auth trust-relationships: support audience, default permissions, and default token duration (#1703)

hugosantos · ampagent · web-flow · commit adbcd125940a · 2026-02-10T08:33:58.000Z
Add --audience, --grant, and --default_token_duration flags to `nsc auth
trust-relationships add`, and display them in `list`. Add `-o json`
output to `list`.

---------

Co-authored-by: Amp &lt;amp@ampcode.com&gt;
diff --git a/internal/cli/cmd/auth/trust.go b/internal/cli/cmd/auth/trust.go
@@ -6,9 +6,13 @@ package auth
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"strings"
 
+	v1beta "buf.build/gen/go/namespace/cloud/protocolbuffers/go/proto/namespace/cloud/iam/v1beta"
 	"github.com/spf13/cobra"
+	"namespacelabs.dev/foundation/internal/cli/cmd/token"
 	"namespacelabs.dev/foundation/internal/cli/fncobra"
 	"namespacelabs.dev/foundation/internal/console"
 	"namespacelabs.dev/foundation/internal/fnapi"
@@ -38,6 +42,9 @@ func newTrustAddCmd() *cobra.Command {
 
 	issuer := cmd.Flags().String("issuer", "", "Token issuer (required).")
 	subjectMatch := cmd.Flags().String("subject-match", "", "Subject match pattern (required).")
+	audience := cmd.Flags().String("audience", "", "Expected audience value.")
+	defaultPermissions := cmd.Flags().StringArray("grant", nil, `Grant default permission as JSON object (can be specified multiple times). Format: {"resource_type":"...","resource_id":"...","actions":["..."]}`)
+	defaultTokenDuration := cmd.Flags().String("default_token_duration", "", `Default token duration (e.g. "3600s").`)
 
 	return fncobra.Cmd(cmd).Do(func(ctx context.Context) error {
 		if *issuer == "" {
@@ -48,7 +55,12 @@ func newTrustAddCmd() *cobra.Command {
 			return fnerrors.Newf("--subject-match is required")
 		}
 
-		return addTrustRelationship(ctx, *issuer, *subjectMatch)
+		permissions, err := token.ParseGrants(*defaultPermissions)
+		if err != nil {
+			return err
+		}
+
+		return addTrustRelationship(ctx, *issuer, *subjectMatch, *audience, permissions, *defaultTokenDuration)
 	})
 }
 
@@ -60,8 +72,10 @@ func newTrustListCmd() *cobra.Command {
 		Args:  cobra.NoArgs,
 	}
 
+	output := cmd.Flags().StringP("output", "o", "", "Output format: json")
+
 	return fncobra.Cmd(cmd).Do(func(ctx context.Context) error {
-		return listTrustRelationships(ctx)
+		return listTrustRelationships(ctx, *output)
 	})
 }
 
@@ -84,8 +98,7 @@ func newTrustRemoveCmd() *cobra.Command {
 	})
 }
 
-func addTrustRelationship(ctx context.Context, issuer, subjectMatch string) error {
-	// Get current trust relationships
+func addTrustRelationship(ctx context.Context, issuer, subjectMatch, audience string, defaultPermissions []*v1beta.Permission, defaultTokenDuration string) error {
 	current, err := fnapi.ListTrustRelationships(ctx)
 	if err != nil {
 		return err
@@ -95,16 +108,16 @@ func addTrustRelationship(ctx context.Context, issuer, subjectMatch string) erro
 	fmt.Fprintf(console.Stderr(ctx), "Issuer: %s\n", issuer)
 	fmt.Fprintf(console.Stderr(ctx), "Subject Match: %s\n", subjectMatch)
 
-	// Create new trust relationship (ID and CreatorJson will be set server-side)
 	newTrustRelationship := fnapi.StoredTrustRelationship{
-		Issuer:       issuer,
-		SubjectMatch: subjectMatch,
+		Issuer:               issuer,
+		SubjectMatch:         subjectMatch,
+		Audience:             audience,
+		DefaultPermissions:   defaultPermissions,
+		DefaultTokenDuration: defaultTokenDuration,
 	}
 
-	// Add to existing trust relationships
 	updatedTrustRelationships := append(current.TrustRelationships, newTrustRelationship)
 
-	// Update trust relationships
 	if err := fnapi.UpdateTrustRelationships(ctx, current.Generation, updatedTrustRelationships); err != nil {
 		return err
 	}
@@ -113,13 +126,22 @@ func addTrustRelationship(ctx context.Context, issuer, subjectMatch string) erro
 	return nil
 }
 
-func listTrustRelationships(ctx context.Context) error {
+func listTrustRelationships(ctx context.Context, output string) error {
 	response, err := fnapi.ListTrustRelationships(ctx)
 	if err != nil {
 		return err
 	}
 
