iam-rs 0.1.1

Complete Rust library for parsing, validating, and evaluating IAM policies. Provider-agnostic authorization engine with full AWS IAM compatibility.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

use super::context::Context;
use crate::{Arn, Principal};
use serde::{Deserialize, Serialize};

/// Core IAM request containing principal, action, and resource
///
/// ## Understanding the PARC model
///
/// The PARC model represents the request context based on the four JSON elements in the policy language:
///
/// * Principal – The entity making the request.
///   A principal represents a human user or programmatic workload that can be authenticated and
///   then authorized to perform actions in AWS accounts.
/// * Action – The operation being performed. Often the action will map to an API action.
/// * Resource – The AWS resource on which the action is being performed.
/// * Condition – Additional constraints that must be met for the request to be allowed.
///
/// The following shows an example of how the PARC model might represent a request context:
///
/// ```text
/// Principal: AIDA123456789EXAMPLE
/// Action: s3:CreateBucket
/// Resource: arn:aws:s3:::amzn-s3-demo-bucket1
/// Context:
/// - aws:UserId=AIDA123456789EXAMPLE:BobsSession
/// - aws:PrincipalAccount=123456789012
/// - aws:PrincipalOrgId=o-example
/// - aws:PrincipalARN=arn:aws:iam::AIDA123456789EXAMPLE:role/HR
/// - aws:MultiFactorAuthPresent=true
/// - aws:CurrentTime=...
/// - aws:EpochTime=...
/// - aws:SourceIp=...
/// - aws:PrincipalTag/dept=123
/// - aws:PrincipalTag/project=blue
/// - aws:RequestTag/dept=123
/// ```
///
/// <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-reqcontext.html>
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
#[cfg_attr(feature = "utoipa", derive(utoipa::ToSchema))]
pub struct IAMRequest {
    /// The principal making the request (e.g., AROA123456789EXAMPLE)
    #[serde(rename = "Principal")]
    pub principal: Principal,

    /// The action being requested (e.g., iam:DeactivateMFADevice)
    #[serde(rename = "Action")]
    pub action: String,

    /// The resource being accessed (e.g., `arn:aws:iam::user/martha`)
    #[serde(rename = "Resource")]
    pub resource: Arn,

    /// Additional context for condition evaluation
    #[serde(rename = "Context", default)]
    pub context: Context,
}

impl IAMRequest {
    /// Creates a new request
    #[must_use]
    pub fn new<S: Into<String>>(principal: Principal, action: S, resource: Arn) -> Self {
        let action = action.into();
        Self {
            principal,
            action,
            resource,
            context: Context::new(),
        }
    }

    /// Creates a request with context
    #[must_use]
    pub fn new_with_context<S: Into<String>>(
        principal: Principal,
        action: S,
        resource: Arn,
        context: Context,
    ) -> Self {
        let action = action.into();
        Self {
            principal,
            action,
            resource,
            context,
        }
    }
}

#[cfg(test)]
mod tests {
    use crate::PrincipalId;

    use super::*;

    #[test]
    fn test_parc_request_creation() {
        let request = IAMRequest::new(
            Principal::Aws(PrincipalId::String("AROA123456789EXAMPLE".into())),
            "iam:DeactivateMFADevice",
            Arn::parse("arn:aws:iam:::user/martha").unwrap(),
        );

        assert_eq!(
            request.principal,
            Principal::Aws(PrincipalId::String("AROA123456789EXAMPLE".into()))
        );
        assert_eq!(request.action, "iam:DeactivateMFADevice");
        assert_eq!(
            request.resource,
            Arn::parse("arn:aws:iam:::user/martha").unwrap()
        );
    }

    #[test]
    #[allow(clippy::float_cmp)]
    fn test_parc_request_with_context() {
        let context = Context::new()
            .with_string("aws:UserId", "AIDA123456789EXAMPLE:BobsSession")
            .with_boolean("aws:MultiFactorAuthPresent", true)
            .with_number("aws:EpochTime", 1_633_072_800.0);
        let request = IAMRequest::new_with_context(
            Principal::Aws(PrincipalId::String("principal".into())),
            "action",
            Arn::parse("arn:aws:iam:::user/martha").unwrap(),
            context,
        );

        assert_eq!(
            request
                .context
                .get("aws:UserId")
                .unwrap()
                .as_string()
                .unwrap(),
            "AIDA123456789EXAMPLE:BobsSession"
        );
        assert!(
            request
                .context
                .get("aws:MultiFactorAuthPresent")
                .unwrap()
                .as_boolean()
                .unwrap()
        );
        assert_eq!(
            request
                .context
                .get("aws:EpochTime")
                .unwrap()
                .as_number()
                .unwrap(),
            1_633_072_800.0
        );
    }
}