secure_authz 0.1.0

Deny-by-default authorization with RBAC, ABAC, tenant isolation, and web middleware.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

//! Minimal runnable demonstration of
//! `secure_authz::testing::assert_every_route_has_policy`.
//!
//! Build & run:
//!
//! ```sh
//! cargo run --example route_coverage -p secure_authz
//! ```
//!
//! The example defines a tiny catalogue of three routes, two fixtures
//! (reader, editor), and an authorizer configured with a deliberate
//! coverage gap. The helper identifies the unmapped route and prints a
//! diagnostic a CI pipeline can fail on.

use std::pin::Pin;
use std::sync::{Arc, Mutex};

use secure_authz::action::Action;
use secure_authz::decision::{Decision, DenyReason};
use secure_authz::enforcer::Authorizer;
use secure_authz::resource::ResourceRef;
use secure_authz::subject::Subject;
use secure_authz::testing::{assert_every_route_has_policy, PolicyFixture, RouteDescriptor};

struct RuleAuthorizer {
    rules: Arc<Mutex<Vec<(String, String, String)>>>,
}

impl Authorizer for RuleAuthorizer {
    fn authorize<'a>(
        &'a self,
        subject: &'a Subject,
        action: &'a Action,
        resource: &'a ResourceRef,
    ) -> Pin<Box<dyn std::future::Future<Output = Decision> + Send + 'a>> {
        let rules = self.rules.clone();
        let resource_kind = resource.kind.clone();
        let action_str = action.to_string();
        let roles: Vec<String> = subject.roles.iter().cloned().collect();
        Box::pin(async move {
            let rules = rules.lock().unwrap();
            for role in &roles {
                if rules
                    .iter()
                    .any(|(r, a, ro)| r == &resource_kind && a == &action_str && ro == role)
                {
                    return Decision::Allow {
                        obligations: vec![],
                    };
                }
            }
            Decision::Deny {
                reason: DenyReason::NoPolicyMatch,
            }
        })
    }
}

fn main() {
    let authz = RuleAuthorizer {
        rules: Arc::new(Mutex::new(vec![
            // Policy for /articles (read) — covered.
            ("article".to_owned(), "read".to_owned(), "reader".to_owned()),
            // Policy for /articles (write) — covered.
            (
                "article".to_owned(),
                "write".to_owned(),
                "editor".to_owned(),
            ),
            // Intentionally NO policy for /admin/users (delete) — uncovered gap.
        ])),
    };

    let routes = vec![
        RouteDescriptor {
            method: "GET".to_owned(),
            path: "/articles".to_owned(),
            action: Action::Read,
            resource: ResourceRef::new("article"),
        },
        RouteDescriptor {
            method: "POST".to_owned(),
            path: "/articles".to_owned(),
            action: Action::Write,
            resource: ResourceRef::new("article"),
        },
        RouteDescriptor {
            method: "DELETE".to_owned(),
            path: "/admin/users/{id}".to_owned(),
            action: Action::Delete,
            resource: ResourceRef::new("admin_user"),
        },
    ];

    let fixtures = vec![
        PolicyFixture {
            subject: Subject {
                actor_id: "fixture-reader".to_owned(),
                tenant_id: None,
                roles: smallvec::smallvec!["reader".to_owned()],
                attributes: Default::default(),
            },
        },
        PolicyFixture {
            subject: Subject {
                actor_id: "fixture-editor".to_owned(),
                tenant_id: None,
                roles: smallvec::smallvec!["editor".to_owned()],
                attributes: Default::default(),
            },
        },
    ];

    match assert_every_route_has_policy(&authz, &routes, &fixtures) {
        Ok(()) => {
            println!("all routes covered");
        }
        Err(unmapped) => {
            eprintln!(
                "\nroute-policy coverage failed for {} route(s):",
                unmapped.len()
            );
            for u in &unmapped {
                eprintln!(
                    "  - {} {} (action={}, resource={}): {}",
                    u.route.method, u.route.path, u.route.action, u.route.resource.kind, u.reason
                );
            }
            // In real CI this would be `std::process::exit(1)`.
            eprintln!("\nexiting 0 so the example runs to completion, but CI would fail here.");
        }
    }
}