Module auth

Authentication and authorization primitives shared across services.

This module defines the opt-in modes for SigV4 signature verification and IAM policy enforcement, plus the reserved “root bypass” identity that short-circuits both checks when enabled.

Neither feature is enforced at this layer — the types are plumbed through crate::dispatch::DispatchConfig and consulted later by dispatch and service handlers once the corresponding batches land. See /docs/reference/security (added in a later batch) for the user-facing contract.

Structs

ConditionContext
Request-time values consulted when a policy statement carries a Condition block. Populated at dispatch time from the resolved Principal and the incoming HTTP request, then handed to IamPolicyEvaluator::evaluate.
IamAction
One IAM action that the dispatch layer should evaluate against the caller’s effective policy set.
MultiResourcePolicyProvider
Composite ResourcePolicyProvider that delegates to a list of sub-providers in order, returning the first Some hit.
ParseIamModeError
Parse error for IamMode from string.
Principal
Identity of the caller making a request, once its credentials have been resolved. Attached to crate::service::AwsRequest::principal so handlers can make identity-based decisions without re-parsing the Authorization header.
ResolvedCredential
Credentials resolved from an access key ID.

Enums

IamDecision
Result of evaluating a request against an identity’s effective policy set. Abstract over the concrete evaluator Decision in fakecloud-iam::evaluator so fakecloud-core can consume it without depending on fakecloud-iam.
IamMode
How IAM identity policies are evaluated for incoming requests.
PrincipalType
Kind of principal a set of credentials resolves to.

Traits

CredentialResolver
Abstraction over “given an access key ID, return the secret and resolved principal.” Implemented by the IAM crate against IamState; the core crate depends only on the trait so there’s no circular dependency.
IamPolicyEvaluator
Abstraction over “given a principal, an action, and request-time condition keys, say Allow / Deny”. Implemented by fakecloud-iam against IamState + the evaluator. Dispatch calls this for every request when FAKECLOUD_IAM != off and the target service opts in.
ResourcePolicyProvider
Abstraction over “given a service + a fully-qualified resource ARN, return the resource-based policy attached to that resource, if any.”
ScpResolver
Abstraction over “given a principal, return the inherited SCP documents that form the top-of-chain allow-list ceiling for the principal’s account”. Implemented by fakecloud-organizations.

Functions

is_root_bypass
Reserved root-identity convention.