openstack-experimental
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎doc/src/intro.md‎
Lines changed: 2 additions & 2 deletions b/‎doc/src/intro.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rustfmt.toml‎
Lines changed: 3 additions & 3 deletions b/‎rustfmt.toml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/api/auth.rs‎
Lines changed: 1 addition & 1 deletion b/‎src/api/auth.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/api/error.rs‎
Lines changed: 8 additions & 0 deletions b/‎src/api/error.rs‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/api/types.rs‎
Lines changed: 1 addition & 1 deletion b/‎src/api/types.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/api/v3/auth/token/delete.rs‎
Lines changed: 9 additions & 9 deletions b/‎src/api/v3/auth/token/delete.rs‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎src/api/v3/auth/token/show.rs‎
Lines changed: 19 additions & 28 deletions b/‎src/api/v3/auth/token/show.rs‎
Lines changed: 19 additions & 28 deletions
@@ -20,7 +20,7 @@ Python Keystone service in place for existing users and workflows.
 As development progressed, however, the breadth of new functionality (and the
 opportunity to revisit some of the existing limitations) led to a partial
 re-implementation of certain core identity flows in Rust. This allows us to
-benefit from Rust’s memory safety, concurrency model, performance, and modern
+benefit from Rust's memory safety, concurrency model, performance, and modern
 tooling, while still preserving the upstream Keystone Python service as the
 canonical “master” identity service, routing only the new endpoints and
 capabilities through the Rust component.
@@ -58,7 +58,7 @@ the trusted, mature baseline and incrementally build the “Keystone-NG” Rust
 service as the complement.
 
 We believe this approach allows the best of both worlds: the trusted maturity
-of Keystone’s Python code-base, combined with the modern, high-safety,
+of Keystone's Python code-base, combined with the modern, high-safety,
 high-performance capabilities of Rust where they matter most.
 
 ## Documentation
 
@@ -20,7 +20,7 @@ Keystone service in place for existing users and workflows.
 As development progressed, however, the breadth of new functionality (and the
 opportunity to revisit some of the existing limitations) led to a partial
 re-implementation of certain core identity flows in Rust. This allows us to
-benefit from Rust’s memory safety, concurrency model, performance, and modern
+benefit from Rust's memory safety, concurrency model, performance, and modern
 tooling, while still preserving the upstream Keystone Python service as the
 canonical “master” identity service, routing only the new endpoints and
 capabilities through the Rust component.
@@ -57,7 +57,7 @@ trusted, mature baseline and incrementally build the “Keystone-NG” Rust serv
 as the complement.
 
 We believe this approach allows the best of both worlds: the trusted maturity of
-Keystone’s Python code-base, combined with the modern, high-safety,
+Keystone's Python code-base, combined with the modern, high-safety,
 high-performance capabilities of Rust where they matter most.
 
 ## Compatibility
 
@@ -1,3 +1,3 @@
-# format_code_in_doc_comments = true
-# unstable_features = true
-# wrap_comments = true
+format_code_in_doc_comments = true
+unstable_features = true
+wrap_comments = true
@@ -51,7 +51,7 @@ where
         let token = state
             .provider
             .get_token_provider()
-            .validate_token(&state, auth_header, Some(false), None, Some(true))
+            .validate_token(&state, auth_header, Some(false), None)
             .await
             .inspect_err(|e| error!("{:#?}", e))
             .map_err(|_| KeystoneApiError::Unauthorized(None))?;
 
@@ -258,10 +258,18 @@ impl From<TokenProviderError> for KeystoneApiError {
     fn from(value: TokenProviderError) -> Self {
         match value {
             TokenProviderError::AuthenticationInfo(source) => source.into(),
+            TokenProviderError::DomainDisabled(x) => Self::NotFound {
+                resource: "domain".into(),
+                identifier: x,
+            },
             TokenProviderError::TokenRestrictionNotFound(x) => Self::NotFound {
                 resource: "token restriction".into(),
                 identifier: x,
             },
+            TokenProviderError::ProjectDisabled(x) => Self::NotFound {
+                resource: "project".into(),
+                identifier: x,
+            },
             other => Self::InternalError(other.to_string()),
         }
     }
 
@@ -222,7 +222,7 @@ impl From<Vec<(Service, Vec<ProviderEndpoint>)>> for Catalog {
 /// ID is sufficient to uniquely identify a project but if a project is
 /// specified by name, then the domain of the project must also be specified in
 /// order to uniquely identify the project by name. A domain scope may be
-/// specified by either the domain’s ID or name with equivalent results.
+/// specified by either the domain's ID or name with equivalent results.
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize, ToSchema)]
 #[serde(rename_all = "lowercase")]
 pub enum Scope {
 
