crabka-authz 0.3.5

Shared Kafka-ACL authorization evaluator for the Crabka broker and gateway
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

//! Abstraction over "where ACL entries come from", so one evaluator serves both
//! the broker (a `MetadataImage` snapshot) and the gateway (a `Vec<AclEntry>`
//! cache fetched via `DescribeAcls`).

use crabka_metadata::{AclEntry, ResourceType};

/// A source of ACL entries the authorizer can match against. `matching_acls`
/// MUST return every entry whose resource pattern matches `(rt, name)`:
/// LITERAL entries equal to `name`, LITERAL `*` (wildcard), and PREFIXED
/// entries where `name.starts_with(entry.resource_name)`. (Mirror
/// [`crabka_metadata::MetadataImage::matching_acls`] —
/// `crates/metadata/src/image.rs`.)
pub trait AclSource {
    fn matching_acls<'a>(
        &'a self,
        rt: ResourceType,
        name: &'a str,
    ) -> Box<dyn Iterator<Item = &'a AclEntry> + 'a>;
}

// The broker's MetadataImage already implements the exact matching semantics;
// adapt its iterator. (Trait is local ⇒ orphan rule satisfied for the foreign
// MetadataImage type.)
impl AclSource for crabka_metadata::MetadataImage {
    fn matching_acls<'a>(
        &'a self,
        rt: ResourceType,
        name: &'a str,
    ) -> Box<dyn Iterator<Item = &'a AclEntry> + 'a> {
        Box::new(crabka_metadata::MetadataImage::matching_acls(
            self, rt, name,
        ))
    }
}