beep-authz 0.3.0

Authorization library for Beep services
Documentation

๐Ÿ”’ beep-authz

A Rust authorization library with SpiceDB integration for fine-grained permissions.

Crates.io Documentation Rust

Powerful, flexible authorization with Google Zanzibar-inspired permission checks

๐Ÿ“– Documentation | ๐Ÿš€ Getting Started | ๐Ÿ’ก Examples

โœจ Features

๐Ÿ” SpiceDB Integration

  • Native support for SpiceDB/AuthZed
  • Fine-grained permission checks
  • Relationship-based access control (ReBAC)

โšก High Performance

  • Async/await support with Tokio
  • Connection pooling
  • gRPC-based communication

๐ŸŽฏ Type-Safe Permissions

  • Strongly-typed permission system
  • Object-based resource modeling
  • Compile-time safety

๐Ÿ›ก๏ธ Enterprise Ready

  • Production-tested
  • Comprehensive error handling
  • Token-based authentication

๐Ÿš€ Quick Start

Installation

Add beep-authz to your Cargo.toml:

[dependencies]
beep-authz = "0.1.0"
tokio = { version = "1.48", features = ["full"] }

Basic Usage

use authz::{SpiceDbRepository, SpiceDbConfig, SpiceDbObject, Permissions};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // ๐Ÿ”ง Configure SpiceDB connection
    let config = SpiceDbConfig {
        endpoint: "localhost:50051".to_string(),
        token: Some("your-preshared-key".to_string()),
    };

    // ๐Ÿ”Œ Connect to SpiceDB
    let authz = SpiceDbRepository::new(config).await?;

    // ๐Ÿ” Check if user can view a channel
    let result = authz.check_permissions(
        SpiceDbObject::Channel("channel-123".to_string()),
        Permissions::ViewChannels,
        SpiceDbObject::User("user-456".to_string()),
    ).await;

    if result.has_permissions() {
        println!("โœ… User has permission to view channel");
    } else {
        println!("โŒ Access denied");
    }

    Ok(())
}

๐Ÿ“‹ Supported Permissions

The library includes built-in permissions for common scenarios:

  • Administrator - Full access to all resources
  • ManageServer - Update server settings
  • ManageRoles - Create and manage roles
  • CreateInvitation - Generate invite links
  • ManageChannels - Full channel management
  • ManageWebhooks - Webhook CRUD operations
  • ViewChannels - Read channel contents
  • SendMessages - Post messages
  • ManageNicknames - Update user nicknames
  • ChangeNickname - Update own nickname
  • ManageMessages - Moderate messages
  • AttachFiles - Upload files

๐Ÿ—๏ธ Architecture

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚           SpiceDbRepository             โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚
โ”‚  โ”‚   check_permissions()             โ”‚  โ”‚
โ”‚  โ”‚   check_permissions_raw()         โ”‚  โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                    โ”‚
                    โ”‚ gRPC
                    โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚             SpiceDB Server              โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”‚
โ”‚  โ”‚  Permission Engine                โ”‚  โ”‚
โ”‚  โ”‚  โ€ข Check relationships            โ”‚  โ”‚
โ”‚  โ”‚  โ€ข Evaluate permissions           โ”‚  โ”‚
โ”‚  โ”‚  โ€ข Return authorization result    โ”‚  โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

๐Ÿ”ง Configuration

Configure SpiceDB connection via environment variables or command-line arguments:

# Environment variables
export SPICEDB_ENDPOINT="grpc.authzed.com:443"
export SPICEDB_TOKEN="your-preshared-key"

# Or use command-line arguments
cargo run -- --spicedb-endpoint localhost:50051 --spicedb-token your-key

๐ŸŒ SpiceDB Setup

This library works with:

  • SpiceDB - Open-source authorization system
  • AuthZed - Managed SpiceDB service

๐Ÿ“š Learn More

๐Ÿงช Testing

Run the test suite:

cargo test

๐Ÿ“„ License

Licensed under Apache License 2.0. See LICENSE for details.