+9 -2

crates/atproto-jetstream/src/consumer.rs

··· 153 153 pub(crate) enum SubscriberSourcedMessage { 154 154 #[serde(rename = "options_update")] 155 155 Update { 156 156 - #[serde(rename = "wantedCollections", skip_serializing_if = "Vec::is_empty", default)] 156 156 + #[serde( 157 157 + rename = "wantedCollections", 158 158 + skip_serializing_if = "Vec::is_empty", 159 159 + default 160 160 + )] 157 161 wanted_collections: Vec<String>, 158 162 159 163 #[serde(rename = "wantedDids", skip_serializing_if = "Vec::is_empty", default)] ··· 264 268 // Add wantedCollections if specified (each collection as a separate query parameter) 265 269 if !self.config.collections.is_empty() && !self.config.require_hello { 266 270 for collection in &self.config.collections { 267 267 - query_params.push(format!("wantedCollections={}", urlencoding::encode(collection))); 271 271 + query_params.push(format!( 272 272 + "wantedCollections={}", 273 273 + urlencoding::encode(collection) 274 274 + )); 268 275 } 269 276 } 270 277

+4 -3

crates/atproto-oauth-axum/src/handler_metadata.rs

··· 66 66 let mut jwks_keys = Vec::new(); 67 67 for key_data in &oauth_client_config.signing_keys { 68 68 if let Ok(public_key_data) = to_public(key_data) 69 69 - && let Ok(jwk) = generate(&public_key_data) { 70 70 - jwks_keys.push(jwk); 71 71 - } 69 69 + && let Ok(jwk) = generate(&public_key_data) 70 70 + { 71 71 + jwks_keys.push(jwk); 72 72 + } 72 73 } 73 74 (None, Some(WrappedJsonWebKeySet { keys: jwks_keys })) 74 75 };

+4 -3

crates/atproto-oauth/src/dpop.rs

··· 752 752 // exp (expiration) - validate if present 753 753 if let Some(exp_value) = claims.get("exp") 754 754 && let Some(exp) = exp_value.as_u64() 755 755 - && config.now as u64 >= exp { 756 756 - return Err(JWTError::TokenExpired.into()); 757 757 - } 755 755 + && config.now as u64 >= exp 756 756 + { 757 757 + return Err(JWTError::TokenExpired.into()); 758 758 + } 758 759 759 760 // 3. VERIFY SIGNATURE 760 761 let content = format!("{}.{}", encoded_header, encoded_payload);

+8 -6

crates/atproto-oauth/src/jwt.rs

··· 215 215 216 216 // Validate expiration time if present 217 217 if let Some(exp) = claims.jose.expiration 218 218 - && now >= exp { 219 219 - return Err(JWTError::TokenExpired.into()); 220 220 - } 218 218 + && now >= exp 219 219 + { 220 220 + return Err(JWTError::TokenExpired.into()); 221 221 + } 221 222 222 223 // Validate not-before time if present 223 224 if let Some(nbf) = claims.jose.not_before 224 224 - && now < nbf { 225 225 - return Err(JWTError::TokenNotValidYet.into()); 226 226 - } 225 225 + && now < nbf 226 226 + { 227 227 + return Err(JWTError::TokenNotValidYet.into()); 228 228 + } 227 229 228 230 // Return validated claims 229 231 Ok(claims)

+4

crates/atproto-oauth/src/lib.rs

··· 6 6 #![forbid(unsafe_code)] 7 7 #![warn(missing_docs)] 8 8 9 9 + /// DPoP (Demonstrating Proof of Possession) implementation for OAuth 2.0. 9 10 pub mod dpop; 10 11 /// Base64 encoding and decoding utilities. 11 12 pub mod encoding; ··· 17 18 pub mod jwt; 18 19 /// PKCE (Proof Key for Code Exchange) implementation for OAuth 2.0 security. 19 20 pub mod pkce; 21 21 + /// OAuth resource and authorization server management. 20 22 pub mod resources; 21 23 /// OAuth request storage abstraction for CRUD operations. 22 24 pub mod storage; ··· 25 27 pub mod storage_lru; 26 28 /// OAuth workflow implementation for AT Protocol authorization flows. 27 29 pub mod workflow; 30 30 + /// OAuth 2.0 scope definitions and parsing for AT Protocol. 31 31 + pub mod scopes;

