Supports Departure Labs DLIP 3
This is a library for creating and evaluating resource based policies.
The core components of a policy are Effect, Statement, Request, and Policy:
Effect: An enum representing the effect of a statement on a requestStatement: A set of conditions (e.g. identity, resource, operation) that determine the effect of a requestRequest: An object containing information about the action, resource and caller of a requestPolicy: A collection of statementsA Policy is a set of rules, represented as a list of Statement objects, used to determine whether a Request should be authorized or not. Each Statement has an Effect which specifies whether the statement allows or denies access to a particular resource. When multiple statements apply to the same Request, the policy must select the Effect from the least permissive statement.
By using a Policy and a Request together, this authorization system can evaluate whether a particular request should be authorized or not based on the rules set forth in the Policy.
Create a policy by instantiating a Policy and adding Statements to it:
```rust let mut policy = Policy::default();
let statement1 = Statement::new( Effect::Allow, vec![StatementIdentity::Any], vec!["read".tostring()], vec![StatementResource::Resource("/path/to/resource".tostring())], );
policy.add_statement(statement1);
let statement2 = Statement::new( Effect::Deny, vec![StatementIdentity::Identity(Principal::User("bob".tostring()))], vec!["write".tostring(), "delete".tostring()], vec![StatementResource::Resource("/path/to/resource".tostring())], );
policy.add_statement(statement2); ```
Evaluate a policy by instantiating a Request and passing it to the Policy::get_effect method:
```rust let request = Request::new( "read".tostring(), RequestResourceBuilder::new("/path/to/resource").build(), Principal::User("bob".tostring()), ); let effect = policy.geteffect(&request); asserteq!(effect, Effect::Deny);