+1

Cargo.lock

reviewed

··· 2365 2365 "http", 2366 2366 "jacquard-common", 2367 2367 "jacquard-identity", 2368 2368 + "jacquard-lexicon", 2368 2369 "jose-jwa", 2369 2370 "jose-jwk", 2370 2371 "k256",

+2

crates/jacquard-oauth/Cargo.toml

reviewed

··· 19 19 tracing = ["dep:tracing"] 20 20 websocket = ["jacquard-common/websocket"] 21 21 streaming = ["jacquard-common/streaming", "dep:n0-future"] 22 22 + scope-check = ["dep:jacquard-lexicon"] 22 23 23 24 [dependencies] 24 25 jacquard-common = { version = "0.12.0-beta.1", path = "../jacquard-common", features = ["reqwest-client"] } 25 26 jacquard-identity = { version = "0.12.0-beta.1", path = "../jacquard-identity" } 27 27 + jacquard-lexicon = { version = "0.12.0-beta.1", path = "../jacquard-lexicon", optional = true } 26 28 serde = { workspace = true, features = ["derive"] } 27 29 serde_json = { workspace = true } 28 30 smol_str = { workspace = true }

+8 -1

crates/jacquard-oauth/src/client.rs

reviewed

··· 296 296 } else { 297 297 Scopes::empty() 298 298 }; 299 299 - let client_data = ClientSessionData { 299 299 + let mut client_data = ClientSessionData { 300 300 account_did: token_set.sub.clone(), 301 301 session_id: auth_req_info.state, 302 302 host_url: Uri::parse(token_set.aud.as_str())?.to_owned(), ··· 313 313 .unwrap_or_default(), 314 314 }, 315 315 token_set, 316 316 + #[cfg(feature = "scope-check")] 317 317 + resolved_scopes: None, 316 318 }; 319 319 + 320 320 + // TODO: Phase 5 Task 3 - eagerly resolve include scopes 321 321 + // When scope-check is enabled, iterate the scopes, find any Include scopes, 322 322 + // resolve them via resolve_permission_set(), and populate resolved_scopes. 323 323 + // For now, this is left as None. 317 324 318 325 self.create_session(client_data).await 319 326 }

+2

crates/jacquard-oauth/src/request.rs

reviewed

··· 1096 1096 token_type: crate::types::OAuthTokenType::DPoP, 1097 1097 expires_at: None, 1098 1098 }, 1099 1099 + #[cfg(feature = "scope-check")] 1100 1100 + resolved_scopes: None, 1099 1101 }; 1100 1102 let err = super::refresh(&client, session, &meta).await.unwrap_err(); 1101 1103 assert!(matches!(err.kind(), RequestErrorKind::NoRefreshToken));

