nest-rs-authz 0.2.0

CASL-style authorization for nestrs: one ability definition driving an access gate, a SeaORM query pre-filter, and response field-masking. Transport bindings (`http`, `graphql`, `mcp`) live behind Cargo features; the database-coupled extractors (`Bind`, `bind`, `LoaderScope`, `WsDataContext`) live in `nest-rs-seaorm` so the engine stays free of a data-layer dependency.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

//! Fluent builder for `AbilityFactory`:
//! `ab.can(Action::Read, users::Entity).when(|p| …).fields([…])`.
//!
//! A [`RuleSpec`] commits on drop — the rule is finalized by ending the
//! statement, with no terminal call to forget.

use std::any::TypeId;

use sea_orm::{EntityTrait, IdenStatic};

use crate::ability::{Ability, FieldSet, Rule};
use crate::action::Action;
use crate::predicate::{Predicate, PredicateBuilder};

#[derive(Default)]
pub struct AbilityBuilder {
    ability: Ability,
}

impl AbilityBuilder {
    pub fn new() -> Self {
        Self::default()
    }

    /// Begin a grant. Narrow with [`when`](RuleSpec::when) / [`fields`](RuleSpec::fields).
    pub fn can<E>(&mut self, action: Action, _subject: E) -> RuleSpec<'_, E>
    where
        E: EntityTrait,
        E::Column: Send + Sync + 'static,
    {
        RuleSpec::new(self, action, false)
    }

    /// Begin a denial — a matching denial overrides a matching grant.
    pub fn cannot<E>(&mut self, action: Action, _subject: E) -> RuleSpec<'_, E>
    where
        E: EntityTrait,
        E::Column: Send + Sync + 'static,
    {
        RuleSpec::new(self, action, true)
    }

    pub fn build(self) -> Ability {
        self.ability
    }
}

/// One in-progress rule. Commits on drop — binding to a variable defers the
/// commit, and the builder cannot be reused while a spec is still alive.
pub struct RuleSpec<'a, E>
where
    E: EntityTrait,
    E::Column: Send + Sync + 'static,
{
    builder: &'a mut AbilityBuilder,
    action: Action,
    inverted: bool,
    predicate: Predicate<E>,
    fields: FieldSet,
}

impl<'a, E> RuleSpec<'a, E>
where
    E: EntityTrait,
    E::Column: Send + Sync + 'static,
{
    fn new(builder: &'a mut AbilityBuilder, action: Action, inverted: bool) -> Self {
        Self {
            builder,
            action,
            inverted,
            predicate: Predicate::Always,
            fields: FieldSet::All,
        }
    }

    /// `.when(|p| p.eq(users::Column::OrgId, actor.org_id))`.
    pub fn when(mut self, build: impl FnOnce(PredicateBuilder<E>) -> Predicate<E>) -> Self {
        self.predicate = build(PredicateBuilder::new());
        self
    }

    /// Restrict the rule to these columns — the response masker keeps only
    /// these fields. Without this, every field is permitted.
    pub fn fields(mut self, columns: impl IntoIterator<Item = E::Column>) -> Self {
        self.fields = FieldSet::Only(columns.into_iter().map(|c| c.as_str()).collect());
        self
    }
}

impl<'a, E> Drop for RuleSpec<'a, E>
where
    E: EntityTrait,
    E::Column: Send + Sync + 'static,
{
    fn drop(&mut self) {
        let condition = self.predicate.to_condition();
        let predicate = std::mem::take(&mut self.predicate);
        let fields = std::mem::take(&mut self.fields);
        self.builder.ability.add_rule(
            self.action,
            TypeId::of::<E>(),
            Rule {
                inverted: self.inverted,
                condition,
                predicate: Box::new(predicate),
                fields,
            },
        );
    }
}