
Crate authz_resolver_sdk


AuthZ Resolver SDK

This crate provides the public API for the `authz_resolver` module.

§Usage

use authz_resolver_sdk::{
    AuthZResolverClient,
    pep::{AccessRequest, PolicyEnforcer, ResourceType},
};

// Resource type descriptor for users: the GTS type name plus the property
// names this service is able to hand to the PDP.
const USER: ResourceType = ResourceType {
    name: "gts.x.core.users.user.v1~",
    supported_properties: &["owner_tenant_id", "id"],
};

// Resolve the AuthZ client from ClientHub.
let client = hub.get::<dyn AuthZResolverClient>()?;

// One enforcer, built once at init time, serves every resource type.
let pep = PolicyEnforcer::new(client);

// Every CRUD operation yields an AccessScope (the PDP always returns
// constraints with its decision).
// NOTE(review): the constraints carried by the scope are the effective
// authorization boundary — confirm they are applied to the data-layer
// query; a decision that is never turned into a filter enforces nothing.
let get_scope = pep.access_scope(&ctx, &USER, "get", Some(id)).await?;

// CREATE: there is no resource id yet, so `target_tenant_id` is passed both
// as the context tenant and as the `owner_tenant_id` resource property.
// NOTE(review): `target_tenant_id` is caller-supplied; the PDP decision on
// this request is what gates cross-tenant creation — verify nothing else
// trusts it before the scope comes back.
let create_request = AccessRequest::new()
    .context_tenant_id(target_tenant_id)
    .resource_property("owner_tenant_id", target_tenant_id);
let create_scope = pep
    .access_scope_with(&ctx, &USER, "create", None, &create_request)
    .await?;

Re-exports§

pub use api::AuthZResolverClient;
pub use constraints::Constraint;
pub use constraints::EqPredicate;
pub use constraints::InPredicate;
pub use constraints::Predicate;
pub use error::AuthZResolverError;
pub use gts::AuthZResolverPluginSpecV1;
pub use models::Action;
pub use models::BarrierMode;
pub use models::Capability;
pub use models::DenyReason;
pub use models::EvaluationRequest;
pub use models::EvaluationRequestContext;
pub use models::EvaluationResponse;
pub use models::EvaluationResponseContext;
pub use models::Resource;
pub use models::Subject;
pub use models::TenantContext;
pub use models::TenantMode;
pub use pep::AccessRequest;
pub use pep::EnforcerError;
pub use pep::IntoPropertyValue;
pub use pep::PolicyEnforcer;
pub use pep::ResourceType;
pub use plugin_api::AuthZResolverPluginClient;

Modules§

api
Public API trait for the AuthZ resolver.
constraints
Constraint types for authorization decisions.
error
Error types for the AuthZ resolver module.
gts
GTS schema definitions for AuthZ resolver plugins.
models
Domain models for the AuthZ resolver module.
pep
PEP (Policy Enforcement Point) helpers.
plugin_api
Plugin API trait for AuthZ resolver implementations.