Struct Authorized 

pub struct Authorized { /* private fields */ }

Authorization witness carrying all proofs required for a host call.

Corresponds to Lean: structure Authorized (s : State) (a : Action)

In Lean, this structure contains proofs that cannot be forged. In Rust, we validate these conditions at runtime.

TOCTTOU Prevention: The Authorized witness is ONLY constructible via validate_atomic() which both validates AND returns the witness in a single atomic operation. This prevents the vulnerability where:

  1. Check capability validity
  2. (capability revoked here)
  3. Use capability

By making construction private and combining validation with use, we ensure authorization is always checked against the CURRENT state at the moment of execution.

Design rationale:

  • h_cap: Capability matches the action
  • h_pol: Policy permits the action
  • h_valid: Capability chain is valid
  • h_live: Target resource is live
  • h_conf: Rights are confined
  • h_biba: Biba integrity constraint for writes

Implementations

impl Authorized

pub fn validate_atomic(
    state: &State,
    cap: Capability,
    action: Action,
    ctx: PolicyContext,
) -> Result<Authorized, AuthorizationError>

Atomically validate and create an authorization witness.

TOCTTOU Prevention: This function validates ALL authorization conditions and returns the witness in a single atomic operation. The returned witness is ONLY valid for the state it was validated against.

Corresponds to Lean: constructing Authorized s a requires proofs for state s.

Arguments

  • state - The CURRENT state to validate against
  • cap - The capability to use
  • action - The action to authorize
  • ctx - Policy evaluation context

Errors

  • AuthorizationError::HolderMismatch if the capability holder does not match the action subject.
  • AuthorizationError::TargetMismatch if the capability target does not match the action target.
  • AuthorizationError::InsufficientRights if the action requests rights not granted by the capability.
  • AuthorizationError::CapabilityNotHeld if the plugin does not hold the capability.
  • AuthorizationError::PolicyDenied if the policy does not permit the action.
  • AuthorizationError::CapabilityNotFound if the capability is not in the revocation table.
  • AuthorizationError::CapabilityRevoked if the capability or its parent is revoked.
  • AuthorizationError::ResourceNotLive if the target resource is not live.
  • AuthorizationError::BibaViolation if a write violates Biba integrity.
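The following is an added example, not the crate's own code, showing the TOCTTOU-prevention design described above and the check order of validate_atomic in a self-contained miniature. State, Capability, Action, CapId and AuthorizationError are simplified stand-ins I assume here (a revocation table keyed by CapId, a holdings set, a live-resource set); the policy (h_pol) and Biba (h_biba) checks are omitted, and host_call and revocation_scenario are hypothetical helpers that exist only to drive the example.

```rust
// Added example, not the project's code: simplified stand-ins for State/Capability/Action; policy and Biba checks omitted.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct CapId(pub u32);
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct PluginId(pub u32);
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct ResourceId(pub u32);

/// Rights as a bit set: a capability grants a set, an action requests a set.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Rights(pub u8);
impl Rights {
    pub const READ: Rights = Rights(0b01);
    pub const WRITE: Rights = Rights(0b10);
    pub fn contains(self, other: Rights) -> bool { (self.0 & other.0) == other.0 }
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Capability {
    pub id: CapId, pub holder: PluginId, pub target: ResourceId,
    pub rights: Rights, pub parent: Option<CapId>,
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Action { pub subject: PluginId, pub target: ResourceId, pub rights: Rights }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum AuthorizationError {
    HolderMismatch, TargetMismatch, InsufficientRights, CapabilityNotHeld,
    CapabilityNotFound, CapabilityRevoked, ResourceNotLive,
}
use AuthorizationError::*;

/// Mutable kernel state: revocation table, holdings and live resources (assumed shape).
#[derive(Default)]
pub struct State {
    caps: HashMap<CapId, Capability>, // revocation table: every issued capability
    revoked: HashSet<CapId>,
    held: HashSet<(PluginId, CapId)>,
    live: HashSet<ResourceId>,
}
impl State {
    pub fn issue(&mut self, cap: Capability) {
        self.held.insert((cap.holder, cap.id));
        self.caps.insert(cap.id, cap);
    }
    pub fn revoke(&mut self, id: CapId) { self.revoked.insert(id); }
    pub fn create_resource(&mut self, r: ResourceId) { self.live.insert(r); }
    /// h_valid: every capability on the derivation chain must exist and be unrevoked.
    fn chain_valid(&self, id: CapId) -> Result<(), AuthorizationError> {
        let mut cur = Some(id);
        while let Some(c) = cur {
            let cap = self.caps.get(&c).ok_or(CapabilityNotFound)?;
            if self.revoked.contains(&c) { return Err(CapabilityRevoked); }
            cur = cap.parent;
        }
        Ok(())
    }
}

/// The witness: private fields and no public constructor, so validate_atomic is the only way to get one.
pub struct Authorized { cap: Capability, action: Action }
impl Authorized {
    pub fn validate_atomic(state: &State, cap: Capability, action: Action)
        -> Result<Authorized, AuthorizationError> {
        if cap.holder != action.subject { return Err(HolderMismatch); }            // h_cap
        if cap.target != action.target { return Err(TargetMismatch); }             // h_cap
        if !cap.rights.contains(action.rights) { return Err(InsufficientRights); } // h_conf
        if !state.held.contains(&(cap.holder, cap.id)) { return Err(CapabilityNotHeld); }
        state.chain_valid(cap.id)?;                                                // h_valid
        if !state.live.contains(&action.target) { return Err(ResourceNotLive); }   // h_live
        Ok(Authorized { cap, action })
    }
    pub fn cap_id(&self) -> CapId { self.cap.id }
    pub fn action(&self) -> &Action { &self.action }
}

/// A host call validates and uses in one step: the witness is built from the state as it is
/// right now and consumed immediately, so no revocation can land between check and use.
pub fn host_call(state: &State, cap: Capability, action: Action) -> Result<CapId, AuthorizationError> {
    let auth = Authorized::validate_atomic(state, cap, action)?;
    Ok(auth.cap_id())
}

/// Constructed scenario: a derived read capability works until its parent is revoked.
pub fn revocation_scenario() -> (Result<CapId, AuthorizationError>, Result<CapId, AuthorizationError>) {
    let (plugin, res) = (PluginId(7), ResourceId(42));
    let mut state = State::default();
    state.create_resource(res);
    state.issue(Capability { id: CapId(1), holder: PluginId(0), target: res, rights: Rights(0b11), parent: None });
    let cap = Capability { id: CapId(2), holder: plugin, target: res, rights: Rights::READ, parent: Some(CapId(1)) };
    state.issue(cap.clone());
    let action = Action { subject: plugin, target: res, rights: Rights::READ };
    let before = host_call(&state, cap.clone(), action.clone());
    state.revoke(CapId(1)); // revoke the parent: the child's chain is now invalid too
    let after = host_call(&state, cap, action);
    (before, after)
}
```

The scenario function makes the point of the design concrete: the same capability and action succeed before the parent is revoked and fail with CapabilityRevoked afterwards, because host_call never reuses an old witness but re-validates against the state at the moment of the call. One further hardening that fits the "only valid for the state it was validated against" rule, not shown here, is to give the witness a lifetime tied to a shared borrow of State, so that any revocation (which needs a mutable borrow) is rejected by the compiler while a witness is still alive.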


pub fn cap(&self) -> &Capability

Get the capability (read-only access)


pub fn action(&self) -> &Action

Get the action (read-only access)


pub fn ctx(&self) -> &PolicyContext

Get the policy context (read-only access)


pub fn cap_id(&self) -> CapId

Get the capability ID being used


pub fn holder_has_cap(&self, state: &State) -> bool

Check if holder has the capability (theorem correspondence)

Corresponds to Lean: theorem Authorized.holder_has_cap


pub fn policy_permitted(&self, state: &State) -> bool

Check if policy is permitted (theorem correspondence)

Corresponds to Lean: theorem Authorized.policy_permitted


pub fn rights_confined(&self) -> bool

Check if rights are confined (theorem correspondence)

Corresponds to Lean: theorem Authorized.rights_confined


pub fn biba_satisfied(&self, state: &State) -> bool

Check if Biba is satisfied (theorem correspondence)

Corresponds to Lean: theorem Authorized.biba_satisfied

Trait Implementations

impl Clone for Authorized

fn clone(&self) -> Authorized

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Authorized

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

Performs copy-assignment from self to dest. (Nightly-only experimental API, feature clone_to_uninit.)

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.