yeti_types/plugins/

auth.rs

//! Identity → access resolution.
//!
//! Replaces the legacy `AuthHook::on_resolve_role` trait. Plugins
//! that want to override default role resolution register a
//! `tower::Service<ResolveRequest, Response = ResolveResponse>`.
//!
//! The host runs the registered pipeline; the first plugin to
//! return `Some(access)` wins. Plugins that don't have an opinion
//! return `Ok(None)` and dispatch falls through to the next.
//!
//! Closed-enum boundary (2026-05-14): `ResolveResponse` carries an
//! [`Access`] value, not a `dyn AccessControl` trait object — the
//! request hot path stays devirtualized. Plugins that need to
//! produce a custom RBAC role construct it as `Access::User(Arc::new(
//! User { username, role: Role { ... } }))`; the role's
//! [`Permission`](crate::auth::Permission) tree expresses the same
//! RBAC matrix the deleted trait used to.

use std::sync::Arc;

use crate::auth::{Access, AuthIdentity};

/// Input to the auth resolver pipeline.
#[derive(Debug, Clone)]
pub struct ResolveRequest {
    /// The authenticated identity (from cookie, OAuth session,
    /// JWT, basic auth, mTLS — whichever provider populated it).
    pub identity: AuthIdentity,
    /// The target app id this request is being routed to.
    pub app_id: Arc<str>,
}

/// Output of the auth resolver pipeline. `Some(access)` short-circuits
/// the pipeline; `None` means "I don't have an opinion, fall through."
pub type ResolveResponse = Option<Access>;