+1841

crates/atproto-oauth/src/scopes.rs

··· 1 1 + //! AT Protocol OAuth scopes module 2 2 + //! 3 3 + //! This module provides comprehensive support for AT Protocol OAuth scopes, 4 4 + //! including parsing, serialization, normalization, and permission checking. 5 5 + //! 6 6 + //! Scopes in AT Protocol follow a prefix-based format with optional query parameters: 7 7 + //! - `account`: Access to account information (email, repo, status) 8 8 + //! - `identity`: Access to identity information (handle) 9 9 + //! - `blob`: Access to blob operations with mime type constraints 10 10 + //! - `repo`: Repository operations with collection and action constraints 11 11 + //! - `rpc`: RPC method access with lexicon and audience constraints 12 12 + //! - `atproto`: Required scope to indicate that other AT Protocol scopes will be used 13 13 + //! - `transition`: Migration operations (generic or email) 14 14 + //! 15 15 + //! Standard OpenID Connect scopes (no suffixes or query parameters): 16 16 + //! - `openid`: Required for OpenID Connect authentication 17 17 + //! - `profile`: Access to user profile information 18 18 + //! - `email`: Access to user email address 19 19 + 20 20 + use std::collections::{BTreeMap, BTreeSet}; 21 21 + use std::fmt; 22 22 + use std::str::FromStr; 23 23 + 24 24 + /// Represents an AT Protocol OAuth scope 25 25 + #[derive(Debug, Clone, PartialEq, Eq, Hash)] 26 26 + pub enum Scope { 27 27 + /// Account scope for accessing account information 28 28 + Account(AccountScope), 29 29 + /// Identity scope for accessing identity information 30 30 + Identity(IdentityScope), 31 31 + /// Blob scope for blob operations with mime type constraints 32 32 + Blob(BlobScope), 33 33 + /// Repository scope for collection operations 34 34 + Repo(RepoScope), 35 35 + /// RPC scope for method access 36 36 + Rpc(RpcScope), 37 37 + /// AT Protocol scope - required to indicate that other AT Protocol scopes will be used 38 38 + Atproto, 39 39 + /// Transition scope for migration operations 40 40 + Transition(TransitionScope), 41 41 + /// OpenID Connect scope - required for OpenID Connect authentication 42 42 + OpenId, 43 43 + /// Profile scope - access to user profile information 44 44 + Profile, 45 45 + /// Email scope - access to user email address 46 46 + Email, 47 47 + } 48 48 + 49 49 + /// Account scope attributes 50 50 + #[derive(Debug, Clone, PartialEq, Eq, Hash)] 51 51 + pub struct AccountScope { 52 52 + /// The account resource type 53 53 + pub resource: AccountResource, 54 54 + /// The action permission level 55 55 + pub action: AccountAction, 56 56 + } 57 57 + 58 58 + /// Account resource types 59 59 + #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] 60 60 + pub enum AccountResource { 61 61 + /// Email access 62 62 + Email, 63 63 + /// Repository access 64 64 + Repo, 65 65 + /// Status access 66 66 + Status, 67 67 + } 68 68 + 69 69 + /// Account action permissions 70 70 + #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] 71 71 + pub enum AccountAction { 72 72 + /// Read-only access 73 73 + Read, 74 74 + /// Management access (includes read) 75 75 + Manage, 76 76 + } 77 77 + 78 78 + /// Identity scope attributes 79 79 + #[derive(Debug, Clone, PartialEq, Eq, Hash)] 80 80 + pub enum IdentityScope { 81 81 + /// Handle access 82 82 + Handle, 83 83 + /// All identity access (wildcard) 84 84 + All, 85 85 + } 86 86 + 87 87 + /// Transition scope types 88 88 + #[derive(Debug, Clone, PartialEq, Eq, Hash)] 89 89 + pub enum TransitionScope { 90 90 + /// Generic transition operations 91 91 + Generic, 92 92 + /// Email transition operations 93 93 + Email, 94 94 + } 95 95 + 96 96 + /// Blob scope with mime type constraints 97 97 + #[derive(Debug, Clone, PartialEq, Eq, Hash)] 98 98 + pub struct BlobScope { 99 99 + /// Accepted mime types 100 100 + pub accept: BTreeSet<MimePattern>, 101 101 + } 102 102 + 103 103 + /// MIME type pattern for blob scope 104 104 + #[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)] 105 105 + pub enum MimePattern { 106 106 + /// Match all types 107 107 + All, 108 108 + /// Match all subtypes of a type (e.g., "image/*") 109 109 + TypeWildcard(String), 110 110 + /// Exact mime type match 111 111 + Exact(String), 112 112 + } 113 113 + 114 114 + /// Repository scope with collection and action constraints 115 115 + #[derive(Debug, Clone, PartialEq, Eq, Hash)] 116 116 + pub struct RepoScope { 117 117 + /// Collection NSID or wildcard 118 118 + pub collection: RepoCollection, 119 119 + /// Allowed actions 120 120 + pub actions: BTreeSet<RepoAction>, 121 121 + } 122 122 + 123 123 + /// Repository collection identifier 124 124 + #[derive(Debug, Clone, PartialEq, Eq, Hash)] 125 125 + pub enum RepoCollection { 126 126 + /// All collections (wildcard) 127 127 + All, 128 128 + /// Specific collection NSID 129 129 + Nsid(String), 130 130 + } 131 131 + 132 132 + /// Repository actions 133 133 + #[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)] 134 134 + pub enum RepoAction { 135 135 + /// Create records 136 136 + Create, 137 137 + /// Update records 138 138 + Update, 139 139 + /// Delete records 140 140 + Delete, 141 141 + } 142 142 + 143 143 + /// RPC scope with lexicon method and audience constraints 144 144 + #[derive(Debug, Clone, PartialEq, Eq, Hash)] 145 145 + pub struct RpcScope { 146 146 + /// Lexicon methods (NSIDs or wildcard) 147 147 + pub lxm: BTreeSet<RpcLexicon>, 148 148 + /// Audiences (DIDs or wildcard) 149 149 + pub aud: BTreeSet<RpcAudience>, 150 150 + } 151 151 + 152 152 + /// RPC lexicon identifier 153 153 + #[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)] 154 154 + pub enum RpcLexicon { 155 155 + /// All lexicons (wildcard) 156 156 + All, 157 157 + /// Specific lexicon NSID 158 158 + Nsid(String), 159 159 + } 160 160 + 161 161 + /// RPC audience identifier 162 162 + #[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)] 163 163 + pub enum RpcAudience { 164 164 + /// All audiences (wildcard) 165 165 + All, 166 166 + /// Specific DID 167 167 + Did(String), 168 168 + } 169 169 + 170 170 + impl Scope { 171 171 + /// Parse multiple space-separated scopes from a string 172 172 + /// 173 173 + /// # Examples 174 174 + /// ``` 175 175 + /// # use atproto_oauth::scopes::Scope; 176 176 + /// let scopes = Scope::parse_multiple("atproto repo:*").unwrap(); 177 177 + /// assert_eq!(scopes.len(), 2); 178 178 + /// ``` 179 179 + pub fn parse_multiple(s: &str) -> Result<Vec<Self>, ParseError> { 180 180 + if s.trim().is_empty() { 181 181 + return Ok(Vec::new()); 182 182 + } 183 183 + 184 184 + let mut scopes = Vec::new(); 185 185 + for scope_str in s.trim().split_whitespace() { 186 186 + scopes.push(Self::parse(scope_str)?); 187 187 + } 188 188 + 189 189 + Ok(scopes) 190 190 + } 191 191 + 192 192 + /// Parse multiple space-separated scopes and return the minimal set needed 193 193 + /// 194 194 + /// This method removes duplicate scopes and scopes that are already granted 195 195 + /// by other scopes in the list, returning only the minimal set of scopes needed. 196 196 + /// 197 197 + /// # Examples 198 198 + /// ``` 199 199 + /// # use atproto_oauth::scopes::Scope; 200 200 + /// // repo:* grants repo:foo.bar, so only repo:* is kept 201 201 + /// let scopes = Scope::parse_multiple_reduced("atproto repo:foo.bar repo:*").unwrap(); 202 202 + /// assert_eq!(scopes.len(), 2); // atproto and repo:* 203 203 + /// ``` 204 204 + pub fn parse_multiple_reduced(s: &str) -> Result<Vec<Self>, ParseError> { 205 205 + let all_scopes = Self::parse_multiple(s)?; 206 206 + 207 207 + if all_scopes.is_empty() { 208 208 + return Ok(Vec::new()); 209 209 + } 210 210 + 211 211 + let mut result: Vec<Self> = Vec::new(); 212 212 + 213 213 + for scope in all_scopes { 214 214 + // Check if this scope is already granted by something in the result 215 215 + let mut is_granted = false; 216 216 + for existing in &result { 217 217 + if existing.grants(&scope) && existing != &scope { 218 218 + is_granted = true; 219 219 + break; 220 220 + } 221 221 + } 222 222 + 223 223 + if is_granted { 224 224 + continue; // Skip this scope, it's already covered 225 225 + } 226 226 + 227 227 + // Check if this scope grants any existing scopes in the result 228 228 + let mut indices_to_remove = Vec::new(); 229 229 + for (i, existing) in result.iter().enumerate() { 230 230 + if scope.grants(existing) && &scope != existing { 231 231 + indices_to_remove.push(i); 232 232 + } 233 233 + } 234 234 + 235 235 + // Remove scopes that are granted by the new scope (in reverse order to maintain indices) 236 236 + for i in indices_to_remove.into_iter().rev() { 237 237 + result.remove(i); 238 238 + } 239 239 + 240 240 + // Add the new scope if it's not a duplicate 241 241 + if !result.contains(&scope) { 242 242 + result.push(scope); 243 243 + } 244 244 + } 245 245 + 246 246 + Ok(result) 247 247 + } 248 248 + 249 249 + /// Serialize a list of scopes into a space-separated OAuth scopes string 250 250 + /// 251 251 + /// The scopes are sorted alphabetically by their string representation to ensure 252 252 + /// consistent output regardless of input order. 253 253 + /// 254 254 + /// # Examples 255 255 + /// ``` 256 256 + /// # use atproto_oauth::scopes::Scope; 257 257 + /// let scopes = vec![ 258 258 + /// Scope::parse("repo:*").unwrap(), 259 259 + /// Scope::parse("atproto").unwrap(), 260 260 + /// Scope::parse("account:email").unwrap(), 261 261 + /// ]; 262 262 + /// let result = Scope::serialize_multiple(&scopes); 263 263 + /// assert_eq!(result, "account:email atproto repo:*"); 264 264 + /// ``` 265 265 + pub fn serialize_multiple(scopes: &[Self]) -> String { 266 266 + if scopes.is_empty() { 267 267 + return String::new(); 268 268 + } 269 269 + 270 270 + let mut serialized: Vec<String> = scopes.iter().map(|scope| scope.to_string()).collect(); 271 271 + 272 272 + serialized.sort(); 273 273 + serialized.join(" ") 274 274 + } 275 275 + 276 276 + /// Remove a scope from a list of scopes 277 277 + /// 278 278 + /// Returns a new vector with all instances of the specified scope removed. 279 279 + /// If the scope doesn't exist in the list, returns a copy of the original list. 280 280 + /// 281 281 + /// # Examples 282 282 + /// ``` 283 283 + /// # use atproto_oauth::scopes::Scope; 284 284 + /// let scopes = vec![ 285 285 + /// Scope::parse("repo:*").unwrap(), 286 286 + /// Scope::parse("atproto").unwrap(), 287 287 + /// Scope::parse("account:email").unwrap(), 288 288 + /// ]; 289 289 + /// let to_remove = Scope::parse("atproto").unwrap(); 290 290 + /// let result = Scope::remove_scope(&scopes, &to_remove); 291 291 + /// assert_eq!(result.len(), 2); 292 292 + /// assert!(!result.contains(&to_remove)); 293 293 + /// ``` 294 294 + pub fn remove_scope(scopes: &[Self], scope_to_remove: &Self) -> Vec<Self> { 295 295 + scopes 296 296 + .iter() 297 297 + .filter(|s| *s != scope_to_remove) 298 298 + .cloned() 299 299 + .collect() 300 300 + } 301 301 + 302 302 + /// Parse a scope from a string 303 303 + pub fn parse(s: &str) -> Result<Self, ParseError> { 304 304 + // Determine the prefix first by checking for known prefixes 305 305 + let prefixes = [ 306 306 + "account", 307 307 + "identity", 308 308 + "blob", 309 309 + "repo", 310 310 + "rpc", 311 311 + "atproto", 312 312 + "transition", 313 313 + "openid", 314 314 + "profile", 315 315 + "email", 316 316 + ]; 317 317 + let mut found_prefix = None; 318 318 + let mut suffix = None; 319 319 + 320 320 + for prefix in &prefixes { 321 321 + if s.starts_with(prefix) { 322 322 + let remainder = &s[prefix.len()..]; 323 323 + if remainder.is_empty() || remainder.starts_with(':') || remainder.starts_with('?') 