neo3/neo_fs/acl.rs
1// Copyright (c) 2023-2025 R3E Network
2// Licensed under the Apache License, Version 2.0 (the "License");
3// you may not use this file except in compliance with the License.
4// You may obtain a copy of the License at
5//
6// http://www.apache.org/licenses/LICENSE-2.0
7//
8// Unless required by applicable law or agreed to in writing, software
9// distributed under the License is distributed on an "AS IS" BASIS,
10// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11// See the License for the specific language governing permissions and
12// limitations under the License.
13
14//! # NeoFS Access Control
15//!
16//! This module provides types and functions for working with NeoFS access control.
17
18use chrono::{DateTime, Utc};
19use serde::{Deserialize, Serialize};
20
21use crate::neo_fs::types::{AccessPermission, ContainerId, OwnerId};
22
23/// Operation that can be performed on an object or container
24#[derive(Debug, Clone, Serialize, Deserialize)]
25pub enum Operation {
26 /// Container operations
27 Container(ContainerOperation),
28 /// Object operations
29 Object(ObjectOperation),
30}
31
32/// Container operations
33#[derive(Debug, Clone, Serialize, Deserialize)]
34pub enum ContainerOperation {
35 /// Get container metadata
36 Get,
37 /// Update container metadata
38 Put,
39 /// Delete container
40 Delete,
41 /// Get extended ACL
42 GetEACL,
43 /// Set extended ACL
44 SetEACL,
45}
46
47/// Object operations
48#[derive(Debug, Clone, Serialize, Deserialize)]
49pub enum ObjectOperation {
50 /// Get object data
51 Get,
52 /// Upload object
53 Put,
54 /// Get object metadata
55 Head,
56 /// Search objects
57 Search,
58 /// Delete object
59 Delete,
60 /// Get object range (partial data)
61 Range,
62 /// Get object hash
63 Hash,
64}
65
66/// Access target for EACL rules
67#[derive(Debug, Clone, Serialize, Deserialize)]
68pub struct Target {
69 /// Role that the target applies to
70 pub role: TargetRole,
71 /// Keys that define the target
72 pub keys: Vec<String>,
73}
74
75/// Target role in EACL
76#[derive(Debug, Clone, Serialize, Deserialize)]
77pub enum TargetRole {
78 /// Target is an object/container owner
79 Owner,
80 /// Target is part of a specific group
81 Group,
82 /// Target refers to specific users
83 Users,
84 /// Target includes any authenticated user
85 Others,
86}
87
88/// Action to perform for matching EACL rule
89#[derive(Debug, Clone, Serialize, Deserialize)]
90pub enum Action {
91 /// Allow the operation
92 Allow,
93 /// Deny the operation
94 Deny,
95}
96
97/// Filter for EACL rules
98#[derive(Debug, Clone, Serialize, Deserialize)]
99pub struct Filter {
100 /// Header key to match
101 pub key: String,
102 /// Value to match
103 pub value: String,
104 /// Matching operation
105 pub operation: FilterOperation,
106}
107
108/// Filter operation types
109#[derive(Debug, Clone, Serialize, Deserialize)]
110pub enum FilterOperation {
111 /// Equals
112 Eq,
113 /// Not equals
114 Ne,
115 /// Greater than
116 Gt,
117 /// Greater than or equals
118 Ge,
119 /// Less than
120 Lt,
121 /// Less than or equals
122 Le,
123}
124
125/// Single EACL rule
126#[derive(Debug, Clone, Serialize, Deserialize)]
127pub struct EACLRecord {
128 /// Operation the rule applies to
129 pub operation: Operation,
130 /// Action to take (allow/deny)
131 pub action: Action,
132 /// Target the rule applies to
133 pub target: Target,
134 /// Filters for additional matching
135 pub filters: Vec<Filter>,
136}
137
138/// Extended Access Control List
139#[derive(Debug, Clone, Serialize, Deserialize)]
140pub struct EACL {
141 /// Container the EACL applies to
142 pub container_id: ContainerId,
143 /// EACL records (rules)
144 pub records: Vec<EACLRecord>,
145}
146
147impl EACL {
148 /// Creates a new EACL for the specified container
149 pub fn new(container_id: ContainerId) -> Self {
150 Self { container_id, records: Vec::new() }
151 }
152
153 /// Adds a record to the EACL
154 pub fn add_record(&mut self, record: EACLRecord) {
155 self.records.push(record);
156 }
157}
158
159/// Bearer token for delegated access to NeoFS resources
160#[derive(Debug, Clone, Serialize, Deserialize)]
161pub struct BearerToken {
162 /// Token owner
163 pub owner_id: OwnerId,
164 /// Token ID
165 pub token_id: String,
166 /// When the token expires
167 pub expiration: DateTime<Utc>,
168 /// Allowed operations
169 pub operations: Vec<AccessPermission>,
170 /// Container this token grants access to
171 pub container_id: ContainerId,
172 /// Signature to validate the token
173 pub signature: Vec<u8>,
174}
175
176/// Session token for authenticated access to NeoFS resources
177#[derive(Debug, Clone, Serialize, Deserialize)]
178pub struct SessionToken {
179 /// Token ID
180 pub token_id: String,
181 /// Identity of the user
182 pub owner_id: OwnerId,
183 /// When the session expires
184 pub expiration: DateTime<Utc>,
185 /// Session key
186 pub session_key: String,
187 /// Signature to validate the session
188 pub signature: Vec<u8>,
189}