typesec-odrl 0.3.0

ODRL policy engine for typesec — W3C digital rights language subset
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

//! Audit log types for ODRL policy decisions.

use tracing::info;

use crate::model::OdrlRuleType;

/// A structured audit record for a single ODRL policy check.
#[derive(Debug)]
pub struct OdrlAuditEvent {
    /// The policy UID that produced this verdict.
    pub policy_uid: String,
    /// The matched rule type (or `None` if no rule matched).
    pub matched_rule: Option<OdrlRuleType>,
    /// The subject making the request.
    pub subject: String,
    /// The action requested.
    pub action: String,
    /// The target resource.
    pub target: String,
    /// The final verdict.
    pub verdict: OdrlVerdict,
    /// Constraint evaluation results.
    pub constraint_results: Vec<ConstraintEval>,
}

/// Verdict of an ODRL check.
#[derive(Debug, Clone)]
pub enum OdrlVerdict {
    /// A permission rule matched and all constraints passed.
    Permitted,
    /// A prohibition rule matched and all constraints passed (action blocked).
    Prohibited {
        /// Human-readable reason explaining why the action is prohibited.
        reason: String,
    },
    /// No matching rule found.
    NotApplicable,
    /// A permission rule matched but one or more constraints failed.
    ConstraintFailed {
        /// Description of the constraint that failed.
        constraint: String,
    },
}

/// Record of a single constraint's evaluation.
#[derive(Debug, Clone)]
pub struct ConstraintEval {
    /// The left operand (e.g., `"purpose"`).
    pub operand: String,
    /// Whether it passed.
    pub passed: bool,
}

impl OdrlAuditEvent {
    /// Emit this event to the `tracing` subscriber.
    pub fn log(&self) {
        let verdict_str = match &self.verdict {
            OdrlVerdict::Permitted => "permitted".to_owned(),
            OdrlVerdict::Prohibited { reason } => format!("prohibited: {reason}"),
            OdrlVerdict::NotApplicable => "not_applicable".to_owned(),
            OdrlVerdict::ConstraintFailed { constraint } => {
                format!("constraint_failed: {constraint}")
            }
        };

        info!(
            policy = %self.policy_uid,
            subject = %self.subject,
            action = %self.action,
            target = %self.target,
            verdict = %verdict_str,
            "odrl policy decision"
        );
    }
}