
Module auth

Authentication & Authorization

Provides user management, RBAC, and token-based auth for RedDB.

Roles

  • admin: Full access (user management, index ops, read, write)
  • write: Read + write data
  • read: Read-only access

Auth Methods

  • User/Password login -> session token
  • API key -> direct auth with assigned role

Modules

cert
Client-certificate authentication (Phase 3.4 PG parity).
column_policy_gate
Column-level IAM policy gate.
locks
Advisory locks (PG-compatible pg_advisory_* family).
middleware
Auth middleware helpers.
oauth
OAuth / OIDC token validation (Phase 3.4 PG parity).
policies
IAM-style policy kernel: data model, JSON codec, validator, evaluator, and simulator.
privileges
Granular RBAC: per-table/action privileges plus user attributes.
scope_cache
(tenant, principal, role) → HashSet<CollectionId> visibility cache.
scram
SCRAM-SHA-256 (RFC 5802 + RFC 7677) primitives.
store
AuthStore – manages users, sessions, and API keys in memory.
vault
Encrypted vault for auth state persistence.

Structs

ApiKey
A persistent API key bound to a user.
AuthCache
Visible-collections cache. Thread-safe; cheaply cloneable through an enclosing Arc. Construction uses Default::default() so the cache can sit on AuthStore without extra plumbing.
AuthCacheStats
Hit/miss/invalidate counters surfaced by AuthCache::stats().
AuthConfig
Configuration knobs for the auth subsystem.
AuthStore
Central in-process authority for auth state.
AuthzContext
Caller identity threaded through the privilege check.
CertAuthConfig
Per-deployment cert-auth policy. Enabled on a per-listener basis (the TLS listeners inject this into their accept loop).
CertAuthenticator
Stateless validator. Holds the config + lookup closure; TLS listeners wrap it in an Arc and call validate on every accepted connection.
CertIdentity
Parsed identity extracted from a validated client certificate.
ColumnAccessRequest
A set of resolved columns from one table-like source.
ColumnDecision
Per-column decision after table inheritance is applied.
ColumnPolicyGate
Thin evaluator wrapper over effective IAM policies.
ColumnPolicyOutcome
Full gate result for one projected table source.
ColumnRef
One resolved table column requested by a query path.
DecodedJwt
Parsed JWT header + payload that the validator consumes. Listeners wire an actual JWT parser (e.g. jsonwebtoken crate) and produce this struct; tests build one directly.
Grant
A single GRANT row.
GrantsView
Inputs to check_grant. Decoupled from AuthStore so unit tests can construct fixtures without booting a vault.
Jwk
A single key from the JWKS endpoint. Phase 3.4 keeps the JWK in pre-parsed form (algorithm-specific byte buffers) so the validator can delegate verification to any signing library the deployment chooses (ring, rsa, etc.) without tying the core module to a crypto dependency.
JwtClaims
JwtHeader
OAuthConfig
Configuration for OAuth/OIDC auth. Multiple issuers can be registered in parallel — the validator tries each until one’s signature verification succeeds.
OAuthIdentity
Identity produced after successful token validation.
OAuthValidator
ParsedClientCert
Subset of the cert surface the validator consumes. TLS listeners construct this from their rustls::Certificate payload via an ASN.1 parser (x509-parser or similar); we model the fields we actually look at so tests don’t need a real PEM.
PermissionCache
Compact (resource, action) lookup pre-built from a user’s grants.
ScopeKey
Cache key — (tenant, principal, role). None tenant = platform tenant.
Session
An ephemeral session created by login.
User
A registered user in the RedDB auth system.
UserAttributes
Per-user account attributes that PG exposes via ALTER USER. None of these are tied to the underlying password hash — they live alongside the User record so they can be modified without rotating credentials.
UserId
Composite identity key: (tenant_id, username).

Enums

Action
SQL action covered by a grant. Mirrors PG’s privilege vocabulary.
AuthError
Errors produced by auth operations.
AuthzError
Privilege-check error.
CertAuthError
Errors raised while validating a client certificate.
CertIdentityMode
How to derive the RedDB username from a client certificate.
ColumnDecisionEffect
GrantPrincipal
Who the grant applies to.
OAuthError
OAuthIdentityMode
Resource
Object the grant covers. Schemas and tables form a hierarchy: a grant on Schema("public") implicitly covers every table in public.
Role
Access role within the RedDB authorization model.

Constants

DEFAULT_SCOPE_TTL
Default TTL for a visible_collections cache entry.
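The scope cache described above (the scope_cache module, AuthCache, AuthCacheStats, ScopeKey and DEFAULT_SCOPE_TTL) is easiest to reason about with a small model in hand. The block below is an added example, not RedDB's own code: it keeps a (tenant, principal, role) key mapped to a set of collection ids, expires entries after a TTL, counts hits, misses and invalidations, and is shareable across threads through a Mutex. The field types, the TTL value, the CollectionId alias and the method names are assumptions; the page only gives the shape of the key and the fact that a None tenant denotes the platform tenant. Lookups take an explicit clock so expiry can be exercised without sleeping.

```rust
// Added example (not RedDB's code): (tenant, principal, role) -> visible
// collections cache with TTL and hit/miss/invalidate counters. Field types,
// the TTL value and method names are this example's assumptions.
use std::collections::{HashMap, HashSet};
use std::sync::Mutex;
use std::time::{Duration, Instant};

pub type CollectionId = u64;

/// Assumed default TTL; the real constant's value is not given on the page.
pub const DEFAULT_SCOPE_TTL: Duration = Duration::from_secs(30);

/// Cache key. `tenant == None` means the platform tenant.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ScopeKey {
    pub tenant: Option<String>,
    pub principal: String,
    pub role: String,
}

#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub struct AuthCacheStats {
    pub hits: u64,
    pub misses: u64,
    pub invalidations: u64,
}

struct Entry {
    visible: HashSet<CollectionId>,
    expires_at: Instant,
}

#[derive(Default)]
struct Inner {
    entries: HashMap<ScopeKey, Entry>,
    stats: AuthCacheStats,
}

/// Thread-safe through the interior Mutex; wrap in an Arc to share it.
#[derive(Default)]
pub struct AuthCache {
    inner: Mutex<Inner>,
}

impl AuthCache {
    /// Lookup at an explicit clock so TTL behaviour is testable offline.
    pub fn get_at(&self, key: &ScopeKey, now: Instant) -> Option<HashSet<CollectionId>> {
        let mut inner = self.inner.lock().unwrap();
        let fresh = match inner.entries.get(key) {
            Some(entry) if now < entry.expires_at => Some(entry.visible.clone()),
            _ => None,
        };
        if fresh.is_some() {
            inner.stats.hits += 1;
        } else {
            // An expired entry is removed so it can never be served again.
            inner.entries.remove(key);
            inner.stats.misses += 1;
        }
        fresh
    }

    pub fn get(&self, key: &ScopeKey) -> Option<HashSet<CollectionId>> {
        self.get_at(key, Instant::now())
    }

    pub fn insert_at(&self, key: ScopeKey, visible: HashSet<CollectionId>, ttl: Duration, now: Instant) {
        let mut inner = self.inner.lock().unwrap();
        inner.entries.insert(key, Entry { visible, expires_at: now + ttl });
    }

    /// Drop every entry of one tenant (None = platform tenant). Call this when
    /// grants or collection visibility change; otherwise a revoked principal
    /// keeps its old view until the TTL runs out. Returns the number removed.
    pub fn invalidate_tenant(&self, tenant: Option<&str>) -> usize {
        let mut inner = self.inner.lock().unwrap();
        let before = inner.entries.len();
        inner.entries.retain(|k, _| k.tenant.as_deref() != tenant);
        let removed = before - inner.entries.len();
        inner.stats.invalidations += removed as u64;
        removed
    }

    pub fn stats(&self) -> AuthCacheStats {
        self.inner.lock().unwrap().stats
    }
}

fn main() {
    let cache = std::sync::Arc::new(AuthCache::default());
    let key = ScopeKey { tenant: None, principal: "alice".into(), role: "read".into() };
    cache.insert_at(key.clone(), vec![1, 2].into_iter().collect(), DEFAULT_SCOPE_TTL, Instant::now());
    let worker = { let c = cache.clone(); let k = key.clone(); std::thread::spawn(move || c.get(&k)) };
    println!("{:?} {:?}", worker.join().unwrap(), cache.stats());
}
```

The security caveat is the one the invalidate method's comment states: a TTL bounds staleness but does not remove it, so any change to grants or collection visibility should call the invalidation path rather than wait for DEFAULT_SCOPE_TTL to elapse.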

Functions

check_grant
Core privilege check. See module docstring for the resolution order.
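The Roles list, the Resource hierarchy note (a grant on Schema("public") covers every table in public) and check_grant describe one privilege check between them. The block below is an added example, not RedDB's own code, that puts those pieces together: a Role lattice, Resource with schema-to-table inheritance, GrantPrincipal for user and role grants, and a deny-by-default check_grant. The page does not give the resolution order, so the rules here are assumptions: there is no DENY row, Admin bypasses the grant scan (the page says admin has full access), Write implies Read, and the first matching grant wins. The sample_grants fixture is constructed for the example.

```rust
// Added example (not RedDB's code): minimal check_grant over the
// schema/table hierarchy, with role implication. Resolution rules
// (allow-only, Admin bypass, Admin > Write > Read) are assumptions.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role { Read, Write, Admin }

impl Role {
    /// Assumed lattice: a higher role implies every lower one.
    pub fn implies(self, other: Role) -> bool { self >= other }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Action { Select, Insert, Update, Delete }

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Resource {
    Schema(String),
    Table { schema: String, name: String },
}

impl Resource {
    pub fn schema(s: &str) -> Resource { Resource::Schema(s.to_string()) }
    pub fn table(s: &str, n: &str) -> Resource {
        Resource::Table { schema: s.to_string(), name: n.to_string() }
    }

    /// A schema grant covers every table inside it; a table grant never
    /// widens to its schema, and tables must match exactly.
    fn covers(&self, requested: &Resource) -> bool {
        match (self, requested) {
            (Resource::Schema(g), Resource::Schema(r)) => g == r,
            (Resource::Schema(g), Resource::Table { schema, .. }) => g == schema,
            (Resource::Table { .. }, Resource::Table { .. }) => self == requested,
            (Resource::Table { .. }, Resource::Schema(_)) => false,
        }
    }
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum GrantPrincipal { User(String), Role(Role) }

#[derive(Clone, Debug)]
pub struct Grant { pub principal: GrantPrincipal, pub resource: Resource, pub action: Action }

pub struct AuthzContext { pub user: String, pub role: Role }

#[derive(Debug, PartialEq, Eq)]
pub enum AuthzError {
    Denied { user: String, action: Action, resource: Resource },
}

pub fn check_grant(grants: &[Grant], ctx: &AuthzContext, resource: &Resource, action: Action)
    -> Result<(), AuthzError>
{
    // Admin has full access, so it does not consult the grant table.
    if ctx.role == Role::Admin {
        return Ok(());
    }
    let allowed = grants.iter().any(|g| {
        g.action == action
            && g.resource.covers(resource)
            && match &g.principal {
                GrantPrincipal::User(u) => *u == ctx.user,
                GrantPrincipal::Role(r) => ctx.role.implies(*r),
            }
    });
    if allowed {
        Ok(())
    } else {
        // Deny by default; the error carries what was attempted, for audit logs.
        Err(AuthzError::Denied { user: ctx.user.clone(), action, resource: resource.clone() })
    }
}

/// Constructed fixture: every `read` role may SELECT anything in `public`;
/// only alice may INSERT into public.orders.
pub fn sample_grants() -> Vec<Grant> {
    vec![
        Grant { principal: GrantPrincipal::Role(Role::Read), resource: Resource::schema("public"), action: Action::Select },
        Grant { principal: GrantPrincipal::User("alice".into()), resource: Resource::table("public", "orders"), action: Action::Insert },
    ]
}

fn main() {
    let grants = sample_grants();
    let alice = AuthzContext { user: "alice".into(), role: Role::Read };
    println!("{:?}", check_grant(&grants, &alice, &Resource::table("public", "users"), Action::Select));
    println!("{:?}", check_grant(&grants, &alice, &Resource::table("public", "orders"), Action::Delete));
}
```

Two checks worth keeping in any real implementation are visible here: inheritance only flows downward (a table grant must never satisfy a schema-level request), and the principal match for role grants goes through the lattice rather than plain equality, so a `write` user is not locked out of tables granted to `read`.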