crabka-authz 0.2.0

Shared Kafka-ACL authorization evaluator for the Crabka broker and gateway
//! Default authorizer when authorization is unset. Returns `Allow` for
//! any request. Provides an explicit type so the "allow everything"
//! behavior is spelled out at config time rather than emerging from the
//! ACL impl's empty-input path.

use crate::{AclSource, AuthorizationRequest, AuthorizationResult, Authorizer};

/// Authorizer whose verdict is always [`AuthorizationResult::Allow`].
///
/// This is the default authorizer: the broker / gateway config selects it
/// with `type = "allow_all"`, and also when the authorizer setting is left
/// out entirely.
///
/// # Security
///
/// No ACL is consulted, so every principal may perform every operation on
/// every resource. Because an omitted setting also resolves to this type, a
/// deployment that needs access control should name an ACL-backed
/// authorizer explicitly in its config and not rely on the default.
#[derive(Default, Debug)]
pub struct AllowAllAuthorizer;

impl Authorizer for AllowAllAuthorizer {
    /// Grants the request unconditionally.
    ///
    /// Neither argument is read (hence the `_` prefixes): the ACL source is
    /// never queried, and the principal, host, resource and operation carried
    /// by the request have no influence on the result.
    ///
    /// Always returns [`AuthorizationResult::Allow`]; this implementation has
    /// no deny path.
    fn authorize(
        &self,
        _source: &dyn AclSource,
        _req: &AuthorizationRequest<'_>,
    ) -> AuthorizationResult {
        // Fail-open by design: the verdict is a constant, not a lookup.
        AuthorizationResult::Allow
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use assert2::assert;
    use crabka_metadata::{AclOperation, MetadataImage, ResourceType};
    use crabka_security::{AuthMethod, Principal};
    use std::net::SocketAddr;
    use uuid::Uuid;

    /// Pins the fail-open contract: a `Write` on an arbitrary topic is
    /// allowed even though the test never adds any ACL to the image it
    /// passes as the ACL source.
    #[test]
    fn allow_all_returns_allow_for_any_request() {
        // Caller identity and peer address; the values are arbitrary because
        // the authorizer under test ignores the request.
        let peer: SocketAddr = "1.2.3.4:9092".parse().unwrap();
        let principal = Principal {
            name: "alice".into(),
            auth_method: AuthMethod::SaslPlain,
            groups: vec![],
        };

        // Freshly constructed image, used as-is as the ACL source.
        let image = MetadataImage::new(Uuid::nil());

        let request = AuthorizationRequest {
            principal: &principal,
            host: &peer,
            resource_type: ResourceType::Topic,
            resource_name: "anything",
            operation: AclOperation::Write,
        };

        let verdict = AllowAllAuthorizer.authorize(&image, &request);
        assert!(verdict == AuthorizationResult::Allow);
    }
}