Skip to main content

fraiseql_core/security/
mod.rs

1//! Security features
2//!
3//! This module provides core security infrastructure:
4//! - Security profiles (STANDARD, REGULATED)
5//! - Security headers configuration
6//! - Sensitive field masking for PII/regulated data
7//! - Field selection filtering for access control
8//! - Security error types
9//! - Authentication middleware (JWT, Auth0, Clerk)
10//! - OIDC/JWKS support for any OIDC-compliant provider
11//! - Query validation (depth, complexity)
12//! - Audit logging
13//! - TLS enforcement
14//! - Introspection control
15//! - Error formatting
16
17pub mod actor_type;
18pub mod audit;
19#[cfg(feature = "audit-syslog")]
20pub mod audit_export_syslog;
21#[cfg(feature = "audit-webhook")]
22pub mod audit_export_webhook;
23pub mod auth_middleware;
24pub mod authorizer;
25pub mod error_formatter;
26pub mod errors;
27pub mod field_authorizer;
28pub mod field_filter;
29pub mod field_masking;
30pub mod headers;
31pub mod introspection_enforcer;
32pub mod kms;
33pub mod oidc;
34pub mod profiles;
35pub mod query_validator;
36pub mod rls_policy;
37pub mod security_context;
38pub mod tls_enforcer;
39pub mod validation_audit;
40
41// Re-export key types for convenience
42pub use actor_type::{ActorType, derive_actor};
43pub use audit::{
44    AuditEntry, AuditExportConfig, AuditExporter, AuditLevel, AuditLogger, AuditStats,
45    SyslogExportConfig, WebhookExportConfig,
46};
47#[cfg(feature = "audit-syslog")]
48pub use audit_export_syslog::SyslogAuditExporter;
49#[cfg(feature = "audit-webhook")]
50pub use audit_export_webhook::WebhookAuditExporter;
51pub use auth_middleware::{AuthConfig, AuthMiddleware, AuthRequest, AuthenticatedUser, SigningKey};
52pub use authorizer::{Authorizer, AuthzDecision, AuthzRequest, OperationKind};
53pub use error_formatter::{DetailLevel, ErrorFormatter};
54pub use errors::SecurityError;
55pub use field_authorizer::{FieldAuthorizer, FieldAuthzDecision, FieldAuthzRequest};
56pub use field_filter::{FieldAccessError, FieldFilter, FieldFilterBuilder, FieldFilterConfig};
57pub use field_masking::{FieldMasker, FieldSensitivity};
58pub use headers::SecurityHeaders;
59pub use introspection_enforcer::{IntrospectionEnforcer, IntrospectionPolicy};
60pub use kms::{
61    BaseKmsProvider, DataKeyPair, EncryptedData, KeyPurpose, KeyReference, KeyState, KmsError,
62    KmsResult, RotationPolicy, VaultConfig, VaultKmsProvider,
63};
64pub use oidc::{OidcConfig, OidcValidator};
65pub use profiles::SecurityProfile;
66pub use query_validator::{QueryValidator, QueryValidatorConfig};
67pub use rls_policy::{CompiledRLSPolicy, DefaultRLSPolicy, NoRLSPolicy, RLSPolicy, RlsWhereClause};
68pub use security_context::SecurityContext;
69pub use tls_enforcer::{TlsConfig, TlsConnection, TlsEnforcer, TlsVersion};
70pub use validation_audit::{
71    RedactionPolicy, ValidationAuditEntry, ValidationAuditLogger, ValidationAuditLoggerConfig,
72};
73
74pub use crate::graphql::complexity::QueryMetrics;
75
76#[cfg(test)]
77mod tests;