PolicyRule

core_policy::policy

Struct PolicyRule 

Source 
pub struct PolicyRule {
    pub peer_id: String,
    pub action: Action,
    pub resource: Resource,
    pub expires_at: Option<u64>,
    pub attributes: BTreeMap<String, String>,
    pub context_expr: Option<ContextExpr>,
}
Expand description

A single policy rule with optional ABAC (Attribute-Based Access Control) features

Fields§

§peer_id: String

Peer ID that this rule applies to

§action: Action

Action allowed by this rule

§resource: Resource

Resource this rule applies to

§expires_at: Option<u64>

Optional expiration timestamp (Unix seconds) If set, the rule is only valid before this time

§attributes: BTreeMap<String, String>

Optional context attributes for conditional access (legacy - simple key-value matching) Examples: {“location”: “office”, “security_level”: “high”}

Uses BTreeMap for deterministic serialization (cryptographic safety)

Note: This is the legacy ABAC mechanism. For complex boolean logic, use context_expr instead.

§context_expr: Option<ContextExpr>

Optional context expression for advanced ABAC (boolean logic)

This provides more powerful conditional logic than simple attribute matching:

  • Boolean operators: AND, OR, NOT
  • Comparison operators: ==, !=, <, <=, >, >=
  • Attribute existence checks: HAS

Examples:

  • role == "admin" AND department == "IT"
  • (role == "admin" OR role == "moderator") AND active == "true"
  • NOT (status == "banned")

When both attributes and context_expr are present, both must match.

Implementations§

Source§

impl PolicyRule

Source

pub fn new(peer_id: String, action: Action, resource: Resource) -> Self

Create a new policy rule with basic RBAC

Source

pub fn with_expiration( peer_id: String, action: Action, resource: Resource, expires_at: u64, ) -> Self

Create a new policy rule with expiration (ABAC)

Source

pub const fn with_attributes( peer_id: String, action: Action, resource: Resource, attributes: BTreeMap<String, String>, ) -> Self

Create a new policy rule with attributes (ABAC)

Source

pub const fn expires_at(self, timestamp: u64) -> Self

Add an expiration time to this rule

Source

pub fn with_attribute( self, key: impl Into<String>, value: impl Into<String>, ) -> Self

Add an attribute to this rule

Source

pub fn with_context_expr(self, expr: ContextExpr) -> Self

Add a context expression to this rule (advanced ABAC)

§Example
use core_policy::{PolicyRule, Action, Resource, ContextExpr};

let rule = PolicyRule::new("alice".into(), Action::Read, Resource::All)
    .with_context_expr(ContextExpr::parse("role == \"admin\"").unwrap());
Source

pub fn is_expired(&self, current_time: u64) -> bool

Check if this rule has expired

Source

pub fn matches_context(&self, context: &BTreeMap<String, String>) -> bool

Check if this rule’s attributes match the given context

This method evaluates both legacy attribute matching and the new context expression:

  1. If attributes is non-empty, all attributes must match (legacy behavior)
  2. If context_expr is present, it must evaluate to true
  3. Both conditions must be satisfied if both are present

Returns true if all context constraints match.

Source

pub fn allows( &self, peer_id: &str, action: &Action, resource: &Resource, ) -> bool

Check if this rule allows a specific action on a resource for a peer Basic RBAC check (no time or context validation)

Source

pub fn allows_with_context( &self, peer_id: &str, action: &Action, resource: &Resource, current_time: u64, context: &BTreeMap<String, String>, ) -> bool

Check if this rule allows a specific action on a resource for a peer Includes time-based and attribute-based checks

Trait Implementations§

Source§

impl Clone for PolicyRule

Source§

fn clone(&self) -> PolicyRule

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for PolicyRule

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<'de> Deserialize<'de> for PolicyRule

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl Serialize for PolicyRule

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,