email templates, sendgrid, creds, and some experimental things

Started playing with namespace configs and integrating with zanzibar impls. Still lot's of experimenting and dead code going on.

1 files changed, 34 insertions, 178 deletions

diff --git a/crates/iam/src/api.rs b/crates/iam/src/api.rs
index ace3199..af175a7 100644
--- a/crates/iam/src/api.rs
+++ b/crates/iam/src/api.rs
@@ -1,7 +1,6 @@
 use crate::ISSUE_TRACKER_LOC;
 use clap::{Parser, Subcommand, ValueEnum};
 use colored::*;
-use secd::IdentityId;
 use serde::{Deserialize, Serialize};
 use thiserror;
 use url::Url;
@@ -81,52 +80,23 @@ pub enum Command {
         object: DevObject,
     },
     #[command(
-        about = "Get details for a specific IAM object",
+        about = "List and filter IAM objects",
         long_about = "Get\n\nGet details for a specific IAM object"
     )]
     Get {
         #[command(subcommand)]
         object: GetObject,
     },
+    /// Start the iam repl to more easily interact with iam and its primitives
+    Repl,
     #[command(
-        about = "Initialize an IAM store (alias for `iam admin init`)",
-        long_about = "Init\n\nInitalize a new IAM admin store and save the store's configuration profile. This command is an alias for, and thus equiavlent to, `iam admin init`."
-    )]
-    Init {
-        /// If true, interactively initialize an IAM store. Otherwise output a template config.
-        #[arg(long, short, action)]
-        interactive: bool,
-    },
-    #[command(
-        about = "Link multiple IAM objects together",
-        long_about = "Link\n\nCleave different IAM entities to create an IAM system."
-    )]
-    Link {
-        #[command(subcommand)]
-        object: LinkObject,
-        /// Unlink the provided entities rather than link them.
-        #[arg(long, short, action)]
-        unlink: bool,
-    },
-    #[command(
-        about = "List and filter IAM objects",
-        long_about = "List\n\nPage through collections of IAM objects with optional filtering"
+        about = "Update specified IAM object",
+        long_about = "Update\n\nUpdate details for the specified IAM object"
     )]
-    Ls {
+    Update {
         #[command(subcommand)]
-        object: ListObject,
-        /// Regex filter for entity names
-        #[arg(long, short)]
-        name: Option<String>,
-        /// Only fetch entities created after this time
-        #[arg(long, short)]
-        after: Option<i64>,
-        /// Only fetch entities created before this time
-        #[arg(long, short)]
-        before: Option<i64>,
+        object: UpdateObject,
     },
-    /// Start the iam repl to more easily interact with iam and its primitives
-    Repl,
 }
 
 #[derive(Subcommand)]
@@ -232,86 +202,13 @@ pub enum VoiceProvider {
 
 #[derive(Subcommand)]
 pub enum CreateObject {
-    #[command(
-        about = "A set of long-lived tokens which authorize an identity",
-        long_about = "Api Keys\n\nApi keys are long lived identifiers which authenticate and authorize a identity. Keys have a public and private part,\nwhich may be shared and must be kept private, respectively. Unlike sessions, api keys may be long-lived (infinite) or\nset to expire within certain timeframes."
-    )]
-    ApiKey {
-        /// Identity against which this api key will be linked
-        identity: Uuid,
-        /// Time this api key expires (epoch time)
-        expired_at: Option<i64>,
-    },
-    #[command(
-        about = "A collection of identities",
-        long_about = "Group\n\nA group may be created to operate simultaneously against a collection of identities. An identity may be part of mutliple groups, but it may not be part of the same group more than once."
-    )]
-    Group {
-        /// The unique name for this group
-        name: String,
-        /// An optional set of identities to link against this group
-        identities: Vec<Uuid>,
-    },
-    #[command(
-        about = "A collection of services and service actions",
-        long_about = "Permission\n\nA permission may be created to operate simultaneously against a collection of services and service actions. A service or service action may be part of mutliple permissions, but it may not be part of the same permission more than once. A permission may be used when many services and service actions are linked and unlinked against a role."
-    )]
-    Permission {
-        /// An optional set of services to link against this permission
-        #[arg(long, short)]
-        services: Vec<Uuid>,
-        /// An optional set of service actions to link against this permission
-        #[arg(long, short)]
-        actions: Vec<Uuid>,
-    },
-    #[command(
-        about = "A collection of permissions",
-        long_about = "Role\n\nA role may be created to operate simultaneously against a collection of permissions. A permission may be part of mutliple roles, but it may not be part of the same role more than once. A role may be used when many entities (such as groups or identities) are linked and unlinked against many permissions."
-    )]
-    Role {
-        /// The unique name for this role
-        name: String,
-        /// An optional set of permissions to link against this role
-        permissions: Vec<Uuid>,
-    },
-    #[command(
-        about = "An entity for which an action may be authorized",
-        long_about = "Service\n\nA service is an atomic entity which requires authorization. While a service's authorization may be subdivided by service actions, a service represents a logical element of authorization separation."
-    )]
-    Service {
-        /// The unique name for this service
-        name: String,
-        /// URI for this service which may be used to resolve authorization
-        #[arg(long, short)]
-        uri: Option<String>,
-    },
-    #[command(
-        about = "A specific authorization action by a service",
-        long_about = "Service Action\n\nA service action is a domain specific action which defines what an identity authorization within that service. A service action may be a simple boolean value or a more complex express which is evaluated at runtime. For example, a boolean action may be something like `can_read_salary_table`, and a more complex action may be `readable_table_rows(datetime)` which executes at runtime and returns a value (or list of values) the service may use to determine authorization. Service actions are used as an inversion of control pattern to ensure that services do not need to worry about specific authorization actions for identities. A service action is unnecessary if the service has no specific authorization logic."
-    )]
-    ServiceAction {
-        /// The unique name for this service action
-        name: String,
-        /// Program executed for this service action
-        #[arg(long, short)]
-        program: Option<String>,
-    },
-    #[command(
-        about = "A timebound token which authorizes an identity",
-        long_about = "Session\n\nA session is an opaque timebound token which allows an identity to authorize against IAM services. The session may be created by providing a validation request id and secret challenge code"
-    )]
-    Session {
-        /// The validation id associated with a non-expired valid validation
-        #[arg(long, short)]
-        validation_id: Uuid,
-        /// The secret code associated with this validation.
+    Credential {
+        #[command(subcommand)]
+        method: CredentialMethod,
+        /// The identity against which to associate this credential. A new identity will be created if no identity is provided.
         #[arg(long, short)]
-        secret_code: String,
+        identity_id: Option<Uuid>,
     },
-    #[command(
-        about = "An action which initiates an address validation",
-        long_about = "Validation\n\nA validation requires that the identity authenticate in some way, either by providing IAM managed credentials, an external gated mechanism (e.g. email, phone, or hardware key), or through a secondary authentication provider (oauth, saml, ldap, kerberos)."
-    )]
     Validation {
         /// Method by which the validation will occur
         #[command(subcommand)]
@@ -350,6 +247,17 @@ pub enum DevObject {
 }
 
