adk_auth/lib.rs
1//! # adk-auth
2//!
3//! Access control and authentication for ADK-Rust.
4//!
5//! ## Overview
6//!
7//! This crate provides enterprise-grade access control:
8//!
9//! - [`Permission`] - Tool and agent permissions
10//! - [`Role`] - Role with allow/deny rules
11//! - [`AccessControl`] - Permission checking
12//! - [`ScopeGuard`] - Declarative scope-based tool authorization
13//! - [`AuditSink`] - Audit logging trait
14//!
15//! ## Features
16//!
17//! - `sso` - Enable SSO/OAuth/OIDC support
18//! - `auth-bridge` - Enable JWT request context extraction for `adk-server`
19//! - `aws-secrets` - Enable AWS Secrets Manager provider
20//! - `azure-keyvault` - Enable Azure Key Vault provider
21//! - `gcp-secrets` - Enable GCP Secret Manager provider
22//!
23//! ## Quick Start
24//!
25//! ```rust,ignore
26//! use adk_auth::{Permission, Role, AccessControl};
27//!
28//! let admin = Role::new("admin")
29//!     .allow(Permission::AllTools)
30//!     .allow(Permission::AllAgents);
31//!
32//! let user = Role::new("user")
33//!     .allow(Permission::Tool("search".into()))
34//!     .deny(Permission::Tool("code_exec".into()));
35//!
36//! let ac = AccessControl::builder()
37//!     .role(admin)
38//!     .role(user)
39//!     .assign("alice@example.com", "admin")
40//!     .build()?;
41//!
42//! ac.check("alice@example.com", &Permission::AllTools)?; // `?` propagates a failed check to the caller; the result must not be discarded
43//! ```
44
45mod access_control;
46mod audit;
47mod error;
48mod middleware;
49mod permission;
50mod role;
51pub mod scope;
52
53#[cfg(feature = "auth-bridge")]
54pub mod auth_bridge;
55
56// SSO module (feature-gated)
57#[cfg(feature = "sso")]
58pub mod sso;
59
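60// Cloud secret manager integration (module declared unconditionally; the `aws-secrets`, `azure-keyvault` and `gcp-secrets` features enable the individual providers)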
61pub mod secrets;
62
63pub use access_control::{AccessControl, AccessControlBuilder};
64pub use audit::{AuditEvent, AuditEventType, AuditOutcome, AuditSink, FileAuditSink};
65pub use error::{AccessDenied, AuthError};
66pub use middleware::{AuthMiddleware, ProtectedTool, ProtectedToolDyn, ToolExt};
67pub use permission::Permission;
68pub use role::Role;
69pub use scope::{
70 ContextScopeResolver, ScopeDenied, ScopeGuard, ScopeResolver, ScopeToolExt, ScopedTool,
71 ScopedToolDyn, StaticScopeResolver, check_scopes,
72};
73
74#[cfg(feature = "auth-bridge")]
75pub use auth_bridge::{JwtRequestContextExtractor, JwtRequestContextExtractorBuilder};