
evaluate_policy

Function evaluate_policy 

pub fn evaluate_policy(
    policy: &CommandPolicy,
    context: &CommandPolicyContext,
) -> CommandAccess

Evaluates a single policy against the supplied runtime context.

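Visibility and runnability are evaluated separately. For example, an authenticated-only command stays visible to unauthenticated users, but is denied at execution time. A visible result is therefore not an authorization decision: code that executes a command should check the runnable outcome, not the visibility.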

§Examples

use osp_cli::core::command_policy::{
    AccessReason, CommandPath, CommandPolicy, CommandPolicyContext,
    CommandRunnable, CommandVisibility, VisibilityMode, evaluate_policy,
};

// One binding for the capability name, so the requirement on the policy and
// the capability granted in the context below are the same string.
let capability = "orch.approval.decide";

// Capability-gated policy for the `orch approval decide` command path.
let policy = CommandPolicy::new(CommandPath::new(["orch", "approval", "decide"]))
    .visibility(VisibilityMode::CapabilityGated)
    .require_capability(capability);

// Case 1: the caller is authenticated, but no capability is added to the context.
let without_capability = evaluate_policy(
    &policy,
    &CommandPolicyContext::default().authenticated(true),
);
// Visibility and runnability are separate outcomes: this result is visible
// yet denied, so execution must be gated on `runnable`, never on `visibility`.
assert_eq!(without_capability.visibility, CommandVisibility::Visible);
assert_eq!(without_capability.runnable, CommandRunnable::Denied);
// The denial carries a reason that callers can log or surface.
assert_eq!(
    without_capability.reasons,
    vec![AccessReason::MissingCapabilities]
);

// Case 2: same policy, with the required capability present in the context.
let with_capability = evaluate_policy(
    &policy,
    &CommandPolicyContext::default()
        .authenticated(true)
        .with_capabilities([capability]),
);
assert!(with_capability.is_runnable());