324 324 + { 325 325 + found_prefix = Some(*prefix); 326 326 + if remainder.starts_with(':') { 327 327 + suffix = Some(&remainder[1..]); 328 328 + } else if remainder.starts_with('?') { 329 329 + suffix = Some(remainder); 330 330 + } else { 331 331 + suffix = None; 332 332 + } 333 333 + break; 334 334 + } 335 335 + } 336 336 + } 337 337 + 338 338 + let prefix = found_prefix.ok_or_else(|| { 339 339 + // If no known prefix found, extract what looks like a prefix for error reporting 340 340 + let end = s.find(':').or_else(|| s.find('?')).unwrap_or(s.len()); 341 341 + ParseError::UnknownPrefix(s[..end].to_string()) 342 342 + })?; 343 343 + 344 344 + match prefix { 345 345 + "account" => Self::parse_account(suffix), 346 346 + "identity" => Self::parse_identity(suffix), 347 347 + "blob" => Self::parse_blob(suffix), 348 348 + "repo" => Self::parse_repo(suffix), 349 349 + "rpc" => Self::parse_rpc(suffix), 350 350 + "atproto" => Self::parse_atproto(suffix), 351 351 + "transition" => Self::parse_transition(suffix), 352 352 + "openid" => Self::parse_openid(suffix), 353 353 + "profile" => Self::parse_profile(suffix), 354 354 + "email" => Self::parse_email(suffix), 355 355 + _ => Err(ParseError::UnknownPrefix(prefix.to_string())), 356 356 + } 357 357 + } 358 358 + 359 359 + fn parse_account(suffix: Option<&str>) -> Result<Self, ParseError> { 360 360 + let (resource_str, params) = match suffix { 361 361 + Some(s) => { 362 362 + if let Some(pos) = s.find('?') { 363 363 + (&s[..pos], Some(&s[pos + 1..])) 364 364 + } else { 365 365 + (s, None) 366 366 + } 367 367 + } 368 368 + None => return Err(ParseError::MissingResource), 369 369 + }; 370 370 + 371 371 + let resource = match resource_str { 372 372 + "email" => AccountResource::Email, 373 373 + "repo" => AccountResource::Repo, 374 374 + "status" => AccountResource::Status, 375 375 + _ => return Err(ParseError::InvalidResource(resource_str.to_string())), 376 376 + }; 377 377 + 378 378 + let action = if let Some(params) = params { 379 379 + let parsed_params = parse_query_string(params); 380 380 + match parsed_params 381 381 + .get("action") 382 382 + .and_then(|v| v.first()) 383 383 + .map(|s| s.as_str()) 384 384 + { 385 385 + Some("read") => AccountAction::Read, 386 386 + Some("manage") => AccountAction::Manage, 387 387 + Some(other) => return Err(ParseError::InvalidAction(other.to_string())), 388 388 + None => AccountAction::Read, 389 389 + } 390 390 + } else { 391 391 + AccountAction::Read 392 392 + }; 393 393 + 394 394 + Ok(Scope::Account(AccountScope { resource, action })) 395 395 + } 396 396 + 397 397 + fn parse_identity(suffix: Option<&str>) -> Result<Self, ParseError> { 398 398 + let scope = match suffix { 399 399 + Some("handle") => IdentityScope::Handle, 400 400 + Some("*") => IdentityScope::All, 401 401 + Some(other) => return Err(ParseError::InvalidResource(other.to_string())), 402 402 + None => return Err(ParseError::MissingResource), 403 403 + }; 404 404 + 405 405 + Ok(Scope::Identity(scope)) 406 406 + } 407 407 + 408 408 + fn parse_blob(suffix: Option<&str>) -> Result<Self, ParseError> { 409 409 + let mut accept = BTreeSet::new(); 410 410 + 411 411 + match suffix { 412 412 + Some(s) if s.starts_with('?') => { 413 413 + let params = parse_query_string(&s[1..]); 414 414 + if let Some(values) = params.get("accept") { 415 415 + for value in values { 416 416 + accept.insert(MimePattern::from_str(value)?); 417 417 + } 418 418 + } 419 419 + } 420 420 + Some(s) => { 421 421 + accept.insert(MimePattern::from_str(s)?); 422 422 + } 423 423 + None => { 424 424 + accept.insert(MimePattern::All); 425 425 + } 426 426 + } 427 427 + 428 428 + if accept.is_empty() { 429 429 + accept.insert(MimePattern::All); 430 430 + } 431 431 + 432 432 + Ok(Scope::Blob(BlobScope { accept })) 433 433 + } 434 434 + 435 435 + fn parse_repo(suffix: Option<&str>) -> Result<Self, ParseError> { 436 436 + let (collection_str, params) = match suffix { 437 437 + Some(s) => { 438 438 + if let Some(pos) = s.find('?') { 439 439 + (Some(&s[..pos]), Some(&s[pos + 1..])) 440 440 + } else { 441 441 + (Some(s), None) 442 442 + } 443 443 + } 444 444 + None => (None, None), 445 445 + }; 446 446 + 447 447 + let collection = match collection_str { 448 448 + Some("*") | None => RepoCollection::All, 449 449 + Some(nsid) => RepoCollection::Nsid(nsid.to_string()), 450 450 + }; 451 451 + 452 452 + let mut actions = BTreeSet::new(); 453 453 + if let Some(params) = params { 454 454 + let parsed_params = parse_query_string(params); 455 455 + if let Some(values) = parsed_params.get("action") { 456 456 + for value in values { 457 457 + match value.as_str() { 458 458 + "create" => { 459 459 + actions.insert(RepoAction::Create); 460 460 + } 461 461 + "update" => { 462 462 + actions.insert(RepoAction::Update); 463 463 + } 464 464 + "delete" => { 465 465 + actions.insert(RepoAction::Delete); 466 466 + } 467 467 + "*" => { 468 468 + actions.insert(RepoAction::Create); 469 469 + actions.insert(RepoAction::Update); 470 470 + actions.insert(RepoAction::Delete); 471 471 + } 472 472 + other => return Err(ParseError::InvalidAction(other.to_string())), 473 473 + } 474 474 + } 475 475 + } 476 476 + } 477 477 + 478 478 + if actions.is_empty() { 479 479 + actions.insert(RepoAction::Create); 480 480 + actions.insert(RepoAction::Update); 481 481 + actions.insert(RepoAction::Delete); 482 482 + } 483 483 + 484 484 + Ok(Scope::Repo(RepoScope { 485 485 + collection, 486 486 + actions, 487 487 + })) 488 488 + } 489 489 + 490 490 + fn parse_rpc(suffix: Option<&str>) -> Result<Self, ParseError> { 491 491 + let mut lxm = BTreeSet::new(); 492 492 + let mut aud = BTreeSet::new(); 493 493 + 494 494 + match suffix { 495 495 + Some("*") => { 496 496 + lxm.insert(RpcLexicon::All); 497 497 + aud.insert(RpcAudience::All); 498 498 + } 499 499 + Some(s) if s.starts_with('?') => { 500 500 + let params = parse_query_string(&s[1..]); 501 501 + 502 502 + if let Some(values) = params.get("lxm") { 503 503 + for value in values { 504 504 + if value == "*" { 505 505 + lxm.insert(RpcLexicon::All); 506 506 + } else { 507 507 + lxm.insert(RpcLexicon::Nsid(value.to_string())); 508 508 + } 509 509 + } 510 510 + } 511 511 + 512 512 + if let Some(values) = params.get("aud") { 513 513 + for value in values { 514 514 + if value == "*" { 515 515 + aud.insert(RpcAudience::All); 516 516 + } else { 517 517 + aud.insert(RpcAudience::Did(value.to_string())); 518 518 + } 519 519 + } 520 520 + } 521 521 + } 522 522 + Some(s) => { 523 523 + // Check if there's a query string in the suffix 524 524 + if let Some(pos) = s.find('?') { 525 525 + let nsid = &s[..pos]; 526 526 + let params = parse_query_string(&s[pos + 1..]); 527 527 + 528 528 + lxm.insert(RpcLexicon::Nsid(nsid.to_string())); 529 529 + 530 530 + if let Some(values) = params.get("aud") { 531 531 + for value in values { 532 532 + if value == "*" { 533 533 + aud.insert(RpcAudience::All); 534 534 + } else { 535 535 + aud.insert(RpcAudience::Did(value.to_string())); 536 536 + } 537 537 + } 538 538 + } 539 539 + } else { 540 540 + lxm.insert(RpcLexicon::Nsid(s.to_string())); 541 541 + } 542 542 + } 543 543 + None => {} 544 544 + } 545 545 + 546 546 + if lxm.is_empty() { 547 547 + lxm.insert(RpcLexicon::All); 548 548 + } 549 549 + if aud.is_empty() { 550 550 + aud.insert(RpcAudience::All); 551 551 + } 552 552 + 553 553 + Ok(Scope::Rpc(RpcScope { lxm, aud })) 554 554 + } 555 555 + 556 556 + fn parse_atproto(suffix: Option<&str>) -> Result<Self, ParseError> { 557 557 + if suffix.is_some() { 558 558 + return Err(ParseError::InvalidResource( 559 559 + "atproto scope does not accept suffixes".to_string(), 560 560 + )); 561 561 + } 562 562 + Ok(Scope::Atproto) 563 563 + } 564 564 + 565 565 + fn parse_transition(suffix: Option<&str>) -> Result<Self, ParseError> { 566 566 + let scope = match suffix { 567 567 + Some("generic") => TransitionScope::Generic, 568 568 + Some("email") => TransitionScope::Email, 569 569 + Some(other) => return Err(ParseError::InvalidResource(other.to_string())), 570 570 + None => return Err(ParseError::MissingResource), 571 571 + }; 572 572 + 573 573 + Ok(Scope::Transition(scope)) 574 574 + } 575 575 + 576 576 + fn parse_openid(suffix: Option<&str>) -> Result<Self, ParseError> { 577 577 + if suffix.is_some() { 578 578 + return Err(ParseError::InvalidResource( 579 579 + "openid scope does not accept suffixes".to_string(), 580 580 + )); 581 581 + } 582 582 + Ok(Scope::OpenId) 583 583 + } 584 584 + 585 585 + fn parse_profile(suffix: Option<&str>) -> Result<Self, ParseError> { 586 586 + if suffix.is_some() { 587 587 + return Err(ParseError::InvalidResource( 588 588 + "profile scope does not accept suffixes".to_string(), 589 589 + )); 590 590 + } 591 591 + Ok(Scope::Profile) 592 592 + } 593 593 + 594 594 + fn parse_email(suffix: Option<&str>) -> Result<Self, ParseError> { 595 595 + if suffix.is_some() { 596 596 + return Err(ParseError::InvalidResource( 597 597 + "email scope does not accept suffixes".to_string(), 598 598 + )); 599 599 + } 600 600 + Ok(Scope::Email) 601 601 + } 602 602 + 603 603 + /// Convert the scope to its normalized string representation 604 604 + pub fn to_string_normalized(&self) -> String { 605 605 + match self { 606 606 + Scope::Account(scope) => { 607 607 + let resource = match scope.resource { 608 608 + AccountResource::Email => "email", 609 609 + AccountResource::Repo => "repo", 610 610 + AccountResource::Status => "status", 611 611 + }; 612 612 + 613 613 + match scope.action { 614 614 + AccountAction::Read => format!("account:{}", resource), 615 615 + AccountAction::Manage => format!("account:{}?action=manage", resource), 616 616 + } 617 617 + } 618 618 + Scope::Identity(scope) => match scope { 619 619 + IdentityScope::Handle => "identity:handle".to_string(), 620 620 + IdentityScope::All => "identity:*".to_string(), 621 621 + }, 622 622 + Scope::Blob(scope) => { 623 623 + if scope.accept.len() == 1 { 624 624 + if let Some(pattern) = scope.accept.iter().next() { 625 625 + match pattern { 626 626 + MimePattern::All => "blob:*/*".to_string(), 627 627 + MimePattern::TypeWildcard(t) => format!("blob:{}/*", t), 628 628 + MimePattern::Exact(mime) => format!("blob:{}", mime), 629 629 + } 630 630 + } else { 631 631 + "blob:*/*".to_string() 632 632 + } 633 633 + } else { 634 634 + let mut params = Vec::new(); 635 635 + for pattern in &scope.accept { 636 636 + match pattern { 637 637 + MimePattern::All => params.push("accept=*/*".to_string()), 638 638 + MimePattern::TypeWildcard(t) => params.push(format!("accept={}/*", t)), 639 639 + MimePattern::Exact(mime) => params.push(format!("accept={}", mime)), 640 640 + } 641 641 + } 642 642 + params.sort(); 643 643 + format!("blob?{}", params.join("&")) 644 644 + } 645 645 + } 646 646 + Scope::Repo(scope) => { 647 647 + let collection = match &scope.collection { 648 648 + RepoCollection::All => "*", 649 649 + RepoCollection::Nsid(nsid) => nsid, 650 650 + }; 651 651 + 652 652 + if scope.actions.len() == 3 { 653 653 + format!("repo:{}", collection) 654 654 + } else { 655 655 + let mut params = Vec::new(); 656 656 + for action in &scope.actions { 657 657 + match action { 658 658 + RepoAction::Create => params.push("action=create"), 659 659 + RepoAction::Update => params.push("action=update"), 660 660 + RepoAction::Delete => params.push("action=delete"), 661 661 + } 662 662 + } 663 663 + format!("repo:{}?{}", collection, params.join("&")) 664 664 + } 665 665 + } 666 666 + Scope::Rpc(scope) => { 667 667 + if scope.lxm.len() == 1 668 668 + && scope.lxm.contains(&RpcLexicon::All) 669 669 + && scope.aud.len() == 1 670 670 + && scope.aud.contains(&RpcAudience::All) 671 671 + { 672 672 + "rpc:*".to_string() 673 673 + } else if scope.lxm.len() == 1 674 674 + && scope.aud.len() == 1 675 675 + && scope.aud.contains(&RpcAudience::All) 676 676 + { 677 677 + if let Some(lxm) = scope.lxm.iter().next() { 678 678 + match lxm { 679 679 + RpcLexicon::All => "rpc:*".to_string(), 680 680 + RpcLexicon::Nsid(nsid) => format!