Skip to main content

Crate secure_authz

Crate secure_authz 

Source
Expand description

secure_authz — Authorization enforcement (OWASP C7).

§Feature Overview

The crate ships a framework-neutral core plus optional HTTP framework adapters. Pick one or both:

Feature flagDefaultEnables
axummiddleware::AuthzLayer as a tower Layer
actix-web[actix::AuthzTransform] as an actix middleware

The standard subject/action/resource authorization path remains identity-agnostic: it depends on security_core::identity::AuthenticatedIdentity. Identity may come from secure_identity, Keycloak, Auth0, or any custom provider.

Native device-trust predicates are intentionally typed and live in device_trust. That module accepts secure_device_trust, secure_identity, and secure_network context so route policies can prove that user sessions stay pinned to verified session mTLS.

§What this crate gives you

  • Typed subjects, actions, and resources (no role strings in business code)
  • Pluggable policy engine (default: casbin RBAC)
  • Tenant isolation
  • Bounded LRU decision cache with TTL
  • Decision logging to security_events
  • Framework adapters (axum and actix-web 4) that share the same enforcement pipeline (crate::enforce::run_check).
  • Device-trust route predicates for native clients.

Re-exports§

pub use action::Action;
pub use decision::Decision;
pub use decision::DenyReason;
pub use enforcer::Authorizer;
pub use enforcer::DefaultAuthorizer;
pub use policy::DefaultPolicyEngine;
pub use resolver::DefaultSubjectResolver;
pub use resolver::SubjectResolver;
pub use resource::ResourceRef;
pub use subject::Subject;

Modules§

abac
Lightweight attribute-based access control helpers.
action
Typed action enumerations — no role strings in business code.
cache
Bounded LRU decision cache with TTL and policy-version keying.
decision
Authorization decision types.
decision_log
Decision event emission to security_events.
device_trust
Device-trust authorization predicates.
enforce
Framework-neutral enforcement primitives used by both the axum tower AuthzLayer and the actix-web 4 AuthzTransform.
enforcer
Authorizer trait and DefaultAuthorizer.
middleware
Axum middleware for authorization enforcement.
ownership
Tenant scoping and resource ownership helpers.
policy
PolicyEngine — sealed trait abstracting casbin.
resolver
SubjectResolver — converts AuthenticatedIdentity into Subject.
resource
Resource descriptor types.
subject
Subject — the actor requesting authorization.
temporal
Time-bounded permission helpers.
testing
Testing helpers that let services assert authorization-coverage invariants in their own CI. Intended to be consumed from test and integration-test code in downstream services.
testkit
Test helpers — MockAuthorizer and subject fixtures.