Struct cedar_policy::Authorizer
pub struct Authorizer(/* private fields */);
Authorizer object, which provides responses to authorization queries
Implementations

impl Authorizer

pub fn new() -> Self
Create a new Authorizer.

The authorizer uses the stacker crate to manage stack size and tries to use a sane default. If the default is not right for you, you can try wrapping the authorizer or individual calls to is_authorized in stacker::grow.
let authorizer = Authorizer::new();
let r = authorizer.is_authorized(&request, &policy, &entities);
pub fn is_authorized(&self, r: &Request, p: &PolicySet, e: &Entities) -> Response

Returns an authorization response for r with respect to the given PolicySet and Entities.
The language spec and formal model give a precise definition of how this is computed.
use cedar_policy::*;
use std::str::FromStr;

// create a request
let p_eid = EntityId::from_str("alice").unwrap();
let p_name: EntityTypeName = EntityTypeName::from_str("User").unwrap();
let p = EntityUid::from_type_name_and_id(p_name, p_eid);
let a_eid = EntityId::from_str("view").unwrap();
let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
let a = EntityUid::from_type_name_and_id(a_name, a_eid);
let r_eid = EntityId::from_str("trip").unwrap();
let r_name: EntityTypeName = EntityTypeName::from_str("Album").unwrap();
let r = EntityUid::from_type_name_and_id(r_name, r_eid);
let c = Context::empty();
// no schema is supplied (last argument), so the request is not validated against one
let request: Request = Request::new(Some(p), Some(a), Some(r), c, None).unwrap();
// create a policy
let s = r#"
permit (
    principal == User::"alice",
    action == Action::"view",
    resource == Album::"trip"
)
when { principal.ip_addr.isIpv4() };
"#;
let policy = PolicySet::from_str(s).expect("policy error");
// create entities; ip_addr uses the ipaddr extension type
let e = r#"[
    {
        "uid": {"type":"User","id":"alice"},
        "attrs": {
            "age":19,
            "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
        },
        "parents": []
    }
]"#;
let entities = Entities::from_json_str(e, None).expect("entity error");
let authorizer = Authorizer::new();
let response = authorizer.is_authorized(&request, &policy, &entities);
assert_eq!(response.decision(), Decision::Allow);
Available on crate feature partial-eval only.

A partially evaluated authorization request. The Authorizer will attempt to make as much progress as possible in the presence of unknowns. If the Authorizer can reach a response, it will return that response. Otherwise, it will return a list of residual policies that still need to be evaluated.
pub fn evaluate_policies_partial(
    &self,
    query: &Request,
    policy_set: &PolicySet,
    entities: &Entities
) -> EvaluationResponse

Available on crate feature partial-eval only.

Evaluate an authorization request and respond with results that always include residuals, even if the Authorizer already reached a decision.