+128

crates/jacquard-oauth/src/resolver.rs

reviewed

··· 124 124 #[error("url parsing error")] 125 125 #[diagnostic(code(jacquard_oauth::resolver::url))] 126 126 Uri, 127 127 + 128 128 + /// Permission set is not a lexicon def 129 129 + #[cfg(feature = "scope-check")] 130 130 + #[error("permission set is not a valid lexicon def")] 131 131 + #[diagnostic( 132 132 + code(jacquard_oauth::resolver::not_a_permission_set), 133 133 + help("ensure the lexicon schema's 'main' def is a permission-set type") 134 134 + )] 135 135 + NotAPermissionSet, 136 136 + 137 137 + /// Permission set namespace constraint violation 138 138 + #[cfg(feature = "scope-check")] 139 139 + #[error("permission set namespace violation: {0}")] 140 140 + #[diagnostic( 141 141 + code(jacquard_oauth::resolver::permission_set_namespace), 142 142 + help("all permissions must be within the owning namespace") 143 143 + )] 144 144 + PermissionSetNamespace(SmolStr), 145 145 + 146 146 + /// Permission set conversion error 147 147 + #[cfg(feature = "scope-check")] 148 148 + #[error("permission set conversion error: {0}")] 149 149 + #[diagnostic(code(jacquard_oauth::resolver::permission_set_conversion))] 150 150 + PermissionSetConversion(SmolStr), 127 151 } 128 152 129 153 impl ResolverError { ··· 257 281 pub fn http_status(status: StatusCode) -> Self { 258 282 Self::new(ResolverErrorKind::HttpStatus(status), None) 259 283 } 284 284 + 285 285 + /// Create a "not a permission set" error 286 286 + #[cfg(feature = "scope-check")] 287 287 + pub fn not_a_permission_set() -> Self { 288 288 + Self::new(ResolverErrorKind::NotAPermissionSet, None) 289 289 + } 290 290 + 291 291 + /// Create a permission set namespace violation error 292 292 + #[cfg(feature = "scope-check")] 293 293 + pub fn permission_set_namespace(msg: impl Into<SmolStr>) -> Self { 294 294 + Self::new(ResolverErrorKind::PermissionSetNamespace(msg.into()), None) 295 295 + } 296 296 + 297 297 + /// Create a permission set conversion error 298 298 + #[cfg(feature = "scope-check")] 299 299 + pub fn permission_set_conversion(msg: impl Into<SmolStr>) -> Self { 300 300 + Self::new(ResolverErrorKind::PermissionSetConversion(msg.into()), None) 301 301 + } 260 302 } 261 303 262 304 /// Result type for resolver operations ··· 306 348 Self::new(ResolverErrorKind::Uri, Some(Box::new(e))) 307 349 .with_context(msg) 308 350 .with_help("ensure URIs are well-formed (e.g., https://example.com)") 351 351 + } 352 352 + } 353 353 + 354 354 + #[cfg(feature = "scope-check")] 355 355 + impl From<jacquard_identity::lexicon_resolver::LexiconResolutionError> for ResolverError { 356 356 + fn from(e: jacquard_identity::lexicon_resolver::LexiconResolutionError) -> Self { 357 357 + let msg = smol_str::format_smolstr!("{:?}", e); 358 358 + Self::new(ResolverErrorKind::Transport, Some(Box::new(e))) 359 359 + .with_context(msg) 360 360 + .with_help("failed to resolve lexicon schema; check network connectivity") 309 361 } 310 362 } 311 363 ··· 764 816 } 765 817 } 766 818 819 819 + /// Resolve a permission set NSID into its constituent scopes. 820 820 + /// 821 821 + /// Requires both `OAuthResolver` (for identity/HTTP) and 822 822 + /// `LexiconSchemaResolver` (for lexicon schema fetching, which uses 823 823 + /// the `nsid_to_schema` cache with 7-day TTL). 824 824 + #[cfg(feature = "scope-check")] 825 825 + pub async fn resolve_permission_set<R, S>( 826 826 + resolver: &R, 827 827 + nsid: &jacquard_common::types::nsid::Nsid<S>, 828 828 + inherited_audience: Option<&jacquard_common::types::did::Did<smol_str::SmolStr>>, 829 829 + ) -> Result<Vec<crate::scopes::Scope<smol_str::SmolStr>>> 830 830 + where 831 831 + R: OAuthResolver + jacquard_identity::lexicon_resolver::LexiconSchemaResolver + Sync, 832 832 + S: jacquard_common::bos::BosStr + Sync, 833 833 + { 834 834 + use jacquard_lexicon::lexicon::{LexUserType, PermissionSetError}; 835 835 + 836 836 + // 1. Fetch the lexicon schema (cached via nsid_to_schema). 837 837 + let schema = resolver.resolve_lexicon_schema(nsid).await?; 838 838 + 839 839 + // 2. Extract the "main" def from the LexiconDoc. 840 840 + let main_def = schema.doc.defs.get("main") 841 841 + .ok_or_else(|| ResolverError::not_found())?; 842 842 + 843 843 + // 3. Downcast to LexPermissionSet. 844 844 + let perm_set = match main_def { 845 845 + LexUserType::PermissionSet(ps) => ps, 846 846 + _ => return Err(ResolverError::not_a_permission_set()), 847 847 + }; 848 848 + 849 849 + // 4. Validate namespace constraints. 850 850 + perm_set.validate(nsid.as_ref()) 851 851 + .map_err(|e| match e { 852 852 + PermissionSetError::EmptyPermissions => { 853 853 + ResolverError::permission_set_conversion("permission set has empty permissions array") 854 854 + } 855 855 + PermissionSetError::NamespaceViolation { nsid: n, resource: r } => { 856 856 + ResolverError::permission_set_namespace( 857 857 + smol_str::format_smolstr!("{} references out-of-namespace resource: {}", n, r) 858 858 + ) 859 859 + } 860 860 + })?; 861 861 + 862 862 + // 5. Expand to concrete scopes, passing inherited audience for inheritAud. 863 863 + crate::scopes::expand_permission_set(perm_set, inherited_audience) 864 864 + .map_err(|e| ResolverError::permission_set_conversion(smol_str::format_smolstr!("{}", e))) 865 865 + } 866 866 + 767 867 /// Fetch and validate the `/.well-known/oauth-authorization-server` document for `server`. 768 868 /// 769 869 /// Per RFC 8414 §3.3 the `issuer` field in the response must equal the `server` URL exactly; ··· 917 1017 let issuer_base = CowStr::new_static("https://issuer.example.com"); 918 1018 let issuer_with_path = CowStr::new_static("https://issuer.example.com/path"); 919 1019 assert_ne!(issuer_base, issuer_with_path); 1020 1020 + } 1021 1021 + 1022 1022 + #[cfg(feature = "scope-check")] 1023 1023 + #[tokio::test] 1024 1024 + async fn test_expand_permission_set_exported() { 1025 1025 + // This is a simple integration test that verifies expand_permission_set is accessible 1026 1026 + use crate::scopes::expand_permission_set; 1027 1027 + use jacquard_lexicon::lexicon::{LexPermission, LexPermissionResource, LexPermissionSet}; 1028 1028 + use jacquard_common::CowStr; 1029 1029 + 1030 1030 + let mut perms = Vec::new(); 1031 1031 + perms.push(LexPermission::Permission { 1032 1032 + resource: LexPermissionResource::Identity { 1033 1033 + attr: CowStr::Borrowed("handle"), 1034 1034 + }, 1035 1035 + }); 1036 1036 + 1037 1037 + let perm_set = LexPermissionSet { 1038 1038 + title: None, 1039 1039 + title_lang: None, 1040 1040 + detail: None, 1041 1041 + detail_lang: None, 1042 1042 + permissions: perms, 1043 1043 + }; 1044 1044 + 1045 1045 + let scopes = expand_permission_set(&perm_set, None).expect("should expand permission set"); 1046 1046 + assert_eq!(scopes.len(), 1); 1047 1047 + assert!(matches!(scopes[0], crate::scopes::Scope::Identity(crate::scopes::IdentityScope::Handle))); 920 1048 } 921 1049 }

