cedar_policy

Struct Authorizer

Source
pub struct Authorizer(/* private fields */);
Expand description

Authorizer object, which provides responses to authorization queries

Implementations§

Source§

impl Authorizer

Source

pub fn new() -> Self

Create a new Authorizer

The authorizer uses the stacker crate to manage stack size and tries to use a sane default. If the default is not right for you, you can try wrapping the authorizer or individual calls to is_authorized in stacker::grow.

let authorizer = Authorizer::new();
let r = authorizer.is_authorized(&request, &policy, &entities);
Source

pub fn is_authorized( &self, r: &Request, p: &PolicySet, e: &Entities, ) -> Response

Returns an authorization response for r with respect to the given PolicySet and Entities.

The language spec and formal model give a precise definition of how this is computed.

// create a request
let p_eid = EntityId::from_str("alice").unwrap();
let p_name: EntityTypeName = EntityTypeName::from_str("User").unwrap();
let p = EntityUid::from_type_name_and_id(p_name, p_eid);

let a_eid = EntityId::from_str("view").unwrap();
let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
let a = EntityUid::from_type_name_and_id(a_name, a_eid);

let r_eid = EntityId::from_str("trip").unwrap();
let r_name: EntityTypeName = EntityTypeName::from_str("Album").unwrap();
let r = EntityUid::from_type_name_and_id(r_name, r_eid);

let c = Context::empty();

let request: Request = Request::new(p, a, r, c, None).unwrap();

// create a policy
let s = r#"
permit (
  principal == User::"alice",
  action == Action::"view",
  resource == Album::"trip"
)
when { principal.ip_addr.isIpv4() };
"#;
let policy = PolicySet::from_str(s).expect("policy error");

// create entities
let e = r#"[
    {
        "uid": {"type":"User","id":"alice"},
        "attrs": {
            "age":19,
            "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
        },
        "parents": []
    }
]"#;
let entities = Entities::from_json_str(e, None).expect("entity error");

let authorizer = Authorizer::new();
let response = authorizer.is_authorized(&request, &policy, &entities);
assert_eq!(response.decision(), Decision::Allow);
Source

pub fn is_authorized_partial( &self, query: &Request, policy_set: &PolicySet, entities: &Entities, ) -> PartialResponse

Available on crate feature partial-eval only.

A partially evaluated authorization request. The Authorizer will attempt to make as much progress as possible in the presence of unknowns. If the Authorizer can reach a response, it will return that response. Otherwise, it will return a list of residual policies that still need to be evaluated.

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

Trait Implementations§

Source§

impl Debug for Authorizer

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for Authorizer

Source§

fn default() -> Self

Returns the “default value” for a type. Read more
Source§

impl RefCast for Authorizer

Source§

type From = Authorizer

Source§

fn ref_cast(_from: &Self::From) -> &Self

Source§

fn ref_cast_mut(_from: &mut Self::From) -> &mut Self

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.