refactor: Redesign SecurityContext with two-phase validation

crates/api-types/src/error_conv.rs

@@ -26,6 +26,7 @@ use openstack_keystone_core_types::assignment::AssignmentProviderError;
 use openstack_keystone_core_types::auth::AuthenticationError;
 use openstack_keystone_core_types::catalog::CatalogProviderError;
 use openstack_keystone_core_types::error::BuilderError;
+use openstack_keystone_core_types::error::KeystoneError;
 use openstack_keystone_core_types::identity::IdentityProviderError;
 use openstack_keystone_core_types::resource::ResourceProviderError;
 use openstack_keystone_core_types::revoke::RevokeProviderError;
@@ -75,18 +76,30 @@ impl From<JsonRejection> for KeystoneApiError {
 impl From<AuthenticationError> for KeystoneApiError {
     fn from(value: AuthenticationError) -> Self {
         match value {
-            AuthenticationError::AuthPrincipalDiffers => {
+            AuthenticationError::ActorHasNoRolesOnTarget => {
                 KeystoneApiError::unauthorized(value, None::<String>)
             }
-            AuthenticationError::DomainDisabled(..) => {
+            AuthenticationError::AuthApplicationCredentialExpired => {
                 KeystoneApiError::unauthorized(value, None::<String>)
             }
-            AuthenticationError::ProjectDisabled(..) => {
+            AuthenticationError::AuthnPrincipalMismatch => {
+                KeystoneApiError::unauthorized(value, None::<String>)
+            }
+            AuthenticationError::AuthTokenExpired => {
+                KeystoneApiError::unauthorized(value, None::<String>)
+            }
+            AuthenticationError::AuthzPrincipalMismatch => {
+                KeystoneApiError::unauthorized(value, None::<String>)
+            }
+            AuthenticationError::DomainDisabled(..) => {
                 KeystoneApiError::unauthorized(value, None::<String>)
             }
-            AuthenticationError::ScopeNotAllowed => {
+            AuthenticationError::Forbidden => KeystoneApiError::forbidden(value),
+            AuthenticationError::ProjectDisabled(..) => {
                 KeystoneApiError::unauthorized(value, None::<String>)
             }
+            AuthenticationError::SecurityContextNotResolved => KeystoneApiError::internal(value),
+            AuthenticationError::ScopeNotAllowed => KeystoneApiError::forbidden(value),
             AuthenticationError::StructBuilder { source } => {
                 KeystoneApiError::InternalError(source.to_string())
             }
@@ -123,9 +136,13 @@ impl From<AuthenticationError> for KeystoneApiError {
             AuthenticationError::Unauthorized => {
                 KeystoneApiError::unauthorized(value, None::<String>)
             }
-            AuthenticationError::Validation { source } => {
-                KeystoneApiError::InternalError(source.to_string())
+            AuthenticationError::RoleConversionFailed => {
+                KeystoneApiError::InternalError(value.to_string())
+            }
+            AuthenticationError::Validation(ref ve) => {
+                KeystoneApiError::BadRequest(format!("validation error: {ve}"))
             }
+            other => KeystoneApiError::unauthorized(other, None::<String>),
         }
     }
 }
@@ -216,6 +233,10 @@ impl From<TokenProviderError> for KeystoneApiError {
     fn from(value: TokenProviderError) -> Self {
         match value {
             TokenProviderError::Authentication(source) => source.into(),
+            TokenProviderError::TrustorDomainDisabled
+            | TokenProviderError::TrustorUserDisabled(_) => {
+                Self::unauthorized(value, None::<String>)
+            }
             TokenProviderError::DomainDisabled(x) => Self::NotFound {
                 resource: "domain".into(),
                 identifier: x,
@@ -256,3 +277,25 @@ impl From<validator::ValidationErrors> for KeystoneApiError {
         Self::BadRequest(value.to_string())
     }
 }
+
+impl From<KeystoneError> for KeystoneApiError {
+    fn from(value: KeystoneError) -> Self {
+        match value {
+            //KeystoneError::ApplicationCredential { source } => source.into(),
+            KeystoneError::AssignmentProvider { source } => source.into(),
+            KeystoneError::Authentication { source } => source.into(),
+            KeystoneError::CatalogProvider { source } => source.into(),
+            KeystoneError::FederationProvider { source } => source.into(),
+            //KeystoneError::IdentityMapping { source } => source.into(),
+            KeystoneError::Json { source } => source.into(),
+            KeystoneError::K8sAuthProvider { source } => source.into(),
+            KeystoneError::PolicyEnforcementNotAvailable => KeystoneApiError::internal(value),
+            KeystoneError::ResourceProvider { source } => source.into(),
+            KeystoneError::RevokeProvider { source } => source.into(),
+            KeystoneError::RoleProvider { source } => source.into(),
+            KeystoneError::TokenProvider { source } => source.into(),
+            KeystoneError::TrustProvider { source } => source.into(),
+            _ => KeystoneApiError::internal(value),
+        }
+    }
+}

crates/api-types/src/v3/auth_conv.rs

@@ -46,10 +46,12 @@ impl TryFrom<api_types::UserPassword>
     }
 }
 
-impl TryFrom<&openstack_keystone_core_types::token::Token> for api_types::Token {
+impl TryFrom<&openstack_keystone_core_types::token::FernetToken> for api_types::Token {
     type Error = BuilderError;
 
-    fn try_from(value: &openstack_keystone_core_types::token::Token) -> Result<Self, Self::Error> {
+    fn try_from(
+        value: &openstack_keystone_core_types::token::FernetToken,
+    ) -> Result<Self, Self::Error> {
         let mut token = api_types::TokenBuilder::default();
         token.user(
             api_types::UserBuilder::default()

crates/api-types/src/v3/project.rs

@@ -249,7 +249,7 @@ mod tests {
         assert_eq!(
             serde_json::json!({"name": "name", "domain_id": "did", "enabled": true, "is_domain": false}),
             serde_json::to_value(
-                &ProjectCreateBuilder::default()
+                ProjectCreateBuilder::default()
                     .name("name")
                     .domain_id("did")
                     .build()
@@ -260,7 +260,7 @@ mod tests {
         assert_eq!(
             serde_json::json!({"name": "name", "domain_id": "did", "enabled": true, "is_domain": false, "unknown": "bar"}),
             serde_json::to_value(
-                &ProjectCreateBuilder::default()
+                ProjectCreateBuilder::default()
                     .name("name")
                     .domain_id("did")
                     .extra(std::collections::HashMap::from([(

crates/api-types/src/v3/role.rs

@@ -139,3 +139,13 @@ pub struct RoleCreateRequest {
     #[cfg_attr(feature = "validate", validate(nested))]
     pub role: RoleCreate,
 }
+
+impl From<&Role> for RoleRef {
+    fn from(value: &Role) -> Self {
+        Self {
+            domain_id: value.domain_id.clone(),
+            id: value.id.clone(),
+            name: value.name.clone(),
+        }
+    }
+}