+508

crates/jacquard-oauth/src/scopes.rs

reviewed

··· 2207 2207 params 2208 2208 } 2209 2209 2210 2210 + /// Error type for permission set expansion and conversion 2211 2211 + #[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)] 2212 2212 + #[non_exhaustive] 2213 2213 + pub enum PermissionSetConversionError { 2214 2214 + /// Unknown identity attribute in permission set 2215 2215 + #[error("unknown identity attribute: {0}")] 2216 2216 + UnknownIdentityAttr(String), 2217 2217 + 2218 2218 + /// Unknown account attribute in permission set 2219 2219 + #[error("unknown account attribute: {0}")] 2220 2220 + UnknownAccountAttr(String), 2221 2221 + 2222 2222 + /// Invalid MIME pattern in blob permission 2223 2223 + #[error("invalid MIME pattern: {0}")] 2224 2224 + InvalidMimePattern(String), 2225 2225 + } 2226 2226 + 2210 2227 /// Error type for scope parsing 2211 2228 #[derive(Debug, Clone, PartialEq, Eq, thiserror::Error, miette::Diagnostic)] 2212 2229 #[non_exhaustive] ··· 2238 2255 } 2239 2256 } 2240 2257 2258 2258 + /// Convert a resolved permission set into its constituent scope values. 2259 2259 + /// 2260 2260 + /// Each permission entry expands to one or more concrete scopes: 2261 2261 + /// - Repo: one `Scope::Repo` per collection NSID 2262 2262 + /// - Rpc: one `Scope::Rpc` per lxm NSID (with shared aud) 2263 2263 + /// - Blob: one `Scope::Blob` with all accept patterns 2264 2264 + /// - Identity: `Scope::Identity` based on attr 2265 2265 + /// - Account: `Scope::Account` based on attr and action 2266 2266 + /// `inherited_audience` is the audience from the `include:` scope's `?aud=` 2267 2267 + /// parameter. Passed to RPC permissions with `inherit_aud: true`. 2268 2268 + #[cfg(feature = "scope-check")] 2269 2269 + pub fn expand_permission_set( 2270 2270 + perm_set: &jacquard_lexicon::lexicon::LexPermissionSet<'static>, 2271 2271 + inherited_audience: Option<&Did<SmolStr>>, 2272 2272 + ) -> Result<Vec<Scope<SmolStr>>, PermissionSetConversionError> { 2273 2273 + use jacquard_lexicon::lexicon::{LexPermission, LexPermissionResource}; 2274 2274 + 2275 2275 + let mut scopes = Vec::new(); 2276 2276 + 2277 2277 + for perm in &perm_set.permissions { 2278 2278 + let LexPermission::Permission { resource } = perm; 2279 2279 + match resource { 2280 2280 + LexPermissionResource::Repo { collection, action } => { 2281 2281 + let actions = action 2282 2282 + .as_ref() 2283 2283 + .map(|a| a.iter().copied().collect()) 2284 2284 + .unwrap_or_else(|| { 2285 2285 + let mut all = BTreeSet::new(); 2286 2286 + all.insert(RepoAction::Create); 2287 2287 + all.insert(RepoAction::Update); 2288 2288 + all.insert(RepoAction::Delete); 2289 2289 + all 2290 2290 + }); 2291 2291 + 2292 2292 + for col_nsid in collection { 2293 2293 + scopes.push(Scope::Repo(RepoScope { 2294 2294 + collection: RepoCollection::Nsid(col_nsid.clone().convert()), 2295 2295 + actions: actions.clone(), 2296 2296 + })); 2297 2297 + } 2298 2298 + } 2299 2299 + LexPermissionResource::Rpc { lxm, aud, inherit_aud } => { 2300 2300 + // Build the audience set based on priority order 2301 2301 + let mut aud_set = BTreeSet::new(); 2302 2302 + if let Some(explicit_aud) = aud { 2303 2303 + aud_set.insert(RpcAudience::Did(explicit_aud.clone().convert())); 2304 2304 + } else if inherit_aud.unwrap_or(false) && inherited_audience.is_some() { 2305 2305 + aud_set.insert(RpcAudience::Did(inherited_audience.unwrap().clone())); 2306 2306 + } else { 2307 2307 + aud_set.insert(RpcAudience::All); 2308 2308 + } 2309 2309 + 2310 2310 + // Create one RpcScope with all lxm NSIDs and the resolved audience 2311 2311 + let mut lxm_set = BTreeSet::new(); 2312 2312 + for lxm_nsid in lxm { 2313 2313 + lxm_set.insert(RpcLexicon::Nsid(lxm_nsid.clone().convert())); 2314 2314 + } 2315 2315 + 2316 2316 + if !lxm_set.is_empty() { 2317 2317 + scopes.push(Scope::Rpc(RpcScope { 2318 2318 + lxm: lxm_set, 2319 2319 + aud: aud_set, 2320 2320 + })); 2321 2321 + } 2322 2322 + } 2323 2323 + LexPermissionResource::Blob { accept, .. } => { 2324 2324 + let mut patterns = BTreeSet::new(); 2325 2325 + for mime_type in accept { 2326 2326 + let pattern_str = mime_type.as_ref(); 2327 2327 + match validate_mime_pattern(pattern_str) { 2328 2328 + Ok(kind) => { 2329 2329 + // For TypeWildcard, strip the `/*` suffix before storing. 