From ed34a5251f13bbded0aa15719887db4924b351eb Mon Sep 17 00:00:00 2001 From: benj Date: Mon, 22 May 2023 15:47:06 -0700 Subject: update credential API to include sessions This change updates the credential API to include sessions as just another credential type. It adds the ApiToken type and enables revocation of credentials. Updates were also made to the Identity API which now includes a list of new credentials added to an Identity. This change also migrates off the hacky ENV configuration paradigm and includes a new config.toml file specified by the SECD_CONFIG_PATH env var. No default is currently provided. Clippy updates and code cleanup. --- crates/iam/src/api.rs | 98 +++++++++++++++++++++++---------------------------- 1 file changed, 45 insertions(+), 53 deletions(-) (limited to 'crates/iam/src/api.rs') diff --git a/crates/iam/src/api.rs b/crates/iam/src/api.rs index af175a7..c662e0c 100644 --- a/crates/iam/src/api.rs +++ b/crates/iam/src/api.rs @@ -97,6 +97,14 @@ pub enum Command { #[command(subcommand)] object: UpdateObject, }, + #[command( + about = "Validate an IAM credential, optionally returning a session from the validation", + long_about = "Validate\n\nCredentials which have been created for identities may be validated and optionally exchanged for sessions." + )] + Validate { + #[command(subcommand)] + object: ValidateObject, + }, } #[derive(Subcommand)] @@ -248,11 +256,15 @@ pub enum DevObject { #[derive(Subcommand)] pub enum CredentialMethod { - /// A + ApiToken { + #[arg(long)] + expires_at: Option, + }, + /// Unique username and passphrase credential. Each username may have at most one Passprhase credential. Passphrase { - /// B + /// The username associated with this credential username: String, - /// C + /// The secret passphrase for this credential passphrase: String, }, } @@ -274,60 +286,13 @@ pub enum ValidationMethod { #[derive(Subcommand)] pub enum GetObject { - ApiKey { - /// Public key associated with this api key set - public_key: String, - }, - Group { - /// Unique group name - name: String, - /// Unique group id - #[arg(long, short)] - id: Option, - }, Identity { /// The unique id corresponding to this identity. #[arg(long, short)] identity_id: Option, - /// Any session corresponding to this identity. - #[arg(long, short)] - session_token: Option, - }, - Permission { - /// Unique permission name - name: String, - /// Unique permission id - #[arg(long, short)] - id: Option, - }, - Role { - /// Unique role name - name: String, - /// Unique role id - #[arg(long, short)] - id: Option, - }, - Session { - /// The plaintext token which uniquely identifies the session - secret: String, - }, - Service { - /// Unique service name - name: String, - /// Unique service id - #[arg(long, short)] - id: Option, - }, - ServiceAction { - /// Unique service action name - name: String, - /// Unique service action id - #[arg(long, short)] - id: Option, - }, - Validation { - /// Unique validation request id - id: Uuid, + /// The credential corresponding to this identity. + #[command(subcommand)] + credential: Option, }, } @@ -340,6 +305,33 @@ pub enum UpdateObject { #[arg(long, short)] metadata: Option, }, + Credential { + /// Unique identifier for this credential. + /// Note: You can validate the credential to find it's id. + id: Uuid, + /// Whether to revoke this credential. Once revoked, the credential may no longer be used + /// and may not be un-revoked. + #[arg(long, short, action)] + revoke: bool, + }, +} + +#[derive(Subcommand)] +pub enum ValidateObject { + ApiToken { + /// Api token to validate + token: String, + }, + Passphrase { + /// The username associated with this credential + username: String, + /// The secret passphrase for this credential + passphrase: String, + }, + Session { + /// The secret token associated with this session. + token: String, + }, } #[derive(Serialize, Deserialize)] -- cgit v1.2.3