| Crates.io | gatehouse |
| lib.rs | gatehouse |
| version | 0.1.3 |
| created_at | 2025-03-24 04:51:52.221813+00 |
| updated_at | 2025-03-25 03:48:48.539484+00 |
| description | A flexible authorization library that combines role-based (RBAC), attribute-based (ABAC), and relationship-based (ReBAC) access control policies. |
| homepage | |
| repository | https://github.com/thepartly/gatehouse |
| max_upload_size | |
| id | 1603384 |
| size | 147,205 |
A flexible authorization library that combines role-based (RBAC), attribute-based (ABAC), and relationship-based (ReBAC) access control policies.
AND, OR, NOT)

Policy Trait

The foundation of the authorization system:
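```rust
use async_trait::async_trait;

#[async_trait]
trait Policy<Subject, Resource, Action, Context> {
    // Decide whether `subject` may perform `action` on `resource` given `context`.
    async fn evaluate_access(
        &self,
        subject: &Subject,
        action: &Action,
        resource: &Resource,
        context: &Context,
    ) -> PolicyEvalResult;
}
```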
PermissionChecker

Aggregates multiple policies (e.g. RBAC, ABAC) with OR logic by default: if any policy grants access, permission is granted.
```rust
let mut checker = PermissionChecker::new();
checker.add_policy(rbac_policy);
checker.add_policy(owner_policy);

// Check if access is granted
let result = checker.evaluate_access(&user, &action, &resource, &context).await;
if result.is_granted() {
    // Access allowed
} else {
    // Access denied
}
```
The PolicyBuilder provides a fluent API to construct custom policies by chaining predicate functions for
subjects, actions, resources, and context. Once built, the policy can be added to a PermissionChecker.
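```rust
// Each closure is a predicate over the named part of the request;
// `when` receives all four parts together.
let custom_policy = PolicyBuilder::<MySubject, MyResource, MyAction, MyContext>::new("CustomPolicy")
    .subjects(|s| /* ... */)
    .actions(|a| /* ... */)
    .resources(|r| /* ... */)
    .context(|c| /* ... */)
    .when(|s, a, r, c| /* ... */)
    .build();
```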
- AndPolicy: Grants access only if all inner policies allow access
- OrPolicy: Grants access if any inner policy allows access
- NotPolicy: Inverts the decision of an inner policy
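
Because the checker ORs its policies, a restriction registered as one more policy widens access instead of narrowing it; it has to be composed inside a single policy with the combinators. The following is an added example, not gatehouse's code or API: a std-only, synchronous model of the semantics described above, in which every name (`Policy`, `check`, `naive`, `guarded`, `User`, `Doc`) is hypothetical.

```rust
// Simplified, synchronous model of the semantics described above.
// Hypothetical names throughout; this is not gatehouse's API.
struct User { id: u32, roles: Vec<&'static str>, suspended: bool }
struct Doc { owner_id: u32 }

enum Policy {
    Leaf(fn(&User, &Doc) -> bool),
    And(Vec<Policy>),
    Or(Vec<Policy>),
    Not(Box<Policy>),
}

impl Policy {
    fn allows(&self, u: &User, d: &Doc) -> bool {
        match self {
            Policy::Leaf(pred) => pred(u, d),
            // Fail closed: an empty AND grants nothing (a choice made for this model).
            Policy::And(ps) => !ps.is_empty() && ps.iter().all(|p| p.allows(u, d)),
            Policy::Or(ps) => ps.iter().any(|p| p.allows(u, d)),
            Policy::Not(p) => !p.allows(u, d),
        }
    }
}

fn is_admin(u: &User, _: &Doc) -> bool { u.roles.contains(&"admin") }
fn is_owner(u: &User, d: &Doc) -> bool { u.id == d.owner_id }
fn is_suspended(u: &User, _: &Doc) -> bool { u.suspended }

// Checker model: OR across registered policies, so any single grant wins.
fn check(policies: &[Policy], u: &User, d: &Doc) -> bool {
    policies.iter().any(|p| p.allows(u, d))
}

// Mistake: the restriction is registered as a third OR-ed policy.
fn naive() -> Vec<Policy> {
    vec![Policy::Leaf(is_admin), Policy::Leaf(is_owner),
         Policy::Not(Box::new(Policy::Leaf(is_suspended)))]
}

// Corrected: one policy, (admin OR owner) AND NOT suspended.
fn guarded() -> Vec<Policy> {
    let grant = Policy::Or(vec![Policy::Leaf(is_admin), Policy::Leaf(is_owner)]);
    vec![Policy::And(vec![grant, Policy::Not(Box::new(Policy::Leaf(is_suspended)))])]
}

fn main() {
    let doc = Doc { owner_id: 1 };
    let suspended_admin = User { id: 2, roles: vec!["admin"], suspended: true };
    println!("naive={} guarded={}", check(&naive(), &suspended_admin, &doc),
             check(&guarded(), &suspended_admin, &doc));
}
```

In the naive set the suspended admin is still granted by the admin policy, and any non-suspended user with no role is granted by the NOT policy alone; the guarded set denies both.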
See the examples directory for complete demonstrations of:

- rbac_policy
- rebac_policy
- combinator_policy

Run with:

```sh
cargo run --example rbac_policy
```