auth-policy

auth-policy is a work-in-progress Rust crate for evaluating authorization decisions against declarative policies. It aims to make it easy to express who can do what in your application, apply those rules consistently, and audit the decisions that were made.

Why this crate would be useful

• Declarative policy model: Define allow/deny rules once and reuse them anywhere in your stack without scattering if statements throughout the codebase.
• Policy layering: Combine organization-wide rules with team, resource, or user specific overrides while keeping evaluation deterministic.
• Attribute-aware decisions: Evaluate policies against arbitrary attributes about the actor, action, resource, or environment (time, IP, etc.).
• Consistent auditing: Produce decision traces so you can explain why a request was authorized or denied.

Proposed feature set

• Policy builder DSL and parser (JSON/YAML/Serde-friendly) for authoring rules.
• Evaluation engine that supports allow, deny, and conditional effects with explicit precedence.
• Pluggable data providers for loading subject, resource, and environmental attributes at decision time.
• Decision logging hooks that integrate with tracing and observability stacks.
• Extensible condition library (time windows, string/regex matchers, numeric comparisons, set membership).

Example (future API)

use auth_policy::{
    decision::{Decision, Effect},
    engine::PolicyEngine,
    policy::{Condition, Policy, Target},
    request::Request,
};

// Build a policy set that allows team members to read a document they own.
let policy = Policy::builder("document-read")
    .target(Target::action("document:read"))
    .condition(Condition::equals("resource.owner_id", "actor.id"))
    .effect(Effect::Permit)
    .build()?;

let engine = PolicyEngine::from_policies([policy]);

let request = Request::new()
    .actor_attr("id", "user-123")
    .action("document:read")
    .resource_attr("owner_id", "user-123");

let decision = engine.evaluate(&request)?;
assert_eq!(decision, Decision::Permit);

Notice

⚠️ This crate is in early development. The API above is aspirational and serves as a design target while the crate is being implemented.

Getting started

1. Add the crate once it is published:

   [dependencies]
   auth-policy = "0.1"

2. Model your authorization rules using the built-in policy DSL or load them from JSON/YAML.

3. Instantiate a PolicyEngine, feed it the incoming request, and handle the returned decision.

Roadmap ideas

• MVP policy evaluator with explicit allow/deny semantics.
• Condition library for common comparison operators and trait-based extension points.
• Optional storage adapters (in-memory, file-backed, database-backed) for policies.
• WASM-friendly core so the same engine can run on the server or at the edge.
• CLI tooling to validate policies, visualize decision flows, and run test scenarios.

Contributing

The project is at an early prototyping stage. Feel free to open issues to discuss design questions or submit pull requests that move the proposed functionality forward. Consistent formatting (cargo fmt) and test coverage (cargo test) keep the codebase healthy.

License

Distributed under the MIT license. See LICENCE for details.