("rpc:{}", nsid), 681 681 + } 682 682 + } else { 683 683 + "rpc:*".to_string() 684 684 + } 685 685 + } else { 686 686 + let mut params = Vec::new(); 687 687 + 688 688 + for lxm in &scope.lxm { 689 689 + match lxm { 690 690 + RpcLexicon::All => params.push("lxm=*".to_string()), 691 691 + RpcLexicon::Nsid(nsid) => params.push(format!("lxm={}", nsid)), 692 692 + } 693 693 + } 694 694 + 695 695 + for aud in &scope.aud { 696 696 + match aud { 697 697 + RpcAudience::All => params.push("aud=*".to_string()), 698 698 + RpcAudience::Did(did) => params.push(format!("aud={}", did)), 699 699 + } 700 700 + } 701 701 + 702 702 + params.sort(); 703 703 + 704 704 + if params.is_empty() { 705 705 + "rpc:*".to_string() 706 706 + } else { 707 707 + format!("rpc?{}", params.join("&")) 708 708 + } 709 709 + } 710 710 + } 711 711 + Scope::Atproto => "atproto".to_string(), 712 712 + Scope::Transition(scope) => match scope { 713 713 + TransitionScope::Generic => "transition:generic".to_string(), 714 714 + TransitionScope::Email => "transition:email".to_string(), 715 715 + }, 716 716 + Scope::OpenId => "openid".to_string(), 717 717 + Scope::Profile => "profile".to_string(), 718 718 + Scope::Email => "email".to_string(), 719 719 + } 720 720 + } 721 721 + 722 722 + /// Check if this scope grants the permissions of another scope 723 723 + pub fn grants(&self, other: &Scope) -> bool { 724 724 + match (self, other) { 725 725 + // Atproto only grants itself (it's a required scope, not a permission grant) 726 726 + (Scope::Atproto, Scope::Atproto) => true, 727 727 + (Scope::Atproto, _) => false, 728 728 + // Nothing else grants atproto 729 729 + (_, Scope::Atproto) => false, 730 730 + // Transition scopes only grant themselves 731 731 + (Scope::Transition(a), Scope::Transition(b)) => a == b, 732 732 + // Other scopes don't grant transition scopes 733 733 + (_, Scope::Transition(_)) => false, 734 734 + (Scope::Transition(_), _) => false, 735 735 + // OpenID Connect scopes only grant themselves 736 736 + (Scope::OpenId, Scope::OpenId) => true, 737 737 + (Scope::OpenId, _) => false, 738 738 + (_, Scope::OpenId) => false, 739 739 + (Scope::Profile, Scope::Profile) => true, 740 740 + (Scope::Profile, _) => false, 741 741 + (_, Scope::Profile) => false, 742 742 + (Scope::Email, Scope::Email) => true, 743 743 + (Scope::Email, _) => false, 744 744 + (_, Scope::Email) => false, 745 745 + (Scope::Account(a), Scope::Account(b)) => { 746 746 + a.resource == b.resource 747 747 + && match (a.action, b.action) { 748 748 + (AccountAction::Manage, _) => true, 749 749 + (AccountAction::Read, AccountAction::Read) => true, 750 750 + _ => false, 751 751 + } 752 752 + } 753 753 + (Scope::Identity(a), Scope::Identity(b)) => match (a, b) { 754 754 + (IdentityScope::All, _) => true, 755 755 + (IdentityScope::Handle, IdentityScope::Handle) => true, 756 756 + _ => false, 757 757 + }, 758 758 + (Scope::Blob(a), Scope::Blob(b)) => { 759 759 + for b_pattern in &b.accept { 760 760 + let mut granted = false; 761 761 + for a_pattern in &a.accept { 762 762 + if a_pattern.grants(b_pattern) { 763 763 + granted = true; 764 764 + break; 765 765 + } 766 766 + } 767 767 + if !granted { 768 768 + return false; 769 769 + } 770 770 + } 771 771 + true 772 772 + } 773 773 + (Scope::Repo(a), Scope::Repo(b)) => { 774 774 + let collection_match = match (&a.collection, &b.collection) { 775 775 + (RepoCollection::All, _) => true, 776 776 + (RepoCollection::Nsid(a_nsid), RepoCollection::Nsid(b_nsid)) => { 777 777 + a_nsid == b_nsid 778 778 + } 779 779 + _ => false, 780 780 + }; 781 781 + 782 782 + if !collection_match { 783 783 + return false; 784 784 + } 785 785 + 786 786 + b.actions.is_subset(&a.actions) || a.actions.len() == 3 787 787 + } 788 788 + (Scope::Rpc(a), Scope::Rpc(b)) => { 789 789 + let lxm_match = if a.lxm.contains(&RpcLexicon::All) { 790 790 + true 791 791 + } else { 792 792 + b.lxm.iter().all(|b_lxm| match b_lxm { 793 793 + RpcLexicon::All => false, 794 794 + RpcLexicon::Nsid(_) => a.lxm.contains(b_lxm), 795 795 + }) 796 796 + }; 797 797 + 798 798 + let aud_match = if a.aud.contains(&RpcAudience::All) { 799 799 + true 800 800 + } else { 801 801 + b.aud.iter().all(|b_aud| match b_aud { 802 802 + RpcAudience::All => false, 803 803 + RpcAudience::Did(_) => a.aud.contains(b_aud), 804 804 + }) 805 805 + }; 806 806 + 807 807 + lxm_match && aud_match 808 808 + } 809 809 + _ => false, 810 810 + } 811 811 + } 812 812 + } 813 813 + 814 814 + impl MimePattern { 815 815 + fn grants(&self, other: &MimePattern) -> bool { 816 816 + match (self, other) { 817 817 + (MimePattern::All, _) => true, 818 818 + (MimePattern::TypeWildcard(a_type), MimePattern::TypeWildcard(b_type)) => { 819 819 + a_type == b_type 820 820 + } 821 821 + (MimePattern::TypeWildcard(a_type), MimePattern::Exact(b_mime)) => { 822 822 + b_mime.starts_with(&format!("{}/", a_type)) 823 823 + } 824 824 + (MimePattern::Exact(a), MimePattern::Exact(b)) => a == b, 825 825 + _ => false, 826 826 + } 827 827 + } 828 828 + } 829 829 + 830 830 + impl FromStr for MimePattern { 831 831 + type Err = ParseError; 832 832 + 833 833 + fn from_str(s: &str) -> Result<Self, Self::Err> { 834 834 + if s == "*/*" { 835 835 + Ok(MimePattern::All) 836 836 + } else if s.ends_with("/*") { 837 837 + Ok(MimePattern::TypeWildcard(s[..s.len() - 2].to_string())) 838 838 + } else if s.contains('/') { 839 839 + Ok(MimePattern::Exact(s.to_string())) 840 840 + } else { 841 841 + Err(ParseError::InvalidMimeType(s.to_string())) 842 842 + } 843 843 + } 844 844 + } 845 845 + 846 846 + impl FromStr for Scope { 847 847 + type Err = ParseError; 848 848 + 849 849 + fn from_str(s: &str) -> Result<Self, Self::Err> { 850 850 + Self::parse(s) 851 851 + } 852 852 + } 853 853 + 854 854 + impl fmt::Display for Scope { 855 855 + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 856 856 + write!(f, "{}", self.to_string_normalized()) 857 857 + } 858 858 + } 859 859 + 860 860 + /// Parse a query string into a map of keys to lists of values 861 861 + fn parse_query_string(query: &str) -> BTreeMap<String, Vec<String>> { 862 862 + let mut params = BTreeMap::new(); 863 863 + 864 864 + for pair in query.split('&') { 865 865 + if let Some(pos) = pair.find('=') { 866 866 + let key = &pair[..pos]; 867 867 + let value = &pair[pos + 1..]; 868 868 + params 869 869 + .entry(key.to_string()) 870 870 + .or_insert_with(Vec::new) 871 871 + .push(value.to_string()); 872 872 + } 873 873 + } 874 874 + 875 875 + params 876 876 + } 877 877 + 878 878 + /// Error type for scope parsing 879 879 + #[derive(Debug, Clone, PartialEq, Eq)] 880 880 + pub enum ParseError { 881 881 + /// Unknown scope prefix 882 882 + UnknownPrefix(String), 883 883 + /// Missing required resource 884 884 + MissingResource, 885 885 + /// Invalid resource type 886 886 + InvalidResource(String), 887 887 + /// Invalid action type 888 888 + InvalidAction(String), 889 889 + /// Invalid MIME type 890 890 + InvalidMimeType(String), 891 891 + } 892 892 + 893 893 + impl fmt::Display for ParseError { 894 894 + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 895 895 + match self { 896 896 + ParseError::UnknownPrefix(prefix) => write!(f, "Unknown scope prefix: {}", prefix), 897 897 + ParseError::MissingResource => write!(f, "Missing required resource"), 898 898 + ParseError::InvalidResource(resource) => write!(f, "Invalid resource: {}", resource), 899 899 + ParseError::InvalidAction(action) => write!(f, "Invalid action: {}", action), 900 900 + ParseError::InvalidMimeType(mime) => write!(f, "Invalid MIME type: {}", mime), 901 901 + } 902 902 + } 903 903 + } 904 904 + 905 905 + impl std::error::Error for ParseError {} 906 906 + 907 907 + #[cfg(test)] 908 908 + mod tests { 909 909 + use super::*; 910 910 + 911 911 + #[test] 912 912 + fn test_account_scope_parsing() { 913 913 + let scope = Scope::parse("account:email").unwrap(); 914 914 + assert_eq!( 915 915 + scope, 916 916 + Scope::Account(AccountScope { 917 917 + resource: AccountResource::Email, 918 918 + action: AccountAction::Read, 919 919 + }) 920 920 + ); 921 921 + 922 922 + let scope = Scope::parse("account:repo?action=manage").unwrap(); 923 923 + assert_eq!( 924 924 + scope, 925 925 + Scope::Account(AccountScope { 926 926 + resource: AccountResource::Repo, 927 927 + action: AccountAction::Manage, 928 928 + }) 929 929 + ); 930 930 + 931 931 + let scope = Scope::parse("account:status?action=read").unwrap(); 932 932 + assert_eq!( 933 933 + scope, 934 934 + Scope::Account(AccountScope { 935 935 + resource: AccountResource::Status, 936 936 + action: AccountAction::Read, 937 937 + }) 938 938 + ); 939 939 + } 940 940 + 941 941 + #[test] 942 942 + fn test_identity_scope_parsing() { 943 943 + let scope = Scope::parse("identity:handle").unwrap(); 944 944 + assert_eq!(scope, Scope::Identity(IdentityScope::Handle)); 945 945 + 946 946 + let scope = Scope::parse("identity:*").unwrap(); 947 947 + assert_eq!(scope, Scope::Identity(IdentityScope::All)); 948 948 + } 949 949 + 950 950 + #[test] 951 951 + fn test_blob_scope_parsing() { 952 952 + let scope = Scope::parse("blob:*/*").unwrap(); 953 953 + let mut accept = BTreeSet::new(); 954 954 + accept.insert(MimePattern::All); 955 955 + assert_eq!(scope, Scope::Blob(BlobScope { accept })); 956 956 + 957 957 + let scope = Scope::parse("blob:image/png").unwrap(); 958 958 + let mut accept = BTreeSet::new(); 959 959 + accept.insert(MimePattern::Exact("image/png".to_string())); 960 960 + assert_eq!(scope, Scope::Blob(BlobScope { accept })); 961 961 + 962 962 + let scope = Scope::parse("blob?accept=image/png&accept=image/jpeg").unwrap(); 963 963 + let mut accept = BTreeSet::new(); 964 964 + accept.insert(MimePattern::Exact("image/png".to_string())); 965 965 + accept.insert(MimePattern::Exact("image/jpeg".to_string())); 966 966 + assert_eq!(scope, Scope::Blob(BlobScope { accept })); 967 967 + 968 968 + let scope = Scope::parse("blob:image/*").unwrap(); 969 969 + let mut accept = BTreeSet::new(); 970 970 + accept.insert(MimePattern::TypeWildcard("image".to_string())); 971 971 + assert_eq!(scope, Scope::Blob(BlobScope { accept })); 972 972 + } 973 973 + 974 974 + #[test] 975 975 + fn test_repo_scope_parsing() { 976 976 + let scope = Scope::parse("repo:*?action=create").unwrap(); 977 977 + let mut actions = BTreeSet::new(); 978 978 + actions.insert(RepoAction::Create); 979 979 + assert_eq!( 980 980 + scope, 981 981 + Scope::Repo(RepoScope { 982 982 + collection: RepoCollection::All, 983 983 + actions, 984 984 + }) 985 985 + ); 986 986 + 987 987 + let scope = Scope::parse("repo:foo.bar?action=create&action=update").unwrap(); 988 988 + let mut actions = BTreeSet::new(); 989 989 + actions.insert(RepoAction::Create); 990 990 + actions.insert(RepoAction::Update); 991 991 + assert_eq!( 992 992 + scope, 993 993 + Scope::Repo(RepoScope { 994 994 + collection: RepoCollection::Nsid("foo.bar".to_string()), 995 995 + actions, 996 996 + }) 997 997 + ); 998 998 + 999 999 + let scope = Scope::parse("repo:foo.bar").unwrap(); 1000 1000 + let mut actions = BTreeSet::new(); 1001 1001 + actions.insert(RepoAction::Create); 1002 1002 + actions.insert(RepoAction::Update); 1003 1003 + actions.insert(RepoAction::Delete); 1004 1004 + assert_eq!