pandrs 0.3.0

A high-performance DataFrame library for Rust, providing pandas-like API with advanced features including SIMD optimization, parallel processing, and distributed computing capabilities
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320

//! Permission schema definitions for ReBAC
//!
//! This module provides schema definitions that describe how permissions
//! are computed from relationships (similar to Zanzibar, Auth0 FGA).

use serde::{Deserialize, Serialize};
use std::collections::HashMap;

/// Permission schema defining how relations work
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PermissionSchema {
    /// Type definitions (e.g., "document", "folder")
    pub types: HashMap<String, TypeDefinition>,
}

impl PermissionSchema {
    /// Create a new empty schema
    pub fn new() -> Self {
        PermissionSchema {
            types: HashMap::new(),
        }
    }

    /// Add a type definition
    pub fn add_type(&mut self, name: impl Into<String>, type_def: TypeDefinition) {
        self.types.insert(name.into(), type_def);
    }

    /// Get a type definition
    pub fn get_type(&self, name: &str) -> Option<&TypeDefinition> {
        self.types.get(name)
    }

    /// Create a default schema for common patterns
    pub fn default_schema() -> Self {
        let mut schema = Self::new();

        // Document type
        let mut document_type = TypeDefinition::new();
        document_type.add_relation(
            "owner",
            RelationDefinition {
                description: Some("Direct owner of the document".to_string()),
                rewrite: RewriteRule::This,
            },
        );
        document_type.add_relation(
            "editor",
            RelationDefinition {
                description: Some("Can edit the document (includes owners)".to_string()),
                rewrite: RewriteRule::Union(vec![
                    RewriteRule::This,
                    RewriteRule::ComputedUserset {
                        relation: "owner".to_string(),
                    },
                ]),
            },
        );
        document_type.add_relation(
            "viewer",
            RelationDefinition {
                description: Some("Can view the document (includes editors)".to_string()),
                rewrite: RewriteRule::Union(vec![
                    RewriteRule::This,
                    RewriteRule::ComputedUserset {
                        relation: "editor".to_string(),
                    },
                ]),
            },
        );
        schema.add_type("document", document_type);

        // Folder type
        let mut folder_type = TypeDefinition::new();
        folder_type.add_relation(
            "owner",
            RelationDefinition {
                description: Some("Direct owner of the folder".to_string()),
                rewrite: RewriteRule::This,
            },
        );
        folder_type.add_relation(
            "viewer",
            RelationDefinition {
                description: Some("Can view the folder".to_string()),
                rewrite: RewriteRule::Union(vec![
                    RewriteRule::This,
                    RewriteRule::ComputedUserset {
                        relation: "owner".to_string(),
                    },
                ]),
            },
        );
        schema.add_type("folder", folder_type);

        // Team type
        let mut team_type = TypeDefinition::new();
        team_type.add_relation(
            "member",
            RelationDefinition {
                description: Some("Member of the team".to_string()),
                rewrite: RewriteRule::This,
            },
        );
        team_type.add_relation(
            "admin",
            RelationDefinition {
                description: Some("Administrator of the team".to_string()),
                rewrite: RewriteRule::This,
            },
        );
        schema.add_type("team", team_type);

        // Tenant type
        let mut tenant_type = TypeDefinition::new();
        tenant_type.add_relation(
            "admin",
            RelationDefinition {
                description: Some("Administrator of the tenant".to_string()),
                rewrite: RewriteRule::This,
            },
        );
        tenant_type.add_relation(
            "manager",
            RelationDefinition {
                description: Some("Manager in the tenant".to_string()),
                rewrite: RewriteRule::This,
            },
        );
        tenant_type.add_relation(
            "member",
            RelationDefinition {
                description: Some("Member of the tenant".to_string()),
                rewrite: RewriteRule::Union(vec![
                    RewriteRule::This,
                    RewriteRule::ComputedUserset {
                        relation: "admin".to_string(),
                    },
                    RewriteRule::ComputedUserset {
                        relation: "manager".to_string(),
                    },
                ]),
            },
        );
        schema.add_type("tenant", tenant_type);

        schema
    }
}

impl Default for PermissionSchema {
    fn default() -> Self {
        Self::default_schema()
    }
}

