inferadb 0.1.5

Official Rust SDK for InferaDB
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

//! AuthorizationClient trait for dependency injection.

use std::future::Future;
use std::pin::Pin;

use crate::types::Context;
use crate::Error;

/// Object-safe trait for authorization operations.
///
/// This trait allows you to abstract over different authorization clients
/// (real, mock, in-memory) for testing and dependency injection.
///
/// ## Example
///
/// ```rust
/// use inferadb::testing::AuthorizationClient;
/// use inferadb::Error;
///
/// // Function that works with any authorization client
/// async fn check_access(
///     client: &dyn AuthorizationClient,
///     user_id: &str,
/// ) -> Result<bool, Error> {
///     client.check(
///         &format!("user:{}", user_id),
///         "view",
///         "dashboard:main",
///     ).await
/// }
///
/// // In production, use the real client
/// // In tests, use MockClient or InMemoryClient
/// ```
///
/// ## Object Safety
///
/// This trait is object-safe, so you can use `&dyn AuthorizationClient`
/// or `Box<dyn AuthorizationClient>` for dynamic dispatch.
pub trait AuthorizationClient: Send + Sync {
    /// Checks if a subject has a permission on a resource.
    ///
    /// Returns `Ok(true)` if allowed, `Ok(false)` if denied.
    fn check(
        &self,
        subject: &str,
        permission: &str,
        resource: &str,
    ) -> Pin<Box<dyn Future<Output = Result<bool, Error>> + Send + '_>>;

    /// Checks with ABAC context.
    fn check_with_context(
        &self,
        subject: &str,
        permission: &str,
        resource: &str,
        context: &Context,
    ) -> Pin<Box<dyn Future<Output = Result<bool, Error>> + Send + '_>>;
}

#[cfg(test)]
mod tests {
    use super::*;

    struct TestClient {
        allow_all: bool,
    }

    impl AuthorizationClient for TestClient {
        fn check(
            &self,
            _subject: &str,
            _permission: &str,
            _resource: &str,
        ) -> Pin<Box<dyn Future<Output = Result<bool, Error>> + Send + '_>> {
            let result = self.allow_all;
            Box::pin(async move { Ok(result) })
        }

        fn check_with_context(
            &self,
            _subject: &str,
            _permission: &str,
            _resource: &str,
            _context: &Context,
        ) -> Pin<Box<dyn Future<Output = Result<bool, Error>> + Send + '_>> {
            let result = self.allow_all;
            Box::pin(async move { Ok(result) })
        }
    }

    #[tokio::test]
    async fn test_trait_object() {
        let client: Box<dyn AuthorizationClient> = Box::new(TestClient { allow_all: true });
        let result = client.check("user:alice", "view", "doc:1").await;
        assert!(result.unwrap());
    }

    #[tokio::test]
    async fn test_deny() {
        let client = TestClient { allow_all: false };
        let result = client.check("user:alice", "view", "doc:1").await;
        assert!(!result.unwrap());
    }

    #[tokio::test]
    async fn test_check_with_context() {
        let client = TestClient { allow_all: true };
        let context = Context::new().with("env", "test");
        let result = client
            .check_with_context("user:alice", "view", "doc:1", &context)
            .await;
        assert!(result.unwrap());
    }

    #[tokio::test]
    async fn test_check_with_context_deny() {
        let client = TestClient { allow_all: false };
        let context = Context::new().with("env", "prod");
        let result = client
            .check_with_context("user:alice", "view", "doc:1", &context)
            .await;
        assert!(!result.unwrap());
    }
}