( 1005 1005 + scope, 1006 1006 + Scope::Repo(RepoScope { 1007 1007 + collection: RepoCollection::Nsid("foo.bar".to_string()), 1008 1008 + actions, 1009 1009 + }) 1010 1010 + ); 1011 1011 + } 1012 1012 + 1013 1013 + #[test] 1014 1014 + fn test_rpc_scope_parsing() { 1015 1015 + let scope = Scope::parse("rpc:*").unwrap(); 1016 1016 + let mut lxm = BTreeSet::new(); 1017 1017 + let mut aud = BTreeSet::new(); 1018 1018 + lxm.insert(RpcLexicon::All); 1019 1019 + aud.insert(RpcAudience::All); 1020 1020 + assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud })); 1021 1021 + 1022 1022 + let scope = Scope::parse("rpc:com.example.service").unwrap(); 1023 1023 + let mut lxm = BTreeSet::new(); 1024 1024 + let mut aud = BTreeSet::new(); 1025 1025 + lxm.insert(RpcLexicon::Nsid("com.example.service".to_string())); 1026 1026 + aud.insert(RpcAudience::All); 1027 1027 + assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud })); 1028 1028 + 1029 1029 + let scope = Scope::parse("rpc:com.example.service?aud=did:example:123").unwrap(); 1030 1030 + let mut lxm = BTreeSet::new(); 1031 1031 + let mut aud = BTreeSet::new(); 1032 1032 + lxm.insert(RpcLexicon::Nsid("com.example.service".to_string())); 1033 1033 + aud.insert(RpcAudience::Did("did:example:123".to_string())); 1034 1034 + assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud })); 1035 1035 + 1036 1036 + let scope = 1037 1037 + Scope::parse("rpc?lxm=com.example.method1&lxm=com.example.method2&aud=did:example:123") 1038 1038 + .unwrap(); 1039 1039 + let mut lxm = BTreeSet::new(); 1040 1040 + let mut aud = BTreeSet::new(); 1041 1041 + lxm.insert(RpcLexicon::Nsid("com.example.method1".to_string())); 1042 1042 + lxm.insert(RpcLexicon::Nsid("com.example.method2".to_string())); 1043 1043 + aud.insert(RpcAudience::Did("did:example:123".to_string())); 1044 1044 + assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud })); 1045 1045 + } 1046 1046 + 1047 1047 + #[test] 1048 1048 + fn test_scope_normalization() { 1049 1049 + let tests = vec![ 1050 1050 + ("account:email", "account:email"), 1051 1051 + ("account:email?action=read", "account:email"), 1052 1052 + ("account:email?action=manage", "account:email?action=manage"), 1053 1053 + ("blob:image/png", "blob:image/png"), 1054 1054 + ( 1055 1055 + "blob?accept=image/jpeg&accept=image/png", 1056 1056 + "blob?accept=image/jpeg&accept=image/png", 1057 1057 + ), 1058 1058 + ("repo:foo.bar", "repo:foo.bar"), 1059 1059 + ("repo:foo.bar?action=create", "repo:foo.bar?action=create"), 1060 1060 + ("rpc:*", "rpc:*"), 1061 1061 + ]; 1062 1062 + 1063 1063 + for (input, expected) in tests { 1064 1064 + let scope = Scope::parse(input).unwrap(); 1065 1065 + assert_eq!(scope.to_string_normalized(), expected); 1066 1066 + } 1067 1067 + } 1068 1068 + 1069 1069 + #[test] 1070 1070 + fn test_account_scope_grants() { 1071 1071 + let manage = Scope::parse("account:email?action=manage").unwrap(); 1072 1072 + let read = Scope::parse("account:email?action=read").unwrap(); 1073 1073 + let other_read = Scope::parse("account:repo?action=read").unwrap(); 1074 1074 + 1075 1075 + assert!(manage.grants(&read)); 1076 1076 + assert!(manage.grants(&manage)); 1077 1077 + assert!(!read.grants(&manage)); 1078 1078 + assert!(read.grants(&read)); 1079 1079 + assert!(!read.grants(&other_read)); 1080 1080 + } 1081 1081 + 1082 1082 + #[test] 1083 1083 + fn test_identity_scope_grants() { 1084 1084 + let all = Scope::parse("identity:*").unwrap(); 1085 1085 + let handle = Scope::parse("identity:handle").unwrap(); 1086 1086 + 1087 1087 + assert!(all.grants(&handle)); 1088 1088 + assert!(all.grants(&all)); 1089 1089 + assert!(!handle.grants(&all)); 1090 1090 + assert!(handle.grants(&handle)); 1091 1091 + } 1092 1092 + 1093 1093 + #[test] 1094 1094 + fn test_blob_scope_grants() { 1095 1095 + let all = Scope::parse("blob:*/*").unwrap(); 1096 1096 + let image_all = Scope::parse("blob:image/*").unwrap(); 1097 1097 + let image_png = Scope::parse("blob:image/png").unwrap(); 1098 1098 + let text_plain = Scope::parse("blob:text/plain").unwrap(); 1099 1099 + 1100 1100 + assert!(all.grants(&image_all)); 1101 1101 + assert!(all.grants(&image_png)); 1102 1102 + assert!(all.grants(&text_plain)); 1103 1103 + assert!(image_all.grants(&image_png)); 1104 1104 + assert!(!image_all.grants(&text_plain)); 1105 1105 + assert!(!image_png.grants(&image_all)); 1106 1106 + } 1107 1107 + 1108 1108 + #[test] 1109 1109 + fn test_repo_scope_grants() { 1110 1110 + let all_all = Scope::parse("repo:*").unwrap(); 1111 1111 + let all_create = Scope::parse("repo:*?action=create").unwrap(); 1112 1112 + let specific_all = Scope::parse("repo:foo.bar").unwrap(); 1113 1113 + let specific_create = Scope::parse("repo:foo.bar?action=create").unwrap(); 1114 1114 + let other_create = Scope::parse("repo:baz.qux?action=create").unwrap(); 1115 1115 + 1116 1116 + assert!(all_all.grants(&all_create)); 1117 1117 + assert!(all_all.grants(&specific_all)); 1118 1118 + assert!(all_all.grants(&specific_create)); 1119 1119 + assert!(all_create.grants(&all_create)); 1120 1120 + assert!(!all_create.grants(&specific_all)); 1121 1121 + assert!(specific_all.grants(&specific_create)); 1122 1122 + assert!(!specific_create.grants(&specific_all)); 1123 1123 + assert!(!specific_create.grants(&other_create)); 1124 1124 + } 1125 1125 + 1126 1126 + #[test] 1127 1127 + fn test_rpc_scope_grants() { 1128 1128 + let all = Scope::parse("rpc:*").unwrap(); 1129 1129 + let specific_lxm = Scope::parse("rpc:com.example.service").unwrap(); 1130 1130 + let specific_both = Scope::parse("rpc:com.example.service?aud=did:example:123").unwrap(); 1131 1131 + 1132 1132 + assert!(all.grants(&specific_lxm)); 1133 1133 + assert!(all.grants(&specific_both)); 1134 1134 + assert!(specific_lxm.grants(&specific_both)); 1135 1135 + assert!(!specific_both.grants(&specific_lxm)); 1136 1136 + assert!(!specific_both.grants(&all)); 1137 1137 + } 1138 1138 + 1139 1139 + #[test] 1140 1140 + fn test_cross_scope_grants() { 1141 1141 + let account = Scope::parse("account:email").unwrap(); 1142 1142 + let identity = Scope::parse("identity:handle").unwrap(); 1143 1143 + 1144 1144 + assert!(!account.grants(&identity)); 1145 1145 + assert!(!identity.grants(&account)); 1146 1146 + } 1147 1147 + 1148 1148 + #[test] 1149 1149 + fn test_parse_errors() { 1150 1150 + assert!(matches!( 1151 1151 + Scope::parse("unknown:test"), 1152 1152 + Err(ParseError::UnknownPrefix(_)) 1153 1153 + )); 1154 1154 + 1155 1155 + assert!(matches!( 1156 1156 + Scope::parse("account"), 1157 1157 + Err(ParseError::MissingResource) 1158 1158 + )); 1159 1159 + 1160 1160 + assert!(matches!( 1161 1161 + Scope::parse("account:invalid"), 1162 1162 + Err(ParseError::InvalidResource(_)) 1163 1163 + )); 1164 1164 + 1165 1165 + assert!(matches!( 1166 1166 + Scope::parse("account:email?action=invalid"), 1167 1167 + Err(ParseError::InvalidAction(_)) 1168 1168 + )); 1169 1169 + } 1170 1170 + 1171 1171 + #[test] 1172 1172 + fn test_query_parameter_sorting() { 1173 1173 + let scope = 1174 1174 + Scope::parse("blob?accept=image/png&accept=application/pdf&accept=image/jpeg").unwrap(); 1175 1175 + let normalized = scope.to_string_normalized(); 1176 1176 + assert!(normalized.contains("accept=application/pdf")); 1177 1177 + assert!(normalized.contains("accept=image/jpeg")); 1178 1178 + assert!(normalized.contains("accept=image/png")); 1179 1179 + let pdf_pos = normalized.find("accept=application/pdf").unwrap(); 1180 1180 + let jpeg_pos = normalized.find("accept=image/jpeg").unwrap(); 1181 1181 + let png_pos = normalized.find("accept=image/png").unwrap(); 1182 1182 + assert!(pdf_pos < jpeg_pos); 1183 1183 + assert!(jpeg_pos < png_pos); 1184 1184 + } 1185 1185 + 1186 1186 + #[test] 1187 1187 + fn test_repo_action_wildcard() { 1188 1188 + let scope = Scope::parse("repo:foo.bar?action=*").unwrap(); 1189 1189 + let mut actions = BTreeSet::new(); 1190 1190 + actions.insert(RepoAction::Create); 1191 1191 + actions.insert(RepoAction::Update); 1192 1192 + actions.insert(RepoAction::Delete); 1193 1193 + assert_eq!( 1194 1194 + scope, 1195 1195 + Scope::Repo(RepoScope { 1196 1196 + collection: RepoCollection::Nsid("foo.bar".to_string()), 1197 1197 + actions, 1198 1198 + }) 1199 1199 + ); 1200 1200 + } 1201 1201 + 1202 1202 + #[test] 1203 1203 + fn test_multiple_blob_accepts() { 1204 1204 + let scope = Scope::parse("blob?accept=image/*&accept=text/plain").unwrap(); 1205 1205 + assert!(scope.grants(&Scope::parse("blob:image/png").unwrap())); 1206 1206 + assert!(scope.grants(&Scope::parse("blob:text/plain").unwrap())); 1207 1207 + assert!(!scope.grants(&Scope::parse("blob:application/json").unwrap())); 1208 1208 + } 1209 1209 + 1210 1210 + #[test] 1211 1211 + fn test_rpc_default_wildcards() { 1212 1212 + let scope = Scope::parse("rpc").unwrap(); 1213 1213 + let mut lxm = BTreeSet::new(); 1214 1214 + let mut aud = BTreeSet::new(); 1215 1215 + lxm.insert(RpcLexicon::All); 1216 1216 + aud.insert(RpcAudience::All); 1217 1217 + assert_eq!(scope, Scope::Rpc(RpcScope { lxm, aud })); 1218 1218 + } 1219 1219 + 1220 1220 + #[test] 1221 1221 + fn test_atproto_scope_parsing() { 1222 1222 + let scope = Scope::parse("atproto").unwrap(); 1223 1223 + assert_eq!(scope, Scope::Atproto); 1224 1224 + 1225 1225 + // Atproto should not accept suffixes 1226 1226 + assert!(Scope::parse("atproto:something").is_err()); 1227 1227 + assert!(Scope::parse("atproto?param=value").is_err()); 1228 1228 + } 1229 1229 + 1230 1230 + #[test] 1231 1231 + fn test_transition_scope_parsing() { 1232 1232 + let scope = Scope::parse("transition:generic").unwrap(); 1233 1233 + assert_eq!(scope, Scope::Transition(TransitionScope::Generic)); 1234 1234 + 1235 1235 + let scope = Scope::parse("transition:email").unwrap(); 1236 1236 + assert_eq!(scope, Scope::Transition(TransitionScope::Email)); 1237 1237 + 1238 1238 + // Test invalid transition types 1239 1239 + assert!(matches!( 1240 1240 + Scope::parse("transition:invalid"), 1241 1241 + Err(ParseError::InvalidResource(_)) 1242 1242 + )); 1243 1243 + 1244 1244 + // Test missing suffix 1245 1245 + assert!(matches!( 1246 1246 + Scope::parse("transition"), 1247 1247 + Err(ParseError::MissingResource) 1248 1248 + )); 1249 1249 + 1250 1250 + // Test transition doesn't accept query parameters 1251 1251 + assert!(matches!( 1252 1252 + Scope::parse("transition:generic?param=value"), 1253 1253 + Err(ParseError::InvalidResource(_)) 1254 1254 + )); 1255 1255 + } 1256 1256 + 1257 1257 + #[test] 1258 1258 + fn test_atproto_scope_normalization() { 1259 1259 + let scope = Scope::parse("atproto").unwrap(); 1260 1260 + assert_eq!(scope.to_string_normalized(), "atproto"); 1261 1261 + } 1262 1262 + 1263 1263 + #[test] 1264 1264 + fn test_transition_scope_normalization() { 1265 1265 + let tests = vec![ 1266 1266 + ("transition:generic", "transition:generic"), 1267 1267 + ("transition:email", "transition:email"), 1268 1268 + ]; 1269 1269 + 1270 1270 + for (input, expected) in tests { 1271 1271 + let scope = Scope::parse(input).unwrap(); 1272 1272 + assert_eq!(scope.to_string_normalized(), expected); 1273 1273 + } 1274 1274 + } 1275 1275 + 1276 1276 + #[test] 1277 1277 + fn test_atproto_scope_grants() { 1278 1278 + let atproto = Scope::parse("atproto").unwrap(); 1279 1279 + let account = Scope::parse("account:email").unwrap(); 1280 1280 + let identity = Scope::parse("identity:handle").unwrap(); 1281 1281 + let blob = Scope::parse("blob:image/png").unwrap(); 1282 1282 + let repo = Scope::parse("repo:foo.bar").unwrap(); 1283 1283 + let rpc = Scope::parse("rpc:com.example.service").unwrap(); 1284 1284 + let transition_generic = Scope::parse("transition:generic").unwrap(); 1285 1285 + let transition_email = Scope::parse("transition:email").unwrap(); 1286 1286 + 1287 1287 + // Atproto only grants itself (it's a required scope, not a permission grant) 1288 1288 + assert!(atproto.grants(&atproto)); 1289 1289 + assert!(!atproto.grants(&account)); 1290 1290 + assert!(!atproto.grants(&identity)); 1291 1291 + assert!(!atproto.grants(&blob)); 1292 1292 + assert!(!atproto.grants(&repo)); 1293 1293 + assert!(!atproto.grants(&rpc)); 1294 1294 + assert!(!atproto.grants(&transition_generic)); 1295 1295 + assert!(!atproto.grants(&transition_email)); 1296 1296 + 1297 1297 + // Nothing else grants atproto 1298 1298 + assert!(!account.grants(&atproto)); 1299 1299 + assert!(!identity.grants(&atproto)); 1300 1300 + assert!