@@ -439,3 +439,164 @@ func (h *AdminHandler) FgaReset(ctx context.Context, _ *authorizerv1.FgaResetReq
439439 }
440440 return & authorizerv1.FgaResetResponse {Message : res .Message }, nil
441441}
442+
443+ // CreateServiceAccount delegates to service.CreateServiceAccount and returns the
444+ // generated client secret exactly once (CreateServiceAccountResponse is the only
445+ // admin message that carries a secret). Requires super-admin auth.
446+ func (h * AdminHandler ) CreateServiceAccount (ctx context.Context , req * authorizerv1.CreateServiceAccountRequest ) (* authorizerv1.CreateServiceAccountResponse , error ) {
447+ res , _ , err := h .Service .CreateServiceAccount (ctx , transport .MetaFromGRPC (ctx ), & model.CreateServiceAccountRequest {
448+ Name : req .GetName (),
449+ Description : req .Description ,
450+ AllowedScopes : req .GetAllowedScopes (),
451+ })
452+ if err != nil {
453+ return nil , err
454+ }
455+ return & authorizerv1.CreateServiceAccountResponse {
456+ ServiceAccount : projectServiceAccount (res .ServiceAccount ),
457+ ClientSecret : res .ClientSecret ,
458+ }, nil
459+ }
460+
461+ // UpdateServiceAccount delegates to service.UpdateServiceAccount. Optional proto
462+ // fields map 1:1 onto the model's nullable pointers; the client secret is never
463+ // touched. Requires super-admin auth.
464+ func (h * AdminHandler ) UpdateServiceAccount (ctx context.Context , req * authorizerv1.UpdateServiceAccountRequest ) (* authorizerv1.UpdateServiceAccountResponse , error ) {
465+ res , _ , err := h .Service .UpdateServiceAccount (ctx , transport .MetaFromGRPC (ctx ), & model.UpdateServiceAccountRequest {
466+ ID : req .GetId (),
467+ Name : req .Name ,
468+ Description : req .Description ,
469+ AllowedScopes : req .GetAllowedScopes (),
470+ IsActive : req .IsActive ,
471+ })
472+ if err != nil {
473+ return nil , err
474+ }
475+ return & authorizerv1.UpdateServiceAccountResponse {ServiceAccount : projectServiceAccount (res )}, nil
476+ }
477+
478+ // DeleteServiceAccount delegates to service.DeleteServiceAccount, which cascades
479+ // to the account's trusted issuers. Requires super-admin auth.
480+ func (h * AdminHandler ) DeleteServiceAccount (ctx context.Context , req * authorizerv1.DeleteServiceAccountRequest ) (* authorizerv1.DeleteServiceAccountResponse , error ) {
481+ res , _ , err := h .Service .DeleteServiceAccount (ctx , transport .MetaFromGRPC (ctx ), & model.ServiceAccountRequest {
482+ ID : req .GetId (),
483+ })
484+ if err != nil {
485+ return nil , err
486+ }
487+ return & authorizerv1.DeleteServiceAccountResponse {Message : res .Message }, nil
488+ }
489+
490+ // RotateServiceAccountSecret delegates to service.RotateServiceAccountSecret and
491+ // returns the new client secret exactly once (reusing CreateServiceAccountResponse).
492+ // Requires super-admin auth.
493+ func (h * AdminHandler ) RotateServiceAccountSecret (ctx context.Context , req * authorizerv1.RotateServiceAccountSecretRequest ) (* authorizerv1.CreateServiceAccountResponse , error ) {
494+ res , _ , err := h .Service .RotateServiceAccountSecret (ctx , transport .MetaFromGRPC (ctx ), & model.ServiceAccountRequest {
495+ ID : req .GetId (),
496+ })
497+ if err != nil {
498+ return nil , err
499+ }
500+ return & authorizerv1.CreateServiceAccountResponse {
501+ ServiceAccount : projectServiceAccount (res .ServiceAccount ),
502+ ClientSecret : res .ClientSecret ,
503+ }, nil
504+ }
505+
506+ // GetServiceAccount delegates to service.ServiceAccount and projects the result.
507+ // The client secret is never surfaced. Requires super-admin auth.
508+ func (h * AdminHandler ) GetServiceAccount (ctx context.Context , req * authorizerv1.GetServiceAccountRequest ) (* authorizerv1.GetServiceAccountResponse , error ) {
509+ res , _ , err := h .Service .ServiceAccount (ctx , transport .MetaFromGRPC (ctx ), & model.ServiceAccountRequest {
510+ ID : req .GetId (),
511+ })
512+ if err != nil {
513+ return nil , err
514+ }
515+ return & authorizerv1.GetServiceAccountResponse {ServiceAccount : projectServiceAccount (res )}, nil
516+ }
517+
518+ // ServiceAccounts delegates to service.ServiceAccounts and projects the
519+ // paginated result. Client secrets are never surfaced. Requires super-admin auth.
