author 0.1.0

Auth[entic|oris]ation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

use crate::{Error, Policy, Resource, Subject};
use std::collections::HashSet;
use std::hash::Hash;

pub mod config;

// pub struct Permission<Act, Res> {
//     action: Act,
//     resource: Res,
// }
//
// pub struct Role {
//     permissions: Vec<Permission>,
// }

pub trait GlobalRbacSubject: Subject {
    type GlobalRole: Hash + Eq;

    fn global_roles(&self) -> HashSet<Self::GlobalRole> {
        HashSet::new()
    }
}

pub trait RbacSubject: Subject {
    fn resource_roles<Res>(&self, resource: &Res) -> HashSet<Res::Role>
    where
        Res: RbacResourceWithRole,
    {
        HashSet::new()
    }
}

pub trait RbacResourceWithRole: RbacResource<Self::Role> {
    type Role: Hash + Eq;
}

pub trait RbacResource<Role>: Resource {
    fn allowed_roles(&self, action: &Self::Action) -> HashSet<Role> {
        HashSet::new()
    }
}

pub struct GlobalRbacPolicy {}

impl GlobalRbacPolicy {
    pub fn new() -> Self {
        GlobalRbacPolicy {}
    }
}

impl<Res, Subj> Policy<Res, Subj> for GlobalRbacPolicy
where
    Subj: GlobalRbacSubject,
    Res: RbacResource<Subj::GlobalRole>,
{
    fn authorise(&self, resource: &Res, subject: &Subj, action: &Res::Action) -> Result<(), Error> {
        let subject_global_roles = subject.global_roles();
        let allowed_global_roles = RbacResource::allowed_roles(resource, action);

        let matching_roles: HashSet<_> = allowed_global_roles
            .intersection(&subject_global_roles)
            .collect();

        if matching_roles.len() == 0 {
            return Err(Error::Forbidden);
        }

        Ok(())
    }
}

// pub struct ResourceRbacPolicy<Res, Role, Act>
// where
//     Res: Resource, {}
//
// impl<Res, Subj, Act> Policy<Res, Subj> for ResourceRbacPolicy<Res, Subj, Act> {}

// pub struct RbacPolicy<Res, Subj, Act>
// where
//     Res: Object,
//     Subj: Subject,
// {
//     config: RbacPolicyConfig<Res::Identifier, Subj::Role, Act>,
// }
//
// impl<Res, Subj, Act> RbacPolicy<Res, Subj, Act>
// where
//     Res: Object,
//     Subj: Subject,
// {
//     pub fn new() -> Self {
//         RbacPolicy {
//             config: RbacPolicyConfig::new(),
//         }
//     }
// }
//
// impl<Res, Subj, Act> Policy for RbacPolicy<Res, Subj, Act>
// where
//     Res: Object,
//     <Res as Object>::Identifier: Hash + Eq,
//     Subj: Subject,
//     <Subj as Subject>::Role: Hash + Eq,
//     Act: Hash + Eq,
// {
//     fn authorise<Res, Subj>(
//         &self,
//         resource: &Res,
//         subject: &Subj,
//         action: &Res::Action,
//     ) -> Result<(), Error> {
//         let resource_id = resource.identifier();
//         let subject_roles = subject.roles();
//
//         let allowed_roles = self
//             .config
//             .allowed
//             .get(&resource_id)
//             .and_then(|a| a.get(&action));
//
//         let allowed_roles = match allowed_roles {
//             Some(a) => a,
//             None => {
//                 return Err(Error::Forbidden);
//             }
//         };
//
//         let matching_roles: HashSet<_> = allowed_roles.intersection(&subject_roles).collect();
//
//         if matching_roles.len() == 0 {
//             return Err(Error::Forbidden);
//         }
//
//         Ok(())
//     }
// }

// impl<R1, R2, Subject, A1, A2> Policy<Resource, Subject, Action>
//     for RbacPolicy<Resource, Subject, Action>
// {
//     fn authorise(resource: Resource, subject: Subject, action: Action) -> Result<Resource, Error> {
//         todo!()
//     }
// }