2330 2330 + let mime_str = match kind { 2331 2331 + MimePatternKind::TypeWildcard => { 2332 2332 + SmolStr::new(&pattern_str[..pattern_str.len() - 2]) 2333 2333 + } 2334 2334 + _ => SmolStr::new(pattern_str), 2335 2335 + }; 2336 2336 + let pattern = unsafe { MimePattern::unchecked(mime_str, kind) }; 2337 2337 + patterns.insert(pattern); 2338 2338 + } 2339 2339 + Err(_) => { 2340 2340 + return Err(PermissionSetConversionError::InvalidMimePattern( 2341 2341 + pattern_str.to_string(), 2342 2342 + )); 2343 2343 + } 2344 2344 + } 2345 2345 + } 2346 2346 + 2347 2347 + if !patterns.is_empty() { 2348 2348 + scopes.push(Scope::Blob(BlobScope { accept: patterns })); 2349 2349 + } 2350 2350 + } 2351 2351 + LexPermissionResource::Identity { attr } => { 2352 2352 + let identity_scope = match attr.as_ref() { 2353 2353 + "handle" => IdentityScope::Handle, 2354 2354 + "*" => IdentityScope::All, 2355 2355 + other => return Err(PermissionSetConversionError::UnknownIdentityAttr(other.to_string())), 2356 2356 + }; 2357 2357 + scopes.push(Scope::Identity(identity_scope)); 2358 2358 + } 2359 2359 + LexPermissionResource::Account { attr, action } => { 2360 2360 + let resource = match attr.as_ref() { 2361 2361 + "email" => AccountResource::Email, 2362 2362 + "repo" => AccountResource::Repo, 2363 2363 + "status" => AccountResource::Status, 2364 2364 + other => return Err(PermissionSetConversionError::UnknownAccountAttr(other.to_string())), 2365 2365 + }; 2366 2366 + 2367 2367 + let act = action 2368 2368 + .as_ref() 2369 2369 + .and_then(|a| a.first()) 2370 2370 + .copied() 2371 2371 + .unwrap_or(AccountAction::Read); 2372 2372 + 2373 2373 + scopes.push(Scope::Account(AccountScope { 2374 2374 + resource, 2375 2375 + action: act, 2376 2376 + })); 2377 2377 + } 2378 2378 + } 2379 2379 + } 2380 2380 + 2381 2381 + Ok(scopes) 2382 2382 + } 2383 2383 + 2241 2384 #[cfg(test)] 2242 2385 mod tests { 2243 2386 use super::*; 2387 2387 + #[cfg(feature = "scope-check")] 2388 2388 + use jacquard_common::CowStr; 2244 2389 2245 2390 #[test] 2246 2391 fn test_account_scope_parsing() { ··· 3699 3844 // Normalized form expands bare `rpc` to explicit `rpc:*`. 3700 3845 let normalized = scopes.to_normalized_string(); 3701 3846 assert_eq!(normalized, "rpc:*"); 3847 3847 + } 3848 3848 + 3849 3849 + #[cfg(feature = "scope-check")] 3850 3850 + #[test] 3851 3851 + fn test_expand_permission_set_repo() { 3852 3852 + use jacquard_lexicon::lexicon::{LexPermissionSet, LexPermission, LexPermissionResource}; 3853 3853 + 3854 3854 + // Create a simple permission set with a repo permission 3855 3855 + let mut perms = Vec::new(); 3856 3856 + perms.push(LexPermission::Permission { 3857 3857 + resource: LexPermissionResource::Repo { 3858 3858 + collection: vec![ 3859 3859 + Nsid::new_static("app.bsky.feed.post").unwrap(), 3860 3860 + Nsid::new_static("app.bsky.graph.follow").unwrap(), 3861 3861 + ], 3862 3862 + action: Some(vec![RepoAction::Create]), 3863 3863 + }, 3864 3864 + }); 3865 3865 + 3866 3866 + let perm_set = LexPermissionSet { 3867 3867 + title: None, 3868 3868 + title_lang: None, 3869 3869 + detail: None, 3870 3870 + detail_lang: None, 3871 3871 + permissions: perms, 3872 3872 + }; 3873 3873 + 3874 3874 + let scopes = expand_permission_set(&perm_set, None).unwrap(); 3875 3875 + assert_eq!(scopes.len(), 2); 3876 3876 + 3877 3877 + // Check that we got the expected repo scopes 3878 3878 + let mut found_post = false; 3879 3879 + let mut found_follow = false; 3880 3880 + 3881 3881 + for scope in &scopes { 3882 3882 + if let Scope::Repo(repo_scope) = scope { 3883 3883 + if let RepoCollection::Nsid(nsid) = &repo_scope.collection { 3884 3884 + if nsid.as_ref() == "app.bsky.feed.post" { 3885 3885 + assert_eq!