auth_kit 0.1.2

Toolkit for Authentication and Authorization in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138

/// Provides authorization logic using various strategies such as ABAC, RBAC, and SBA (Scope-Based Access).
///
/// The `Authorization` struct supports different models of access control and delegates the actual
/// decision-making to the strategy selected at initialization.
use crate::auth::scope::{authorize_with_matcher, FlexibleMatcher};
use crate::error::AuthError;
use crate::model::{AuthContext, AuthStrategy, Identifiable, Resource};

/// Core struct representing the authorization engine.
///
/// This struct holds the selected `AuthStrategy` (e.g., ABAC, RBAC, SBA) and
/// performs access checks based on the provided context and parameters.
pub struct Authorization {
    strategy: AuthStrategy,
}

impl Authorization {
    /// Creates a new `Authorization` instance with the given strategy name.
    ///
    /// # Arguments
    /// * `strategy` - A string representing the strategy name (e.g., `"ABAC"`, `"RBAC"`, `"SBA"`).
    ///
    /// # Returns
    /// * `Ok(Self)` if the strategy name is valid.
    /// * `Err` if the strategy name is unknown or unsupported.
    ///
    /// # Example
    /// ```code
    /// let auth = Authorization::new("RBAC")?;
    /// ```
    pub fn new(strategy: &str) -> Result<Self, AuthError> {
        let strategy = AuthStrategy::from_str(strategy)?;
        Ok(Self { strategy })
    }

    /// Authorizes access to a given service and permission using the selected strategy.
    ///
    /// # Arguments
    /// * `context` - An `AuthContext` that holds the user, claims, and optional resource.
    /// * `service` - The target service being accessed.
    /// * `permission` - The required permission or action (e.g., `"read"`, `"create"`).
    /// * `delimiter` - Optional delimiter used in scope tokens (default is `"."` if None).
    ///
    /// # Returns
    /// * `Ok(())` if the access is granted.
    /// * `Err(AuthError)` if access is denied or required context is missing.
    ///
    /// # Behavior
    /// - **ABAC**: Compares user's department and clearance with resource requirements.
    /// - **RBAC**: Checks if the user's role contains the requested permission.
    /// - **SBA**: Matches candidate scope strings using the user's claims and a flexible matcher.
    pub fn authorize(
        &mut self,
        context: &AuthContext,
        service: &str,
        permission: &str,
        delimiter: Option<&str>,
    ) -> Result<(), AuthError> {
        match self.strategy {
            AuthStrategy::ABAC => {
                let user = context.user.clone().ok_or(AuthError::MissingUser)?;
                let resource = context.resource.clone().ok_or(AuthError::MissingResource)?;
                gen_authorize(&user, service, permission, |u, _, _| {
                    u.department == resource.department && u.clearance_level >= resource.required_level
                })
            }

            AuthStrategy::RBAC => {
                let user = context.user.clone().ok_or(AuthError::MissingUser)?;
                gen_authorize(&user, service, permission, |u, _, p| {
                    u.role.permissions.iter().any(|perm| format!("{:?}", perm).eq_ignore_ascii_case(p))
                })
            }

            AuthStrategy::SBA => {
                let claims = context.claims.clone().ok_or(AuthError::MissingClaims)?;
                let resource = context.resource.clone().unwrap_or_else(|| Resource {
                    department: "*".to_string(),
                    required_level: 0,
                });
                let delim = delimiter.unwrap_or(".");
                let candidates = vec![
                    format!("{}{}{}{}{}", service, delim, resource.department, delim, permission),
                    format!("{}{}{}", service, delim, permission),
                    format!("{}", permission),
                ];
                let scopes = claims.scopes.join(" ");

                gen_authorize(&claims, service, permission, |_, _, _| {
                    candidates.iter().any(|candidate| {
                        authorize_with_matcher::<FlexibleMatcher>(&scopes, candidate)
                    })
                })
            }
        }
    }
}

/// A generic authorization function that evaluates access by executing a permission check closure.
///
/// # Arguments
/// * `user` - A reference to an object implementing the `Identifiable` trait.
/// * `service` - The service being accessed.
/// * `permission` - The permission being requested.
/// * `check_permission` - A closure that performs the actual authorization logic.
///
/// # Returns
/// * `Ok(())` if access is granted.
/// * `Err(AuthError::AccessDenied)` if the permission check fails.
///
/// # Example
/// ```code
/// gen_authorize(&user, "admin_service", "read", |u, _, _| {
///     u.role.permissions.contains(&"admin_service.read".to_string())
/// })?;
/// ```
pub fn gen_authorize<U, S, P, F>(
    user: &U,
    service: S,
    permission: P,
    check_permission: F,
) -> Result<(), AuthError>
where
    F: Fn(&U, &S, &P) -> bool,
    U: Identifiable,
    S: ToString,
    P: ToString,
{
    if check_permission(user, &service, &permission) {
        Ok(())
    } else {
        Err(AuthError::AccessDenied {
            user: user.identity(),
            service: service.to_string(),
            permission: permission.to_string(),
        })
    }
}