authly_common/policy/
code.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
//! Code definitions for the Authly policy engine.

use int_enum::IntEnum;

/// The outcome of a policy engine evaluation.
#[derive(Clone, Copy, Eq, PartialEq, Debug)]
pub enum Outcome {
    /// Represents denied access.
    Deny,
    /// Represents allowed access.
    Allow,
}

/// typed opcode representation for policy engine instructions.
#[derive(PartialEq, Eq, Debug)]
#[allow(missing_docs)]
pub enum OpCode {
    LoadSubjectId(u128),
    LoadSubjectAttrs,
    LoadResourceId(u128),
    LoadResourceAttrs,
    LoadConstId(u128),
    IsEq,
    SupersetOf,
    IdSetContains,
    And,
    Or,
    Not,
    TrueThenAllow,
    TrueThenDeny,
    FalseThenAllow,
    FalseThenDeny,
}

/// bytecode representation for policy engine instructions.
#[repr(u8)]
#[derive(IntEnum, Debug)]
#[allow(missing_docs)]
pub enum Bytecode {
    LoadSubjectId = 0,
    LoadSubjectAttrs = 1,
    LoadResourceId = 2,
    LoadResourceAttrs = 3,
    LoadConstId = 4,
    IsEq = 5,
    SupersetOf = 6,
    IdSetContains = 7,
    And = 8,
    Or = 9,
    Not = 10,
    TrueThenAllow = 11,
    TrueThenDeny = 12,
    FalseThenAllow = 13,
    FalseThenDeny = 14,
}

/// Convert slice of opcodes to bytecode.
pub fn to_bytecode(opcodes: &[OpCode]) -> Vec<u8> {
    let mut out = Vec::with_capacity(opcodes.len());

    for opcode in opcodes {
        match opcode {
            OpCode::LoadSubjectId(eid) => {
                out.push(Bytecode::LoadSubjectId as u8);
                out.extend(unsigned_varint::encode::u128(*eid, &mut Default::default()));
            }
            OpCode::LoadSubjectAttrs => {
                out.push(Bytecode::LoadSubjectAttrs as u8);
            }
            OpCode::LoadResourceId(eid) => {
                out.push(Bytecode::LoadResourceId as u8);
                out.extend(unsigned_varint::encode::u128(*eid, &mut Default::default()));
            }
            OpCode::LoadResourceAttrs => {
                out.push(Bytecode::LoadResourceAttrs as u8);
            }
            OpCode::LoadConstId(id) => {
                out.push(Bytecode::LoadConstId as u8);
                out.extend(unsigned_varint::encode::u128(*id, &mut Default::default()));
            }
            OpCode::IsEq => {
                out.push(Bytecode::IsEq as u8);
            }
            OpCode::SupersetOf => {
                out.push(Bytecode::SupersetOf as u8);
            }
            OpCode::IdSetContains => {
                out.push(Bytecode::IdSetContains as u8);
            }
            OpCode::And => {
                out.push(Bytecode::And as u8);
            }
            OpCode::Or => {
                out.push(Bytecode::Or as u8);
            }
            OpCode::Not => {
                out.push(Bytecode::Not as u8);
            }
            OpCode::TrueThenAllow => {
                out.push(Bytecode::TrueThenAllow as u8);
            }
            OpCode::TrueThenDeny => {
                out.push(Bytecode::TrueThenDeny as u8);
            }
            OpCode::FalseThenAllow => {
                out.push(Bytecode::FalseThenAllow as u8);
            }
            OpCode::FalseThenDeny => {
                out.push(Bytecode::FalseThenDeny as u8);
            }
        }
    }

    out
}