typesec-rbac 0.10.0

RBAC policy engine for typesec — YAML → typed enforcement
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

//! Code generator: RBAC YAML → Rust source.
//!
//! `typesec generate --policy rbac.yaml --out src/policy_gen.rs` calls
//! [`generate_rust`] and writes the result to a file.
//!
//! ## What gets generated?
//!
//! For each role in the YAML, the generator emits:
//!
//! ```rust,ignore
//! // Auto-generated by typesec-cli — DO NOT EDIT
//! use typesec_core::role::Role;
//!
//! pub struct Analyst;
//! impl Role for Analyst {
//!     fn name() -> &'static str { "analyst" }
//!     fn permission_names() -> &'static [&'static str] { &["read", "read_sensitive"] }
//!     fn resource_patterns() -> &'static [&'static str] { &["reports/*", "metrics/*"] }
//! }
//! ```
//!
//! These typed role structs let the compiler verify that the roles you reference
//! in application code actually exist in the policy file. If you rename a role in
//! YAML and regenerate, any code referencing the old name will fail to compile.

use crate::model::{RbacPolicy, walk_inheritance};

/// Generate Rust source code for the roles defined in `policy`.
///
/// The output is a complete `.rs` file ready to be `include!`'d or written to disk.
pub fn generate_rust(policy: &RbacPolicy) -> String {
    let mut out = String::new();

    out.push_str("// Auto-generated by typesec-cli — DO NOT EDIT\n");
    out.push_str("// Source: RBAC policy file\n");
    out.push_str("//\n");
    out.push_str("// Each struct below corresponds to a role in the policy YAML.\n");
    out.push_str("// Changing a role name in YAML and regenerating will cause compile\n");
    out.push_str("// errors in any code that references the old struct name — which is\n");
    out.push_str("// the point: the compiler enforces policy consistency.\n\n");
    out.push_str("#[allow(dead_code, non_camel_case_types)]\n");

    for role in &policy.roles {
        let struct_name = to_pascal_case(&role.name);

        out.push_str(&format!("/// Role `{}`.\n", role.name));
        if !role.permissions.is_empty() {
            out.push_str(&format!(
                "/// Permissions: {}.\n",
                role.permissions.join(", ")
            ));
        }
        if !role.resources.is_empty() {
            out.push_str(&format!("/// Resources: {}.\n", role.resources.join(", ")));
        }

        out.push_str("#[derive(Debug, Clone, Copy)]\n");
        out.push_str(&format!("pub struct {struct_name};\n\n"));

        out.push_str(&format!(
            "impl typesec_core::role::Role for {struct_name} {{\n"
        ));
        out.push_str(&format!(
            "    fn name() -> &'static str {{ {:?} }}\n",
            role.name
        ));

        // Build effective permission list (including inherited, flattened).
        let effective_perms = collect_all_permissions(&role.name, policy);
        let perms_literal = format_str_slice(&effective_perms);
        out.push_str(&format!(
            "    fn permission_names() -> &'static [&'static str] {{ &{perms_literal} }}\n"
        ));

        // Collect all resource patterns (own + inherited).
        let effective_resources = collect_all_resources(&role.name, policy);
        let resources_literal = format_str_slice(&effective_resources);
        out.push_str(&format!(
            "    fn resource_patterns() -> &'static [&'static str] {{ &{resources_literal} }}\n"
        ));

        out.push_str("}\n\n");
    }

    out
}

fn collect_all_permissions(role_name: &str, policy: &RbacPolicy) -> Vec<String> {
    let mut perms = std::collections::BTreeSet::new();
    let _ = walk_inheritance(role_name, policy, &mut |role| {
        perms.extend(role.permissions.iter().cloned());
    });
    perms.into_iter().collect()
}

fn collect_all_resources(role_name: &str, policy: &RbacPolicy) -> Vec<String> {
    let mut resources = std::collections::BTreeSet::new();
    let _ = walk_inheritance(role_name, policy, &mut |role| {
        resources.extend(role.resources.iter().cloned());
    });
    resources.into_iter().collect()
}

/// Convert `snake_case` or `kebab-case` to `PascalCase`.
fn to_pascal_case(s: &str) -> String {
    s.split(['_', '-'])
        .filter(|p| !p.is_empty())
        .map(|p| {
            let mut chars = p.chars();
            match chars.next() {
                None => String::new(),
                Some(c) => c.to_uppercase().collect::<String>() + chars.as_str(),
            }
        })
        .collect()
}

/// Format a `Vec<String>` as a Rust `[&'static str; N]` literal.
fn format_str_slice(items: &[String]) -> String {
    let inner: Vec<String> = items.iter().map(|s| format!("{s:?}")).collect();
    format!("[{}]", inner.join(", "))
}

#[cfg(test)]
mod tests;