(repo_scope.actions.len(), 1); 3886 3886 + assert!(repo_scope.actions.contains(&RepoAction::Create)); 3887 3887 + found_post = true; 3888 3888 + } else if nsid.as_ref() == "app.bsky.graph.follow" { 3889 3889 + assert_eq!(repo_scope.actions.len(), 1); 3890 3890 + assert!(repo_scope.actions.contains(&RepoAction::Create)); 3891 3891 + found_follow = true; 3892 3892 + } 3893 3893 + } 3894 3894 + } 3895 3895 + } 3896 3896 + 3897 3897 + assert!(found_post, "Expected post scope"); 3898 3898 + assert!(found_follow, "Expected follow scope"); 3899 3899 + } 3900 3900 + 3901 3901 + #[cfg(feature = "scope-check")] 3902 3902 + #[test] 3903 3903 + fn test_expand_permission_set_identity() { 3904 3904 + use jacquard_lexicon::lexicon::{LexPermissionSet, LexPermission, LexPermissionResource}; 3905 3905 + 3906 3906 + let mut perms = Vec::new(); 3907 3907 + perms.push(LexPermission::Permission { 3908 3908 + resource: LexPermissionResource::Identity { 3909 3909 + attr: CowStr::Borrowed("handle"), 3910 3910 + }, 3911 3911 + }); 3912 3912 + 3913 3913 + let perm_set = LexPermissionSet { 3914 3914 + title: None, 3915 3915 + title_lang: None, 3916 3916 + detail: None, 3917 3917 + detail_lang: None, 3918 3918 + permissions: perms, 3919 3919 + }; 3920 3920 + 3921 3921 + let scopes = expand_permission_set(&perm_set, None).unwrap(); 3922 3922 + assert_eq!(scopes.len(), 1); 3923 3923 + 3924 3924 + assert_eq!(scopes[0], Scope::Identity(IdentityScope::Handle)); 3925 3925 + } 3926 3926 + 3927 3927 + #[cfg(feature = "scope-check")] 3928 3928 + #[test] 3929 3929 + fn test_expand_permission_set_account() { 3930 3930 + use jacquard_lexicon::lexicon::{LexPermissionSet, LexPermission, LexPermissionResource}; 3931 3931 + 3932 3932 + let mut perms = Vec::new(); 3933 3933 + perms.push(LexPermission::Permission { 3934 3934 + resource: LexPermissionResource::Account { 3935 3935 + attr: CowStr::Borrowed("email"), 3936 3936 + action: Some(vec![AccountAction::Manage]), 3937 3937 + }, 3938 3938 + }); 3939 3939 + 3940 3940 + let perm_set = LexPermissionSet { 3941 3941 + title: None, 3942 3942 + title_lang: None, 3943 3943 + detail: None, 3944 3944 + detail_lang: None, 3945 3945 + permissions: perms, 3946 3946 + }; 3947 3947 + 3948 3948 + let scopes = expand_permission_set(&perm_set, None).unwrap(); 3949 3949 + assert_eq!(scopes.len(), 1); 3950 3950 + 3951 3951 + assert_eq!( 3952 3952 + scopes[0], 3953 3953 + Scope::Account(AccountScope { 3954 3954 + resource: AccountResource::Email, 3955 3955 + action: AccountAction::Manage, 3956 3956 + }) 3957 3957 + ); 3958 3958 + } 3959 3959 + 3960 3960 + #[cfg(feature = "scope-check")] 3961 3961 + #[test] 3962 3962 + fn test_expand_permission_set_rpc_with_inherit_aud() { 3963 3963 + use jacquard_lexicon::lexicon::{LexPermissionSet, LexPermission, LexPermissionResource}; 3964 3964 + 3965 3965 + let mut perms = Vec::new(); 3966 3966 + perms.push(LexPermission::Permission { 3967 3967 + resource: LexPermissionResource::Rpc { 3968 3968 + lxm: vec![Nsid::new_static("app.bsky.feed.getTimeline").unwrap()], 3969 3969 + aud: None, 3970 3970 + inherit_aud: Some(true), 3971 3971 + }, 3972 3972 + }); 3973 3973 + 3974 3974 + let perm_set = LexPermissionSet { 3975 3975 + title: None, 3976 3976 + title_lang: None, 3977 3977 + detail: None, 3978 3978 + detail_lang: None, 3979 3979 + permissions: perms, 3980 3980 + }; 3981 3981 + 3982 3982 + let inherited_did = Did::new_static("did:web:example.com").unwrap(); 3983 3983 + let scopes = expand_permission_set(&perm_set, Some(&inherited_did)).unwrap(); 3984 3984 + assert_eq!(scopes.len(), 1); 3985 3985 + 3986 3986 + if let Scope::Rpc(rpc_scope) = &scopes[0] { 3987 3987 + assert_eq!(rpc_scope.lxm.len(), 1); 3988 3988 + assert_eq!(rpc_scope.aud.len(), 1); 3989 3989 + assert!(matches!(rpc_scope.aud.iter().next(), Some(RpcAudience::Did(d)) if d.as_ref() == "did:web:example.com")); 3990 3990 + } else { 3991 3991 + panic!