 #[derive(Subcommand)]
+pub enum CredentialMethod {
+    /// A
+    Passphrase {
+        /// B
+        username: String,
+        /// C
+        passphrase: String,
+    },
+}
+
+#[derive(Subcommand)]
 pub enum ValidationMethod {
     /// An email address to which the validation will be sent
     Email {
@@ -378,8 +286,12 @@ pub enum GetObject {
         id: Option<Uuid>,
     },
     Identity {
+        /// The unique id corresponding to this identity.
+        #[arg(long, short)]
+        identity_id: Option<Uuid>,
         /// Any session corresponding to this identity.
-        session_token: String,
+        #[arg(long, short)]
+        session_token: Option<String>,
     },
     Permission {
         /// Unique permission name
@@ -420,72 +332,16 @@ pub enum GetObject {
 }
 
 #[derive(Subcommand)]
-pub enum LinkObject {
-    Group {
-        group_name: String,
-        #[arg(short, long, alias = "id")]
-        group_id: Option<Uuid>,
-
-        identity_ids: Vec<Uuid>,
-    },
+pub enum UpdateObject {
     Identity {
-        identity_id: Uuid,
-
-        group_names: Vec<String>,
-        #[arg(long)]
-        group_ids: Vec<Uuid>,
-    },
-    Permission {
-        permission_name: String,
-        #[arg(short, long, alias = "id")]
-        permission_id: Option<Uuid>,
-
-        role_names: Vec<String>,
-        #[arg(long)]
-        role_ids: Vec<Uuid>,
-    },
-    Role {
-        role_name: String,
-        #[arg(short, long, alias = "id")]
-        role_id: Option<Uuid>,
-
-        permission_names: Vec<String>,
-        #[arg(long)]
-        permission_ids: Vec<Uuid>,
-    },
-    Service {
-        service_name: String,
-        #[arg(short, long, alias = "id")]
-        service_id: Option<Uuid>,
-
-        permission_names: Vec<String>,
-        #[arg(long)]
-        permission_ids: Vec<Uuid>,
-    },
-    ServiceAction {
-        service_action_name: String,
-        #[arg(short, long, alias = "id")]
-        service_action_id: Option<Uuid>,
-
-        service_name: Vec<String>,
-        #[arg(long)]
-        service_ids: Vec<Uuid>,
+        /// Unique identifier for this identity.
+        id: Uuid,
+        /// Metadata for this identity. Note, structured metadata must be configured to be enforced.
+        #[arg(long, short)]
+        metadata: Option<String>,
     },
 }
 
-#[derive(Subcommand)]
-pub enum ListObject {
-    ApiKey,
-    Group,
-    Identity,
-    Permission,
-    Role,
-    Session,
-    Service,
-    ServiceAction,
-    Validation,
-}
-
 #[derive(Serialize, Deserialize)]
 pub struct Config {
     pub profile: Vec<ConfigProfile>,