policy: prepare for the client credentials grant

2025-07-31 09:24:31 +03:00 · 2023-09-04 18:22:50 +02:00
parent 7a9197f222
commit 8658a3400d
5 changed files with 150 additions and 36 deletions
--- a/crates/policy/src/lib.rs
+++ b/crates/policy/src/lib.rs
@ -20,7 +20,7 @@
 pub mod model;

 use mas_data_model::{AuthorizationGrant, Client, User};
-use oauth2_types::registration::VerifiedClientMetadata;
+use oauth2_types::{registration::VerifiedClientMetadata, scope::Scope};
 use opa_wasm::Runtime;
 use thiserror::Error;
 use tokio::io::{AsyncRead, AsyncReadExt};
@ -30,6 +30,7 @@ use self::model::{
    AuthorizationGrantInput, ClientRegistrationInput, EmailInput, PasswordInput, RegisterInput,
 };
 pub use self::model::{EvaluationResult, Violation};
+use crate::model::GrantType;

 #[derive(Debug, Error)]
 pub enum LoadError {
@ -300,6 +301,7 @@ impl Policy {
        skip_all,
        fields(
            input.authorization_grant.id = %authorization_grant.id,
+            input.scope = %authorization_grant.scope,
            input.client.id = %client.id,
            input.user.id = %user.id,
        ),
@ -314,7 +316,43 @@ impl Policy {
        let input = AuthorizationGrantInput {
            user,
            client,
-            authorization_grant,
+            scope: &authorization_grant.scope,
+            grant_type: GrantType::AuthorizationCode,
+        };
+
+        let [res]: [EvaluationResult; 1] = self
+            .instance
+            .evaluate(
+                &mut self.store,
+                &self.entrypoints.authorization_grant,
+                &input,
+            )
+            .await?;
+
+        Ok(res)
+    }
+
+    #[tracing::instrument(
+        name = "policy.evaluate.client_credentials_grant",
+        skip_all,
+        fields(
+            input.scope = %scope,
+            input.client.id = %client.id,
+            input.user.id = %user.id,
+        ),
+        err,
+    )]
+    pub async fn evaluate_client_credentials_grant(
+        &mut self,
+        scope: &Scope,
+        client: &Client,
+        user: &User,
+    ) -> Result<EvaluationResult, EvaluationError> {
+        let input = AuthorizationGrantInput {
+            user,
+            client,
+            scope,
+            grant_type: GrantType::ClientCredentials,
        };

        let [res]: [EvaluationResult; 1] = self
--- a/crates/policy/src/model.rs
+++ b/crates/policy/src/model.rs
@ -12,8 +12,13 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-use mas_data_model::{AuthorizationGrant, Client, User};
-use oauth2_types::registration::VerifiedClientMetadata;
+//! Input and output types for policy evaluation.
+//!
+//! This is useful to generate JSON schemas for each input type, which can then
+//! be type-checked by Open Policy Agent.
+
+use mas_data_model::{Client, User};
+use oauth2_types::{registration::VerifiedClientMetadata, scope::Scope};
 use serde::{Deserialize, Serialize};

 /// A single violation of a policy.
@ -87,6 +92,14 @@ pub struct ClientRegistrationInput<'a> {
    pub client_metadata: &'a VerifiedClientMetadata,
 }

+#[derive(Serialize, Debug)]
+#[serde(rename_all = "snake_case")]
+#[cfg_attr(feature = "jsonschema", derive(schemars::JsonSchema))]
+pub enum GrantType {
+    AuthorizationCode,
+    ClientCredentials,
+}
+
 /// Input for the authorization grant policy.
 #[derive(Serialize, Debug)]
 #[serde(rename_all = "snake_case")]
@ -104,11 +117,10 @@ pub struct AuthorizationGrantInput<'a> {
    )]
    pub client: &'a Client,

-    #[cfg_attr(
-        feature = "jsonschema",
-        schemars(with = "std::collections::HashMap<String, serde_json::Value>")
-    )]
-    pub authorization_grant: &'a AuthorizationGrant,
+    #[cfg_attr(feature = "jsonschema", schemars(with = "String"))]
+    pub scope: &'a Scope,
+
+    pub grant_type: GrantType,
 }

 /// Input for the email add policy.