("Expected Rpc scope"); 3992 3992 + } 3993 3993 + } 3994 3994 + 3995 3995 + #[cfg(feature = "scope-check")] 3996 3996 + #[test] 3997 3997 + fn test_expand_permission_set_rpc_explicit_aud() { 3998 3998 + use jacquard_lexicon::lexicon::{LexPermissionSet, LexPermission, LexPermissionResource}; 3999 3999 + 4000 4000 + let mut perms = Vec::new(); 4001 4001 + perms.push(LexPermission::Permission { 4002 4002 + resource: LexPermissionResource::Rpc { 4003 4003 + lxm: vec![Nsid::new_static("app.bsky.feed.getTimeline").unwrap()], 4004 4004 + aud: Some(Did::new_static("did:web:custom.com").unwrap()), 4005 4005 + inherit_aud: None, 4006 4006 + }, 4007 4007 + }); 4008 4008 + 4009 4009 + let perm_set = LexPermissionSet { 4010 4010 + title: None, 4011 4011 + title_lang: None, 4012 4012 + detail: None, 4013 4013 + detail_lang: None, 4014 4014 + permissions: perms, 4015 4015 + }; 4016 4016 + 4017 4017 + let scopes = expand_permission_set(&perm_set, None).unwrap(); 4018 4018 + assert_eq!(scopes.len(), 1); 4019 4019 + 4020 4020 + if let Scope::Rpc(rpc_scope) = &scopes[0] { 4021 4021 + assert_eq!(rpc_scope.aud.len(), 1); 4022 4022 + assert!(matches!(rpc_scope.aud.iter().next(), Some(RpcAudience::Did(d)) if d.as_ref() == "did:web:custom.com")); 4023 4023 + } else { 4024 4024 + panic!("Expected Rpc scope"); 4025 4025 + } 4026 4026 + } 4027 4027 + 4028 4028 + #[cfg(feature = "scope-check")] 4029 4029 + #[test] 4030 4030 + fn test_expand_permission_set_unknown_identity_attr() { 4031 4031 + use jacquard_lexicon::lexicon::{LexPermissionSet, LexPermission, LexPermissionResource}; 4032 4032 + 4033 4033 + let mut perms = Vec::new(); 4034 4034 + perms.push(LexPermission::Permission { 4035 4035 + resource: LexPermissionResource::Identity { 4036 4036 + attr: CowStr::Borrowed("invalid"), 4037 4037 + }, 4038 4038 + }); 4039 4039 + 4040 4040 + let perm_set = LexPermissionSet { 4041 4041 + title: None, 4042 4042 + title_lang: None, 4043 4043 + detail: None, 4044 4044 + detail_lang: None, 4045 4045 + permissions: perms, 4046 4046 + }; 4047 4047 + 4048 4048 + let result = expand_permission_set(&perm_set, None); 4049 4049 + assert!(matches!(result, Err(PermissionSetConversionError::UnknownIdentityAttr(_)))); 4050 4050 + } 4051 4051 + 4052 4052 + #[cfg(feature = "scope-check")] 4053 4053 + #[test] 4054 4054 + fn test_expand_permission_set_unknown_account_attr() { 4055 4055 + use jacquard_lexicon::lexicon::{LexPermissionSet, LexPermission, LexPermissionResource}; 4056 4056 + 4057 4057 + let mut perms = Vec::new(); 4058 4058 + perms.push(LexPermission::Permission { 4059 4059 + resource: LexPermissionResource::Account { 4060 4060 + attr: CowStr::Borrowed("invalid"), 4061 4061 + action: None, 4062 4062 + }, 4063 4063 + }); 4064 4064 + 4065 4065 + let perm_set = LexPermissionSet { 4066 4066 + title: None, 4067 4067 + title_lang: None, 4068 4068 + detail: None, 4069 4069 + detail_lang: None, 4070 4070 + permissions: perms, 4071 4071 + }; 4072 4072 + 4073 4073 + let result = expand_permission_set(&perm_set, None); 4074 4074 + assert!(matches!(result, Err(PermissionSetConversionError::UnknownAccountAttr(_)))); 4075 4075 + } 4076 4076 + 4077 4077 + #[cfg(feature = "scope-check")] 4078 4078 + #[test] 4079 4079 + fn test_expand_permission_set_blob() { 4080 4080 + use jacquard_lexicon::lexicon::{LexPermissionSet, LexPermission, LexPermissionResource}; 4081 4081 + use jacquard_common::types::blob::MimeType; 4082 4082 + 4083 4083 + // Test exact type 4084 4084 + let mut perms = Vec::new(); 4085 4085 + perms.push(LexPermission::Permission { 4086 4086 + resource: LexPermissionResource::Blob { 4087 4087 + accept: vec![MimeType::new(CowStr::Borrowed("image/png"))], 4088 4088 + max_size: None, 4089 4089 + }, 4090 4090 + }); 4091 4091 + 4092 4092 + let perm_set = LexPermissionSet { 4093 4093 + title: None, 4094 4094 + title_lang: None, 4095 4095 + detail: None, 4096 4096 + detail_lang: None, 4097 4097 + permissions: perms, 4098 4098 + }; 4099 4099 + 4100 4100 + let scopes = expand_permission_set(&perm_set, None).expect("should expand blob"); 4101 4101 + assert_eq!