Allow-me
An authorization library with JSON-based policy definitions.
Define your authorization rules in a simple Identity (I), Operation (O), Resource (R) model. Evaluate requests against your policy rules.
Getting Started
[dependencies]
allow-me = "0.1"
Example Usage
JSON definition
A simple example for a policy with one statement and a request evaluated against that policy.
use allow_me::{Decision, PolicyBuilder, Request};

let json = r#"{
"statements": [
{
"effect": "allow",
"identities": [
"actor_a"
],
"operations": [
"write"
],
"resources": [
"resource_1"
]
}
]
}"#;
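// Construct the policy.
let policy = PolicyBuilder::from_json(json).build()?;
// Prepare request (e.g. from user input): identity, operation, resource.
let request = Request::new("actor_a", "write", "resource_1")?;
// Evaluate the request.
match policy.evaluate(&request)? {
    Decision::Allowed => println!("Allowed"),
    Decision::Denied => panic!("Denied!"),
};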
Try it
cargo run --example json
Variable rules
The following example shows a rule that allows any identity to read from and write to its own resource.
use allow_me::{matcher, Decision, PolicyBuilder, Request};

let json = r#"{
"statements": [
{
"effect": "allow",
"identities": [
"{{any}}"
],
"operations": [
"read",
"write"
],
"resources": [
"/home/{{identity}}/"
]
}
]
}"#;
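// Construct the policy.
let policy = PolicyBuilder::from_json(json)
    // use "starts with" matching for resources.
    .with_matcher(matcher::StartsWith)
    // assumed: deny when no statement matches.
    .with_default_decision(Decision::Denied)
    .build()?;
// Prepare request (e.g. from user input); sample values.
let request = Request::new("johndoe", "write", "/home/johndoe/my.resource")?;
// Evaluate the request.
match policy.evaluate(&request)? {
    Decision::Allowed => println!("Allowed"),
    Decision::Denied => panic!("Denied!"),
};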
Try it
cargo run --example vars
Rules ordering
The order of rules matters. When rules conflict, the first matching rule wins. In the example below, we allow actor_a to write to resource_1 and deny actor_a's writes to anything else. Note that any other request will be allowed (default decision).
use allow_me::{Decision, PolicyBuilder, Request};

let json = r#"{
"statements": [
{
"effect": "allow",
"identities": [
"actor_a"
],
"operations": [
"write"
],
"resources": [
"resource_1"
]
},
{
"effect": "deny",
"identities": [
"actor_a"
],
"operations": [
"write"
],
"resources": [
"{{any}}"
]
}
]
}"#;
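// Construct the policy.
let policy = PolicyBuilder::from_json(json)
    // default to Allow all requests.
    .with_default_decision(Decision::Allowed)
    .build()?;
// Prepare request (e.g. from user input).
let request = Request::new("actor_a", "write", "resource_1")?;
// Evaluate specific request.
match policy.evaluate(&request)? {
    Decision::Allowed => println!("Allowed"),
    Decision::Denied => panic!("Denied!"),
};
// Sample request for a different resource.
let request = Request::new("actor_a", "write", "some_other_resource")?;
// Everything else denies.
assert_matches!(policy.evaluate(&request), Ok(Decision::Denied));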
Try it
cargo run --example order
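The first-match-wins ordering and the `/home/{{identity}}/` prefix rule from the two sections above, modelled as an added stand-alone example. It is not the crate's implementation and does not call allow-me; `Statement`, `stmt`, `pattern_matches`, `evaluate` and `ordered_policy` are hypothetical names, and the policies are constructed in code rather than parsed from JSON.

```rust
// Stand-alone model of the semantics described above; it does not use the allow-me crate.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Decision { Allowed, Denied }

pub struct Statement {
    pub effect: Decision,
    pub identities: Vec<&'static str>,
    pub operations: Vec<&'static str>,
    pub resources: Vec<&'static str>,
}

// {{any}} matches everything; {{identity}} expands to the caller's identity.
fn pattern_matches(pattern: &str, value: &str, identity: &str, prefix: bool) -> bool {
    if pattern == "{{any}}" {
        return true;
    }
    let expanded = pattern.replace("{{identity}}", identity);
    if prefix { value.starts_with(&expanded) } else { value == expanded }
}

// First matching statement wins, else `default`; `prefix` = "starts with" resource matching.
pub fn evaluate(policy: &[Statement], default: Decision, prefix: bool,
                id: &str, op: &str, res: &str) -> Decision {
    for s in policy {
        if s.identities.iter().any(|p| pattern_matches(p, id, id, false))
            && s.operations.iter().any(|p| pattern_matches(p, op, id, false))
            && s.resources.iter().any(|p| pattern_matches(p, res, id, prefix))
        {
            return s.effect;
        }
    }
    default
}

pub fn stmt(effect: Decision, id: &'static str, ops: &[&'static str], res: &'static str) -> Statement {
    Statement { effect, identities: vec![id], operations: ops.to_vec(), resources: vec![res] }
}

// The two statements of the ordering example, constructed in code (not parsed from JSON).
pub fn ordered_policy() -> Vec<Statement> {
    vec![
        stmt(Decision::Allowed, "actor_a", &["write"], "resource_1"),
        stmt(Decision::Denied, "actor_a", &["write"], "{{any}}"),
    ]
}

fn main() {
    let p = ordered_policy();
    println!("{:?}", evaluate(&p, Decision::Allowed, false, "actor_a", "write", "resource_2"));
}
```

Reversing the two statements makes the deny rule match first, so actor_a's write to resource_1 is denied. Under prefix matching, the trailing `/` in `/home/{{identity}}/` is what keeps an identity such as `al` from matching `/home/alice/`.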
Customizations
There are several extension points in the library:
- ResourceMatcher trait - responsible for performing resource matching logic.
- Substituter trait - you can add custom variables that can be substituted.
- Validator trait - validates the policy definition. Use it if you need custom validation for policy rules.
- Request Context - you can have a custom datatype associated with Request. Useful with a custom Substituter or ResourceMatcher to implement custom variables or matching logic.
ResourceMatcher
Custom ResourceMatcher that implements "starts with" matching.
;
Substituter and custom Request Context
Custom Substituter that supports the {{any}} and {{role}} variables. The {{role}} variable is substituted with a value from the request context.
// custom context
;
// custom substituter
;
Try it
cargo run --example customizations
Roadmap
- Fluent API for PolicyBuilder
- Regex support
- Benches
Contribution
All contributions and comments are welcome! Don't be afraid to open an issue or PR whenever you find a bug or have an idea to improve this crate.