Trait PolicyBackend 

pub trait PolicyBackend: Send + Sync {
    // Required methods
    fn evaluate(
        &self,
        subject: &ObjectId,
        target: &ObjectId,
        operation: &Operation,
        exposure_labels: &[ExposureLabel],
    ) -> PolicyDecision;
    fn classification(&self, target: &ObjectId) -> Vec<ExposureLabel>;
    fn list_grants(&self, subject: &ObjectId) -> Vec<CapabilityGrant>;
    fn can_delegate(&self, subject: &ObjectId) -> bool;

    // Provided methods
    fn all_grants(&self) -> Vec<(ObjectId, CapabilityGrant)> { ... }
    fn parent(&self, _subject: &ObjectId) -> Option<ObjectId> { ... }
    fn has_grant(
        &self,
        subject: &ObjectId,
        target: &ObjectId,
        operation: &Operation,
    ) -> bool { ... }
    fn lookup_grant(
        &self,
        subject: &ObjectId,
        target: &ObjectId,
        operation: &Operation,
    ) -> Option<CapabilityGrant> { ... }
}
Pluggable policy backend trait.

Implementations evaluate capability requests against their policy model. The default implementation is the CList backend in hessra-cap-policy.

Required Methods

fn evaluate(&self, subject: &ObjectId, target: &ObjectId, operation: &Operation, exposure_labels: &[ExposureLabel]) -> PolicyDecision

Evaluate whether a subject can access a target with the given operation, considering any exposure labels from the subject’s context.

fn classification(&self, target: &ObjectId) -> Vec<ExposureLabel>

Get the data classification (exposure labels) for a target.

When the engine mints a capability for a classified target, these labels are automatically added to the subject’s context token.

fn list_grants(&self, subject: &ObjectId) -> Vec<CapabilityGrant>

List all capability grants for a subject (for introspection and audit).

fn can_delegate(&self, subject: &ObjectId) -> bool

Check if a subject can delegate capabilities to other objects.

Provided Methods

fn all_grants(&self) -> Vec<(ObjectId, CapabilityGrant)>

Enumerate every (subject, grant) pair the policy declares. Used by the engine to cross-validate static designations against schemas at construction time. The default implementation returns an empty vector, which disables schema cross-validation; backends that store grants statically (e.g., CList) should override this.

fn parent(&self, _subject: &ObjectId) -> Option<ObjectId>

The immediate parent principal of subject in the principal graph, if subject is a sub-identity. Returns None for root principals or principals not declared in this backend.

Used by the engine’s chain check at mint time. The default returns None, modeling a flat principal graph; backends that represent parent-child relationships (e.g., CList via ObjectConfig.parent) should override this.

fn has_grant(&self, subject: &ObjectId, target: &ObjectId, operation: &Operation) -> bool

Whether subject holds a grant for (target, operation), ignoring any current exposure context. Used by the engine’s chain check to verify ancestor authority without conflating exposure (which is the requesting subject’s own running state, not an inherited property).

The default delegates to Self::lookup_grant. Backends may override for efficiency.

fn lookup_grant(&self, subject: &ObjectId, target: &ObjectId, operation: &Operation) -> Option<CapabilityGrant>

Look up the full grant subject holds for (target, operation), if any. The returned CapabilityGrant carries the grant’s static designations and anchor binding, which the engine uses for designation-containment enforcement during the chain check.

The default scans Self::list_grants. Backends with a direct (subject, target, op) -> grant lookup may override for efficiency.
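As an added example (not the crate's own code), a minimal in-memory backend that leaves has_grant and lookup_grant to the documented defaults, overrides parent to model a sub-identity, and keeps exposure out of has_grant while evaluate does consult it. The ObjectId, Operation, ExposureLabel, CapabilityGrant and PolicyDecision types are stand-ins assumed for the example, as are its exposure and delegation rules.

```rust
use std::collections::HashMap;
// Stand-in types assumed for this example; they are not the crate's own definitions.
#[derive(Clone, Debug, PartialEq, Eq, Hash)] pub struct ObjectId(pub &'static str);
#[derive(Clone, Debug, PartialEq, Eq, Hash)] pub struct Operation(pub &'static str);
#[derive(Clone, Debug, PartialEq, Eq)] pub struct ExposureLabel(pub &'static str);
#[derive(Clone, Debug, PartialEq, Eq)] pub struct CapabilityGrant { pub target: ObjectId, pub operation: Operation }
#[derive(Debug, PartialEq, Eq)] pub enum PolicyDecision { Allow, Deny(&'static str) }
// The trait as documented on this page, with the provided methods' documented defaults.
pub trait PolicyBackend: Send + Sync {
    fn evaluate(&self, s: &ObjectId, t: &ObjectId, op: &Operation, exposure: &[ExposureLabel]) -> PolicyDecision;
    fn classification(&self, target: &ObjectId) -> Vec<ExposureLabel>;
    fn list_grants(&self, subject: &ObjectId) -> Vec<CapabilityGrant>;
    fn can_delegate(&self, subject: &ObjectId) -> bool;
    fn all_grants(&self) -> Vec<(ObjectId, CapabilityGrant)> { Vec::new() } // empty: no cross-validation
    fn parent(&self, _subject: &ObjectId) -> Option<ObjectId> { None }      // flat principal graph
    fn has_grant(&self, s: &ObjectId, t: &ObjectId, op: &Operation) -> bool {
        self.lookup_grant(s, t, op).is_some() // exposure context deliberately not consulted
    }
    fn lookup_grant(&self, s: &ObjectId, t: &ObjectId, op: &Operation) -> Option<CapabilityGrant> {
        self.list_grants(s).into_iter().find(|g| &g.target == t && &g.operation == op)
    }
}
pub struct MemBackend { // minimal in-memory backend (example only): grants, labels and parents in maps
    grants: HashMap<ObjectId, Vec<CapabilityGrant>>,
    labels: HashMap<ObjectId, Vec<ExposureLabel>>,
    parents: HashMap<ObjectId, ObjectId>,
}
impl PolicyBackend for MemBackend {
    fn evaluate(&self, s: &ObjectId, t: &ObjectId, op: &Operation, exposure: &[ExposureLabel]) -> PolicyDecision {
        if !self.has_grant(s, t, op) { return PolicyDecision::Deny("no grant"); }
        // Example rule (assumed): a subject already carrying an exposure label may only reach targets
        // classified with that label, so exposure cannot flow on to a target lacking the label.
        let cls = self.classification(t);
        if exposure.iter().any(|l| !cls.contains(l)) { return PolicyDecision::Deny("exposure would leak"); }
        PolicyDecision::Allow
    }
    fn classification(&self, t: &ObjectId) -> Vec<ExposureLabel> { self.labels.get(t).cloned().unwrap_or_default() }
    fn list_grants(&self, s: &ObjectId) -> Vec<CapabilityGrant> { self.grants.get(s).cloned().unwrap_or_default() }
    fn can_delegate(&self, s: &ObjectId) -> bool { self.parent(s).is_none() } // example rule: only roots delegate
    fn parent(&self, s: &ObjectId) -> Option<ObjectId> { self.parents.get(s).cloned() } // overrides the flat default
}
// Constructed sample policy: root "alice" has sub-identity "alice/ci", which may read the "pii"-labelled "db".
pub fn sample_backend() -> MemBackend {
    let grant = CapabilityGrant { target: ObjectId("db"), operation: Operation("read") };
    MemBackend {
        grants: HashMap::from([(ObjectId("alice/ci"), vec![grant])]),
        labels: HashMap::from([(ObjectId("db"), vec![ExposureLabel("pii")])]),
        parents: HashMap::from([(ObjectId("alice/ci"), ObjectId("alice"))]),
    }
}
```

Because has_grant ignores exposure, an engine's chain check can confirm that "alice" or "alice/ci" holds authority without the requesting subject's running exposure state leaking into the ancestor check, while evaluate still refuses to let a "pii"-exposed subject reach an unlabelled target.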

Implementors