Struct AbacPolicy 

pub struct AbacPolicy<S, R, A, C, F> { /* private fields */ }

An attribute-based access control policy. Define a condition closure that determines whether a subject is allowed to perform an action on a resource, given the additional context. If it returns true, access is granted. Otherwise, access is denied.

Example

We define simple types for a user, a resource, an action, and a context. We then create a built-in ABAC policy that grants access if the user “owns” a resource as determined by the resource’s owner_id.

// Define our core types.
#[derive(Debug, Clone)]
struct User {
    id: Uuid,
}

#[derive(Debug, Clone)]
struct Resource {
    owner_id: Uuid,
}

#[derive(Debug, Clone)]
struct Action;

#[derive(Debug, Clone)]
struct EmptyContext;

// Create an ABAC policy.
// This policy grants access if the user's ID matches the resource's owner.
let abac_policy = AbacPolicy::new(
    |user: &User, resource: &Resource, _action: &Action, _context: &EmptyContext| {
        user.id == resource.owner_id
    },
);

// Create a PermissionChecker and add the ABAC policy.
let mut checker = PermissionChecker::<User, Resource, Action, EmptyContext>::new();
checker.add_policy(abac_policy);

// Create a sample user
let user = User {
    id: Uuid::new_v4(),
};

// Create a resource owned by the user, and one that is not
let owned_resource = Resource { owner_id: user.id };
let other_resource = Resource { owner_id: Uuid::new_v4() };
let context = EmptyContext;

// This check should succeed because the user is the owner:
assert!(checker.evaluate_access(&user, &Action, &owned_resource, &context).await.is_granted());

// This check should fail because the user is not the owner:
assert!(!checker.evaluate_access(&user, &Action, &other_resource, &context).await.is_granted());

Implementations

impl<S, R, A, C, F> AbacPolicy<S, R, A, C, F>

pub fn new(condition: F) -> Self

Creates a new ABAC policy from a condition closure.

Examples found in repository

examples/axum.rs (lines 309-319)

fn payment_refund_policy() -> Box<dyn Policy<User, Resource, Action, RequestContext>> {
    // Alternatively, we can just do a single condition for finance_manager,
    // or combine them. Here let's say "finance_manager" or "refund_specialist".
    Box::new(AbacPolicy::new(
        |user: &User, resource: &Resource, action: &Action, _ctx: &RequestContext| {
            if let Resource::Payment(_) = resource {
                if matches!(action, Action::RefundPayment) {
                    return user.roles.contains(&"finance_manager".into())
                        || user.roles.contains(&"refund_specialist".into());
                }
            }
            false
        },
    ))
}

Trait Implementations

impl<S, R, A, C, F> Policy<S, R, A, C> for AbacPolicy<S, R, A, C, F>

where S: Sync + Send, R: Sync + Send, A: Sync + Send, C: Sync + Send, F: Fn(&S, &R, &A, &C) -> bool + Sync + Send,

fn evaluate_access<'life0, 'life1, 'life2, 'life3, 'life4, 'async_trait>( &'life0 self, subject: &'life1 S, action: &'life2 A, resource: &'life3 R, context: &'life4 C, ) -> Pin<Box<dyn Future<Output = PolicyEvalResult> + Send + 'async_trait>>

where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, 'life4: 'async_trait,

Evaluates whether access should be granted.

fn policy_type(&self) -> String

Policy name for debugging

fn security_rule(&self) -> SecurityRuleMetadata

Metadata describing the security rule that backs this policy.