pub struct PolicyEngine { /* private fields */ }
Implementations§
impl PolicyEngine
pub fn new() -> Self
Create an empty engine that defaults to denying requests when no policy applies.
pub fn from_policies<I>(policies: I) -> Self
where
    I: IntoIterator<Item = Policy>,
Build an engine from an iterator of policies.
Examples found in repository?
examples/basic.rs (line 15)
// Builds one ownership-based Permit policy, evaluates a matching request, and checks the decision.
8fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Permit "document:read" only when the resource's owner_id equals the actor's id.
    // NOTE(review): the second argument to Condition::equals appears to be an attribute
    // path rather than a literal string; confirm against the Condition docs.
9 let policy = Policy::builder("document-read")
10 .target(Target::action("document:read"))
11 .condition(Condition::equals("resource.owner_id", "actor.id"))
12 .effect(Effect::Permit)
13 .build()?;
14
15 let engine = PolicyEngine::from_policies([policy]);
16
    // Both attributes are set by hand here. In a real service the actor id should be taken
    // from the authenticated session, never from caller-supplied request data.
17 let request = Request::new()
18 .action("document:read")
19 .actor_attr("id", "user-123")
20 .resource_attr("owner_id", "user-123");
21
    // evaluate() returns a Result; `?` propagates an evaluation error instead of
    // treating it as a decision.
22 let decision = engine.evaluate(&request)?;
23 println!("decision: {:?}", decision);
24 assert_eq!(decision, Decision::Permit);
25
26 Ok(())
27}More examples
examples/default_deny.rs (lines 10-13)
// Shows the default-deny behaviour, then an engine reconfigured to permit unmatched requests.
8fn main() -> Result<(), Box<dyn std::error::Error>> {
9 // Engine denies by default when no policy matches.
10 let engine = PolicyEngine::from_policies([Policy::builder("allow-write")
11 .target(Target::action("document:write"))
12 .effect(Effect::Permit)
13 .build()?]);
14
    // The only policy targets "document:write"; this request asks for "document:read",
    // so no policy matches and the default (deny) applies.
15 let read_request = Request::new()
16 .action("document:read")
17 .actor_attr("id", "user-123");
18
19 let decision = engine.evaluate(&read_request)?;
20 println!("decision: {:?}", decision);
21 assert_eq!(decision, Decision::Deny);
22
23 // Override the default effect to allow unmatched requests.
    // Fail-open configuration: the policy set is empty, so every request falls through
    // to the default and is permitted. Keep the deny default for access control unless
    // unmatched requests are genuinely meant to be allowed.
24 let permissive_engine = PolicyEngine::from_policies(Vec::<Policy>::new())
25 .with_default_effect(Effect::Permit);
26
27 let read_request = Request::new().action("document:read");
28 let decision = permissive_engine.evaluate(&read_request)?;
29 println!("permissive decision: {:?}", decision);
30 assert_eq!(decision, Decision::Permit);
31
32 Ok(())
33}Sourcepub fn with_default_effect(self, effect: Effect) -> Self
pub fn with_default_effect(self, effect: Effect) -> Self
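Set the default effect returned when no policy matches. Passing `Effect::Permit` makes the engine fail open: every request that no policy matches is permitted, which the example below demonstrates with an empty policy set.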
Examples found in repository?
examples/default_deny.rs (line 25)
// Shows the default-deny behaviour, then an engine reconfigured to permit unmatched requests.
8fn main() -> Result<(), Box<dyn std::error::Error>> {
9 // Engine denies by default when no policy matches.
10 let engine = PolicyEngine::from_policies([Policy::builder("allow-write")
11 .target(Target::action("document:write"))
12 .effect(Effect::Permit)
13 .build()?]);
14
    // The only policy targets "document:write"; this request asks for "document:read",
    // so no policy matches and the default (deny) applies.
15 let read_request = Request::new()
16 .action("document:read")
17 .actor_attr("id", "user-123");
18
19 let decision = engine.evaluate(&read_request)?;
20 println!("decision: {:?}", decision);
21 assert_eq!(decision, Decision::Deny);
22
23 // Override the default effect to allow unmatched requests.
    // Fail-open configuration: the policy set is empty, so every request falls through
    // to the default and is permitted. Keep the deny default for access control unless
    // unmatched requests are genuinely meant to be allowed.
24 let permissive_engine = PolicyEngine::from_policies(Vec::<Policy>::new())
25 .with_default_effect(Effect::Permit);
26
27 let read_request = Request::new().action("document:read");
28 let decision = permissive_engine.evaluate(&read_request)?;
29 println!("permissive decision: {:?}", decision);
30 assert_eq!(decision, Decision::Permit);
31
32 Ok(())
33}Sourcepub fn add_policy(&mut self, policy: Policy)
pub fn add_policy(&mut self, policy: Policy)
Add a policy to the engine.
pub fn evaluate(&self, request: &Request) -> Result<Decision>
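Evaluate the request against the configured policies. When no policy matches, the engine's default effect is returned (deny unless changed with `with_default_effect`). The call returns a `Result`; callers enforcing access control should treat an `Err` as a denial rather than proceeding.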
Examples found in repository?
examples/basic.rs (line 22)
// Builds one ownership-based Permit policy, evaluates a matching request, and checks the decision.
8fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Permit "document:read" only when the resource's owner_id equals the actor's id.
    // NOTE(review): the second argument to Condition::equals appears to be an attribute
    // path rather than a literal string; confirm against the Condition docs.
9 let policy = Policy::builder("document-read")
10 .target(Target::action("document:read"))
11 .condition(Condition::equals("resource.owner_id", "actor.id"))
12 .effect(Effect::Permit)
13 .build()?;
14
15 let engine = PolicyEngine::from_policies([policy]);
16
    // Both attributes are set by hand here. In a real service the actor id should be taken
    // from the authenticated session, never from caller-supplied request data.
17 let request = Request::new()
18 .action("document:read")
19 .actor_attr("id", "user-123")
20 .resource_attr("owner_id", "user-123");
21
    // evaluate() returns a Result; `?` propagates an evaluation error instead of
    // treating it as a decision.
22 let decision = engine.evaluate(&request)?;
23 println!("decision: {:?}", decision);
24 assert_eq!(decision, Decision::Permit);
25
26 Ok(())
27}More examples
examples/default_deny.rs (line 19)
// Shows the default-deny behaviour, then an engine reconfigured to permit unmatched requests.
8fn main() -> Result<(), Box<dyn std::error::Error>> {
9 // Engine denies by default when no policy matches.
10 let engine = PolicyEngine::from_policies([Policy::builder("allow-write")
11 .target(Target::action("document:write"))
12 .effect(Effect::Permit)
13 .build()?]);
14
    // The only policy targets "document:write"; this request asks for "document:read",
    // so no policy matches and the default (deny) applies.
15 let read_request = Request::new()
16 .action("document:read")
17 .actor_attr("id", "user-123");
18
19 let decision = engine.evaluate(&read_request)?;
20 println!("decision: {:?}", decision);
21 assert_eq!(decision, Decision::Deny);
22
23 // Override the default effect to allow unmatched requests.
    // Fail-open configuration: the policy set is empty, so every request falls through
    // to the default and is permitted. Keep the deny default for access control unless
    // unmatched requests are genuinely meant to be allowed.
24 let permissive_engine = PolicyEngine::from_policies(Vec::<Policy>::new())
25 .with_default_effect(Effect::Permit);
26
27 let read_request = Request::new().action("document:read");
28 let decision = permissive_engine.evaluate(&read_request)?;
29 println!("permissive decision: {:?}", decision);
30 assert_eq!(decision, Decision::Permit);
31
32 Ok(())
33}Trait Implementations§
impl Debug for PolicyEngine
Auto Trait Implementations§
impl Freeze for PolicyEngine
impl RefUnwindSafe for PolicyEngine
impl Send for PolicyEngine
impl Sync for PolicyEngine
impl Unpin for PolicyEngine
impl UnwindSafe for PolicyEngine
Blanket Implementations§
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more