cli-engine/src/auth/credential.rs at main · godaddy/cli-engine · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
use chrono::{DateTime, Duration, Utc};
use serde::{Deserialize, Serialize};

/// Cache TTL used when a credential has `cached_at`.
pub const CACHE_TTL: Duration = Duration::minutes(30);

/// Credential returned by an auth provider.
///
/// Field names and omission behavior match the provider JSON contract. Empty
/// strings are accepted because some providers omit optional values.
#[derive(Clone, Debug, Default, Eq, PartialEq, Serialize, Deserialize)]
pub struct Credential {
    /// Access token used by transport injectors.
    #[serde(default)]
    pub token: String,
    /// Explicit expiration timestamp.
    #[serde(default)]
    pub expires_at: String,
    /// Cache creation timestamp. When present, [`CACHE_TTL`] determines expiry.
    #[serde(default, skip_serializing_if = "String::is_empty")]
    pub cached_at: String,
    /// Provider that produced this credential.
    #[serde(default, skip_serializing_if = "String::is_empty")]
    pub provider: String,
    /// Environment this credential targets.
    #[serde(default, skip_serializing_if = "String::is_empty")]
    pub env: String,
    /// Environment alias accepted from provider responses.
    #[serde(default, skip_serializing_if = "String::is_empty")]
    pub realm: String,
    /// Human-readable identity.
    #[serde(default, skip_serializing_if = "String::is_empty")]
    pub identity: String,
    /// Subject identifier.
    #[serde(default, skip_serializing_if = "String::is_empty")]
    pub sub: String,
    /// Account type associated with the credential.
    #[serde(default, skip_serializing_if = "String::is_empty")]
    pub account_type: String,
}

impl Credential {
    /// Returns the timestamp used for status display.
    #[must_use]
    pub fn effective_expiry(&self) -> String {
        if let Ok(cached_at) = DateTime::parse_from_rfc3339(&self.cached_at) {
            return (cached_at.with_timezone(&Utc) + CACHE_TTL)
                .to_rfc3339_opts(chrono::SecondsFormat::Secs, true);
        }
        self.expires_at.clone()
    }

    /// Reports whether the credential is expired.
    ///
    /// Invalid `expires_at` values are treated as expired. Credentials without
    /// either `expires_at` or `cached_at` are treated as not expired.
    #[must_use]
    pub fn is_expired(&self) -> bool {
        if let Ok(cached_at) = DateTime::parse_from_rfc3339(&self.cached_at) {
            return Utc::now() > cached_at.with_timezone(&Utc) + CACHE_TTL;
        }
        if self.expires_at.is_empty() {
            return false;
        }
        match DateTime::parse_from_rfc3339(&self.expires_at) {
            Ok(expires_at) => Utc::now() > expires_at.with_timezone(&Utc),
            Err(_) => true,
        }
    }
}