Skip to main content

symbi_runtime/integrations/policy_engine/
mod.rs

1//! Policy Engine Module
2//!
3//! Provides resource access management through policy-based enforcement
4
5pub mod engine;
6pub mod types;
7
8// Re-export existing policy engine interface
9mod existing;
10pub use existing::{
11    MockPolicyEngine, Policy, PolicyDecision as ExistingPolicyDecision, PolicyEngine,
12};
13
14// Re-export new resource access management components
15pub use types::{
16    AccessContext, AccessDecision, AccessType, AllocationDecision, AllocationResult,
17    EnforcementStatistics, ResourceAccessRequest, ResourceAllocationRequest, ResourceType,
18    SourceInfo,
19};
20// Re-export PolicyError from crate::types to avoid conflicts
21pub use crate::types::PolicyError;
22pub use engine::{DefaultPolicyEnforcementPoint, MockPolicyEnforcementPoint};
23
24use crate::types::*;
25use async_trait::async_trait;
26use std::sync::Arc;
27
28/// Resource Access Management Configuration
29#[derive(Debug, Clone)]
30pub struct ResourceAccessConfig {
31    /// Default deny mode - if true, deny access by default when no policy matches
32    pub default_deny: bool,
33    /// Enable policy caching for performance
34    pub enable_caching: bool,
35    /// Cache TTL for policy decisions
36    pub cache_ttl_secs: u64,
37    /// Path to policy definition files
38    pub policy_path: Option<String>,
39    /// Enable audit logging for all access decisions
40    pub enable_audit: bool,
41}
42
43impl Default for ResourceAccessConfig {
44    fn default() -> Self {
45        Self {
46            default_deny: true,
47            enable_caching: true,
48            cache_ttl_secs: 300, // 5 minutes
49            policy_path: None,
50            enable_audit: true,
51        }
52    }
53}
54
55/// Main Policy Enforcement Point for Resource Access Management
56#[async_trait]
57pub trait PolicyEnforcementPoint: Send + Sync {
58    /// Check if an agent can access a specific resource
59    async fn check_resource_access(
60        &self,
61        agent_id: AgentId,
62        resource: &ResourceAccessRequest,
63    ) -> Result<AccessDecision, PolicyError>;
64
65    /// Validate a resource allocation request
66    async fn validate_resource_allocation(
67        &self,
68        agent_id: AgentId,
69        allocation: &ResourceAllocationRequest,
70    ) -> Result<AllocationDecision, PolicyError>;
71
72    /// Load policies from configuration
73    async fn load_policies(&self, config: &ResourceAccessConfig) -> Result<(), PolicyError>;
74
75    /// Reload policies (e.g., after configuration changes)
76    async fn reload_policies(&self) -> Result<(), PolicyError>;
77
78    /// Get policy evaluation statistics
79    async fn get_enforcement_stats(&self) -> Result<EnforcementStatistics, PolicyError>;
80}
81
82/// Factory for creating policy enforcement points
83pub struct PolicyEnforcementFactory;
84
85impl PolicyEnforcementFactory {
86    /// Create a new policy enforcement point with the given configuration
87    pub async fn create_enforcement_point(
88        config: ResourceAccessConfig,
89    ) -> Result<Arc<dyn PolicyEnforcementPoint>, PolicyError> {
90        let enforcement_point = DefaultPolicyEnforcementPoint::new(config).await?;
91        Ok(Arc::new(enforcement_point))
92    }
93
94    /// Create a mock enforcement point for testing
95    pub fn create_mock_enforcement_point() -> Arc<dyn PolicyEnforcementPoint> {
96        Arc::new(MockPolicyEnforcementPoint::new())
97    }
98}