Crate authz_core

Expand description

authz-core — Zanzibar-style Fine-Grained Authorization engine.

This crate is the database- and transport-agnostic core of an authorization system. It provides everything needed to define, parse, and evaluate an authorization model without depending on any specific datastore or runtime.

§Overview

The main workflow:

Write a model in the built-in DSL (OpenFGA-inspired syntax).
Parse it with model_parser::parse_dsl into a model_ast::ModelFile.
Build a type_system::TypeSystem from the parsed model.
Implement the traits::TupleReader trait for your datastore.
Construct a core_resolver::CoreResolver and call resolver::CheckResolver::resolve_check to evaluate permissions.

§Example

use authz_core::model_parser::parse_dsl;
use authz_core::type_system::TypeSystem;
use authz_core::policy_provider::StaticPolicyProvider;
use authz_core::core_resolver::CoreResolver;
use authz_core::resolver::{CheckResolver, CheckResult, ResolveCheckRequest};

let model = parse_dsl(r#"
    type user {}
    type document {
        relations
            define owner:  [user]
            define viewer: [user]
        permissions
            define can_view = viewer + owner
    }
"#)?;

let type_system = TypeSystem::new(model);
let provider    = StaticPolicyProvider::new(type_system);

// `MyStore` implements TupleReader — connect to your real datastore here.
let resolver = CoreResolver::new(MyStore, provider);

let req = ResolveCheckRequest::new(
    "document".into(), "doc-42".into(), "can_view".into(),
    "user".into(),     "alice".into(),
);

match resolver.resolve_check(req).await? {
    CheckResult::Allowed                   => println!("allowed"),
    CheckResult::Denied                    => println!("denied"),
    CheckResult::ConditionRequired(params) => println!("need: {:?}", params),
}

§Modules

Module	Purpose
`model_ast`	AST types produced by the parser
`model_parser`	Parse the model DSL into a `model_ast::ModelFile`
`model_validator`	Semantic validation of a parsed model
`type_system`	In-memory model index; tuple validation
`traits`	Core data types and async datastore traits
`resolver`	`resolver::CheckResolver` trait and request/result types
`core_resolver`	Built-in graph-walking resolver implementation
`policy_provider`	Policy loading abstraction + `policy_provider::StaticPolicyProvider`
`dispatcher`	Fan-out dispatcher trait + `dispatcher::LocalDispatcher`
`cache`	Pluggable cache abstraction + `cache::NoopCache`
`cel`	CEL (Common Expression Language) condition evaluation
`tenant_schema`	`tenant_schema::ChangelogReader` for the Watch API
`error`	`error::AuthzError` — all error variants

§Feature flags

This crate has no optional feature flags. All components are always compiled.

§MSRV

Rust 1.85 or later (edition 2024).

Modules§

cache: Generic cache abstraction for authz resolution caches.
cel: CEL condition compilation and evaluation.
core_resolver: CoreResolver - implements CheckResolver by walking the authorization model.
dispatcher: Dispatcher trait and LocalDispatcher stub.
error: Structured error types for authz-core.
model_ast: Abstract Syntax Tree (AST) for the authorization model DSL.
model_parser: Parser for the authorization model DSL.
model_validator: Model semantic validation — checks for duplicate types, undefined relations, cycles, etc.
policy_provider: PolicyProvider trait — abstracts authorization policy (TypeSystem) loading.
resolver: CheckResolver trait and CheckResult enum.
tenant_schema: ChangelogReader trait for Watch API.
traits: Core datastore traits — TupleReader, TupleWriter, PolicyReader, PolicyWriter.
type_system: TypeSystem — in-memory representation of a parsed authorization model. Provides query methods for type/relation lookups and tuple validation.

Crate authz_core

Crate authz_core Copy item path

§Overview

§Example

§Modules

§Feature flags

§MSRV

Modules§

Crate authz_core