Struct Authorizer

pub struct Authorizer(/* private fields */);

Authorizer object, which provides responses to authorization queries

Implementations

impl Authorizer

pub fn new() -> Self

Create a new Authorizer

The authorizer uses the stacker crate to manage stack size and tries to use a sane default. If the default is not right for you, you can try wrapping the authorizer or individual calls to is_authorized in stacker::grow. Note that on platforms not supported by stacker (e.g., Wasm, Android), the authorizer will simply assume that the stack size is sufficient. As a result, large inputs may result in stack overflows and crashing the process. But on all platforms supported by stacker (Linux, macOS, …), Cedar will return the graceful error RecursionLimit instead of crashing.

let authorizer = Authorizer::new();
let r = authorizer.is_authorized(&request, &policy, &entities);

pub fn is_authorized( &self, r: &Request, p: &PolicySet, e: &Entities, ) -> Response

Returns an authorization response for r with respect to the given PolicySet and Entities.

The language spec and formal model give a precise definition of how this is computed.

// create a request
let p_eid = EntityId::from_str("alice").unwrap();
let p_name: EntityTypeName = EntityTypeName::from_str("User").unwrap();
let p = EntityUid::from_type_name_and_id(p_name, p_eid);

let a_eid = EntityId::from_str("view").unwrap();
let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
let a = EntityUid::from_type_name_and_id(a_name, a_eid);

let r_eid = EntityId::from_str("trip").unwrap();
let r_name: EntityTypeName = EntityTypeName::from_str("Album").unwrap();
let r = EntityUid::from_type_name_and_id(r_name, r_eid);

let c = Context::empty();

let request: Request = Request::new(p, a, r, c, None).unwrap();

// create a policy
let s = r#"
permit (
  principal == User::"alice",
  action == Action::"view",
  resource == Album::"trip"
)
when { principal.ip_addr.isIpv4() };
"#;
let policy = PolicySet::from_str(s).expect("policy error");

// create entities
let e = r#"[
    {
        "uid": {"type":"User","id":"alice"},
        "attrs": {
            "age":19,
            "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
        },
        "parents": []
    }
]"#;
let entities = Entities::from_json_str(e, None).expect("entity error");

let authorizer = Authorizer::new();
let response = authorizer.is_authorized(&request, &policy, &entities);
assert_eq!(response.decision(), Decision::Allow);

pub fn is_authorized_partial( &self, query: &Request, policy_set: &PolicySet, entities: &Entities, ) -> PartialResponse

Available on crate feature partial-eval only.

A partially evaluated authorization request. The Authorizer will attempt to make as much progress as possible in the presence of unknowns. If the Authorizer can reach a response, it will return that response. Otherwise, it will return a list of residual policies that still need to be evaluated.

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

Trait Implementations

impl Clone for Authorizer

fn clone(&self) -> Authorizer

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Authorizer

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Authorizer

fn default() -> Self

Returns the “default value” for a type.

impl RefCast for Authorizer

type From = Authorizer

fn ref_cast(_from: &Self::From) -> &Self

fn ref_cast_mut(_from: &mut Self::From) -> &mut Self