Enum CompiledExpr 

#[non_exhaustive]
pub enum CompiledExpr {
    True,
    False,
    And(Vec<CompiledExpr>),
    Or(Vec<CompiledExpr>),
    Not(Box<CompiledExpr>),
    HasCapability(CanonicalCapability),
    HasAllCapabilities(Vec<CanonicalCapability>),
    HasAnyCapability(Vec<CanonicalCapability>),
    IssuerIs(CanonicalDid),
    IssuerIn(Vec<CanonicalDid>),
    SubjectIs(CanonicalDid),
    DelegatedBy(CanonicalDid),
    NotRevoked,
    NotExpired,
    ExpiresAfter(i64),
    IssuedWithin(i64),
    RoleIs(String),
    RoleIn(Vec<String>),
    RepoIs(String),
    RepoIn(Vec<String>),
    RefMatches(ValidatedGlob),
    PathAllowed(Vec<ValidatedGlob>),
    EnvIs(String),
    EnvIn(Vec<String>),
    WorkloadIssuerIs(CanonicalDid),
    WorkloadClaimEquals {
        key: String,
        value: String,
    },
    IsAgent,
    IsHuman,
    IsWorkload,
    MaxChainDepth(u32),
    AttrEquals {
        key: String,
        value: String,
    },
    AttrIn {
        key: String,
        values: Vec<String>,
    },
    MinAssurance(AssuranceLevel),
    AssuranceLevelIs(AssuranceLevel),
    ApprovalGate {
        inner: Box<CompiledExpr>,
        approvers: Vec<CanonicalDid>,
        ttl_seconds: u64,
        scope: ApprovalScope,
    },
}

Compiled policy expression — validated, canonical, ready to evaluate.

Constructed only via compile. Cannot be built directly. All string fields have been parsed into canonical typed forms.

Variants (Non-exhaustive)

This enum is marked as non-exhaustive. Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.

True

Always allow.

False

Always deny.

And(Vec<CompiledExpr>)

All children must evaluate to Allow.

Or(Vec<CompiledExpr>)

At least one child must evaluate to Allow.

Not(Box<CompiledExpr>)

Invert the child’s outcome.

HasCapability(CanonicalCapability)

Subject must have this capability.

HasAllCapabilities(Vec<CanonicalCapability>)

Subject must have all listed capabilities.

HasAnyCapability(Vec<CanonicalCapability>)

Subject must have at least one of the listed capabilities.

IssuerIs(CanonicalDid)

Issuer DID must match exactly.

IssuerIn(Vec<CanonicalDid>)

Issuer DID must be in the set.

SubjectIs(CanonicalDid)

Subject DID must match exactly.

DelegatedBy(CanonicalDid)

Attestation must be delegated by this DID.

NotRevoked

Attestation must not be revoked.

NotExpired

Attestation must not be expired.

ExpiresAfter(i64)

Attestation must have at least this many seconds remaining.

IssuedWithin(i64)

Attestation must have been issued within this many seconds.

RoleIs(String)

Subject’s role must match exactly.

RoleIn(Vec<String>)

Subject’s role must be in the set.

RepoIs(String)

Repository must match exactly.

RepoIn(Vec<String>)

Repository must be in the set.

RefMatches(ValidatedGlob)

Git ref must match the glob pattern.

PathAllowed(Vec<ValidatedGlob>)

All paths must match at least one of the glob patterns.

EnvIs(String)

Environment must match exactly.

EnvIn(Vec<String>)

Environment must be in the set.

WorkloadIssuerIs(CanonicalDid)

Workload issuer DID must match exactly.

WorkloadClaimEquals

Workload claim must equal the expected value.

Fields

key: String

Claim key.

value: String

Expected value.

IsAgent

Signer must be an AI agent.

IsHuman

Signer must be a human.

IsWorkload

Signer must be a workload (CI/CD).

MaxChainDepth(u32)

Delegation chain depth must not exceed this value.

AttrEquals

Match a flat string attribute.

Fields

key: String

Attribute key.

value: String

Expected value.

AttrIn

Attribute must be one of the values.

Fields

key: String

Attribute key.

values: Vec<String>

Allowed values.

MinAssurance(AssuranceLevel)

Assurance level must be at least this level (uses Ord comparison).

AssuranceLevelIs(AssuranceLevel)

Assurance level must match exactly.

ApprovalGate

Approval gate: if inner evaluates to Allow, return RequiresApproval.

Fields

inner: Box<CompiledExpr>

The compiled inner expression.

approvers: Vec<CanonicalDid>

Validated DIDs of allowed approvers.

ttl_seconds: u64

Approval request TTL in seconds.

scope: ApprovalScope

Approval scope controlling hash binding.
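
An added example (not code from the documented crate): a static lint that walks a policy tree and reports whether every path that can reach Allow passes through NotRevoked and NotExpired. `Expr`, `Liveness` and `liveness` are hypothetical local stand-ins modelling a subset of the variants above; the wildcard arm that a non-exhaustive enum requires is used here to fail closed on variants the lint does not understand.

```rust
// Local stand-in for a few CompiledExpr variants (assumption: the real enum
// comes from the documented crate and is built only via compile).
#[derive(Debug, Clone, PartialEq)]
#[non_exhaustive]
pub enum Expr {
    True, False, NotRevoked, NotExpired, IsHuman,
    And(Vec<Expr>), Or(Vec<Expr>), Not(Box<Expr>),
    ApprovalGate { inner: Box<Expr> },
}

/// Checks proven to run on every path that can end in Allow.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Liveness { pub revocation: bool, pub expiry: bool }

const NONE: Liveness = Liveness { revocation: false, expiry: false };
const BOTH: Liveness = Liveness { revocation: true, expiry: true };

pub fn liveness(e: &Expr) -> Liveness {
    match e {
        Expr::NotRevoked => Liveness { revocation: true, ..NONE },
        Expr::NotExpired => Liveness { expiry: true, ..NONE },
        // False never allows, so every guarantee holds vacuously.
        Expr::False => BOTH,
        // And: all children must allow, so one child's check is enough.
        Expr::And(cs) => cs.iter().map(liveness).fold(NONE, |a, b| Liveness {
            revocation: a.revocation || b.revocation,
            expiry: a.expiry || b.expiry,
        }),
        // Or: any one child may allow, so every child must carry the check.
        Expr::Or(cs) => cs.iter().map(liveness).fold(BOTH, |a, b| Liveness {
            revocation: a.revocation && b.revocation,
            expiry: a.expiry && b.expiry,
        }),
        // The gate only fires when inner allows, so inner's checks carry over.
        Expr::ApprovalGate { inner } => liveness(inner),
        // True, Not(..), unmodelled variants such as IsHuman, and anything a
        // future release adds: claim nothing, so the lint fails closed.
        _ => NONE,
    }
}

fn main() {
    // Constructed policy: the second Or branch skips the expiry check.
    let weak = Expr::Or(vec![
        Expr::And(vec![Expr::NotRevoked, Expr::NotExpired]),
        Expr::And(vec![Expr::NotRevoked, Expr::IsHuman]),
    ]);
    println!("{:?}", liveness(&weak));
}
```

The result is conservative: a `false` field means the lint could not prove the check is enforced, not that the policy is certainly missing it.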

Trait Implementations

impl Clone for CompiledExpr

fn clone(&self) -> CompiledExpr

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for CompiledExpr

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for CompiledExpr

fn eq(&self, other: &CompiledExpr) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for CompiledExpr