(scopes.len(), 1); 4102 4102 + match &scopes[0] { 4103 4103 + Scope::Blob(blob_scope) => { 4104 4104 + assert_eq!(blob_scope.accept.len(), 1); 4105 4105 + for pattern in &blob_scope.accept { 4106 4106 + if let MimePattern::Exact(s) = pattern { 4107 4107 + assert_eq!(s.as_ref() as &str, "image/png"); 4108 4108 + } else { 4109 4109 + panic!("expected Exact pattern"); 4110 4110 + } 4111 4111 + } 4112 4112 + } 4113 4113 + _ => panic!("expected Blob scope"), 4114 4114 + } 4115 4115 + 4116 4116 + // Test type wildcard 4117 4117 + let mut perms = Vec::new(); 4118 4118 + perms.push(LexPermission::Permission { 4119 4119 + resource: LexPermissionResource::Blob { 4120 4120 + accept: vec![MimeType::new(CowStr::Borrowed("image/*"))], 4121 4121 + max_size: None, 4122 4122 + }, 4123 4123 + }); 4124 4124 + 4125 4125 + let perm_set = LexPermissionSet { 4126 4126 + title: None, 4127 4127 + title_lang: None, 4128 4128 + detail: None, 4129 4129 + detail_lang: None, 4130 4130 + permissions: perms, 4131 4131 + }; 4132 4132 + 4133 4133 + let scopes = expand_permission_set(&perm_set, None).expect("should expand blob"); 4134 4134 + assert_eq!(scopes.len(), 1); 4135 4135 + match &scopes[0] { 4136 4136 + Scope::Blob(blob_scope) => { 4137 4137 + assert_eq!(blob_scope.accept.len(), 1); 4138 4138 + // TypeWildcard should store only the type prefix (e.g., "image") 4139 4139 + for pattern in &blob_scope.accept { 4140 4140 + if let MimePattern::TypeWildcard(s) = pattern { 4141 4141 + assert_eq!(s.as_ref() as &str, "image"); 4142 4142 + } else { 4143 4143 + panic!("expected TypeWildcard pattern"); 4144 4144 + } 4145 4145 + } 4146 4146 + } 4147 4147 + _ => panic!("expected Blob scope"), 4148 4148 + } 4149 4149 + 4150 4150 + // Test all wildcard 4151 4151 + let mut perms = Vec::new(); 4152 4152 + perms.push(LexPermission::Permission { 4153 4153 + resource: LexPermissionResource::Blob { 4154 4154 + accept: vec![MimeType::new(CowStr::Borrowed("*/*"))], 4155 4155 + max_size: None, 4156 4156 + }, 4157 4157 + }); 4158 4158 + 4159 4159 + let perm_set = LexPermissionSet { 4160 4160 + title: None, 4161 4161 + title_lang: None, 4162 4162 + detail: None, 4163 4163 + detail_lang: None, 4164 4164 + permissions: perms, 4165 4165 + }; 4166 4166 + 4167 4167 + let scopes = expand_permission_set(&perm_set, None).expect("should expand blob"); 4168 4168 + assert_eq!(scopes.len(), 1); 4169 4169 + match &scopes[0] { 4170 4170 + Scope::Blob(blob_scope) => { 4171 4171 + assert_eq!(blob_scope.accept.len(), 1); 4172 4172 + assert!( 4173 4173 + blob_scope 4174 4174 + .accept 4175 4175 + .iter() 4176 4176 + .any(|p| matches!(p, MimePattern::All)) 4177 4177 + ); 4178 4178 + } 4179 4179 + _ => panic!("expected Blob scope"), 4180 4180 + } 4181 4181 + } 4182 4182 + 4183 4183 + #[cfg(feature = "scope-check")] 4184 4184 + #[test] 4185 4185 + fn test_expand_permission_set_blob_invalid_mime() { 4186 4186 + use jacquard_common::types::blob::MimeType; 4187 4187 + use jacquard_lexicon::lexicon::{LexPermission, LexPermissionResource, LexPermissionSet}; 4188 4188 + 4189 4189 + let mut perms = Vec::new(); 4190 4190 + perms.push(LexPermission::Permission { 4191 4191 + resource: LexPermissionResource::Blob { 4192 4192 + accept: vec![MimeType::new(CowStr::Borrowed("invalid-mime-type"))], 4193 4193 + max_size: None, 4194 4194 + }, 4195 4195 + }); 4196 4196 + 4197 4197 + let perm_set = LexPermissionSet { 4198 4198 + title: None, 4199 4199 + title_lang: None, 4200 4200 + detail: None, 4201 4201 + detail_lang: None, 4202 4202 + permissions: perms, 4203 4203 + }; 4204 4204 + 4205 4205 + let result = expand_permission_set(&perm_set, None); 4206 4206 + assert!(matches!( 4207 4207 + result, 4208 4208 + Err(PermissionSetConversionError::InvalidMimePattern(_)) 4209 4209 + )); 3702 4210 } 3703 4211 }

