authrs 0.1.2

A comprehensive authentication library for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255

//! # RBAC (Role-Based Access Control) 模块
//!
//! 提供基础的角色权限管理功能,包括:
//!
//! - **角色定义**: 创建和管理角色
//! - **权限检查**: 定义和验证权限
//! - **策略引擎**: 基于策略的访问控制决策
//!
//! ## 基本概念
//!
//! - **Permission(权限)**: 表示对特定资源的特定操作能力
//! - **Role(角色)**: 一组权限的集合
//! - **Policy(策略)**: 定义访问控制规则,可以是允许或拒绝
//!
//! ## 使用示例
//!
//! ### 基本权限检查
//!
//! ```rust
//! use authrs::rbac::{Permission, Role, RoleBuilder};
//!
//! // 创建权限
//! let read_posts = Permission::new("posts", "read");
//! let write_posts = Permission::new("posts", "write");
//! let delete_posts = Permission::new("posts", "delete");
//!
//! // 创建角色
//! let editor = RoleBuilder::new("editor")
//!     .description("Content editor")
//!     .permission(read_posts.clone())
//!     .permission(write_posts.clone())
//!     .build();
//!
//! // 检查权限
//! assert!(editor.has_permission(&read_posts));
//! assert!(editor.has_permission(&write_posts));
//! assert!(!editor.has_permission(&delete_posts));
//! ```
//!
//! ### 使用通配符权限
//!
//! ```rust
//! use authrs::rbac::{Permission, Role, RoleBuilder};
//!
//! // 创建管理员角色,拥有所有权限
//! let admin = RoleBuilder::new("admin")
//!     .permission(Permission::wildcard()) // 所有资源的所有操作
//!     .build();
//!
//! // 创建文章管理员,拥有文章的所有操作权限
//! let posts_admin = RoleBuilder::new("posts_admin")
//!     .permission(Permission::resource_wildcard("posts")) // posts:*
//!     .build();
//!
//! let read_posts = Permission::new("posts", "read");
//! let read_users = Permission::new("users", "read");
//!
//! assert!(admin.has_permission(&read_posts));
//! assert!(admin.has_permission(&read_users));
//! assert!(posts_admin.has_permission(&read_posts));
//! assert!(!posts_admin.has_permission(&read_users));
//! ```
//!
//! ### 使用策略引擎
//!
//! ```rust
//! use authrs::rbac::{
//!     Permission, Role, RoleBuilder, PolicyEngine, Policy,
//!     PolicyEffect, PolicyEvaluator, Subject, Resource, Action,
//! };
//!
//! // 创建策略引擎
//! let mut engine = PolicyEngine::new();
//!
//! // 添加策略:允许 editor 角色读写文章
//! engine.add_policy(
//!     Policy::allow("editor-posts-policy")
//!         .role("editor")
//!         .resource("posts")
//!         .actions(["read", "write"])
//!         .build()
//! );
//!
//! // 添加策略:拒绝所有用户删除文章(优先级更高)
//! engine.add_policy(
//!     Policy::deny("no-delete-posts")
//!         .resource("posts")
//!         .action("delete")
//!         .priority(100) // 更高优先级
//!         .build()
//! );
//!
//! // 创建主体(用户)
//! let user = Subject::new("user123").with_role("editor");
//!
//! // 评估访问请求
//! let can_read = engine.evaluate(&user, &Resource::new("posts"), &Action::new("read"));
//! let can_delete = engine.evaluate(&user, &Resource::new("posts"), &Action::new("delete"));
//!
//! assert!(can_read.is_allowed());
//! assert!(can_delete.is_denied());
//! ```
//!
//! ### 角色继承
//!
//! ```rust
//! use authrs::rbac::{Permission, Role, RoleBuilder, RoleManager};
//!
//! # tokio::runtime::Runtime::new().unwrap().block_on(async {
//! let manager = RoleManager::new();
//!
//! // 创建基础角色
//! let viewer = RoleBuilder::new("viewer")
//!     .permission(Permission::new("posts", "read"))
//!     .build();
//!
//! // 创建继承角色
//! let editor = RoleBuilder::new("editor")
//!     .inherit("viewer") // 继承 viewer 的权限
//!     .permission(Permission::new("posts", "write"))
//!     .build();
//!
//! manager.add_role(viewer).await;
//! manager.add_role(editor).await;
//!
//! // editor 拥有继承的 read 权限和自己的 write 权限
//! let effective = manager.get_effective_permissions("editor").await;
//! assert!(effective.contains(&Permission::new("posts", "read")));
//! assert!(effective.contains(&Permission::new("posts", "write")));
//! # });
//! ```

