fraiseql_core/security/security_context.rs
1//! Security context for runtime authorization
2//!
3//! This module provides the `SecurityContext` struct that flows through the executor,
4//! carrying information about the authenticated user and their permissions.
5//!
6//! The security context is extracted from:
7//! - JWT claims (user_id from 'sub', roles from 'roles', etc.)
8//! - HTTP headers (request_id, tenant_id, etc.)
9//! - Configuration (OAuth provider, scopes, etc.)
10//!
11//! # Architecture
12//!
13//! ```text
14//! HTTP Request with Authorization header
15//! ↓
16//! AuthMiddleware → AuthenticatedUser
17//! ↓
18//! SecurityContext (created from AuthenticatedUser + request metadata)
19//! ↓
20//! Executor (with context available for RLS policy evaluation)
21//! ```
22//!
23//! # RLS Integration
24//!
25//! The SecurityContext is passed to RLSPolicy::evaluate() to determine what
26//! rows a user can access. Policies are compiled into schema.compiled.json
27//! and evaluated at runtime with the SecurityContext.
28
29use std::collections::HashMap;
30
31use chrono::{DateTime, Utc};
32use serde::{Deserialize, Serialize};
33
34use crate::security::AuthenticatedUser;
35
36/// Security context for authorization evaluation.
37///
38/// Carries information about the authenticated user and their permissions
39/// throughout the request lifecycle.
40///
41/// # Fields
42///
43/// - `user_id`: Unique identifier for the authenticated user (from JWT 'sub' claim)
44/// - `roles`: User's roles (e.g., ["admin", "moderator"], from JWT 'roles' claim)
45/// - `tenant_id`: Organization/tenant identifier for multi-tenant systems
46/// - `scopes`: OAuth/permission scopes (e.g., ["read:user", "write:post"])
47/// - `attributes`: Custom claims from JWT (e.g., department, region, tier)
48/// - `request_id`: Correlation ID for audit logging and tracing
49/// - `ip_address`: Client IP address for geolocation and fraud detection
50/// - `authenticated_at`: When the JWT was issued
51/// - `expires_at`: When the JWT expires
52/// - `issuer`: Token issuer for multi-issuer systems
53/// - `audience`: Token audience for validation
54#[derive(Debug, Clone, Serialize, Deserialize)]
55pub struct SecurityContext {
56 /// User ID (from JWT 'sub' claim)
57 pub user_id: String,
58
59 /// User's roles (e.g., ["admin", "moderator"])
60 ///
61 /// Extracted from JWT 'roles' claim or derived from other claims.
62 /// Used for role-based access control (RBAC) decisions.
63 pub roles: Vec<String>,
64
65 /// Tenant/organization ID (for multi-tenancy)
66 ///
67 /// When present, RLS policies can enforce tenant isolation.
68 /// Extracted from JWT 'tenant_id' or X-Tenant-Id header.
69 pub tenant_id: Option<String>,
70
71 /// OAuth/permission scopes
72 ///
73 /// Format: `{action}:{resource}` or `{action}:{type}.{field}`
74 /// Examples:
75 /// - `read:user`
76 /// - `write:post`
77 /// - `read:User.email`
78 /// - `admin:*`
79 ///
80 /// Extracted from JWT 'scope' claim.
81 pub scopes: Vec<String>,
82
83 /// Custom attributes from JWT claims
84 ///
85 /// Arbitrary key-value pairs from JWT payload.
86 /// Examples: "department", "region", "tier", "country"
87 ///
88 /// Used by custom RLS policies that need domain-specific attributes.
89 pub attributes: HashMap<String, serde_json::Value>,
90
91 /// Request correlation ID for audit trails
92 ///
93 /// Extracted from X-Request-Id header or generated.
94 /// Used for tracing and audit logging across services.
95 pub request_id: String,
96
97 /// Client IP address
98 ///
99 /// Extracted from X-Forwarded-For or connection socket.
100 /// Used for geolocation and fraud detection in RLS policies.
101 pub ip_address: Option<String>,
102
103 /// When the JWT was issued
104 pub authenticated_at: DateTime<Utc>,
105
106 /// When the JWT expires
107 pub expires_at: DateTime<Utc>,
108
109 /// Token issuer (for multi-issuer systems)
110 pub issuer: Option<String>,
111
112 /// Token audience (for audience validation)
113 pub audience: Option<String>,
114}
115
116impl SecurityContext {
117 /// Create a security context from an authenticated user and request metadata.
