kimberlite-abac 0.9.1

Attribute-Based Access Control (ABAC) for Kimberlite
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

//! # kimberlite-abac: Attribute-Based Access Control
//!
//! Provides context-aware access decisions based on user, resource, and environment attributes.
//! Extends RBAC with fine-grained, dynamic access control.
//!
//! ## Architecture
//!
//! ```text
//! ┌─────────────────────────────────────────────┐
//! │  Access Request                              │
//! │  (User + Resource + Environment Attributes)  │
//! └─────────────────┬───────────────────────────┘
//!//!//! ┌─────────────────────────────────────────────┐
//! │  ABAC Evaluator                              │
//! │  ├─ Evaluate rules by priority               │
//! │  ├─ Match conditions against attributes      │
//! │  └─ Return Allow/Deny decision               │
//! └─────────────────┬───────────────────────────┘
//!//!//! ┌─────────────────────────────────────────────┐
//! │  Decision                                    │
//! │  - Effect (Allow/Deny)                       │
//! │  - Matched rule name                         │
//! │  - Human-readable reason                     │
//! └─────────────────────────────────────────────┘
//! ```
//!
//! ## Standard Policies
//!
//! Pre-built policies for common compliance frameworks:
//!
//! - **HIPAA**: PHI access only during business hours with clearance >= 2
//! - **`FedRAMP`**: Deny access from outside the US
//! - **PCI DSS**: PCI data only from server devices with clearance >= 2
//!
//! ## Examples
//!
//! ```
//! use kimberlite_abac::policy::{AbacPolicy, Rule, Condition, Effect};
//! use kimberlite_abac::attributes::{UserAttributes, ResourceAttributes, EnvironmentAttributes, DeviceType};
//! use kimberlite_abac::evaluator;
//! use kimberlite_types::DataClass;
//! use chrono::Utc;
//!
//! // Create a policy that denies access outside business hours
//! let policy = AbacPolicy::new(Effect::Allow)
//!     .with_rule(Rule {
//!         name: "deny-after-hours".to_string(),
//!         effect: Effect::Deny,
//!         conditions: vec![
//!             Condition::Not(Box::new(Condition::BusinessHoursOnly)),
//!         ],
//!         priority: 10,
//!     })
//!     .expect("unique rule name");
//!
//! let user = UserAttributes::new("analyst", "engineering", 1);
//! let resource = ResourceAttributes::new(DataClass::Confidential, 1, "metrics");
//! let env = EnvironmentAttributes::from_timestamp(Utc::now(), "US");
//!
//! let decision = evaluator::evaluate(&policy, &user, &resource, &env);
//! // Decision depends on whether it is currently business hours (UTC)
//! ```

pub mod attributes;
pub mod evaluator;
pub mod policy;

// Kani proofs for bounded model checking
#[cfg(any(test, kani))]
mod kani_proofs;

pub use attributes::{EnvironmentAttributes, ResourceAttributes, UserAttributes};
pub use evaluator::{Decision, evaluate};
pub use policy::{AbacPolicy, Condition, Effect as PolicyEffect, Rule};

/// Errors raised when constructing or mutating an `AbacPolicy`.
#[derive(Debug, thiserror::Error, PartialEq, Eq)]
pub enum AbacError {
    /// A rule with this name already exists in the policy. Rule names
    /// serve as audit-log identifiers — duplicate names would create
    /// ambiguous audit trails.
    #[error("duplicate rule name: {0}")]
    DuplicateRuleName(String),
}