1 unstable release
0.1.0 | Feb 25, 2023 |
---|
#30 in #cdk
20KB
473 lines
Departure Labs Authorize
Supports Departure Labs DLIP 3
This is a library for creating and evaluating resource based policies.
The core components of a policy are Effect
, Statement
, Request
, and Policy
:
Effect
: An enum representing the effect of a statement on a requestStatement
: A set of conditions (e.g. identity, resource, operation) that determine the effect of a requestRequest
: An object containing information about the action, resource and caller of a requestPolicy
: A collection of statements
How it works
A Policy
is a set of rules, represented as a list of Statement
objects, used to determine whether a Request
should be authorized or not. Each Statement
has an Effect
which specifies whether the statement allows or denies access to a particular resource. When multiple statements apply to the same Request, the policy must select the Effect
from the least permissive statement.
By using a Policy
and a Request
together, this authorization system can evaluate whether a particular request should be authorized or not based on the rules set forth in the Policy
.
Usage
Creating a Policy
Create a policy by instantiating a Policy
and adding Statement
s to it:
let mut policy = Policy::default();
let statement1 = Statement::new(
Effect::Allow,
vec![StatementIdentity::Any],
vec!["read".to_string()],
vec![StatementResource::Resource("/path/to/resource".to_string())],
);
policy.add_statement(statement1);
let statement2 = Statement::new(
Effect::Deny,
vec![StatementIdentity::Identity(Principal::User("bob".to_string()))],
vec!["write".to_string(), "delete".to_string()],
vec![StatementResource::Resource("/path/to/resource".to_string())],
);
policy.add_statement(statement2);
Evaluating a Policy
Evaluate a policy by instantiating a Request
and passing it to the Policy::get_effect
method:
let request = Request::new(
"read".to_string(),
RequestResourceBuilder::new("/path/to/resource").build(),
Principal::User("bob".to_string()),
);
let effect = policy.get_effect(&request);
assert_eq!(effect, Effect::Deny);
Dependencies
~7–15MB
~187K SLoC