(!blob.grants(&atproto)); 1301 1301 + assert!(!repo.grants(&atproto)); 1302 1302 + assert!(!rpc.grants(&atproto)); 1303 1303 + assert!(!transition_generic.grants(&atproto)); 1304 1304 + assert!(!transition_email.grants(&atproto)); 1305 1305 + } 1306 1306 + 1307 1307 + #[test] 1308 1308 + fn test_transition_scope_grants() { 1309 1309 + let transition_generic = Scope::parse("transition:generic").unwrap(); 1310 1310 + let transition_email = Scope::parse("transition:email").unwrap(); 1311 1311 + let account = Scope::parse("account:email").unwrap(); 1312 1312 + 1313 1313 + // Transition scopes only grant themselves 1314 1314 + assert!(transition_generic.grants(&transition_generic)); 1315 1315 + assert!(transition_email.grants(&transition_email)); 1316 1316 + assert!(!transition_generic.grants(&transition_email)); 1317 1317 + assert!(!transition_email.grants(&transition_generic)); 1318 1318 + 1319 1319 + // Transition scopes don't grant other scope types 1320 1320 + assert!(!transition_generic.grants(&account)); 1321 1321 + assert!(!transition_email.grants(&account)); 1322 1322 + 1323 1323 + // Other scopes don't grant transition scopes 1324 1324 + assert!(!account.grants(&transition_generic)); 1325 1325 + assert!(!account.grants(&transition_email)); 1326 1326 + } 1327 1327 + 1328 1328 + #[test] 1329 1329 + fn test_parse_multiple() { 1330 1330 + // Test parsing multiple scopes 1331 1331 + let scopes = Scope::parse_multiple("atproto repo:*").unwrap(); 1332 1332 + assert_eq!(scopes.len(), 2); 1333 1333 + assert_eq!(scopes[0], Scope::Atproto); 1334 1334 + assert_eq!( 1335 1335 + scopes[1], 1336 1336 + Scope::Repo(RepoScope { 1337 1337 + collection: RepoCollection::All, 1338 1338 + actions: { 1339 1339 + let mut actions = BTreeSet::new(); 1340 1340 + actions.insert(RepoAction::Create); 1341 1341 + actions.insert(RepoAction::Update); 1342 1342 + actions.insert(RepoAction::Delete); 1343 1343 + actions 1344 1344 + } 1345 1345 + }) 1346 1346 + ); 1347 1347 + 1348 1348 + // Test with more scopes 1349 1349 + let scopes = Scope::parse_multiple("account:email identity:handle blob:image/png").unwrap(); 1350 1350 + assert_eq!(scopes.len(), 3); 1351 1351 + assert!(matches!(scopes[0], Scope::Account(_))); 1352 1352 + assert!(matches!(scopes[1], Scope::Identity(_))); 1353 1353 + assert!(matches!(scopes[2], Scope::Blob(_))); 1354 1354 + 1355 1355 + // Test with complex scopes 1356 1356 + let scopes = Scope::parse_multiple( 1357 1357 + "account:email?action=manage repo:foo.bar?action=create transition:email", 1358 1358 + ) 1359 1359 + .unwrap(); 1360 1360 + assert_eq!(scopes.len(), 3); 1361 1361 + 1362 1362 + // Test empty string 1363 1363 + let scopes = Scope::parse_multiple("").unwrap(); 1364 1364 + assert_eq!(scopes.len(), 0); 1365 1365 + 1366 1366 + // Test whitespace only 1367 1367 + let scopes = Scope::parse_multiple(" ").unwrap(); 1368 1368 + assert_eq!(scopes.len(), 0); 1369 1369 + 1370 1370 + // Test with extra whitespace 1371 1371 + let scopes = Scope::parse_multiple(" atproto repo:* ").unwrap(); 1372 1372 + assert_eq!(scopes.len(), 2); 1373 1373 + 1374 1374 + // Test single scope 1375 1375 + let scopes = Scope::parse_multiple("atproto").unwrap(); 1376 1376 + assert_eq!(scopes.len(), 1); 1377 1377 + assert_eq!(scopes[0], Scope::Atproto); 1378 1378 + 1379 1379 + // Test error propagation 1380 1380 + assert!(Scope::parse_multiple("atproto invalid:scope").is_err()); 1381 1381 + assert!(Scope::parse_multiple("account:invalid repo:*").is_err()); 1382 1382 + } 1383 1383 + 1384 1384 + #[test] 1385 1385 + fn test_parse_multiple_reduced() { 1386 1386 + // Test repo scope reduction - wildcard grants specific 1387 1387 + let scopes = Scope::parse_multiple_reduced("atproto repo:foo.bar repo:*").unwrap(); 1388 1388 + assert_eq!(scopes.len(), 2); 1389 1389 + assert!(scopes.contains(&Scope::Atproto)); 1390 1390 + assert!(scopes.contains(&Scope::Repo(RepoScope { 1391 1391 + collection: RepoCollection::All, 1392 1392 + actions: { 1393 1393 + let mut actions = BTreeSet::new(); 1394 1394 + actions.insert(RepoAction::Create); 1395 1395 + actions.insert(RepoAction::Update); 1396 1396 + actions.insert(RepoAction::Delete); 1397 1397 + actions 1398 1398 + } 1399 1399 + }))); 1400 1400 + 1401 1401 + // Test reverse order - should get same result 1402 1402 + let scopes = Scope::parse_multiple_reduced("atproto repo:* repo:foo.bar").unwrap(); 1403 1403 + assert_eq!(scopes.len(), 2); 1404 1404 + assert!(scopes.contains(&Scope::Atproto)); 1405 1405 + assert!(scopes.contains(&Scope::Repo(RepoScope { 1406 1406 + collection: RepoCollection::All, 1407 1407 + actions: { 1408 1408 + let mut actions = BTreeSet::new(); 1409 1409 + actions.insert(RepoAction::Create); 1410 1410 + actions.insert(RepoAction::Update); 1411 1411 + actions.insert(RepoAction::Delete); 1412 1412 + actions 1413 1413 + } 1414 1414 + }))); 1415 1415 + 1416 1416 + // Test account scope reduction - manage grants read 1417 1417 + let scopes = 1418 1418 + Scope::parse_multiple_reduced("account:email account:email?action=manage").unwrap(); 1419 1419 + assert_eq!(scopes.len(), 1); 1420 1420 + assert_eq!( 1421 1421 + scopes[0], 1422 1422 + Scope::Account(AccountScope { 1423 1423 + resource: AccountResource::Email, 1424 1424 + action: AccountAction::Manage, 1425 1425 + }) 1426 1426 + ); 1427 1427 + 1428 1428 + // Test identity scope reduction - wildcard grants specific 1429 1429 + let scopes = Scope::parse_multiple_reduced("identity:handle identity:*").unwrap(); 1430 1430 + assert_eq!(scopes.len(), 1); 1431 1431 + assert_eq!(scopes[0], Scope::Identity(IdentityScope::All)); 1432 1432 + 1433 1433 + // Test blob scope reduction - wildcard grants specific 1434 1434 + let scopes = Scope::parse_multiple_reduced("blob:image/png blob:image/* blob:*/*").unwrap(); 1435 1435 + assert_eq!(scopes.len(), 1); 1436 1436 + let mut accept = BTreeSet::new(); 1437 1437 + accept.insert(MimePattern::All); 1438 1438 + assert_eq!(scopes[0], Scope::Blob(BlobScope { accept })); 1439 1439 + 1440 1440 + // Test no reduction needed - different scope types 1441 1441 + let scopes = 1442 1442 + Scope::parse_multiple_reduced("account:email identity:handle blob:image/png").unwrap(); 1443 1443 + assert_eq!(scopes.len(), 3); 1444 1444 + 1445 1445 + // Test repo action reduction 1446 1446 + let scopes = 1447 1447 + Scope::parse_multiple_reduced("repo:foo.bar?action=create repo:foo.bar").unwrap(); 1448 1448 + assert_eq!(scopes.len(), 1); 1449 1449 + assert_eq!( 1450 1450 + scopes[0], 1451 1451 + Scope::Repo(RepoScope { 1452 1452 + collection: RepoCollection::Nsid("foo.bar".to_string()), 1453 1453 + actions: { 1454 1454 + let mut actions = BTreeSet::new(); 1455 1455 + actions.insert(RepoAction::Create); 1456 1456 + actions.insert(RepoAction::Update); 1457 1457 + actions.insert(RepoAction::Delete); 1458 1458 + actions 1459 1459 + } 1460 1460 + }) 1461 1461 + ); 1462 1462 + 1463 1463 + // Test RPC scope reduction 1464 1464 + let scopes = Scope::parse_multiple_reduced( 1465 1465 + "rpc:com.example.service?aud=did:example:123 rpc:com.example.service rpc:*", 1466 1466 + ) 1467 1467 + .unwrap(); 1468 1468 + assert_eq!(scopes.len(), 1); 1469 1469 + assert_eq!( 1470 1470 + scopes[0], 1471 1471 + Scope::Rpc(RpcScope { 1472 1472 + lxm: { 1473 1473 + let mut lxm = BTreeSet::new(); 1474 1474 + lxm.insert(RpcLexicon::All); 1475 1475 + lxm 1476 1476 + }, 1477 1477 + aud: { 1478 1478 + let mut aud = BTreeSet::new(); 1479 1479 + aud.insert(RpcAudience::All); 1480 1480 + aud 1481 1481 + } 1482 1482 + }) 1483 1483 + ); 1484 1484 + 1485 1485 + // Test duplicate removal 1486 1486 + let scopes = Scope::parse_multiple_reduced("atproto atproto atproto").unwrap(); 1487 1487 + assert_eq!(scopes.len(), 1); 1488 1488 + assert_eq!(scopes[0], Scope::Atproto); 1489 1489 + 1490 1490 + // Test transition scopes - only grant themselves 1491 1491 + let scopes = Scope::parse_multiple_reduced("transition:generic transition:email").unwrap(); 1492 1492 + assert_eq!(scopes.len(), 2); 1493 1493 + assert!(scopes.contains(&Scope::Transition(TransitionScope::Generic))); 1494 1494 + assert!(scopes.contains(&Scope::Transition(TransitionScope::Email))); 1495 1495 + 1496 1496 + // Test empty input 1497 1497 + let scopes = Scope::parse_multiple_reduced("").unwrap(); 1498 1498 + assert_eq!(scopes.len(), 0); 1499 1499 + 1500 1500 + // Test complex scenario with multiple reductions 1501 1501 + let scopes = Scope::parse_multiple_reduced( 1502 1502 + "account:email?action=manage account:email account:repo account:repo?action=read identity:* identity:handle" 1503 1503 + ).unwrap(); 1504 1504 + assert_eq!(scopes.len(), 3); 1505 1505 + // Should have: account:email?action=manage, account:repo, identity:* 1506 1506 + assert!(scopes.contains(&Scope::Account(AccountScope { 1507 1507 + resource: AccountResource::Email, 1508 1508 + action: AccountAction::Manage, 1509 1509 + }))); 1510 1510 + assert!(scopes.contains(&Scope::Account(AccountScope { 1511 1511 + resource: AccountResource::Repo, 1512 1512 + action: AccountAction::Read, 1513 1513 + }))); 1514 1514 + assert!(scopes.contains(&Scope::Identity(IdentityScope::All))); 1515 1515 + 1516 1516 + // Test that atproto doesn't grant other scopes (per recent change) 1517 1517 + let scopes = Scope::parse_multiple_reduced("atproto account:email repo:*").unwrap(); 1518 1518 + assert_eq!(scopes.len(), 3); 1519 1519 + assert!(scopes.contains(&Scope::Atproto)); 1520 1520 + assert!(scopes.contains(&Scope::Account(AccountScope { 1521 1521 + resource: AccountResource::Email, 1522 1522 + action: AccountAction::Read, 1523 1523 + }))); 1524 1524 + assert!(scopes.contains(&Scope::Repo(RepoScope { 1525 1525 + collection: RepoCollection::All, 1526 1526 + actions: { 1527 1527 + let mut actions = BTreeSet::new(); 1528 1528 + actions.insert(RepoAction::Create); 1529 1529 + actions.insert(RepoAction::Update); 1530 1530 + actions.insert(RepoAction::Delete); 1531 1531 + actions 1532 1532 + } 1533 1533 + }))); 1534 1534 + } 1535 1535 + 1536 1536 + #[test] 1537 1537 + fn test_openid_connect_scope_parsing() { 1538 1538 + // Test OpenID scope 1539 1539 + let scope = Scope::parse("openid").unwrap(); 1540 1540 + assert_eq!(scope, Scope::OpenId); 1541 1541 + 1542 1542 + // Test Profile scope 1543 1543 + let scope = Scope::parse("profile").unwrap(); 1544 1544 + assert_eq!(scope, Scope::Profile); 1545 1545 + 1546 1546 + // Test Email scope 1547 1547 + let scope = Scope::parse("email").unwrap(); 1548 1548 + assert_eq!(scope, Scope::Email); 1549 1549 + 1550 1550 + // Test that they don't accept suffixes 1551 1551 + assert!(Scope::parse("openid:something").is_err()); 1552 1552 + assert!(Scope::parse("profile:something").is_err()); 1553 1553 + assert!(Scope::parse("email:something").is_err()); 1554 1554 + 1555 1555 + // Test that they don't accept query parameters 1556 1556 + assert!(Scope::parse("openid?param=value").is_err()); 1557 1557 + assert!(Scope::parse("profile?param=value").is_err()); 1558 1558 + assert!(Scope::parse("email?param=value").is_err()); 1559 1559 + } 1560 1560 + 1561 1561 + #[test] 1562 1562 + fn test_openid_connect_scope_normalization() { 1563 1563 + let scope = Scope::parse("openid").unwrap(); 1564 1564 + assert_eq!(scope.to_string_normalized(), "openid"); 1565 1565 + 1566 1566 + let scope = Scope::parse("profile").unwrap(); 1567 1567 + assert_eq!(scope.to_string_normalized(), "profile"); 1568 1568 + 1569 1569 + let scope = Scope::parse("email").unwrap(); 1570 1570 + assert_eq!(scope.to_string_normalized(), "email"); 1571 1571 + } 1572 1572 + 1573 1573 + #[test] 1574 1574 + fn test_openid_connect_scope_grants() { 1575 1575 + let openid = Scope::parse("openid").unwrap(); 1576 1576 + let profile = Scope::parse("profile").unwrap(); 1577 1577 + let email = Scope::parse("email").unwrap(); 1578 1578 + let account = Scope::parse("account:email").unwrap(); 1579 1579 + 1580 1580 + // OpenID Connect scopes only grant themselves 1581 1581 + assert!