mod permission;
mod policy;
mod role;

pub use permission::{Action, Permission, PermissionSet, Resource};
pub use policy::{
    Decision, DecisionReason, Policy, PolicyBuilder, PolicyEffect, PolicyEngine, PolicyEvaluator,
    Subject,
};
pub use role::{InMemoryRoleStore, Role, RoleBuilder, RoleManager, RoleStore};

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_basic_rbac_workflow() {
        // 创建权限
        let read_posts = Permission::new("posts", "read");
        let write_posts = Permission::new("posts", "write");
        let delete_posts = Permission::new("posts", "delete");

        // 创建角色
        let editor = RoleBuilder::new("editor")
            .description("Content editor")
            .permission(read_posts.clone())
            .permission(write_posts.clone())
            .build();

        // 验证权限
        assert!(editor.has_permission(&read_posts));
        assert!(editor.has_permission(&write_posts));
        assert!(!editor.has_permission(&delete_posts));
    }

    #[test]
    fn test_policy_engine_workflow() {
        let mut engine = PolicyEngine::new();

        // 添加允许策略
        engine.add_policy(
            Policy::allow("editor-posts-read")
                .role("editor")
                .resource("posts")
                .action("read")
                .build(),
        );

        // 添加拒绝策略(高优先级)
        engine.add_policy(
            Policy::deny("no-delete")
                .resource("posts")
                .action("delete")
                .priority(100)
                .build(),
        );

        let user = Subject::new("user1").with_role("editor");

        // 测试允许的操作
        let decision = engine.evaluate(&user, &Resource::new("posts"), &Action::new("read"));
        assert!(decision.is_allowed());

        // 测试拒绝的操作
        let decision = engine.evaluate(&user, &Resource::new("posts"), &Action::new("delete"));
        assert!(decision.is_denied());

        // 测试未定义的操作(默认拒绝)
        let decision = engine.evaluate(&user, &Resource::new("users"), &Action::new("read"));
        assert!(decision.is_denied());
    }

    #[tokio::test]
    async fn test_role_inheritance() {
        let manager = RoleManager::new();

        // 基础角色
        let viewer = RoleBuilder::new("viewer")
            .permission(Permission::new("posts", "read"))
            .build();

        // 继承角色
        let editor = RoleBuilder::new("editor")
            .inherit("viewer")
            .permission(Permission::new("posts", "write"))
            .build();

        manager.add_role(viewer).await;
        manager.add_role(editor).await;

        // 验证继承的权限
        let effective = manager.get_effective_permissions("editor").await;
        assert!(effective.contains(&Permission::new("posts", "read")));
        assert!(effective.contains(&Permission::new("posts", "write")));
    }

    #[test]
    fn test_wildcard_permissions() {
        // 超级管理员
        let super_admin = RoleBuilder::new("super_admin")
            .permission(Permission::wildcard())
            .build();

        // 资源管理员
        let posts_admin = RoleBuilder::new("posts_admin")
            .permission(Permission::resource_wildcard("posts"))
            .build();

        let read_posts = Permission::new("posts", "read");
        let delete_posts = Permission::new("posts", "delete");
        let read_users = Permission::new("users", "read");

        // 超级管理员拥有所有权限
        assert!(super_admin.has_permission(&read_posts));
        assert!(super_admin.has_permission(&delete_posts));
        assert!(super_admin.has_permission(&read_users));

        // posts_admin 只有 posts 资源的权限
        assert!(posts_admin.has_permission(&read_posts));
        assert!(posts_admin.has_permission(&delete_posts));
        assert!(!posts_admin.has_permission(&read_users));
    }
}