
zlayer_agent/
auth.rs

1use jsonwebtoken::{encode, EncodingKey, Header};
2use serde::{Deserialize, Serialize};
3use std::time::{Duration, SystemTime, UNIX_EPOCH};
4
/// Claim set serialized into the payload of tokens minted by `mint_container_token`.
///
/// Field names are the JSON keys of the JWT payload, so renaming a field changes the
/// token format seen by whatever verifies these tokens.
#[derive(Serialize, Deserialize)]
struct Claims {
    // Subject; the minting function fills this with `container:{service_name}:{container_id}`.
    sub: String,
    // Expiry, in whole seconds since the Unix epoch (issue time plus the requested TTL).
    exp: u64,
    // Issued-at time, in whole seconds since the Unix epoch.
    iat: u64,
    // Issuer; the minting function always writes the fixed string "zlayer".
    iss: String,
    // Role names granted to the bearer; the minting function writes only "container".
    // NOTE(review): how verifiers interpret roles is not visible in this file — confirm
    // they check `iss` and `roles` as well as the signature and `exp`.
    roles: Vec<String>,
}
13
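/// Mint a scoped JWT for a container.
///
/// The subject is `container:{service_name}:{container_id}`, the issuer is `zlayer`,
/// and the only role is `container`. `iat` is the current time and `exp` is
/// `iat + ttl`, both in whole seconds since the Unix epoch. The token is signed with
/// an HMAC key built from the bytes of `secret`.
///
/// # Errors
///
/// Returns an error string if `secret` is empty, if the system clock reads earlier
/// than the Unix epoch, if adding `ttl` to the current time overflows, or if JWT
/// encoding fails.
pub fn mint_container_token(
    secret: &str,
    service_name: &str,
    container_id: &str,
    ttl: Duration,
) -> Result<String, String> {
    // Fail closed: an empty HMAC key would produce tokens that anyone can re-create.
    if secret.is_empty() {
        return Err("signing secret must not be empty".to_string());
    }

    let issued_at = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map_err(|e| e.to_string())?;

    // `Duration + Duration` panics on overflow; a caller-supplied TTL must not be able
    // to abort the agent, so report the overflow through the error channel instead.
    let expires_at = issued_at
        .checked_add(ttl)
        .ok_or_else(|| "token TTL overflows the expiry timestamp".to_string())?;

    // NOTE(review): neither name component is validated here. A `:` inside
    // `service_name` or `container_id` makes the subject ambiguous to any consumer
    // that splits it on `:` — confirm callers constrain both values.
    let claims = Claims {
        sub: format!("container:{service_name}:{container_id}"),
        iat: issued_at.as_secs(),
        exp: expires_at.as_secs(),
        iss: "zlayer".to_string(),
        roles: vec!["container".to_string()],
    };

    // `Header::default()` selects HS256 in jsonwebtoken; verifiers should pin that
    // algorithm rather than accept whatever the token header declares.
    let signing_key = EncodingKey::from_secret(secret.as_bytes());
    encode(&Header::default(), &claims, &signing_key).map_err(|e| e.to_string())
}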