(openid.grants(&openid)); 1582 1582 + assert!(!openid.grants(&profile)); 1583 1583 + assert!(!openid.grants(&email)); 1584 1584 + assert!(!openid.grants(&account)); 1585 1585 + 1586 1586 + assert!(profile.grants(&profile)); 1587 1587 + assert!(!profile.grants(&openid)); 1588 1588 + assert!(!profile.grants(&email)); 1589 1589 + assert!(!profile.grants(&account)); 1590 1590 + 1591 1591 + assert!(email.grants(&email)); 1592 1592 + assert!(!email.grants(&openid)); 1593 1593 + assert!(!email.grants(&profile)); 1594 1594 + assert!(!email.grants(&account)); 1595 1595 + 1596 1596 + // Other scopes don't grant OpenID Connect scopes 1597 1597 + assert!(!account.grants(&openid)); 1598 1598 + assert!(!account.grants(&profile)); 1599 1599 + assert!(!account.grants(&email)); 1600 1600 + } 1601 1601 + 1602 1602 + #[test] 1603 1603 + fn test_parse_multiple_with_openid_connect() { 1604 1604 + let scopes = Scope::parse_multiple("openid profile email atproto").unwrap(); 1605 1605 + assert_eq!(scopes.len(), 4); 1606 1606 + assert_eq!(scopes[0], Scope::OpenId); 1607 1607 + assert_eq!(scopes[1], Scope::Profile); 1608 1608 + assert_eq!(scopes[2], Scope::Email); 1609 1609 + assert_eq!(scopes[3], Scope::Atproto); 1610 1610 + 1611 1611 + // Test with mixed scopes 1612 1612 + let scopes = Scope::parse_multiple("openid account:email profile repo:*").unwrap(); 1613 1613 + assert_eq!(scopes.len(), 4); 1614 1614 + assert!(scopes.contains(&Scope::OpenId)); 1615 1615 + assert!(scopes.contains(&Scope::Profile)); 1616 1616 + } 1617 1617 + 1618 1618 + #[test] 1619 1619 + fn test_parse_multiple_reduced_with_openid_connect() { 1620 1620 + // OpenID Connect scopes don't grant each other, so no reduction 1621 1621 + let scopes = Scope::parse_multiple_reduced("openid profile email openid").unwrap(); 1622 1622 + assert_eq!(scopes.len(), 3); 1623 1623 + assert!(scopes.contains(&Scope::OpenId)); 1624 1624 + assert!(scopes.contains(&Scope::Profile)); 1625 1625 + assert!(scopes.contains(&Scope::Email)); 1626 1626 + 1627 1627 + // Mixed with other scopes 1628 1628 + let scopes = Scope::parse_multiple_reduced( 1629 1629 + "openid account:email account:email?action=manage profile", 1630 1630 + ) 1631 1631 + .unwrap(); 1632 1632 + assert_eq!(scopes.len(), 3); 1633 1633 + assert!(scopes.contains(&Scope::OpenId)); 1634 1634 + assert!(scopes.contains(&Scope::Profile)); 1635 1635 + assert!(scopes.contains(&Scope::Account(AccountScope { 1636 1636 + resource: AccountResource::Email, 1637 1637 + action: AccountAction::Manage, 1638 1638 + }))); 1639 1639 + } 1640 1640 + 1641 1641 + #[test] 1642 1642 + fn test_serialize_multiple() { 1643 1643 + // Test empty list 1644 1644 + let scopes: Vec<Scope> = vec![]; 1645 1645 + assert_eq!(Scope::serialize_multiple(&scopes), ""); 1646 1646 + 1647 1647 + // Test single scope 1648 1648 + let scopes = vec![Scope::Atproto]; 1649 1649 + assert_eq!(Scope::serialize_multiple(&scopes), "atproto"); 1650 1650 + 1651 1651 + // Test multiple scopes - should be sorted alphabetically 1652 1652 + let scopes = vec![ 1653 1653 + Scope::parse("repo:*").unwrap(), 1654 1654 + Scope::Atproto, 1655 1655 + Scope::parse("account:email").unwrap(), 1656 1656 + ]; 1657 1657 + assert_eq!( 1658 1658 + Scope::serialize_multiple(&scopes), 1659 1659 + "account:email atproto repo:*" 1660 1660 + ); 1661 1661 + 1662 1662 + // Test that sorting is consistent regardless of input order 1663 1663 + let scopes = vec![ 1664 1664 + Scope::parse("identity:handle").unwrap(), 1665 1665 + Scope::parse("blob:image/png").unwrap(), 1666 1666 + Scope::parse("account:repo?action=manage").unwrap(), 1667 1667 + ]; 1668 1668 + assert_eq!( 1669 1669 + Scope::serialize_multiple(&scopes), 1670 1670 + "account:repo?action=manage blob:image/png identity:handle" 1671 1671 + ); 1672 1672 + 1673 1673 + // Test with OpenID Connect scopes 1674 1674 + let scopes = vec![Scope::Email, Scope::OpenId, Scope::Profile, Scope::Atproto]; 1675 1675 + assert_eq!( 1676 1676 + Scope::serialize_multiple(&scopes), 1677 1677 + "atproto email openid profile" 1678 1678 + ); 1679 1679 + 1680 1680 + // Test with complex scopes including query parameters 1681 1681 + let scopes = vec![ 1682 1682 + Scope::parse("rpc:com.example.service?aud=did:example:123&lxm=com.example.method") 1683 1683 + .unwrap(), 1684 1684 + Scope::parse("repo:foo.bar?action=create&action=update").unwrap(), 1685 1685 + Scope::parse("blob:image/*?accept=image/png&accept=image/jpeg").unwrap(), 1686 1686 + ]; 1687 1687 + let result = Scope::serialize_multiple(&scopes); 1688 1688 + // The result should be sorted alphabetically 1689 1689 + // Note: RPC scope with query params is serialized as "rpc?aud=...&lxm=..." 1690 1690 + assert!(result.starts_with("blob:")); 1691 1691 + assert!(result.contains(" repo:")); 1692 1692 + assert!(result.contains("rpc?aud=did:example:123&lxm=com.example.service")); 1693 1693 + 1694 1694 + // Test with transition scopes 1695 1695 + let scopes = vec![ 1696 1696 + Scope::Transition(TransitionScope::Email), 1697 1697 + Scope::Transition(TransitionScope::Generic), 1698 1698 + Scope::Atproto, 1699 1699 + ]; 1700 1700 + assert_eq!( 1701 1701 + Scope::serialize_multiple(&scopes), 1702 1702 + "atproto transition:email transition:generic" 1703 1703 + ); 1704 1704 + 1705 1705 + // Test duplicates - they remain in the output (caller's responsibility to dedupe if needed) 1706 1706 + let scopes = vec![ 1707 1707 + Scope::Atproto, 1708 1708 + Scope::Atproto, 1709 1709 + Scope::parse("account:email").unwrap(), 1710 1710 + ]; 1711 1711 + assert_eq!( 1712 1712 + Scope::serialize_multiple(&scopes), 1713 1713 + "account:email atproto atproto" 1714 1714 + ); 1715 1715 + 1716 1716 + // Test normalization is preserved in serialization 1717 1717 + let scopes = vec![Scope::parse("blob?accept=image/png&accept=image/jpeg").unwrap()]; 1718 1718 + // Should normalize query parameters alphabetically 1719 1719 + assert_eq!( 1720 1720 + Scope::serialize_multiple(&scopes), 1721 1721 + "blob?accept=image/jpeg&accept=image/png" 1722 1722 + ); 1723 1723 + } 1724 1724 + 1725 1725 + #[test] 1726 1726 + fn test_serialize_multiple_roundtrip() { 1727 1727 + // Test that parse_multiple and serialize_multiple are inverses (when sorted) 1728 1728 + let original = "account:email atproto blob:image/png identity:handle repo:*"; 1729 1729 + let scopes = Scope::parse_multiple(original).unwrap(); 1730 1730 + let serialized = Scope::serialize_multiple(&scopes); 1731 1731 + assert_eq!(serialized, original); 1732 1732 + 1733 1733 + // Test with complex scopes 1734 1734 + let original = "account:repo?action=manage blob?accept=image/jpeg&accept=image/png rpc:*"; 1735 1735 + let scopes = Scope::parse_multiple(original).unwrap(); 1736 1736 + let serialized = Scope::serialize_multiple(&scopes); 1737 1737 + // Parse again to verify it's valid 1738 1738 + let reparsed = Scope::parse_multiple(&serialized).unwrap(); 1739 1739 + assert_eq!(scopes, reparsed); 1740 1740 + 1741 1741 + // Test with OpenID Connect scopes 1742 1742 + let original = "email openid profile"; 1743 1743 + let scopes = Scope::parse_multiple(original).unwrap(); 1744 1744 + let serialized = Scope::serialize_multiple(&scopes); 1745 1745 + assert_eq!(serialized, original); 1746 1746 + } 1747 1747 + 1748 1748 + #[test] 1749 1749 + fn test_remove_scope() { 1750 1750 + // Test removing a scope that exists 1751 1751 + let scopes = vec![ 1752 1752 + Scope::parse("repo:*").unwrap(), 1753 1753 + Scope::Atproto, 1754 1754 + Scope::parse("account:email").unwrap(), 1755 1755 + ]; 1756 1756 + let to_remove = Scope::Atproto; 1757 1757 + let result = Scope::remove_scope(&scopes, &to_remove); 1758 1758 + assert_eq!(result.len(), 2); 1759 1759 + assert!(!result.contains(&to_remove)); 1760 1760 + assert!(result.contains(&Scope::parse("repo:*").unwrap())); 1761 1761 + assert!(result.contains(&Scope::parse("account:email").unwrap())); 1762 1762 + 1763 1763 + // Test removing a scope that doesn't exist 1764 1764 + let scopes = vec![ 1765 1765 + Scope::parse("repo:*").unwrap(), 1766 1766 + Scope::parse("account:email").unwrap(), 1767 1767 + ]; 1768 1768 + let to_remove = Scope::parse("identity:handle").unwrap(); 1769 1769 + let result = Scope::remove_scope(&scopes, &to_remove); 1770 1770 + assert_eq!(result.len(), 2); 1771 1771 + assert_eq!(result, scopes); 1772 1772 + 1773 1773 + // Test removing from empty list 1774 1774 + let scopes: Vec<Scope> = vec![]; 1775 1775 + let to_remove = Scope::Atproto; 1776 1776 + let result = Scope::remove_scope(&scopes, &to_remove); 1777 1777 + assert_eq!(result.len(), 0); 1778 1778 + 1779 1779 + // Test removing all instances of a duplicate scope 1780 1780 + let scopes = vec![ 1781 1781 + Scope::Atproto, 1782 1782 + Scope::parse("account:email").unwrap(), 1783 1783 + Scope::Atproto, 1784 1784 + Scope::parse("repo:*").unwrap(), 1785 1785 + Scope::Atproto, 1786 1786 + ]; 1787 1787 + let to_remove = Scope::Atproto; 1788 1788 + let result = Scope::remove_scope(&scopes, &to_remove); 1789 1789 + assert_eq!(result.len(), 2); 1790 1790 + assert!(!result.contains(&to_remove)); 1791 1791 + assert!(result.contains(&Scope::parse("account:email").unwrap())); 1792 1792 + assert!(result.contains(&Scope::parse("repo:*").unwrap())); 1793 1793 + 1794 1794 + // Test removing complex scopes with query parameters 1795 1795 + let scopes = vec![ 1796 1796 + Scope::parse("account:email?action=manage").unwrap(), 1797 1797 + Scope::parse("blob?accept=image/png&accept=image/jpeg").unwrap(), 1798 1798 + Scope::parse("rpc:com.example.service?aud=did:example:123").unwrap(), 1799 1799 + ]; 1800 1800 + let to_remove = Scope::parse("blob?accept=image/jpeg&accept=image/png").unwrap(); // Note: normalized order 1801 1801 + let result = Scope::remove_scope(&scopes, &to_remove); 1802 1802 + assert_eq!(result.len(), 2); 1803 1803 + assert!(!result.contains(&to_remove)); 1804 1804 + 1805 1805 + // Test with OpenID Connect scopes 1806 1806 + let scopes = vec![Scope::OpenId, Scope::Profile, Scope::Email, Scope::Atproto]; 1807 1807 + let to_remove = Scope::Profile; 1808 1808 + let result = Scope::remove_scope(&scopes, &to_remove); 1809 1809 + assert_eq!(result.len(), 3); 1810 1810 + assert!(!result.contains(&to_remove)); 1811 1811 + assert!(result.contains(&Scope::OpenId)); 1812 1812 + assert!(result.contains(&Scope::Email)); 1813 1813 + assert!(result.contains(&Scope::Atproto)); 1814 1814 + 1815 1815 + // Test with transition scopes 1816 1816 + let scopes = vec![ 1817 1817 + Scope::Transition(TransitionScope::Generic), 1818 1818 + Scope::Transition(TransitionScope::Email), 1819 1819 + Scope::Atproto, 1820 1820 + ]; 1821 1821 + let to_remove = Scope::Transition(TransitionScope::Email); 1822 1822 + let result = Scope::remove_scope(&scopes, &to_remove); 1823 1823 + assert_eq!(result.len(), 2); 1824 1824 + assert!(!result.contains(&to_remove)); 1825 1825 + assert!(result.contains(&Scope::Transition(TransitionScope::Generic))); 1826 1826 + assert!(result.contains(&Scope::Atproto)); 1827 1827 + 1828 1828 + // Test that only exact matches are removed 1829 1829 + let scopes = vec![ 1830 1830 + Scope::parse("account:email").unwrap(), 1831 1831 + Scope::parse("account:email?action=manage").unwrap(), 1832 1832 + Scope::parse("account:repo").unwrap(), 1833 1833 + ]; 1834 1834 + let to_remove = Scope::parse("account:email").unwrap(); 1835 1835 + let result = Scope::remove_scope(&scopes, &to_remove); 1836 1836 + assert_eq!(result.len(), 2); 1837 1837 + assert!(!result.contains(&Scope::parse("account:email").unwrap())); 1838 1838 + assert!(result.contains(&Scope::parse("account:email?action=manage").unwrap())); 1839 1839 + assert!(result.contains(&Scope::parse("account:repo").unwrap())); 1840 1840 + } 1841 1841 + }