118 ///
119 /// # Arguments
120 ///
121 /// * `user` - Authenticated user from JWT validation
122 /// * `request_id` - Correlation ID for this request
123 ///
124 /// # Example
125 ///
126 /// ```ignore
127 /// let context = SecurityContext::from_user(authenticated_user, "req-123")?;
128 /// ```
129 pub fn from_user(user: AuthenticatedUser, request_id: String) -> Self {
130 SecurityContext {
131 user_id: user.user_id.clone(),
132 roles: vec![], // Will be populated from JWT claims
133 tenant_id: None,
134 scopes: user.scopes.clone(),
135 attributes: HashMap::new(),
136 request_id,
137 ip_address: None,
138 authenticated_at: Utc::now(),
139 expires_at: user.expires_at,
140 issuer: None,
141 audience: None,
142 }
143 }
144
145 /// Check if the user has a specific role.
146 ///
147 /// # Arguments
148 ///
149 /// * `role` - Role name to check (e.g., "admin", "moderator")
150 ///
151 /// # Returns
152 ///
153 /// `true` if the user has the specified role, `false` otherwise.
154 #[must_use]
155 pub fn has_role(&self, role: &str) -> bool {
156 self.roles.iter().any(|r| r == role)
157 }
158
159 /// Check if the user has a specific scope.
160 ///
161 /// Supports wildcards: `admin:*` matches any admin scope.
162 ///
163 /// # Arguments
164 ///
165 /// * `scope` - Scope to check (e.g., "read:user", "write:post")
166 ///
167 /// # Returns
168 ///
169 /// `true` if the user has the specified scope, `false` otherwise.
170 #[must_use]
171 pub fn has_scope(&self, scope: &str) -> bool {
172 self.scopes.iter().any(|s| {
173 if s == scope {
174 return true;
175 }
176 // Support wildcard matching: "admin:*" matches "admin:read"
177 if s.ends_with(':') {
178 scope.starts_with(s)
179 } else if s.ends_with("*") {
180 let prefix = &s[..s.len() - 1];
181 scope.starts_with(prefix)
182 } else {
183 false
184 }
185 })
186 }
187
188 /// Get a custom attribute from the JWT claims.
189 ///
190 /// # Arguments
191 ///
192 /// * `key` - Attribute name
193 ///
194 /// # Returns
195 ///
196 /// The attribute value if present, `None` otherwise.
197 #[must_use]
198 pub fn get_attribute(&self, key: &str) -> Option<&serde_json::Value> {
199 self.attributes.get(key)
200 }
201
202 /// Check if the token has expired.
203 ///
204 /// # Returns
205 ///
206 /// `true` if the JWT has expired, `false` otherwise.
207 #[must_use]
208 pub fn is_expired(&self) -> bool {
209 self.expires_at <= Utc::now()
210 }
211
212 /// Get time until expiry in seconds.
213 ///
214 /// # Returns
215 ///
216 /// Seconds until JWT expiry, negative if already expired.
217 #[must_use]
218 pub fn ttl_secs(&self) -> i64 {
219 (self.expires_at - Utc::now()).num_seconds()
220 }
221
222 /// Check if the user is an admin.
223 ///
224 /// # Returns
225 ///
226 /// `true` if the user has the "admin" role, `false` otherwise.
227 #[must_use]
228 pub fn is_admin(&self) -> bool {
229 self.has_role("admin")
230 }
231
232 /// Check if the context has a tenant ID (multi-tenancy enabled).
233 ///
234 /// # Returns
235 ///
236 /// `true` if tenant_id is present, `false` otherwise.
237 #[must_use]
238 pub fn is_multi_tenant(&self) -> bool {
239 self.tenant_id.is_some()
240 }
241
242 /// Set or override a role (for testing or runtime role modification).
243 pub fn with_role(mut self, role: String) -> Self {
244 self.roles.push(role);
245 self
246 }
247
248 /// Set or override scopes (for testing or runtime permission modification).
249 pub fn with_scopes(mut self, scopes: Vec<String>) -> Self {
250 self.scopes = scopes;
251 self
252 }
253
254 /// Set tenant ID (for multi-tenancy).
255 pub fn with_tenant(mut self, tenant_id: String) -> Self {
256 self.tenant_id = Some(tenant_id);
257 self
258 }
259
260 /// Set a custom attribute (for testing or runtime attribute addition).
