Expand description
acl:origin value objects and enforcement helpers (WAC §4.3 / F4).
Implements the Origin gate described in
docs/design/jss-parity/03-wac-enforcement-context.md. The gate runs
after the existing agent / agent-class / mode / accessTo checks;
if any authorisation in the effective ACL declares acl:origin
triples, the request’s Origin header must match one of them.
This module is strictly additive: consumers that never pass an
Origin value object observe no behavioural change, because an
ACL with zero acl:origin triples yields OriginDecision::NoPolicySet.
§Ubiquitous language
- Origin: RFC 6454 web origin, canonicalised as
scheme://host[:port]with default ports (80/443) elided. - OriginPattern: a rule’s declared origin list entry; exact
origin, wildcard subdomain (
https://*.example.org), or global wildcard (*). Global wildcard disables the gate for that rule. - Origin gate: the additional check that runs after agent matching.
Structs§
- Origin
- Canonicalised web origin per RFC 6454.
Enums§
- Origin
Decision - Origin-gate decision for a request against an ACL document.
- Origin
Pattern - A rule-declared origin pattern.
Functions§
- check_
origin - Check whether the request origin is permitted by any authorisation’s origin patterns in the supplied ACL document.
- extract_
origin_ patterns - Extract
acl:originpatterns from a single authorisation.