@@ -67,7 +67,7 @@ pub(super) async fn delete(
     let token = state
         .provider
         .get_token_provider()
-        .validate_token(&state, &subject_token, None, None, None)
+        .validate_token(&state, &subject_token, None, None)
         .await
         .inspect_err(|e| error!("{:?}", e.to_string()))
         .map_err(|_| KeystoneApiError::NotFound {
@@ -126,8 +126,8 @@ mod tests {
         let decoded_auth_token_clone1 = decoded_auth_token.clone();
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "foo")
-            .returning(move |_, _, _, _, _| Ok(decoded_auth_token_clone1.clone()));
+            .withf(|_, token: &'_ str, _, _| token == "foo")
+            .returning(move |_, _, _, _| Ok(decoded_auth_token_clone1.clone()));
         // auth-token expanded
         let decoded_auth_token_clone2 = decoded_auth_token.clone();
         token_mock
@@ -161,8 +161,8 @@ mod tests {
         let decoded_subject_token_clone = decoded_subject_token.clone();
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "baz")
-            .returning(move |_, _, _, _, _| Ok(decoded_subject_token_clone.clone()));
+            .withf(|_, token: &'_ str, _, _| token == "baz")
+            .returning(move |_, _, _, _| Ok(decoded_subject_token_clone.clone()));
 
         let mut revoke_mock = MockRevokeProvider::default();
         // subject token revoked
@@ -215,8 +215,8 @@ mod tests {
         // subject token validated
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "baz")
-            .returning(move |_, _, _, _, _| Err(TokenProviderError::Expired));
+            .withf(|_, token: &'_ str, _, _| token == "baz")
+            .returning(move |_, _, _, _| Err(TokenProviderError::Expired));
 
         let provider = Provider::mocked_builder()
             .token(token_mock)
@@ -260,8 +260,8 @@ mod tests {
         // subject token validated
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "baz")
-            .returning(move |_, _, _, _, _| Err(TokenProviderError::TokenRevoked));
+            .withf(|_, token: &'_ str, _, _| token == "baz")
+            .returning(move |_, _, _, _| Err(TokenProviderError::TokenRevoked));
 
         let provider = Provider::mocked_builder()
             .token(token_mock)
 
@@ -83,14 +83,7 @@ pub(super) async fn show(
     let token = state
         .provider
         .get_token_provider()
-        .validate_token(
-            &state,
-            &subject_token,
-            query.allow_expired,
-            None,
-            // Do not expand the token for the policy evaluation
-            Some(true),
-        )
+        .validate_token(&state, &subject_token, query.allow_expired, None)
         .await
         .inspect_err(|e| error!("{:?}", e.to_string()))
         .map_err(|_| KeystoneApiError::NotFound {
@@ -180,14 +173,12 @@ mod tests {
                 }))
             });
         let mut token_mock = MockTokenProvider::default();
-        token_mock
-            .expect_validate_token()
-            .returning(|_, _, _, _, _| {
-                Ok(ProviderToken::Unscoped(UnscopedPayload {
-                    user_id: "bar".into(),
-                    ..Default::default()
-                }))
-            });
+        token_mock.expect_validate_token().returning(|_, _, _, _| {
+            Ok(ProviderToken::Unscoped(UnscopedPayload {
+                user_id: "bar".into(),
+                ..Default::default()
+            }))
+        });
         token_mock
             .expect_expand_token_information()
             .returning(|_, _| {
@@ -280,19 +271,19 @@ mod tests {
         let mut token_mock = MockTokenProvider::default();
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "foo")
-            .returning(|_, _, _, _, _| {
+            .withf(|_, token: &'_ str, _, _| token == "foo")
+            .returning(|_, _, _, _| {
                 Ok(ProviderToken::Unscoped(UnscopedPayload {
                     user_id: "bar".into(),
                     ..Default::default()
                 }))
             });
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, allow_expired: &Option<bool>, _, _| {
+            .withf(|_, token: &'_ str, allow_expired: &Option<bool>, _| {
                 token == "bar" && *allow_expired == Some(true)
             })
-            .returning(|_, _, _, _, _| {
+            .returning(|_, _, _, _| {
                 Ok(ProviderToken::Unscoped(UnscopedPayload {
                     user_id: "bar".into(),
                     ..Default::default()
@@ -354,17 +345,17 @@ mod tests {
         let mut token_mock = MockTokenProvider::default();
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "foo")
-            .returning(|_, _, _, _, _| {
+            .withf(|_, token: &'_ str, _, _| token == "foo")
+            .returning(|_, _, _, _| {
                 Ok(ProviderToken::Unscoped(UnscopedPayload {
                     user_id: "bar".into(),
                     ..Default::default()
                 }))
             });
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "baz")
-            .returning(|_, _, _, _, _| Err(TokenProviderError::Expired));
+            .withf(|_, token: &'_ str, _, _| token == "baz")
+            .returning(|_, _, _, _| Err(TokenProviderError::Expired));
 
         let provider = Provider::mocked_builder()
             .token(token_mock)
@@ -406,17 +397,17 @@ mod tests {
         let mut token_mock = MockTokenProvider::default();
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "foo")
-            .returning(|_, _, _, _, _| {
+            .withf(|_, token: &'_ str, _, _| token == "foo")
+            .returning(|_, _, _, _| {
                 Ok(ProviderToken::Unscoped(UnscopedPayload {
                     user_id: "bar".into(),
                     ..Default::default()
                 }))
             });
         token_mock
             .expect_validate_token()
-            .withf(|_, token: &'_ str, _, _, _| token == "baz")
-            .returning(|_, _, _, _, _| Err(TokenProviderError::TokenRevoked));
+            .withf(|_, token: &'_ str, _, _| token == "baz")
+            .returning(|_, _, _, _| Err(TokenProviderError::TokenRevoked));
 
         let provider = Provider::mocked_builder()
             .token(token_mock)