261 pub fn with_attribute(mut self, key: String, value: serde_json::Value) -> Self {
262 self.attributes.insert(key, value);
263 self
264 }
265
266 /// Check if user can access a field based on role definitions.
267 ///
268 /// Takes a required scope and checks if any of the user's roles grant that scope.
269 ///
270 /// # Arguments
271 ///
272 /// * `security_config` - Security config from compiled schema with role definitions
273 /// * `required_scope` - Scope required to access the field (e.g., "read:User.email")
274 ///
275 /// # Returns
276 ///
277 /// `true` if user's roles grant the required scope, `false` otherwise.
278 ///
279 /// # Example
280 ///
281 /// ```ignore
282 /// let config = SecurityConfig::new();
283 /// let can_access = context.can_access_scope(&config, "read:User.email")?;
284 /// ```
285 #[must_use]
286 pub fn can_access_scope(
287 &self,
288 security_config: &crate::schema::SecurityConfig,
289 required_scope: &str,
290 ) -> bool {
291 // Check if any of user's roles grant this scope
292 self.roles
293 .iter()
294 .any(|role_name| security_config.role_has_scope(role_name, required_scope))
295 }
296}
297
298impl std::fmt::Display for SecurityContext {
299 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
300 write!(
301 f,
302 "SecurityContext(user_id={}, roles={:?}, scopes={}, tenant={:?})",
303 self.user_id,
304 self.roles,
305 self.scopes.len(),
306 self.tenant_id
307 )
308 }
309}
310
311#[cfg(test)]
312mod tests {
313 use super::*;
314
315 #[test]
316 fn test_has_role() {
317 let context = SecurityContext {
318 user_id: "user123".to_string(),
319 roles: vec!["admin".to_string(), "moderator".to_string()],
320 tenant_id: None,
321 scopes: vec![],
322 attributes: HashMap::new(),
323 request_id: "req-1".to_string(),
324 ip_address: None,
325 authenticated_at: Utc::now(),
326 expires_at: Utc::now() + chrono::Duration::hours(1),
327 issuer: None,
328 audience: None,
329 };
330
331 assert!(context.has_role("admin"));
332 assert!(context.has_role("moderator"));
333 assert!(!context.has_role("superadmin"));
334 }
335
336 #[test]
337 fn test_has_scope() {
338 let context = SecurityContext {
339 user_id: "user123".to_string(),
340 roles: vec![],
341 tenant_id: None,
342 scopes: vec!["read:user".to_string(), "write:post".to_string()],
343 attributes: HashMap::new(),
344 request_id: "req-1".to_string(),
345 ip_address: None,
346 authenticated_at: Utc::now(),
347 expires_at: Utc::now() + chrono::Duration::hours(1),
348 issuer: None,
349 audience: None,
350 };
351
352 assert!(context.has_scope("read:user"));
353 assert!(context.has_scope("write:post"));
354 assert!(!context.has_scope("admin:*"));
355 }
356
357 #[test]
358 fn test_wildcard_scopes() {
359 let context = SecurityContext {
360 user_id: "user123".to_string(),
361 roles: vec![],
362 tenant_id: None,
363 scopes: vec!["admin:*".to_string()],
364 attributes: HashMap::new(),
365 request_id: "req-1".to_string(),
366 ip_address: None,
367 authenticated_at: Utc::now(),
368 expires_at: Utc::now() + chrono::Duration::hours(1),
369 issuer: None,
370 audience: None,
371 };
372
373 assert!(context.has_scope("admin:read"));
374 assert!(context.has_scope("admin:write"));
375 assert!(!context.has_scope("user:read"));
376 }
377
378 #[test]
379 fn test_builder_pattern() {
380 let now = Utc::now();
381 let context = SecurityContext {
382 user_id: "user123".to_string(),
383 roles: vec![],
384 tenant_id: None,
385 scopes: vec![],
386 attributes: HashMap::new(),
387 request_id: "req-1".to_string(),
388 ip_address: None,
389 authenticated_at: now,
390 expires_at: now + chrono::Duration::hours(1),
391 issuer: None,
392 audience: None,
393 }
394 .with_role("admin".to_string())
395 .with_scopes(vec!["read:user".to_string()])
396 .with_tenant("tenant-1".to_string());
397
398 assert!(context.has_role("admin"));
399 assert!(context.has_scope("read:user"));
400 assert_eq!(context.tenant_id, Some("tenant-1".to_string()));
401 }
402}