
adk_auth/
lib.rs

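//! # adk-auth
//!
//! Access control and authentication for ADK-Rust.
//!
//! ## Overview
//!
//! This crate provides enterprise-grade access control:
//!
//! - [`Permission`] - Tool and agent permissions
//! - [`Role`] - Role with allow/deny rules
//! - [`AccessControl`] - Permission checking
//! - [`ScopeGuard`] - Declarative scope-based tool authorization
//! - [`AuditSink`] - Audit logging trait
//! - [`secrets`] - Cloud secret manager integration
//!
//! ## Features
//!
//! - `sso` - Enable SSO/OAuth/OIDC support
//! - `auth-bridge` - Enable JWT request context extraction for `adk-server`
//! - `aws-secrets` - Enable AWS Secrets Manager provider
//! - `azure-keyvault` - Enable Azure Key Vault provider
//! - `gcp-secrets` - Enable GCP Secret Manager provider
//! - `otlp-audit` - Enable the OTLP audit sink (`OtlpAuditSink`)
//! - `postgres-audit` - Enable the Postgres audit sink (`PostgresAuditSink`)
//!
//! ## Quick Start
//!
//! ```rust,ignore
//! use adk_auth::{Permission, Role, AccessControl};
//!
//! let admin = Role::new("admin")
//!     .allow(Permission::AllTools)
//!     .allow(Permission::AllAgents);
//!
//! let user = Role::new("user")
//!     .allow(Permission::Tool("search".into()))
//!     .deny(Permission::Tool("code_exec".into()));
//!
//! // `build` is fallible; `?` propagates the error instead of discarding it.
//! let ac = AccessControl::builder()
//!     .role(admin)
//!     .role(user)
//!     .assign("alice@example.com", "admin")
//!     .build()?;
//!
//! // `check` is fallible as well: always propagate or handle its result, never ignore it.
//! ac.check("alice@example.com", &Permission::AllTools)?;
//! ```

// NOTE(review): this file only declares modules and re-exports the API. How
// `AccessControl::check` resolves a role whose `allow` and `deny` rules overlap (for
// example `AllTools` combined with a denied tool) is not visible here — confirm it in
// `role`/`access_control` and state the precedence in the crate docs.

// Private implementation modules: their public items are reachable only through the
// `pub use` re-exports further down.
mod access_control;
mod audit;
mod error;
mod middleware;
mod permission;
mod role;
// Public module: its path is part of the API in addition to the re-exports below.
pub mod scope;

// JWT request context extraction (feature-gated)
#[cfg(feature = "auth-bridge")]
pub mod auth_bridge;

// SSO module (feature-gated)
#[cfg(feature = "sso")]
pub mod sso;

// Cloud secret manager integration. The module itself is compiled unconditionally;
// no `cfg` gate is applied at this level.
pub mod secrets;

// Enterprise audit sinks (feature-gated: `otlp-audit`, `postgres-audit`)
#[cfg(feature = "otlp-audit")]
pub mod audit_otlp;
#[cfg(feature = "postgres-audit")]
pub mod audit_postgres;

// Crate-root re-exports: the always-available public surface.
pub use access_control::{AccessControl, AccessControlBuilder};
pub use audit::{
    AuditEvent, AuditEventType, AuditFilter, AuditOutcome, AuditSink, FileAuditSink,
    InMemoryAuditSink,
};
pub use error::{AccessDenied, AuthError};
pub use middleware::{AuthMiddleware, ProtectedTool, ProtectedToolDyn, ToolExt};
pub use permission::Permission;
pub use role::Role;
pub use scope::{
    ContextScopeResolver, ScopeDenied, ScopeGuard, ScopeResolver, ScopeToolExt, ScopedTool,
    ScopedToolDyn, StaticScopeResolver, check_scopes,
};

// Re-exports that exist only when the matching feature is enabled.
#[cfg(feature = "auth-bridge")]
pub use auth_bridge::{JwtRequestContextExtractor, JwtRequestContextExtractorBuilder};

#[cfg(feature = "otlp-audit")]
pub use audit_otlp::OtlpAuditSink;
#[cfg(feature = "postgres-audit")]
pub use audit_postgres::PostgresAuditSink;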