+5 -2

crates/atproto-record/src/bytes.rs

··· 35 35 use serde::{Deserialize, Serialize}; 36 36 use serde::{Deserializer, Serializer}; 37 37 38 38 - use base64::{Engine, engine::general_purpose::{STANDARD, STANDARD_NO_PAD}}; 38 38 + use base64::{ 39 39 + Engine, 40 40 + engine::general_purpose::{STANDARD, STANDARD_NO_PAD}, 41 41 + }; 39 42 40 43 /// Serializes a byte vector to a base64 encoded string. 41 44 pub fn serialize<S: Serializer>(value: &Vec<u8>, serializer: S) -> Result<S::Ok, S::Error> { ··· 47 50 /// Handles both padded and unpadded base64 strings for compatibility. 48 51 pub fn deserialize<'de, D: Deserializer<'de>>(d: D) -> Result<Vec<u8>, D::Error> { 49 52 let encoded_value = String::deserialize(d)?; 50 50 - 53 53 + 51 54 // Try standard base64 with padding first 52 55 STANDARD 53 56 .decode(&encoded_value)

+9 -7

crates/atproto-record/src/lexicon/community_lexicon_attestation.rs

··· 167 167 eprintln!("TypedSignature deserialization error: {}", e); 168 168 } 169 169 } 170 170 - 170 170 + 171 171 // Then try as SignatureOrRef 172 172 let sig_or_ref_result: Result<SignatureOrRef, _> = serde_json::from_str(json_str); 173 173 match &sig_or_ref_result { ··· 182 182 eprintln!("SignatureOrRef deserialization error: {}", e); 183 183 } 184 184 } 185 185 - 185 185 + 186 186 // Try without $type field 187 187 let json_no_type = r#"{ 188 188 "issuedAt": "2025-08-19T20:17:17.133Z", ··· 191 191 "$bytes": "mr9c0MCu3g6SXNQ25JFhzfX1ecYgK9k1Kf6OZI2p2AlQRoQu09dOE7J5uaeilIx/UFCjJErO89C/uBBb9ANmUA" 192 192 } 193 193 }"#; 194 194 - 194 194 + 195 195 let no_type_result: Result<Signature, _> = serde_json::from_str(json_no_type); 196 196 match &no_type_result { 197 197 Ok(sig) => { 198 198 println!("Signature (no type) OK: issuer={}", sig.issuer); 199 199 assert_eq!(sig.issuer, "did:web:acudo-dev.smokesignal.tools"); 200 200 assert_eq!(sig.signature.bytes.len(), 64); 201 201 - 201 201 + 202 202 // Now wrap it in TypedLexicon and try as SignatureOrRef 203 203 let typed = TypedLexicon::new(sig.clone()); 204 204 let _as_sig_or_ref = SignatureOrRef::Inline(typed); ··· 208 208 eprintln!("Signature (no type) deserialization error: {}", e); 209 209 } 210 210 } 211 211 - 211 211 + 212 212 // Check that at least one worked 213 213 - assert!(typed_sig_result.is_ok() || sig_or_ref_result.is_ok() || no_type_result.is_ok(), 214 214 - "Failed to deserialize signature in any form"); 213 213 + assert!( 214 214 + typed_sig_result.is_ok() || sig_or_ref_result.is_ok() || no_type_result.is_ok(), 215 215 + "Failed to deserialize signature in any form" 216 216 + ); 215 217 } 216 218 217 219 #[test]

+8 -4

crates/atproto-record/src/lexicon/community_lexicon_calendar_rsvp.rs

··· 333 333 // First parse as generic JSON to verify structure 334 334 let json_value: Value = serde_json::from_str(json_str)?; 335 335 assert_eq!(json_value["$type"], "community.lexicon.calendar.rsvp"); 336 336 - assert_eq!(json_value["status"], "community.lexicon.calendar.rsvp#going"); 337 337 - 336 336 + assert_eq!( 337 337 + json_value["status"], 338 338 + "community.lexicon.calendar.rsvp#going" 339 339 + ); 340 340 + 338 341 // Deserialize the JSON 339 342 let typed_rsvp: TypedRsvp = serde_json::from_str(json_str)?; 340 343 ··· 350 353 ); 351 354 352 355 // Verify the timestamp 353 353 - let expected_time = Utc.with_ymd_and_hms(2025, 8, 19, 20, 17, 17) 356 356 + let expected_time = Utc 357 357 + .with_ymd_and_hms(2025, 8, 19, 20, 17, 17) 354 358 .unwrap() 355 359 .with_nanosecond(133_000_000) 356 360 .unwrap(); ··· 361 365 match &typed_rsvp.inner.signatures[0] { 362 366 SignatureOrRef::Inline(sig) => { 363 367 assert_eq!(sig.inner.issuer, "did:web:acudo-dev.smokesignal.tools"); 364 364 - 368 368 + 365 369 // Verify the issuedAt field if present 366 370 if let Some(issued_at_value) = sig.inner.extra.get("issuedAt") { 367 371 assert_eq!(issued_at_value, "2025-08-19T20:17:17.133Z");

+18 -17

crates/atproto-xrpcs/src/authorization.rs

··· 139 139 140 140 // If not found, try to resolve the subject 141 141 if did_document.is_none() 142 142 - && let Some(identity_resolver) = identity_resolver { 143 143 - did_document = match identity_resolver.resolve(issuer).await { 144 144 - Ok(value) => { 145 145 - storage 146 146 - .store_document(value.clone()) 147 147 - .await 148 148 - .map_err(|err| AuthorizationError::DocumentStorageFailed { error: err })?; 142 142 + && let Some(identity_resolver) = identity_resolver 143 143 + { 144 144 + did_document = match identity_resolver.resolve(issuer).await { 145 145 + Ok(value) => { 146 146 + storage 147 147 + .store_document(value.clone()) 148 148 + .await 149 149 + .map_err(|err| AuthorizationError::DocumentStorageFailed { error: err })?; 149 150 150 150 - Some(value) 151 151 + Some(value) 152 152 + } 153 153 + Err(err) => { 154 154 + return Err(AuthorizationError::SubjectResolutionFailed { 155 155 + issuer: issuer.to_string(), 156 156 + error: err, 151 157 } 152 152 - Err(err) => { 153 153 - return Err(AuthorizationError::SubjectResolutionFailed { 154 154 - issuer: issuer.to_string(), 155 155 - error: err, 156 156 - } 157 157 - .into()); 158 158 - } 159 159 - }; 160 160 - } 158 158 + .into()); 159 159 + } 160 160 + }; 161 161 + } 161 162 162 163 let did_document = did_document.ok_or_else(|| AuthorizationError::DIDDocumentNotFound { 163 164 issuer: issuer.to_string(),