cf-authz-resolver 0.1.3

AuthZ resolver module - discovers and routes to plugins
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

# AuthZ Resolver

Main module for authorization in CyberFabric. Discovers AuthZ plugins via GTS types-registry and routes policy evaluation to the selected plugin (PDP).

## Overview

The `cf-authz-resolver` module provides:

- **Plugin discovery** — Finds AuthZ plugins via GTS types-registry
- **Vendor-based selection** — Selects plugin by vendor and priority
- **Policy evaluation routing** — Delegates AuthZEN-based evaluation requests to the active PDP plugin
- **ClientHub integration** — Registers `AuthZResolverClient` for inter-module use

This is a **main module** — it contains no authorization logic itself. All operations are delegated to the active plugin (e.g., `cf-static-authz-plugin` for development, or a custom implementation).

## Architecture

```
Consumer Module (PEP)
PolicyEnforcer  (SDK helper — builds request, compiles response)
AuthZResolverClient  (SDK trait, registered in ClientHub)
authz-resolver gateway  (this crate — discovers & routes)
AuthZResolverPluginClient  (SDK trait, scoped by GTS instance ID)
Plugin implementation  (PDP — evaluates policies, returns constraints)
```

## Usage

Services act as Policy Enforcement Points (PEPs) using the `PolicyEnforcer` from the SDK:

```rust
use authz_resolver_sdk::pep::{PolicyEnforcer, ResourceType};
use modkit_security::pep_properties;

const USER: ResourceType = ResourceType {
    name: "gts.x.core.users.user.v1~",
    supported_properties: &[pep_properties::OWNER_TENANT_ID, pep_properties::RESOURCE_ID],
};

let authz = hub.get::<dyn AuthZResolverClient>()?;
let enforcer = PolicyEnforcer::new(authz.clone());

// Get access scope for a CRUD operation
let scope = enforcer.access_scope(&ctx, &USER, "list", None).await?;
// Use scope with SecureORM for row-level filtering
```

## Configuration

The module is configured via the server's YAML config. Plugin selection is automatic based on GTS registration. Use the `static-authz` feature flag to compile in the development plugin.

## Writing a Plugin

Implement the `AuthZResolverPluginClient` trait from `cf-authz-resolver-sdk` and register it with a GTS instance ID derived from the `AuthZResolverPluginSpecV1` schema.

## Testing

```bash
cargo test -p cf-authz-resolver
```

## License

Apache-2.0