laye 0.1.0

A framework-agnostic role and permission based access control library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299

#![cfg(feature = "actix-web")]

use actix_web::dev::Service;
use actix_web::test::{call_service, init_service, TestRequest};
use actix_web::{web, App, HttpMessage, HttpResponse};

use laye::actix::{AuthPrincipal, MaybeAuthPrincipal};
use laye::principal::Principal;
use laye::{AccessPolicy, AccessRule};

#[derive(Clone)]
struct TestUser {
    roles: Vec<String>,
    permissions: Vec<String>,
    authenticated: bool,
}

impl TestUser {
    fn new(roles: &[&str]) -> Self {
        Self {
            roles: roles.iter().map(|s| s.to_string()).collect(),
            permissions: vec![],
            authenticated: true,
        }
    }

    fn with_permissions(roles: &[&str], permissions: &[&str]) -> Self {
        Self {
            roles: roles.iter().map(|s| s.to_string()).collect(),
            permissions: permissions.iter().map(|s| s.to_string()).collect(),
            authenticated: true,
        }
    }
}

impl Principal for TestUser {
    fn roles(&self) -> &[String] {
        &self.roles
    }
    fn permissions(&self) -> &[String] {
        &self.permissions
    }
    fn is_authenticated(&self) -> bool {
        self.authenticated
    }
}

#[actix_web::test]
async fn middleware_allows_request_when_policy_passes() {
    let policy = AccessPolicy::require_all().add_rule(AccessRule::Role("admin".into()));
    let user = TestUser::new(&["admin"]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 200, "admin should get 200");
}

#[actix_web::test]
async fn middleware_returns_403_when_role_missing() {
    let policy = AccessPolicy::require_all().add_rule(AccessRule::Role("admin".into()));
    let user = TestUser::new(&[]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 403, "missing role should get 403");
}

#[actix_web::test]
async fn middleware_returns_401_when_no_principal_in_extensions() {
    let policy = AccessPolicy::require_all().add_rule(AccessRule::Authenticated);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 401, "no principal should get 401");
}

#[actix_web::test]
async fn auth_principal_extractor_injects_principal_into_handler() {
    let policy = AccessPolicy::require_all().add_rule(AccessRule::Authenticated);
    let user = TestUser::new(&["user"]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route(
                "/",
                web::get().to(|p: AuthPrincipal<TestUser>| async move {
                    assert!(p.0.has_role("user"), "extracted user should have 'user' role");
                    HttpResponse::Ok().finish()
                }),
            ),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 200, "handler should receive principal and return 200");
}

#[actix_web::test]
async fn auth_principal_extractor_returns_401_when_missing() {
    let policy = AccessPolicy::require_all().add_rule(AccessRule::Guest);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .route(
                "/",
                web::get()
                    .to(|_: AuthPrincipal<TestUser>| async { HttpResponse::Ok().finish() }),
            ),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 401, "missing principal in extractor should return 401");
}

#[actix_web::test]
async fn maybe_auth_principal_returns_some_when_present() {
    let policy = AccessPolicy::require_all().add_rule(AccessRule::Authenticated);
    let user = TestUser::new(&[]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route(
                "/",
                web::get().to(|m: MaybeAuthPrincipal<TestUser>| async move {
                    assert!(m.0.is_some(), "MaybeAuthPrincipal should be Some when extension present");
                    HttpResponse::Ok().finish()
                }),
            ),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 200, "should succeed");
}

#[actix_web::test]
async fn maybe_auth_principal_returns_none_when_absent() {
    let policy = AccessPolicy::require_all().add_rule(AccessRule::Guest);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .route(
                "/",
                web::get().to(|m: MaybeAuthPrincipal<TestUser>| async move {
                    assert!(m.0.is_none(), "MaybeAuthPrincipal should be None when no extension");
                    HttpResponse::Ok().finish()
                }),
            ),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 200, "guest route with no principal should succeed");
}

#[actix_web::test]
async fn and_policy_blocks_when_one_condition_fails() {
    let policy = AccessPolicy::require_all()
        .add_rule(AccessRule::Authenticated)
        .add_rule(AccessRule::Role("admin".into()));
    let user = TestUser::new(&["user"]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 403, "AND policy should block when role condition fails");
}

#[actix_web::test]
async fn not_role_allows_user_without_banned_role() {
    let policy = AccessPolicy::require_all()
        .add_rule(AccessRule::Authenticated)
        .add_rule(AccessRule::NotRole("banned".into()));
    let user = TestUser::new(&["editor"]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 200, "user without banned role should get 200");
}

#[actix_web::test]
async fn not_role_blocks_user_with_banned_role() {
    let policy = AccessPolicy::require_all()
        .add_rule(AccessRule::Authenticated)
        .add_rule(AccessRule::NotRole("banned".into()));
    let user = TestUser::new(&["editor", "banned"]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 403, "user with banned role should get 403");
}

#[actix_web::test]
async fn not_permission_allows_user_without_restricted_permission() {
    let policy = AccessPolicy::require_all()
        .add_rule(AccessRule::Authenticated)
        .add_rule(AccessRule::NotPermission("delete".into()));
    let user = TestUser::with_permissions(&[], &["read"]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 200, "user without delete permission should get 200");
}

#[actix_web::test]
async fn not_permission_blocks_user_with_restricted_permission() {
    let policy = AccessPolicy::require_all()
        .add_rule(AccessRule::Authenticated)
        .add_rule(AccessRule::NotPermission("delete".into()));
    let user = TestUser::with_permissions(&[], &["read", "delete"]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 403, "user with delete permission should get 403");
}

#[actix_web::test]
async fn or_policy_allows_when_one_condition_passes() {
    let policy = AccessPolicy::require_any()
        .add_rule(AccessRule::Role("admin".into()))
        .add_rule(AccessRule::Role("editor".into()));
    let user = TestUser::new(&["editor"]);
    let app = init_service(
        App::new()
            .wrap(policy.into_actix_middleware::<TestUser>())
            .wrap_fn(move |req, srv| {
                req.extensions_mut().insert(user.clone());
                srv.call(req)
            })
            .route("/", web::get().to(|| async { HttpResponse::Ok().finish() })),
    )
    .await;
    let res = call_service(&app, TestRequest::get().uri("/").to_request()).await;
    assert_eq!(res.status(), 200, "OR policy should allow when one role matches");
}