pub async fn validate_session_access(
infra: &InfraContext<'_>,
token: &str,
session_name: &str,
) -> Result<CfsSessionGetResponse, Error>Expand description
Fetch a session by name and validate that the caller is allowed to act on it.
Access is granted when every HSM group named in the session’s
target.groups overlaps the caller’s accessible groups (the union
returned by InfraContext::get_group_name_available). A session
that targets no HSM groups (e.g. a runtime session) is treated as
not gated by group access.
Returns the fetched session so the caller doesn’t double-GET.
NotFound when the session doesn’t exist; BadRequest when any
target group is outside the accessible set — matching the
access-denial shape used by
crate::service::authorization::validate_user_group_access.