/// Type definition in the schema
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TypeDefinition {
    /// Relations defined for this type
    pub relations: HashMap<String, RelationDefinition>,
}

impl TypeDefinition {
    /// Create a new type definition
    pub fn new() -> Self {
        TypeDefinition {
            relations: HashMap::new(),
        }
    }

    /// Add a relation definition
    pub fn add_relation(&mut self, name: impl Into<String>, relation: RelationDefinition) {
        self.relations.insert(name.into(), relation);
    }

    /// Get a relation definition
    pub fn get_relation(&self, name: &str) -> Option<&RelationDefinition> {
        self.relations.get(name)
    }
}

impl Default for TypeDefinition {
    fn default() -> Self {
        Self::new()
    }
}

/// Relation definition describing how a relation is computed
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RelationDefinition {
    /// Description of this relation
    pub description: Option<String>,
    /// Rewrite rule for computing this relation
    pub rewrite: RewriteRule,
}

/// Rewrite rules define how permissions are computed
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum RewriteRule {
    /// Direct relation (this)
    This,

    /// Computed userset: derive from another relation
    ComputedUserset {
        /// Relation name to compute from
        relation: String,
    },

    /// Tuple to userset: follow a relation and then check another relation
    TupleToUserset {
        /// Tupleset relation to follow
        tupleset_relation: String,
        /// Computed userset relation to check
        computed_relation: String,
    },

    /// Union: subject has permission if ANY of the rules match
    Union(Vec<RewriteRule>),

    /// Intersection: subject has permission if ALL of the rules match
    Intersection(Vec<RewriteRule>),

    /// Exclusion: subject has permission from base but not in exclusion
    Exclusion {
        /// Base rule
        base: Box<RewriteRule>,
        /// Exclusion rule
        subtract: Box<RewriteRule>,
    },
}

impl RewriteRule {
    /// Check if this is a simple "This" rule
    pub fn is_this(&self) -> bool {
        matches!(self, RewriteRule::This)
    }

    /// Check if this is a union rule
    pub fn is_union(&self) -> bool {
        matches!(self, RewriteRule::Union(_))
    }

    /// Check if this is a computed userset
    pub fn is_computed_userset(&self) -> bool {
        matches!(self, RewriteRule::ComputedUserset { .. })
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_schema_creation() {
        let schema = PermissionSchema::default_schema();

        // Check document type exists
        let doc_type = schema.get_type("document");
        assert!(doc_type.is_some());

        let doc_type = doc_type.expect("document type should exist");

        // Check owner relation
        let owner_rel = doc_type.get_relation("owner");
        assert!(owner_rel.is_some());

        // Check viewer relation
        let viewer_rel = doc_type.get_relation("viewer");
        assert!(viewer_rel.is_some());

        let viewer_rel = viewer_rel.expect("viewer relation should exist");
        assert!(viewer_rel.rewrite.is_union());
    }

    #[test]
    fn test_custom_schema() {
        let mut schema = PermissionSchema::new();

        let mut my_type = TypeDefinition::new();
        my_type.add_relation(
            "admin",
            RelationDefinition {
                description: Some("Administrator".to_string()),
                rewrite: RewriteRule::This,
            },
        );

        schema.add_type("my_resource", my_type);

        let resource_type = schema.get_type("my_resource");
        assert!(resource_type.is_some());
    }

    #[test]
    fn test_rewrite_rule_checks() {
        let this_rule = RewriteRule::This;
        assert!(this_rule.is_this());

        let union_rule = RewriteRule::Union(vec![RewriteRule::This]);
        assert!(union_rule.is_union());

        let computed_rule = RewriteRule::ComputedUserset {
            relation: "owner".to_string(),
        };
        assert!(computed_rule.is_computed_userset());
    }

    #[test]
    fn test_default_schema_types() {
        let schema = PermissionSchema::default_schema();

        // Verify all default types exist
        assert!(schema.get_type("document").is_some());
        assert!(schema.get_type("folder").is_some());
        assert!(schema.get_type("team").is_some());
        assert!(schema.get_type("tenant").is_some());
    }
}