
1//! Delegation, ABAC, Resource Mapping, and Backup Code Management
2//! Core data models and traits for advanced authorization features
3
4use chrono::{DateTime, Utc};
5use serde::{Deserialize, Serialize};
6use std::collections::HashMap;
7
8// Delegation types
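/// Which kinds of principal a [`Delegation`] links. Going by the variant names, the
/// first word describes the `delegator` and the second the `delegatee` (each is a user
/// id or a role id, per the field comments on [`Delegation`]).
///
/// `Copy` and `Hash` are derived in addition to the original set: the enum is a plain
/// tag with unit variants only, so it can be passed by value and used as a map/set key
/// (e.g. when grouping delegations by kind) without cloning.
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Hash)]
pub enum DelegationType {
    /// Delegator and delegatee are both users.
    UserToUser,
    /// Delegator is a user, delegatee is a role.
    UserToRole,
    /// Delegator and delegatee are both roles.
    RoleToRole,
}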
15
/// A grant of `scopes` from `delegator` to `delegatee`, optionally limited to a time
/// window and revocable.
///
/// This struct is plain data: the lifecycle fields (`revoked`, `revoked_at`,
/// `audit_log`) are expected to be maintained by an implementation of
/// [`DelegationManager`], not by the struct itself.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Delegation {
    pub id: String,
    pub delegator: String, // user or role id
    pub delegatee: String, // user or role id
    /// Says whether `delegator` / `delegatee` hold user ids or role ids.
    pub delegation_type: DelegationType,
    /// Scopes being handed over. Nothing in this model bounds them by what the
    /// delegator itself holds — NOTE(review): the manager that creates delegations
    /// must enforce that, or delegation becomes a privilege-escalation path.
    pub scopes: Vec<String>,
    /// Validity window. `None` on either side presumably means unbounded on that
    /// side — confirm against the manager implementation.
    pub start_time: Option<DateTime<Utc>>,
    pub end_time: Option<DateTime<Utc>>,
    /// Not defined in this file; presumably marks a delegation created directly
    /// rather than implied/inherited — confirm with the caller.
    pub explicit: bool,
    /// Set on revocation; `revoked_at` records when.
    pub revoked: bool,
    pub created_at: DateTime<Utc>,
    pub revoked_at: Option<DateTime<Utc>>,
    pub audit_log: Vec<String>, // log entries, appended via DelegationManager::audit_delegation (presumably)
}
31
32// ABAC Policy DSL (initial design)
/// An attribute-based access-control policy written in the project's DSL.
///
/// `dsl` is policy *code*: whoever can write or update it decides access outcomes,
/// so the `add_policy` / `update_policy` operations of [`AbacPolicyManager`] are
/// privileged in their own right. The DSL grammar is not defined in this file.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AbacPolicy {
    pub id: String,
    pub name: String,
    pub dsl: String,                         // DSL string for policy
    pub attributes: HashMap<String, String>, // attribute bindings
    /// NOTE(review): a disabled policy should never be the reason access is granted;
    /// how `evaluate_policy` treats `enabled == false` is left to the implementation.
    pub enabled: bool,
    pub dynamic: bool, // true if stored in DB (i.e. loaded at runtime rather than compiled in)
    pub created_at: DateTime<Utc>,
    pub updated_at: Option<DateTime<Utc>>,
}
44
45// Resource mapping
/// A resource registered with the authorization layer so policies and delegations
/// can refer to it by `id` / `uri`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ManagedResource {
    pub id: String,
    pub resource_type: String, // e.g., "file", "api", "custom" — free-form, not an enum
    pub uri: String,
    /// Attribute bindings, presumably matched against `AbacPolicy::attributes` during
    /// evaluation — confirm.
    pub attributes: HashMap<String, String>,
    /// Principal that registered the resource; `registered_at` records when.
    pub registered_by: String,
    pub registered_at: DateTime<Utc>,
    pub permissions: Vec<String>, // fine/coarse-grained permission names defined on this resource
}
56
57// Backup code management
/// Parameters for generating a user's backup (recovery) codes.
///
/// `code_format` and `code_complexity` are free-form strings rather than enums, so
/// an implementation of [`BackupCodeManager::generate_codes`] cannot rely on the
/// type system to reject unknown values — NOTE(review): it should fail on an
/// unrecognised value instead of silently falling back to a weaker format.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BackupCodeConfig {
    /// Number of codes in one generated set.
    pub code_count: usize,
    /// Length of each code, in characters.
    pub code_length: usize,
    pub code_format: String,     // e.g., "numeric", "alphanumeric"
    pub code_complexity: String, // e.g., "simple", "strong"
    /// Lifetime of a generated set; presumably used to compute
    /// `UserBackupCodes::expires_at` from `generated_at` — confirm.
    pub expiry_seconds: u64,
    /// Presumably: regenerate the remaining codes after one is consumed — confirm
    /// against the manager implementation.
    pub rotate_on_use: bool,
}
67
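/// The backup (recovery) codes issued to one user, plus the config they were
/// generated under.
///
/// `codes` and `used_codes` are held as plain strings in this model; nothing in
/// this file hashes them, so whatever implements [`BackupCodeManager`] must treat
/// the stored values as secrets (hash before persisting — confirm against the
/// storage implementation).
///
/// `Debug` is implemented by hand instead of derived so that the code values never
/// end up in log lines or panic messages: the two code vectors are printed as
/// `<redacted>` together with their lengths, every other field prints normally.
#[derive(Clone, Serialize, Deserialize)]
pub struct UserBackupCodes {
    pub user_id: String,
    /// Unused codes. Secret — see the type docs.
    pub codes: Vec<String>,
    /// Codes already consumed; kept so a replayed code can be rejected (presumably —
    /// the check itself lives in `BackupCodeManager::verify_code`).
    pub used_codes: Vec<String>,
    pub generated_at: DateTime<Utc>,
    pub expires_at: DateTime<Utc>,
    pub config: BackupCodeConfig,
}

impl std::fmt::Debug for UserBackupCodes {
    /// Redacting `Debug`: same field order as the derived form, but the secret
    /// vectors are replaced by a marker plus their element count.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("UserBackupCodes")
            .field("user_id", &self.user_id)
            .field("codes", &"<redacted>")
            .field("codes_len", &self.codes.len())
            .field("used_codes", &"<redacted>")
            .field("used_codes_len", &self.used_codes.len())
            .field("generated_at", &self.generated_at)
            .field("expires_at", &self.expires_at)
            .field("config", &self.config)
            .finish()
    }
}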
77
78// Traits for storage and management
/// Storage and lifecycle operations for [`Delegation`]s.
///
/// Errors are reported as `Err(String)`; the set of failure conditions is left to
/// the implementation.
pub trait DelegationManager {
    /// Stores a new delegation. NOTE(review): this is the point to check that
    /// `delegation.scopes` does not exceed what `delegation.delegator` holds.
    fn create_delegation(&mut self, delegation: Delegation) -> Result<(), String>;
    /// Revokes the delegation with id `delegation_id`; `by` identifies the principal
    /// performing the revocation (presumably recorded in the audit log — confirm).
    fn revoke_delegation(&mut self, delegation_id: &str, by: &str) -> Result<(), String>;
    /// Delegations involving `user_or_role`. Whether revoked or expired ones are
    /// included is not fixed by this signature — confirm per implementation.
    fn get_delegations_for(&self, user_or_role: &str) -> Vec<Delegation>;
    /// Appends `entry` to the delegation's audit trail (presumably
    /// `Delegation::audit_log`). No error is returned for an unknown id.
    fn audit_delegation(&mut self, delegation_id: &str, entry: &str);
}
85
/// Storage and evaluation of [`AbacPolicy`]s.
///
/// Adding or updating a policy changes who gets access, so implementations and
/// callers should treat these as privileged, audited operations.
pub trait AbacPolicyManager {
    fn add_policy(&mut self, policy: AbacPolicy) -> Result<(), String>;
    /// Replaces the `dsl` text of the policy with id `policy_id`.
    fn update_policy(&mut self, policy_id: &str, dsl: &str) -> Result<(), String>;
    /// Evaluates one policy against the supplied request `attributes`.
    ///
    /// Returning a bare `bool` leaves "unknown id", "disabled policy" and "DSL
    /// error" indistinguishable from a deny — NOTE(review): implementations must
    /// map all of those to `false` (fail closed); confirm per implementation.
    fn evaluate_policy(&self, policy_id: &str, attributes: &HashMap<String, String>) -> bool;
}
91
/// Registry of [`ManagedResource`]s.
pub trait ResourceManager {
    fn register_resource(&mut self, resource: ManagedResource) -> Result<(), String>;
    /// Updates the attribute bindings of the resource with id `resource_id`.
    /// Whether `attributes` replaces or merges into the existing map is not fixed
    /// by this signature — confirm per implementation.
    fn update_resource(
        &mut self,
        resource_id: &str,
        attributes: &HashMap<String, String>,
    ) -> Result<(), String>;
    /// Returns a copy of the resource, or `None` if `resource_id` is unknown.
    fn get_resource(&self, resource_id: &str) -> Option<ManagedResource>;
}
101
/// Generation, verification and rotation of a user's backup codes.
pub trait BackupCodeManager {
    /// Generates a fresh set for `user_id` per `config` and returns it. The
    /// returned `UserBackupCodes` carries the plaintext codes (this is the one
    /// moment they are shown to the user); what the implementation persists is
    /// up to it — NOTE(review): store hashes, not the plaintext.
    fn generate_codes(&mut self, user_id: &str, config: &BackupCodeConfig) -> UserBackupCodes;
    /// Checks `code` for `user_id`. Takes `&mut self` so a successful match can be
    /// recorded as consumed (single use) — NOTE(review): implementations should also
    /// reject expired sets and compare in constant time; confirm per implementation.
    fn verify_code(&mut self, user_id: &str, code: &str) -> bool;
    /// Replaces the user's current set (presumably tied to
    /// `BackupCodeConfig::rotate_on_use` — confirm). No result is returned.
    fn rotate_codes(&mut self, user_id: &str);
}
107
108