+12

crates/jacquard-oauth/src/session.rs

reviewed

··· 86 86 /// Current token set (access token, refresh token, expiry, etc.). 87 87 #[serde(flatten)] 88 88 pub token_set: TokenSet<S>, 89 89 + 90 90 + /// Fully expanded scopes with include scopes resolved. 91 91 + /// Populated eagerly at session creation when `scope-check` is enabled. 92 92 + /// `None` when `scope-check` is disabled or no include scopes are present. 93 93 + #[cfg(feature = "scope-check")] 94 94 + #[serde(skip)] 95 95 + pub resolved_scopes: Option<Vec<crate::scopes::Scope<smol_str::SmolStr>>>, 89 96 } 90 97 91 98 impl<S: BosStr + Ord + IntoStatic + AsRef<str>> IntoStatic for ClientSessionData<S> ··· 95 102 type Output = ClientSessionData<S::Output>; 96 103 97 104 fn into_static(self) -> Self::Output { 105 105 + #[cfg(feature = "scope-check")] 106 106 + let resolved_scopes = self.resolved_scopes; 107 107 + 98 108 ClientSessionData { 99 109 authserver_url: self.authserver_url.into_static(), 100 110 authserver_token_endpoint: self.authserver_token_endpoint.into_static(), ··· 107 117 account_did: self.account_did.into_static(), 108 118 session_id: self.session_id.into_static(), 109 119 host_url: self.host_url.clone(), 120 120 + #[cfg(feature = "scope-check")] 121 121 + resolved_scopes, 110 122 } 111 123 } 112 124 }

+1

crates/jacquard/Cargo.toml

reviewed

··· 47 47 cache = ["jacquard-identity/cache"] 48 48 websocket = ["jacquard-common/websocket"] 49 49 zstd = ["jacquard-common/zstd"] 50 50 + scope-check = ["jacquard-oauth/scope-check"] 50 51 51 52 52 53

+2

crates/jacquard/src/client/token.rs

reviewed

··· 152 152 token_type: session.token_type, 153 153 expires_at: session.expires_at, 154 154 }, 155 155 + #[cfg(feature = "scope-check")] 156 156 + resolved_scopes: None, 155 157 } 156 158 } 157 159 }

+6

crates/jacquard/tests/oauth_auto_refresh.rs

reviewed

··· 237 237 token_type: OAuthTokenType::DPoP, 238 238 expires_at: None, 239 239 }, 240 240 + #[cfg(feature = "scope-check")] 241 241 + resolved_scopes: None, 240 242 } 241 243 .into_static(); 242 244 let client_arc = client.clone(); ··· 265 267 token_type: OAuthTokenType::DPoP, 266 268 expires_at: None, 267 269 }, 270 270 + #[cfg(feature = "scope-check")] 271 271 + resolved_scopes: None, 268 272 } 269 273 .into_static(); 270 274 registry.set(data_store).await.unwrap(); ··· 366 370 token_type: OAuthTokenType::DPoP, 367 371 expires_at: None, 368 372 }, 373 373 + #[cfg(feature = "scope-check")] 374 374 + resolved_scopes: None, 369 375 } 370 376 .into_static(); 371 377 let client_arc = client.clone();