Authorization primitives for role-, group-, and permission-based access control.
This module is where you define who should be allowed through and how to evaluate that decision against an account.
If you are new to webgates-core, the usual flow is:
- create or load an crate::accounts::Account
- build an access_policy::AccessPolicy that describes the requirement
- evaluate it with authorization_service::AuthorizationService
§Main types
- access_hierarchy::AccessHierarchy defines how custom role types support supervisor checks
- access_policy::AccessPolicy declares role, group, and permission requirements
- authorization_service::AuthorizationService evaluates a policy against an account
- errors::AuthzError contains authorization-related error values
Import items directly from their owning submodule for a single canonical path.
§Quick start
use webgates_core::accounts::Account;
use webgates_core::authz::access_policy::AccessPolicy;
use webgates_core::authz::authorization_service::AuthorizationService;
use webgates_core::groups::Group;
use webgates_core::roles::Role;
let account = Account::<Role, Group>::new("user@example.com")
    .with_groups(vec![Group::new("engineering")]);
let policy = AccessPolicy::<Role, Group>::require_group(Group::new("engineering"));
let authz = AuthorizationService::new(policy);
assert!(authz.is_authorized(&account));
§Policy composition
Policies use OR semantics. Authorization succeeds when any configured role, group, or permission requirement matches.
use webgates_core::authz::access_policy::AccessPolicy;
use webgates_core::groups::Group;
use webgates_core::roles::Role;
let policy = AccessPolicy::<Role, Group>::require_role(Role::Admin)
    .or_require_group(Group::new("security-team"))
    .or_require_permission("emergency:access");
assert!(policy.has_requirements());
§Hierarchical roles
Use access_policy::AccessPolicy::<R, G>::require_role_or_supervisor when a
higher-privileged role should satisfy a lower-privileged requirement.
use webgates_core::authz::access_policy::AccessPolicy;
use webgates_core::groups::Group;
use webgates_core::roles::Role;
let policy = AccessPolicy::<Role, Group>::require_role_or_supervisor(Role::Moderator);
assert!(policy.has_requirements());
Modules§
- access_hierarchy - Trait that marks a type as participating in role-hierarchy checks.
- access_policy - Domain object describing who may access a protected resource.
- authorization_service - Domain service for evaluating access policies against accounts.
- errors - Authorization-category error values. Authorization-related error values.
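The OR semantics from "Policy composition" and the supervisor check from "Hierarchical roles" are easy to misread as narrowing access, so here is an added stand-alone model of both. It is not webgates-core code and does not use its API: the `Requirement` and `Policy` types are hypothetical, and the role ordering (variants declared lowest to highest) is an assumption made for this sketch.

```rust
// Simplified stand-alone model (hypothetical types, not the webgates-core API).
// Assumption: variants are declared lowest to highest, so `>=` means "same role or supervisor".
#[derive(Clone, Copy, PartialEq, PartialOrd)]
enum Role { User, Moderator, Admin }

struct Account {
    roles: Vec<Role>,
    groups: Vec<&'static str>,
    permissions: Vec<&'static str>,
}

enum Requirement {
    Role(Role),
    RoleOrSupervisor(Role),
    Group(&'static str),
    Permission(&'static str),
}

struct Policy(Vec<Requirement>);

impl Policy {
    // OR semantics: a single matching requirement authorizes the account.
    fn is_authorized(&self, account: &Account) -> bool {
        self.0.iter().any(|req| match req {
            Requirement::Role(r) => account.roles.contains(r),
            Requirement::RoleOrSupervisor(r) => account.roles.iter().any(|held| held >= r),
            Requirement::Group(g) => account.groups.contains(g),
            Requirement::Permission(p) => account.permissions.contains(p),
        })
    }
}

// Mirrors the composition shown on this page: Admin OR security-team OR emergency:access.
fn emergency_policy() -> Policy {
    Policy(vec![
        Requirement::Role(Role::Admin),
        Requirement::Group("security-team"),
        Requirement::Permission("emergency:access"),
    ])
}

fn main() {
    // Constructed sample account: no Admin role, but a member of security-team.
    let analyst = Account { roles: vec![Role::User], groups: vec!["security-team"], permissions: vec![] };
    // Each added alternative widens access: the group alone is sufficient.
    println!("analyst allowed: {}", emergency_policy().is_authorized(&analyst));
    // In this model an exact-role requirement ignores rank; the supervisor variant accepts higher roles.
    let admin = Account { roles: vec![Role::Admin], groups: vec![], permissions: vec![] };
    println!("exact moderator: {}", Policy(vec![Requirement::Role(Role::Moderator)]).is_authorized(&admin));
    println!("moderator or supervisor: {}", Policy(vec![Requirement::RoleOrSupervisor(Role::Moderator)]).is_authorized(&admin));
}
```

When reviewing a policy built this way, read every `or_` clause as an additional way in: a requirement that must hold together with another cannot be expressed by chaining alternatives.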