520+ func (h * AdminHandler ) ServiceAccounts (ctx context.Context , req * authorizerv1.ServiceAccountsRequest ) (* authorizerv1.ServiceAccountsResponse , error ) {
521+ res , _ , err := h .Service .ServiceAccounts (ctx , transport .MetaFromGRPC (ctx ), & model.ListServiceAccountsRequest {
522+ Pagination : modelPaginatedRequest (req .GetPagination ()),
523+ })
524+ if err != nil {
525+ return nil , err
526+ }
527+ return projectServiceAccounts (res ), nil
528+ }
529+
530+ // AddTrustedIssuer delegates to service.AddTrustedIssuer. subject_claim defaults
531+ // to "sub" in the service layer when unset. Requires super-admin auth.
532+ func (h * AdminHandler ) AddTrustedIssuer (ctx context.Context , req * authorizerv1.AddTrustedIssuerRequest ) (* authorizerv1.AddTrustedIssuerResponse , error ) {
533+ res , _ , err := h .Service .AddTrustedIssuer (ctx , transport .MetaFromGRPC (ctx ), & model.AddTrustedIssuerRequest {
534+ ServiceAccountID : req .GetServiceAccountId (),
535+ Name : req .GetName (),
536+ IssuerURL : req .GetIssuerUrl (),
537+ KeySourceType : req .GetKeySourceType (),
538+ JwksURL : req .JwksUrl ,
539+ ExpectedAud : req .GetExpectedAud (),
540+ SubjectClaim : req .SubjectClaim ,
541+ IssuerType : req .GetIssuerType (),
542+ SpiffeRefreshHintSeconds : req .SpiffeRefreshHintSeconds ,
543+ })
544+ if err != nil {
545+ return nil , err
546+ }
547+ return & authorizerv1.AddTrustedIssuerResponse {TrustedIssuer : projectTrustedIssuer (res )}, nil
548+ }
549+
550+ // UpdateTrustedIssuer delegates to service.UpdateTrustedIssuer. Optional proto
551+ // fields map 1:1 onto the model's nullable pointers. Requires super-admin auth.
552+ func (h * AdminHandler ) UpdateTrustedIssuer (ctx context.Context , req * authorizerv1.UpdateTrustedIssuerRequest ) (* authorizerv1.UpdateTrustedIssuerResponse , error ) {
553+ res , _ , err := h .Service .UpdateTrustedIssuer (ctx , transport .MetaFromGRPC (ctx ), & model.UpdateTrustedIssuerRequest {
554+ ID : req .GetId (),
555+ Name : req .Name ,
556+ JwksURL : req .JwksUrl ,
557+ ExpectedAud : req .ExpectedAud ,
558+ IsActive : req .IsActive ,
559+ SpiffeRefreshHintSeconds : req .SpiffeRefreshHintSeconds ,
560+ })
561+ if err != nil {
562+ return nil , err
563+ }
564+ return & authorizerv1.UpdateTrustedIssuerResponse {TrustedIssuer : projectTrustedIssuer (res )}, nil
565+ }
566+
567+ // DeleteTrustedIssuer delegates to service.DeleteTrustedIssuer. Requires
568+ // super-admin auth.
569+ func (h * AdminHandler ) DeleteTrustedIssuer (ctx context.Context , req * authorizerv1.DeleteTrustedIssuerRequest ) (* authorizerv1.DeleteTrustedIssuerResponse , error ) {
570+ res , _ , err := h .Service .DeleteTrustedIssuer (ctx , transport .MetaFromGRPC (ctx ), & model.TrustedIssuerRequest {
571+ ID : req .GetId (),
572+ })
573+ if err != nil {
574+ return nil , err
575+ }
576+ return & authorizerv1.DeleteTrustedIssuerResponse {Message : res .Message }, nil
577+ }
578+
579+ // GetTrustedIssuer delegates to service.TrustedIssuer and projects the result.
580+ // Requires super-admin auth.
581+ func (h * AdminHandler ) GetTrustedIssuer (ctx context.Context , req * authorizerv1.GetTrustedIssuerRequest ) (* authorizerv1.GetTrustedIssuerResponse , error ) {
582+ res , _ , err := h .Service .TrustedIssuer (ctx , transport .MetaFromGRPC (ctx ), & model.TrustedIssuerRequest {
583+ ID : req .GetId (),
584+ })
585+ if err != nil {
586+ return nil , err
587+ }
588+ return & authorizerv1.GetTrustedIssuerResponse {TrustedIssuer : projectTrustedIssuer (res )}, nil
589+ }
590+
591+ // TrustedIssuers delegates to service.TrustedIssuers and projects the paginated
592+ // result. service_account_id is optional. Requires super-admin auth.
593+ func (h * AdminHandler ) TrustedIssuers (ctx context.Context , req * authorizerv1.TrustedIssuersRequest ) (* authorizerv1.TrustedIssuersResponse , error ) {
594+ res , _ , err := h .Service .TrustedIssuers (ctx , transport .MetaFromGRPC (ctx ), & model.ListTrustedIssuersRequest {
595+ ServiceAccountID : req .ServiceAccountId ,
596+ Pagination : modelPaginatedRequest (req .GetPagination ()),
597+ })
598+ if err != nil {
599+ return nil , err
600+ }
601+ return projectTrustedIssuers (res ), nil
602+ }
0 commit comments