#[non_exhaustive]
pub struct RbacPolicy { /* private fields */ }
Compiled RBAC policy for fast lookup.
Built from RbacConfig at startup. All lookups are O(n) over the
role’s allow/deny/host lists, which is fine for the expected cardinality
(a handful of roles with tens of entries each).
Implementations

impl RbacPolicy

pub fn new(config: &RbacConfig) -> Self
Build a policy from config. When config.enabled is false, all
checks return RbacDecision::Allow.
pub fn is_enabled(&self) -> bool
Whether RBAC enforcement is active.
pub fn summary(&self) -> RbacPolicySummary
Summarize the policy for diagnostics (admin endpoint).
Returns (enabled, role_count, per_role_stats) where each stat is
(name, allow_count, deny_count, host_count, argument_allowlist_count).
pub fn check_operation(&self, role: &str, operation: &str) -> RbacDecision
Check whether role may perform operation (ignoring host).
Use this for tools that don’t target a specific host (e.g. ping,
list_hosts).
pub fn check(&self, role: &str, operation: &str, host: &str) -> RbacDecision
Check whether role may perform operation on host.
Evaluation order:
- If RBAC is disabled, allow.
- Check operation permission (deny overrides allow).
- Check host visibility via glob matching.
pub fn host_visible(&self, role: &str, host: &str) -> bool
Check whether role can see host at all (for list_hosts filtering).
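The three checks above (check_operation, check and host_visible) and the documented evaluation order, as an added example that is not the crate's code: a minimal policy with deny-overrides-allow operation lists and glob host patterns that fails closed for an unknown role. The Decision enum, the Role and Policy shapes, the inline glob matcher and the treatment of a literal "*" allow entry as "any operation" are assumptions of this example; the crate's RbacConfig and glob rules may differ.

```rust
use std::collections::HashMap;

/// Outcome of a check; stand-in for the crate's RbacDecision (example assumption).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision { Allow, Deny }

/// Per-role lists as compiled from config (example-only shape; hosts are glob patterns).
#[derive(Debug, Clone)]
pub struct Role { pub allow: Vec<String>, pub deny: Vec<String>, pub hosts: Vec<String> }

fn role(allow: &[&str], deny: &[&str], hosts: &[&str]) -> Role {
    let v = |s: &[&str]| -> Vec<String> { s.iter().map(|x| x.to_string()).collect() };
    Role { allow: v(allow), deny: v(deny), hosts: v(hosts) }
}

/// Minimal stand-in for RbacPolicy; lookups are linear scans, as documented.
#[derive(Debug, Clone)]
pub struct Policy { enabled: bool, roles: HashMap<String, Role> }

/// Glob match supporting `*` (any run of characters) and `?` (one character).
/// Written inline so the example has no crate dependency; the crate's own
/// glob rules may differ (assumption).
pub fn glob_match(pattern: &str, text: &str) -> bool {
    fn go(p: &[char], t: &[char]) -> bool {
        match (p.first(), t.first()) {
            (None, None) => true,
            (None, Some(_)) => false,
            (Some('*'), _) => go(&p[1..], t) || (!t.is_empty() && go(p, &t[1..])),
            (Some('?'), Some(_)) => go(&p[1..], &t[1..]),
            (Some(c), Some(d)) if c == d => go(&p[1..], &t[1..]),
            _ => false,
        }
    }
    let (p, t): (Vec<char>, Vec<char>) = (pattern.chars().collect(), text.chars().collect());
    go(&p, &t)
}

impl Policy {
    pub fn new(enabled: bool, roles: Vec<(&str, Role)>) -> Self {
        Policy { enabled, roles: roles.into_iter().map(|(n, r)| (n.to_string(), r)).collect() }
    }

    /// Operation check ignoring host. Deny overrides allow; an unknown role or an
    /// operation missing from the allow list fails closed. A literal "*" entry
    /// means "any operation" (example assumption).
    pub fn check_operation(&self, role: &str, operation: &str) -> Decision {
        if !self.enabled { return Decision::Allow; }
        let r = match self.roles.get(role) { Some(r) => r, None => return Decision::Deny };
        let hit = |list: &[String]| list.iter().any(|e| e == "*" || e == operation);
        if hit(&r.deny) { return Decision::Deny; }
        if hit(&r.allow) { Decision::Allow } else { Decision::Deny }
    }

    /// Host visibility: at least one of the role's glob patterns must match.
    pub fn host_visible(&self, role: &str, host: &str) -> bool {
        if !self.enabled { return true; }
        self.roles.get(role).map_or(false, |r| r.hosts.iter().any(|p| glob_match(p, host)))
    }

    /// Full check in the documented order: disabled -> allow; operation
    /// permission (deny overrides allow); then host visibility via glob.
    pub fn check(&self, role: &str, operation: &str, host: &str) -> Decision {
        if !self.enabled { return Decision::Allow; }
        if self.check_operation(role, operation) == Decision::Deny { return Decision::Deny; }
        if self.host_visible(role, host) { Decision::Allow } else { Decision::Deny }
    }
}

/// Constructed sample: operators may do anything except `reboot`, and only on
/// `prod-*` hosts; auditors may only run `status`, on any host.
pub fn sample_policy() -> Policy {
    Policy::new(true, vec![
        ("operator", role(&["*"], &["reboot"], &["prod-*"])),
        ("auditor", role(&["status"], &[], &["*"])),
    ])
}

fn main() {
    let p = sample_policy();
    println!("{:?}", p.check("operator", "reboot", "prod-db1"));   // Deny: deny overrides allow
    println!("{:?}", p.check("operator", "restart", "staging-1")); // Deny: host not visible
    println!("{:?}", p.check("auditor", "status", "staging-1"));   // Allow
}
```

Note the two distinct reasons a call can be denied: the operation check runs first and a deny entry wins regardless of the allow list, and only then is the host glob consulted, so a role with no host patterns at all can never act on a host even when its operations are allowed.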
pub fn host_patterns(&self, role: &str) -> Option<&[String]>
Get the list of host patterns for a role.
pub fn argument_allowed(
    &self,
    role: &str,
    tool: &str,
    argument: &str,
    value: &str,
) -> bool
Check whether value passes the argument allowlists for tool under role.
If the role has no matching argument_allowlists entry for the tool,
all values are allowed. When a matching entry exists, value is
tokenized using POSIX-shell-like lexical rules (shlex::split)
and its first argv element (or the /-basename of that element)
must appear in the allowed list.
Scope of the contract. This matcher targets consumers that
interpret string arguments as POSIX-shell-like command lines on
Unix-like systems (e.g. anything that subsequently feeds the value
through shlex or an equivalent splitter before execve). It
does not model real shell execution grammar (FOO=1 cmd,
expansion, command substitution, redirection, operators) or
Windows command-line tokenization (CommandLineToArgvW,
cmd.exe, PowerShell). Consumers in those regimes remain subject
to a parser differential and must validate at their own boundary.
Fail-closed cases (all return false when a matching allowlist
entry exists):
- value fails to parse as a POSIX-shell-like command line (e.g. unbalanced quotes, dangling escape).
- value parses to zero tokens (empty input).
- The first parsed token is the empty string (e.g. value = r#""""# parses to Some(vec![""])). An empty argv element is never a runnable executable, so we reject even when "" is in the allowlist.
pub fn has_argument_allowlist(
    &self,
    role: &str,
    tool: &str,
    argument: &str,
) -> bool
Return true if (role, tool, argument) has any non-empty
allowlist entry configured.
Used by the tools/call middleware to decide whether non-string
JSON values must be rejected (M2 fix). When this returns true,
the value at argument must be a JSON string and pass
Self::argument_allowed; otherwise the call is denied with
403. When this returns false, the value is unconstrained by
allowlist policy.
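argument_allowed and has_argument_allowlist, together with the middleware rule just described, as an added example that is not the crate's code. Because the crate relies on shlex::split, the block carries a small POSIX-shell-like splitter of its own (an assumption; shlex's edge cases may differ) that returns None on unbalanced quotes and dangling escapes, and it exercises each documented fail-closed case. ArgPolicy, ArgValue, middleware_check and the sample allowlist are constructed for this example.

```rust
use std::collections::HashMap;

/// Minimal POSIX-shell-like splitter standing in for `shlex::split`, so this
/// example has no crate dependency (assumption: shlex's exact edge-case
/// behaviour may differ). Returns None on an unbalanced quote or a dangling
/// backslash, which the policy treats as a parse failure.
pub fn split_shell(input: &str) -> Option<Vec<String>> {
    let mut out = Vec::new();
    let mut cur = String::new();
    let mut in_word = false; // a token has started, even if it is empty (as with "")
    let mut chars = input.chars();
    while let Some(c) = chars.next() {
        match c {
            ' ' | '\t' | '\n' => {
                if in_word { out.push(std::mem::take(&mut cur)); in_word = false; }
            }
            '\'' => { // single quotes: everything literal up to the closing quote
                in_word = true;
                loop {
                    match chars.next() { Some('\'') => break, Some(ch) => cur.push(ch), None => return None }
                }
            }
            '"' => { // double quotes: backslash escapes only " \ $ `
                in_word = true;
                loop {
                    match chars.next() {
                        Some('"') => break,
                        Some('\\') => match chars.next() {
                            Some(e @ ('"' | '\\' | '$' | '`')) => cur.push(e),
                            Some(e) => { cur.push('\\'); cur.push(e); }
                            None => return None,
                        },
                        Some(ch) => cur.push(ch),
                        None => return None,
                    }
                }
            }
            '\\' => { // unquoted backslash escapes the next character
                in_word = true;
                match chars.next() { Some(e) => cur.push(e), None => return None }
            }
            _ => { in_word = true; cur.push(c); }
        }
    }
    if in_word { out.push(cur); }
    Some(out)
}

/// Allowlists keyed by (role, tool, argument); values are permitted argv[0]
/// names. Example-only stand-in for the relevant part of RbacPolicy.
pub struct ArgPolicy { allowlists: HashMap<(String, String, String), Vec<String>> }

/// JSON value shape as the tools/call middleware sees it (example stand-in).
pub enum ArgValue { Str(String), Number(f64) }

impl ArgPolicy {
    pub fn new(entries: Vec<(&str, &str, &str, Vec<&str>)>) -> Self {
        let mut allowlists = HashMap::new();
        for (r, t, a, list) in entries {
            let key = (r.to_string(), t.to_string(), a.to_string());
            allowlists.insert(key, list.into_iter().map(String::from).collect::<Vec<String>>());
        }
        ArgPolicy { allowlists }
    }

    fn list(&self, role: &str, tool: &str, argument: &str) -> Option<&Vec<String>> {
        self.allowlists.get(&(role.to_string(), tool.to_string(), argument.to_string()))
            .filter(|l| !l.is_empty())
    }

    /// True if (role, tool, argument) has a non-empty allowlist configured.
    pub fn has_argument_allowlist(&self, role: &str, tool: &str, argument: &str) -> bool {
        self.list(role, tool, argument).is_some()
    }

    /// No allowlist -> unconstrained. Otherwise tokenize and require argv[0] (or
    /// its /-basename) to be listed; parse failure, zero tokens and an empty
    /// argv[0] all fail closed.
    pub fn argument_allowed(&self, role: &str, tool: &str, argument: &str, value: &str) -> bool {
        let list = match self.list(role, tool, argument) { Some(l) => l, None => return true };
        let argv = match split_shell(value) { Some(v) => v, None => return false };
        let first = match argv.first() { Some(f) => f.as_str(), None => return false };
        if first.is_empty() { return false; }
        let base = first.rsplit('/').next().unwrap_or(first);
        list.iter().any(|a| a == first || a == base)
    }
}

/// Middleware rule from the docs: when an allowlist exists, the value must be a
/// JSON string that passes argument_allowed, otherwise the call is denied with 403.
pub fn middleware_check(p: &ArgPolicy, role: &str, tool: &str, argument: &str, value: &ArgValue) -> Result<(), u16> {
    if !p.has_argument_allowlist(role, tool, argument) { return Ok(()); }
    match value {
        ArgValue::Str(s) if p.argument_allowed(role, tool, argument, s) => Ok(()),
        _ => Err(403),
    }
}

/// Constructed sample: operators may only launch ls, df or uptime via run_command.
pub fn sample_arg_policy() -> ArgPolicy {
    ArgPolicy::new(vec![("operator", "run_command", "command", vec!["ls", "df", "uptime"])])
}

fn main() {
    let p = sample_arg_policy();
    for v in ["ls -la /tmp", "/bin/ls", "rm -rf /", "\"ls", "", "\"\""] {
        println!("{:?} -> {}", v, p.argument_allowed("operator", "run_command", "command", v));
    }
}
```

The splitter deliberately does not interpret `;`, `|`, `&&` or `FOO=1 cmd` prefixes, matching the documented scope: a value such as `ls;rm -rf /` yields the single first token `ls;rm`, which is simply not in the list and is rejected, while a consumer that does run the string through a real shell would still need its own validation at that boundary.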
pub fn redact_arg(&self, value: &str) -> String
HMAC-SHA256 the given argument value with this policy’s redaction salt and return the first 8 hex characters (4 bytes / 32 bits).
32 bits is enough entropy for log correlation (1-in-4-billion collision per pair) while being far short of any preimage attack surface for an attacker reading logs. The HMAC construction guarantees that even short or low-entropy values cannot be recovered without the key.
Trait Implementations

impl Clone for RbacPolicy

fn clone(&self) -> RbacPolicy

fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.