ockam_abac 0.80.0

Attribute based authorization control
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

use crate::abac::Abac;
use crate::PolicyAccessControl;
use core::fmt::{Debug, Formatter};
use ockam_core::compat::boxed::Box;
use ockam_core::{async_trait, RelayMessage};
use ockam_core::{OutgoingAccessControl, Result};
use ockam_node::Context;
use tracing::debug;

pub struct OutgoingPolicyAccessControl {
    pub(super) ctx: Context,
    pub(super) policy_access_control: PolicyAccessControl,
}

impl Debug for OutgoingPolicyAccessControl {
    fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result {
        f.debug_struct("OutgoingPolicyAccessControl")
            .field("policy_access_control", &self.policy_access_control)
            .finish()
    }
}

#[async_trait]
impl OutgoingAccessControl for OutgoingPolicyAccessControl {
    async fn is_authorized(&self, relay_msg: &RelayMessage) -> Result<bool> {
        // Load the policy expression for resource and action:
        let expression = if let Some(expr) = self
            .policy_access_control
            .policies
            .get_expression_for_resource(
                &self.policy_access_control.resource,
                &self.policy_access_control.action,
            )
            .await?
        {
            debug!("found the policy {expr:?} to be used for outgoing access control");
            expr
        } else {
            // If no expression exists for this resource and action, access is denied:
            debug! {
                resource = %self.policy_access_control.resource,
                action   = %self.policy_access_control.action,
                "no policy found; access denied"
            }
            return Ok(false);
        };

        let identifier = match Abac::get_outgoing_identifier(&self.ctx, relay_msg)? {
            Some(identifier) => identifier,
            None => {
                debug! {
                    policy = %expression,
                    "identity identifier not found; access denied"
                }

                return Ok(false);
            }
        };

        self.policy_access_control
            .abac
            .is_identity_authorized(&identifier, &expression)
            .await
    }
}