vaultrs/auth/
oidc.rs

1use crate::{
2    api::{
3        self,
4        auth::oidc::{
5            requests::{JWTLoginRequest, OIDCAuthRequest, OIDCCallbackRequest},
6            responses::OIDCAuthResponse,
7        },
8        AuthInfo,
9    },
10    client::Client,
11    error::ClientError,
12};
13
14/// Obtain an authorization URL from Vault to start an OIDC login flow
15///
16/// See [OIDCAuthRequest]
17pub async fn auth(
18    client: &impl Client,
19    mount: &str,
20    redirect_uri: &str,
21    role: Option<String>,
22) -> Result<OIDCAuthResponse, ClientError> {
23    let mut endpoint = OIDCAuthRequest::builder();
24    if let Some(r) = role {
25        endpoint.role(r);
26    }
27    api::exec_with_result(
28        client,
29        endpoint
30            .mount(mount)
31            .redirect_uri(redirect_uri)
32            .build()
33            .unwrap(),
34    )
35    .await
36}
37
38/// Exchange an authorization code for an OIDC ID Token
39///
40/// See [OIDCCallbackRequest]
41pub async fn callback(
42    client: &impl Client,
43    mount: &str,
44    state: &str,
45    nonce: &str,
46    code: &str,
47) -> Result<AuthInfo, ClientError> {
48    let endpoint = OIDCCallbackRequest::builder()
49        .mount(mount)
50        .state(state)
51        .nonce(nonce)
52        .code(code)
53        .build()
54        .unwrap();
55    api::auth(client, endpoint).await
56}
57
58/// Fetch a token using a JWT token
59///
60/// See [JWTLoginRequest]
61pub async fn login(
62    client: &impl Client,
63    mount: &str,
64    jwt: &str,
65    role: Option<String>,
66) -> Result<AuthInfo, ClientError> {
67    let mut endpoint = JWTLoginRequest::builder();
68    if let Some(r) = role {
69        endpoint.role(r);
70    }
71    api::auth(client, endpoint.mount(mount).jwt(jwt).build().unwrap()).await
72}
73
74pub mod config {
75    use crate::{
76        api::{
77            self,
78            auth::oidc::{
79                requests::{
80                    ReadConfigurationRequest, SetConfigurationRequest,
81                    SetConfigurationRequestBuilder,
82                },
83                responses::ReadConfigurationResponse,
84            },
85        },
86        client::Client,
87        error::ClientError,
88    };
89
90    /// Read the configuration of the mounted KV engine
91    ///
92    /// See [ReadConfigurationResponse]
93    pub async fn read(
94        client: &impl Client,
95        mount: &str,
96    ) -> Result<ReadConfigurationResponse, ClientError> {
97        let endpoint = ReadConfigurationRequest::builder()
98            .mount(mount)
99            .build()
100            .unwrap();
101        api::exec_with_result(client, endpoint).await
102    }
103
104    /// Update the configuration of the mounted KV engine
105    ///
106    /// See [SetConfigurationRequest]
107    pub async fn set(
108        client: &impl Client,
109        mount: &str,
110        opts: Option<&mut SetConfigurationRequestBuilder>,
111    ) -> Result<(), ClientError> {
112        let mut t = SetConfigurationRequest::builder();
113        let endpoint = opts.unwrap_or(&mut t).mount(mount).build().unwrap();
114        api::exec_with_empty(client, endpoint).await
115    }
116}
117
118pub mod role {
119    use crate::api;
120    use crate::api::auth::oidc::{
121        requests::{
122            DeleteRoleRequest, ListRolesRequest, ReadRoleRequest, SetRoleRequest,
123            SetRoleRequestBuilder,
124        },
125        responses::{ListRolesResponse, ReadRoleResponse},
126    };
127    use crate::client::Client;
128    use crate::error::ClientError;
129
130    /// Deletes a role
131    ///
132    /// See [DeleteRoleRequest]
133    pub async fn delete(client: &impl Client, mount: &str, name: &str) -> Result<(), ClientError> {
134        let endpoint = DeleteRoleRequest::builder()
135            .mount(mount)
136            .name(name)
137            .build()
138            .unwrap();
139        api::exec_with_empty(client, endpoint).await
140    }
141
142    /// Lists all roles
143    ///
144    /// See [ListRolesRequest]
145    pub async fn list(client: &impl Client, mount: &str) -> Result<ListRolesResponse, ClientError> {
146        let endpoint = ListRolesRequest::builder().mount(mount).build().unwrap();
147        api::exec_with_result(client, endpoint).await
148    }
149
150    /// Reads a role
151    ///
152    /// See [ReadRoleRequest]
153    pub async fn read(
154        client: &impl Client,
155        mount: &str,
156        name: &str,
157    ) -> Result<ReadRoleResponse, ClientError> {
158        let endpoint = ReadRoleRequest::builder()
159            .mount(mount)
160            .name(name)
161            .build()
162            .unwrap();
163        api::exec_with_result(client, endpoint).await
164    }
165
166    /// Creates or updates a role
167    ///
168    /// See [SetRoleRequest]
169    pub async fn set(
170        client: &impl Client,
171        mount: &str,
172        name: &str,
173        user_claim: &str,
174        allowed_redirect_uris: Vec<String>,
175        opts: Option<&mut SetRoleRequestBuilder>,
176    ) -> Result<(), ClientError> {
177        let mut t = SetRoleRequest::builder();
178        let endpoint = opts
179            .unwrap_or(&mut t)
180            .mount(mount)
181            .name(name)
182            .user_claim(user_claim)
183            .allowed_redirect_uris(allowed_redirect_uris)
184            .build()
185            .unwrap();
186        api::exec_with_empty(client, endpoint).await
187    }
188}