cf-authz-resolver-sdk 0.3.0

SDK for authz_resolver module: evaluation API, constraints, PEP compiler
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

// Updated: 2026-04-14 by Constructor Tech
//! Constraint types for authorization decisions.
//!
//! Constraints represent row-level filtering conditions returned by the PDP.
//! They are compiled into `AccessScope` by the PEP compiler.
//!
//! ## Supported predicates
//!
//! - `Eq` / `In` - scalar value predicates (tenant scoping, resource ID)
//! - `InGroup` - group membership subquery: resource visible if member of any listed group
//! - `InGroupSubtree` - group subtree subquery: resource visible if member of any descendant of listed ancestors

use crate::pep::IntoPropertyValue;
use serde::{Deserialize, Serialize};
use serde_json::Value;

/// A constraint on a specific resource property.
///
/// Multiple constraints within a response are `ORed`:
/// a resource matches if it satisfies ANY constraint.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Constraint {
    /// The predicates within this constraint. All predicates are `ANDed`:
    /// a resource matches this constraint only if ALL predicates are satisfied.
    pub predicates: Vec<Predicate>,
}

/// A predicate comparing a resource property to a value or subquery.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "op", rename_all = "snake_case")]
pub enum Predicate {
    /// Equality: `resource_property = value`
    Eq(EqPredicate),
    /// Set membership: `resource_property IN (values)`
    In(InPredicate),
    /// Group membership: `resource_property IN (SELECT resource_id FROM membership WHERE group_id IN (group_ids))`
    InGroup(InGroupPredicate),
    /// Group subtree: `resource_property IN (SELECT resource_id FROM membership WHERE group_id IN (SELECT descendant_id FROM closure WHERE ancestor_id IN (ancestor_ids)))`
    InGroupSubtree(InGroupSubtreePredicate),
}

/// Equality predicate: `property = value`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EqPredicate {
    /// Resource property name (e.g., `pep_properties::OWNER_TENANT_ID`, `pep_properties::RESOURCE_ID`).
    pub property: String,
    /// The value to match (UUID string, plain string, number, bool, etc.).
    pub value: Value,
}

impl EqPredicate {
    /// Create an equality predicate with any convertible value.
    #[must_use]
    pub fn new(property: impl Into<String>, value: impl IntoPropertyValue) -> Self {
        Self {
            property: property.into(),
            value: value.into_filter_value(),
        }
    }
}

/// Set membership predicate: `property IN (values)`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct InPredicate {
    /// Resource property name (e.g., `pep_properties::OWNER_TENANT_ID`, `pep_properties::RESOURCE_ID`).
    pub property: String,
    /// The set of values to match against.
    pub values: Vec<Value>,
}

impl InPredicate {
    /// Create an `IN` predicate from an iterator of convertible values.
    #[must_use]
    pub fn new<V: IntoPropertyValue>(
        property: impl Into<String>,
        values: impl IntoIterator<Item = V>,
    ) -> Self {
        Self {
            property: property.into(),
            values: values
                .into_iter()
                .map(IntoPropertyValue::into_filter_value)
                .collect(),
        }
    }
}

/// Group membership predicate: resource is visible if it belongs to any of the listed groups.
///
/// Compiles to: `property IN (SELECT resource_id FROM resource_group_membership WHERE group_id IN (group_ids))`
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct InGroupPredicate {
    /// Resource property to filter (e.g., `pep_properties::RESOURCE_ID`).
    pub property: String,
    /// Group UUIDs - the resource must be a member of at least one.
    pub group_ids: Vec<Value>,
}

impl InGroupPredicate {
    /// Create an `InGroup` predicate.
    #[must_use]
    pub fn new<V: IntoPropertyValue>(
        property: impl Into<String>,
        group_ids: impl IntoIterator<Item = V>,
    ) -> Self {
        Self {
            property: property.into(),
            group_ids: group_ids
                .into_iter()
                .map(IntoPropertyValue::into_filter_value)
                .collect(),
        }
    }
}

/// Group subtree predicate: resource is visible if it belongs to any group
/// that is a descendant of the listed ancestor groups.
///
/// Compiles to: `property IN (SELECT resource_id FROM resource_group_membership
///   WHERE group_id IN (SELECT descendant_id FROM resource_group_closure WHERE ancestor_id IN (ancestor_ids)))`
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct InGroupSubtreePredicate {
    /// Resource property to filter (e.g., `pep_properties::RESOURCE_ID`).
    pub property: String,
    /// Ancestor group UUIDs - the resource must be a member of any descendant.
    pub ancestor_ids: Vec<Value>,
}

impl InGroupSubtreePredicate {
    /// Create an `InGroupSubtree` predicate.
    #[must_use]
    pub fn new<V: IntoPropertyValue>(
        property: impl Into<String>,
        ancestor_ids: impl IntoIterator<Item = V>,
    ) -> Self {
        Self {
            property: property.into(),
            ancestor_ids: ancestor_ids
                .into_iter()
                .map(IntoPropertyValue::into_filter_value)
                .collect(),
        }
    }
}

#[cfg(test)]
#[path = "constraints_tests.rs"]
mod constraints_tests;