authz-core 0.1.0

Zanzibar-style authorization engine — model parser, resolver, policy traits, and CEL condition evaluation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

//! Generic cache abstraction for authz resolution caches.
//!
//! Provides `AuthzCache<V>` trait and a `NoopCache` implementation that never
//! stores entries.  The trait is intentionally minimal so that `authz-core`
//! stays dependency-light — concrete backends (e.g. moka) live in downstream
//! crates.

use std::sync::Arc;

/// Cache performance metrics.
pub trait CacheMetrics: Send + Sync {
    /// Total number of cache hits.
    fn hits(&self) -> u64;

    /// Total number of cache misses.
    fn misses(&self) -> u64;

    /// Hit rate as a percentage (0.0 to 100.0).
    fn hit_rate(&self) -> f64 {
        let total = self.hits() + self.misses();
        if total == 0 {
            0.0
        } else {
            (self.hits() as f64 / total as f64) * 100.0
        }
    }
}

/// Generic cache abstraction for authz resolution caches.
///
/// Implementations must be `Send + Sync` so they can be shared across threads
/// and stored behind `Arc`.
pub trait AuthzCache<V: Clone + Send + Sync>: Send + Sync {
    /// Look up a cached value by key.  Returns `None` on miss.
    fn get(&self, key: &str) -> Option<V>;

    /// Insert a value into the cache.
    fn insert(&self, key: &str, value: V);

    /// Remove a single entry by key.
    fn invalidate(&self, key: &str);

    /// Remove all entries from the cache.
    fn invalidate_all(&self);

    /// Get cache performance metrics.
    fn metrics(&self) -> Box<dyn CacheMetrics>;
}

/// A cache that never stores anything — every `get` returns `None`.
///
/// Used as the default when caching is disabled (TTL = 0) and in unit tests.
pub struct NoopCache;

/// Metrics for NoopCache (always returns zeros).
struct NoopMetrics;

impl CacheMetrics for NoopMetrics {
    fn hits(&self) -> u64 {
        0
    }

    fn misses(&self) -> u64 {
        0
    }
}

impl<V: Clone + Send + Sync> AuthzCache<V> for NoopCache {
    fn get(&self, _key: &str) -> Option<V> {
        None
    }

    fn insert(&self, _key: &str, _value: V) {}

    fn invalidate(&self, _key: &str) {}

    fn invalidate_all(&self) {}

    fn metrics(&self) -> Box<dyn CacheMetrics> {
        Box::new(NoopMetrics)
    }
}

/// Convenience helper: create a `NoopCache` wrapped in an `Arc`.
pub fn noop_cache<V: Clone + Send + Sync + 'static>() -> Arc<dyn AuthzCache<V>> {
    Arc::new(NoopCache)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn noop_cache_always_misses() {
        let cache: Arc<dyn AuthzCache<String>> = noop_cache();
        cache.insert("key", "value".to_string());
        assert_eq!(cache.get("key"), None);
    }

    #[test]
    fn noop_cache_invalidate_is_safe() {
        let cache: Arc<dyn AuthzCache<i32>> = noop_cache();
        cache.invalidate_all(); // should not panic
    }
}