Trait wasmcloud_host::Authorizer

pub trait Authorizer: CloneAuthorizer + Sync + Send {
    fn can_load(&self, claims: &Claims<Actor>) -> bool;
    fn can_invoke(
        &self,
        claims: &Claims<Actor>,
        target: &WasmCloudEntity,
        operation: &str
    ) -> bool;
}

An authorizer is responsible for determining whether an actor can be loaded as well as whether an actor can invoke another entity. For invocation checks, the authorizer is only ever invoked after an initial capability attestation check has been performed and passed. This has the net effect of making it impossible to override the base behavior of checking that an actor’s embedded JWT contains the right capability attestations.

Required methods

can_load: This check is performed during the start_actor call, allowing the custom authorizer to do things like verify a provenance chain, make external calls, etc.

can_invoke: This check will be performed for every invocation that has passed the base capability check, including the operation that occurs during set_link.
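A default-deny allow-list policy written against the two method signatures above, as an added example that is not code from the wasmcloud_host project. `AllowListAuthorizer`, the local stand-in types (including the `issuer` and `subject` fields and the shape of `WasmCloudEntity`), the omitted `CloneAuthorizer` bound, and all identifiers in `main` are assumptions made so the block compiles on its own.

```rust
use std::collections::HashSet;

// Stand-ins (assumptions) so this compiles without wasmcloud_host/wascap;
// the real Claims<Actor> and WasmCloudEntity carry more data than shown.
pub struct Actor;
pub struct Claims<T> { pub issuer: String, pub subject: String, pub metadata: Option<T> }
pub enum WasmCloudEntity { Actor(String), Capability { id: String, contract_id: String } }
// Method signatures copied from the trait above; CloneAuthorizer bound omitted.
pub trait Authorizer: Sync + Send {
    fn can_load(&self, claims: &Claims<Actor>) -> bool;
    fn can_invoke(&self, claims: &Claims<Actor>, target: &WasmCloudEntity, operation: &str) -> bool;
}

/// Hypothetical default-deny policy: only actors signed by a trusted issuer
/// load, and each (actor, target, operation) triple needs an explicit rule.
pub struct AllowListAuthorizer {
    trusted_issuers: HashSet<String>,
    rules: HashSet<(String, String, String)>,
}

impl AllowListAuthorizer {
    pub fn new(issuers: &[&str], rules: &[(&str, &str, &str)]) -> Self {
        Self {
            trusted_issuers: issuers.iter().map(|s| s.to_string()).collect(),
            rules: rules.iter().map(|(a, t, o)| (a.to_string(), t.to_string(), o.to_string())).collect(),
        }
    }
}

impl Authorizer for AllowListAuthorizer {
    fn can_load(&self, claims: &Claims<Actor>) -> bool {
        self.trusted_issuers.contains(&claims.issuer)
    }
    fn can_invoke(&self, claims: &Claims<Actor>, target: &WasmCloudEntity, operation: &str) -> bool {
        let target_id = match target {
            WasmCloudEntity::Actor(id) | WasmCloudEntity::Capability { id, .. } => id,
        };
        // Require a trusted issuer here as well, so a rule alone never grants access.
        self.can_load(claims)
            && self.rules.contains(&(claims.subject.clone(), target_id.clone(), operation.to_string()))
    }
}

fn main() {
    // Constructed sample identifiers, not real keys.
    let authz = AllowListAuthorizer::new(&["ACCT_OK"], &[("M_ACTOR", "V_KV", "Get")]);
    let claims = Claims { issuer: "ACCT_OK".into(), subject: "M_ACTOR".into(), metadata: Some(Actor) };
    let kv = WasmCloudEntity::Capability { id: "V_KV".into(), contract_id: "wasmcloud:keyvalue".into() };
    println!("load={} get={} set={}", authz.can_load(&claims), authz.can_invoke(&claims, &kv, "Get"), authz.can_invoke(&claims, &kv, "Set"));
}
```

Because the host only calls can_invoke after the base capability attestation check has passed, a policy like this can narrow what an actor may do but cannot widen it.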

Implementors