-	fmt.Fprintf(console.Stdout(ctx), "Trust Relationships (Generation: %s):\n\n", response.Generation)
+	if output == "json" {
+		bb, err := json.MarshalIndent(response.TrustRelationships, "", "  ")
+		if err != nil {
+			return err
+		}
+		fmt.Fprintln(console.Stdout(ctx), string(bb))
+		return nil
+	}
+
+	fmt.Fprintf(console.Stdout(ctx), "Trust Relationships:\n\n")
 
 	if len(response.TrustRelationships) == 0 {
 		fmt.Fprintf(console.Stdout(ctx), "No trust relationships configured.\n")
@@ -130,6 +152,22 @@ func listTrustRelationships(ctx context.Context) error {
 		fmt.Fprintf(console.Stdout(ctx), "ID: %s\n", tr.Id)
 		fmt.Fprintf(console.Stdout(ctx), "  Issuer: %s\n", tr.Issuer)
 		fmt.Fprintf(console.Stdout(ctx), "  Subject Match: %s\n", tr.SubjectMatch)
+		if tr.Audience != "" {
+			fmt.Fprintf(console.Stdout(ctx), "  Audience: %s\n", tr.Audience)
+		}
+		if len(tr.DefaultPermissions) > 0 {
+			fmt.Fprintf(console.Stdout(ctx), "  Default Permissions:\n")
+			for _, p := range tr.DefaultPermissions {
+				fmt.Fprintf(console.Stdout(ctx), "    - %s: %s", p.ResourceType, strings.Join(p.Actions, ", "))
+				if p.ResourceId != "" {
+					fmt.Fprintf(console.Stdout(ctx), " (resource_id: %s)", p.ResourceId)
+				}
+				fmt.Fprintf(console.Stdout(ctx), "\n")
+			}
+		}
+		if tr.DefaultTokenDuration != "" {
+			fmt.Fprintf(console.Stdout(ctx), "  Default Token Duration: %s\n", tr.DefaultTokenDuration)
+		}
 		if tr.CreatedAt != nil {
 			fmt.Fprintf(console.Stdout(ctx), "  Created At: %s\n", tr.CreatedAt.Format("2006-01-02 15:04:05 UTC"))
 		}
diff --git a/internal/cli/cmd/token/token.go b/internal/cli/cmd/token/token.go
@@ -130,7 +130,7 @@ func NewCreateCmd() *cobra.Command {
 		}
 		defer client.Close()
 
-		permissions, err := parseGrants(*grants)
+		permissions, err := ParseGrants(*grants)
 		if err != nil {
 			return fnerrors.BadInputError("failed to parse grants: %w", err)
 		}
@@ -316,7 +316,7 @@ func writeTokenToFile(path string, bearerToken string) error {
 	return os.WriteFile(path, bb, 0600)
 }
 
-func parseGrants(grants []string) ([]*v1beta.Permission, error) {
+func ParseGrants(grants []string) ([]*v1beta.Permission, error) {
 	var permissions []*v1beta.Permission
 
 	for _, grant := range grants {
diff --git a/internal/fnapi/tenants.go b/internal/fnapi/tenants.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"time"
 
+	v1beta "buf.build/gen/go/namespace/cloud/protocolbuffers/go/proto/namespace/cloud/iam/v1beta"
 	"namespacelabs.dev/foundation/internal/fnerrors"
 )
 
@@ -260,6 +261,10 @@ type StoredTrustRelationship struct {
 	CreatedAt    *time.Time `json:"created_at,omitempty"`
 	Issuer       string     `json:"issuer,omitempty"`
 	SubjectMatch string     `json:"subject_match,omitempty"`
+	Audience     string     `json:"audience,omitempty"`
+
+	DefaultPermissions   []*v1beta.Permission `json:"default_permissions,omitempty"`
+	DefaultTokenDuration string               `json:"default_token_duration,omitempty"`
 }
 
 type UpdateTrustRelationshipsRequest struct {

Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@ func NewCreateCmd() *cobra.Command {`
`130`	`130`	`}`
`131`	`131`	`defer client.Close()`
`132`	`132`
`133`		`- permissions, err := parseGrants(*grants)`
	`133`	`+ permissions, err := ParseGrants(*grants)`
`134`	`134`	`if err != nil {`
`135`	`135`	`return fnerrors.BadInputError("failed to parse grants: %w", err)`
`136`	`136`	`}`
`@@ -316,7 +316,7 @@ func writeTokenToFile(path string, bearerToken string) error {`
`316`	`316`	`return os.WriteFile(path, bb, 0600)`
`317`	`317`	`}`
`318`	`318`
`319`		`-func parseGrants(grants []string) ([]*v1beta.Permission, error) {`
	`319`	`+func ParseGrants(grants []string) ([]*v1beta.Permission, error) {`
`320`	`320`	`var permissions []*v1beta.Permission`
`321`	`321`
`322`	`322`	`for _, grant := range grants {`