use ibmcloud_iam::jwt::validate_token;
use ibmcloud_iam::pdp as pdpapi;
use ibmcloud_iam::pdp::Resource;
use ibmcloud_iam::token::TokenManager;
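/// Example: ask the IBM Cloud IAM Policy Decision Point (PDP) whether a
/// user may perform an action on one of this service's resources.
///
/// Flow: mint a user token (from `IBMCLOUD_API_KEY`, purely so the example
/// is self-contained), validate it, derive the subject from it, then send
/// an authorization request to the PDP authenticated as this service.
///
/// Environment:
/// - `IBMCLOUD_API_KEY`: API key used to mint the *user* token.
/// - `SERVICE_ID_KEY`: Service ID API key identifying *this* service to the PDP.
///
/// Errors: a missing environment variable, a failure to mint or validate
/// the token, or a failed PDP call is returned to the caller; none of these
/// are silently ignored.
pub fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Production IAM endpoint: token minting, token validation and the PDP
    // request all go to this host.
    let endpoint = "https://iam.cloud.ibm.com";

    // Credentials are read from the environment so they never live in the
    // source tree. A missing value is reported through the error path rather
    // than a panic, and the secret values themselves are never printed.
    let api_key = std::env::var("IBMCLOUD_API_KEY")
        .map_err(|e| format!("Could not read IBMCLOUD_API_KEY from env: {}", e))?;
    let service_id_key = std::env::var("SERVICE_ID_KEY")
        .map_err(|e| format!("Could not read SERVICE_ID_KEY from env: {}", e))?;

    // Obtain a user token. In a real web service this token arrives from the
    // caller (e.g. an Authorization header); it is minted here only so the
    // example runs end to end.
    let tm = TokenManager::new(&api_key, endpoint);
    let user_token = tm.token()?;

    // Validate the user token BEFORE anything is derived from it. The result
    // must be inspected: a token that fails validation aborts the flow here
    // via `?` instead of being turned into a subject and sent to the PDP.
    // (Discarding this result would make the check a no-op.)
    let _claims = validate_token(&user_token, endpoint)?;

    // PDP client authenticated as this service (Service ID), not as the user.
    let pdp = pdpapi::PDPClient::new(&service_id_key, endpoint);

    // Subject of the authorization request, taken from the token that was
    // validated above.
    let sub = pdpapi::subject_from_token(&user_token);

    // Action on the resource to be authorized.
    let action = "books.dashboard.view";

    // Resource attributes for the PDP request. These are specific to your
    // service and must match the attributes allowed in your IAM service
    // definition. NOTE(review): `accountId` / `serviceInstance` should come
    // from the service's own configuration, never from caller-supplied
    // input, otherwise a caller could steer the decision toward a resource
    // they do control.
    let mut resource = Resource::new();
    for &(key, value) in &[
        ("serviceName", "books"),
        ("accountId", "1111222233334444"),
        ("ctype", "public"),
        ("serviceInstance", "9e386139-0000-000-8101-103771fa7793"),
    ] {
        resource.insert(key.to_string(), value.to_string());
    }

    // Build the final request, send it to IAM and report the decision.
    let resp = pdp.authorize(sub, action, resource)?;
    println!("Authorization Decision: {:?}", resp);
    Ok(())
}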