1//! # kimberlite-rbac: Role-Based Access Control
2//!
3//! Provides fine-grained access control for Kimberlite:
4//! - **Role-based access control** (4 roles: Admin, Analyst, User, Auditor)
5//! - **Field-level security** (column filtering)
//! - **Row-level security** (RLS, enforced by injecting a WHERE clause into the query at enforcement time)
7//! - **Policy enforcement** at query time
8//!
9//! ## Architecture
10//!
11//! ```text
12//! ┌─────────────────────────────────────────────┐
13//! │ Query Request │
14//! └─────────────────┬───────────────────────────┘
15//! │
16//! ▼
17//! ┌─────────────────────────────────────────────┐
18//! │ PolicyEnforcer │
19//! │ ├─ Stream-level access control │
20//! │ ├─ Column filtering (field-level security) │
21//! │ └─ Row filtering (RLS) │
22//! └─────────────────┬───────────────────────────┘
23//! │
24//! ▼
25//! ┌─────────────────────────────────────────────┐
26//! │ Rewritten Query │
27//! │ - Unauthorized columns removed │
28//! │ - WHERE clause injected │
29//! └─────────────────────────────────────────────┘
30//! ```
31//!
32//! ## Roles
33//!
34//! | Role | Read | Write | Delete | Export | Cross-Tenant | Audit Logs |
35//! |----------|------|-------|--------|--------|--------------|------------|
36//! | Auditor | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
37//! | User | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
38//! | Analyst | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ |
39//! | Admin | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
40//!
41//! ## Examples
42//!
43//! ### Standard Policies
44//!
45//! ```
46//! use kimberlite_rbac::policy::StandardPolicies;
47//! use kimberlite_types::TenantId;
48//!
49//! // Admin: full access
50//! let admin_policy = StandardPolicies::admin();
51//!
52//! // User: tenant-isolated access
53//! let user_policy = StandardPolicies::user(TenantId::new(42));
54//!
55//! // Analyst: cross-tenant read, no write
56//! let analyst_policy = StandardPolicies::analyst();
57//!
58//! // Auditor: audit logs only
59//! let auditor_policy = StandardPolicies::auditor();
60//! ```
61//!
62//! ### Custom Policies
63//!
64//! ```
65//! use kimberlite_rbac::policy::{AccessPolicy, RowFilter, RowFilterOperator};
66//! use kimberlite_rbac::roles::Role;
67//! use kimberlite_types::TenantId;
68//!
69//! let policy = AccessPolicy::new(Role::User)
70//! .with_tenant(TenantId::new(42))
71//! .allow_stream("patient_*") // Only patient streams
72//! .deny_stream("patient_sensitive") // Except sensitive data
73//! .allow_column("*")
74//! .deny_column("ssn") // No SSN access
75//! .with_row_filter(RowFilter::new(
76//! "tenant_id",
77//! RowFilterOperator::Eq,
78//! "42",
79//! ));
80//! ```
81//!
82//! ### Policy Enforcement
83//!
84//! ```
85//! use kimberlite_rbac::enforcement::PolicyEnforcer;
86//! use kimberlite_rbac::policy::StandardPolicies;
87//! use kimberlite_types::TenantId;
88//!
89//! let policy = StandardPolicies::user(TenantId::new(42));
90//! let enforcer = PolicyEnforcer::new(policy);
91//!
92//! // Check stream access
93//! enforcer.enforce_stream_access("patient_records")?;
94//!
95//! // Filter columns
96//! let requested = vec!["name".to_string(), "ssn".to_string()];
97//! let allowed = enforcer.filter_columns(&requested);
98//!
99//! // Generate WHERE clause for row-level security
100//! let where_clause = enforcer.generate_where_clause()?;
101//! // Result: "tenant_id = 42"
102//! # Ok::<(), Box<dyn std::error::Error>>(())
103//! ```
104//!
105//! ## Compliance
106//!
//! RBAC supports the access-control requirements of several compliance frameworks:
108//!
109//! - **HIPAA § 164.312(a)(1)**: Role-based access controls
110//! - **GDPR Article 32(1)(b)**: Access controls and confidentiality
111//! - **SOC 2 CC6.1**: Logical access controls
112//! - **PCI DSS Requirement 7**: Restrict access to cardholder data
113//! - **ISO 27001 A.5.15**: Access control policy
114//! - **`FedRAMP` AC-3**: Access enforcement
115//!
116//! ## Formal Verification
117//!
118//! All RBAC properties are formally verified:
119//!
120//! - **TLA+ Specification**: `specs/tla/compliance/RBAC.tla`
121//! - `NoUnauthorizedAccess` theorem
122//! - `PolicyCompleteness` theorem
123//! - `AuditTrailComplete` theorem
124//!
125//! - **Kani Proofs**: `src/lib.rs` (bounded model checking)
126//! - Proof #33: Role separation
127//! - Proof #34: Column filter completeness
128//! - Proof #35: Row filter enforcement
129//! - Proof #36: Audit completeness
130//!
131//! - **VOPR Scenarios**: `kimberlite-sim/src/scenarios/`
132//! - `unauthorized_column_access`
133//! - `role_escalation_attack`
134//! - `row_level_security`
135//! - `audit_trail_completeness`
136
// Query-time enforcement: `PolicyEnforcer` checks stream access, filters the
// requested columns and generates the row-level-security WHERE clause; its
// failures surface as `EnforcementError`.
pub mod enforcement;
// Field masking. Not described by the crate-level docs above; see the module docs.
pub mod masking;
// Permission primitives (`Permission`, `PermissionSet`) that the roles and
// policies are expressed in terms of.
pub mod permissions;
// `AccessPolicy` and its stream/column/row filters, plus the `StandardPolicies`
// presets (admin, user, analyst, auditor) shown in the crate docs.
pub mod policy;
// The `Role` type (Admin, Analyst, User, Auditor per the table in the crate docs).
pub mod roles;
// SMART on FHIR support. Not referenced by the crate-level docs above; see the
// module docs for its scope.
pub mod smart_on_fhir;

// Re-export commonly used types so callers can write e.g.
// `kimberlite_rbac::PolicyEnforcer` without naming the submodule. Anything
// listed here is part of the crate's public API surface.
pub use enforcement::{EnforcementError, PolicyEnforcer};
pub use permissions::{Permission, PermissionSet};
pub use policy::{
    AccessPolicy, ColumnFilter, RowFilter, RowFilterOperator, StandardPolicies, StreamFilter,
};
pub use roles::Role;

// Kani proofs for bounded model checking.
// Compiled only under `cfg(kani)`, so they are absent from ordinary builds and
// `cargo test`; running them requires a Kani invocation. The proofs live in the
// `kani_proofs` module (a separate source file), not in this file itself.
#[cfg(kani)]
mod kani_proofs;