1 unstable release

0.1.0 Feb 25, 2023

#30 in #cdk

MIT license

20KB
473 lines

Departure Labs Authorize

Supports Departure Labs DLIP 3

This is a library for creating and evaluating resource based policies.

The core components of a policy are Effect, Statement, Request, and Policy:

  • Effect: An enum representing the effect of a statement on a request
  • Statement: A set of conditions (e.g. identity, resource, operation) that determine the effect of a request
  • Request: An object containing information about the action, resource and caller of a request
  • Policy: A collection of statements

How it works

A Policy is a set of rules, represented as a list of Statement objects, used to determine whether a Request should be authorized or not. Each Statement has an Effect which specifies whether the statement allows or denies access to a particular resource. When multiple statements apply to the same Request, the policy must select the Effect from the least permissive statement.

By using a Policy and a Request together, this authorization system can evaluate whether a particular request should be authorized or not based on the rules set forth in the Policy.

Usage

Creating a Policy

Create a policy by instantiating a Policy and adding Statements to it:

let mut policy = Policy::default();

let statement1 = Statement::new(
    Effect::Allow,
    vec![StatementIdentity::Any],
    vec!["read".to_string()],
    vec![StatementResource::Resource("/path/to/resource".to_string())],
);

policy.add_statement(statement1);

let statement2 = Statement::new(
    Effect::Deny,
    vec![StatementIdentity::Identity(Principal::User("bob".to_string()))],
    vec!["write".to_string(), "delete".to_string()],
    vec![StatementResource::Resource("/path/to/resource".to_string())],
);

policy.add_statement(statement2);

Evaluating a Policy

Evaluate a policy by instantiating a Request and passing it to the Policy::get_effect method:

let request = Request::new(
    "read".to_string(),
    RequestResourceBuilder::new("/path/to/resource").build(),
    Principal::User("bob".to_string()),
);
let effect = policy.get_effect(&request);
assert_eq!(effect, Effect::Deny);


Dependencies

~7–15MB
~187K SLoC