29}
30
31const fn default_allow_registration() -> bool {
32 true
33}
34
35fn default_signing_key_path() -> PathBuf {
36 PathBuf::from("signing_key.pem")
37}
38
39pub const DEFAULT_ID_JAG_TTL_SECS: i64 = 300;
42
43const fn default_id_jag_ttl_secs() -> i64 {
44 DEFAULT_ID_JAG_TTL_SECS
45}
46
47#[derive(Debug, Clone, Serialize, Deserialize, schemars::JsonSchema)]
48#[serde(deny_unknown_fields)]
49pub struct SecurityConfig {
50 #[serde(rename = "jwt_issuer")]
51 pub issuer: String,
52
53 #[serde(rename = "jwt_access_token_expiration")]
54 pub access_token_expiration: i64,
55
56 #[serde(rename = "jwt_refresh_token_expiration")]
57 pub refresh_token_expiration: i64,
58
59 #[serde(rename = "jwt_audiences")]
60 pub audiences: Vec<JwtAudience>,
61
62 #[serde(default)]
63 pub allowed_resource_audiences: Vec<String>,
64
65 #[serde(default = "default_allow_registration")]
66 pub allow_registration: bool,
67
68 #[serde(default = "default_signing_key_path")]
69 pub signing_key_path: PathBuf,
70
71 #[serde(default, skip_serializing_if = "Vec::is_empty")]
72 pub trusted_issuers: Vec<TrustedIssuer>,
73
74 #[serde(default = "default_id_jag_ttl_secs")]
75 pub id_jag_ttl_secs: i64,
76}
77
78#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, schemars::JsonSchema)]
84#[serde(deny_unknown_fields)]
85pub struct TrustedIssuer {
86 pub issuer: String,
87 pub jwks_uri: String,
88 pub audience: String,
89
90 #[serde(default, skip_serializing_if = "Vec::is_empty")]
92 pub typ_allowlist: Vec<String>,
93
94 #[serde(default, skip_serializing_if = "Vec::is_empty")]
97 pub allowed_client_ids: Vec<String>,
98
99 #[serde(default)]
101 pub can_issue_id_jag: bool,
102}