- implemented a `KeyService` for `JwtService` that manages decoding keys
  which are used to validate Json Web Tokens (JWTs).

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

…ategy

Signed-off-by: rmarinn <[email protected]>

…or services

- Replaced custom `mockhttp` with `mockito` for simulating HTTP requests in tests.
- Refactored `JwtService` and `KeyService` to remove the need for the `GetKey` trait.
  `KeyService` can now be initialized directly, simplifying the code and improving clarity.

Signed-off-by: rmarinn <[email protected]>

…ation, and simplify services

- restructured the folder structure in the /jwt module for better organization.
- added comprehensive docstrings to enhance code readability and maintainability.
- simplified KeyService and DecodingStrategy by removing unnecessary traits for their communication.

Signed-off-by: rmarinn <[email protected]>

…cies for cleaner build

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

…ror logging

- reuse a HTTP client initialized on init for `KeyService` when making requests to improve efficiency
- replaced `println!` with `eprintln!` for better error logging

Signed-off-by: rmarinn <[email protected]>

…ition failure

- added error handling for cases where acquiring a lock on decoding keys fails
- replaced `unwrap()` with a custom error to handle poisoned locks gracefully

Signed-off-by: rmarinn <[email protected]>

- validate the `userinfo_token` to ensure its integrity and correctness
- verify that the `client_id` of the `userinfo_token` matches the `aud` of the corresponding `access_token`
- verify that the `sub` of the `userinfo_token` matches the `sub` of the corresponding `id_token`

Signed-off-by: rmarinn <[email protected]>

- revise example tokens to reflect current requirements

Signed-off-by: rmarinn <[email protected]>

- clean up the `jwt::token` module by removing fields that are unused.

Signed-off-by: rmarinn <[email protected]>

…oken types

- introduced `InvalidAccessToken` error for invalid access tokens
- introduced `InvalidIdToken` error for invalid ID tokens
- introduced `InvalidUserinfoToken` error for invalid userinfo tokens
- this change provides clearer feedback based on the type of invalid token encountered

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: Arnab Dutta <[email protected]>

- implement Deserialize for TokenKind instead of using the
  derialize_with macro

Signed-off-by: rmarinn <[email protected]>

…olicy_store.rs

Signed-off-by: rmarinn <[email protected]>

…appings

Signed-off-by: rmarinn <[email protected]>

- added the Copy trait implementation to TokenKind for more efficient value handling

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

…c<String>

- updated the MultipleRoleMappings error variant to store a Vec<String>
  instead of a single String, allowing it to capture multiple tokens with role mappings.

Signed-off-by: rmarinn <[email protected]>

…criptive

- rename `schema` field in `PolicyStore` to `cedar_schema`
- rename `policies` field in `PolicyStore` to `cedar_policies`

Signed-off-by: rmarinn <[email protected]>

…cyStore

- policy_store_id is now only required when loading from Lock Master, simplifying the structure of policy_store.json
- renamed and simplified field and function names for better clarity in policy deserialization
- updated docstrings to enhance understanding of PolicyStore fields and deserialization process
- updated test cases to reflect new naming conventions and improve error handling

Signed-off-by: rmarinn <[email protected]>

- added support for the cedar_version field to specify the version of Cedar being used.
- this enhancement allows for version-specific parsing of schemas and policies during deserialization.
- updated relevant structures and deserialization logic to validate the cedar_version format.

Signed-off-by: rmarinn <[email protected]>

…es to PolicyStore

- checking for multiple roles now occurs during the deserialization of PolicyStore
- the corresponding test has been relocated from `init/policy_store.rs` to
  `common/policy_store.rs` for better organization and clarity.

Signed-off-by: rmarinn <[email protected]>

- rename `parse_policy` to `parse_single_policy` to make the intent of
  calling the function clearer

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: Arnab Dutta <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: Arnab Dutta <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: Arnab Dutta <[email protected]>

Signed-off-by: Arnab Dutta <[email protected]>

Signed-off-by: Arnab Dutta <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

…heck_token_metadata`

Signed-off-by: rmarinn <[email protected]>

…ver crate

Signed-off-by: rmarinn <[email protected]>

- removed the need for a Visitor in parsing logic
- users now pass `access_token`, `id_token`, `userinfo_token`,
  or `transaction_token` (case-insensitive) as the token type

Signed-off-by: rmarinn <[email protected]>

…y Ok wrapper

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

…en metadata test

Signed-off-by: rmarinn <[email protected]>

- updated the deserialization logic to collect and report multiple errors encountered during policy parsing

Signed-off-by: rmarinn <[email protected]>

…ssue-9901 and jans-cedarling-9905

Signed-off-by: rmarinn <[email protected]>

… clarity

- reorganized tests into a dedicated file for better structure
- improved readability of policy and schema inputs in the tests

Signed-off-by: rmarinn <[email protected]>

- fixed needless borrows to improve code efficiency

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

- added comments so it's obvious what's in the claims in the tokens
  string in the examples directory

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

- moved the `extract_claims` function out of the method that uses `self`,
  making it an associated function to avoid unnecessary usage of `self`
  while preserving organization within the impl block.

Signed-off-by: rmarinn <[email protected]>

…rithm parsing

- manually reverted to returning a custom Error when parsing an
  unsupported algorithm, preserving previous error reporting behavior

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

- renamed `person_id` to `user_id` in the example

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

- update README to show how to run the new tests

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: Oleh Bohzok <[email protected]>

Signed-off-by: rmarinn <[email protected]>

Signed-off-by: rmarinn <[email protected]>