DEV Community: 0xsmrpn The latest articles on DEV Community by 0xsmrpn (@smrpn). https://dev.to/smrpn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F506759%2F3b7f4bbc-c425-4e19-b4be-505b913a4c39.ico DEV Community: 0xsmrpn https://dev.to/smrpn en How to use casbin authorization in your rust web-app [Part - 3] 0xsmrpn Sat, 12 Jun 2021 04:17:21 +0000 https://dev.to/smrpn/how-to-use-casbin-authorization-in-your-rust-web-app-part-3-4g2f https://dev.to/smrpn/how-to-use-casbin-authorization-in-your-rust-web-app-part-3-4g2f <p>In this blog we'll make a new project in which we'll use the authorization model talked about in the previous blog.<br> Here is the link to the github repository for reference - <br> <a href="https://github.com/casbin-rs/examples/tree/master/actix-middleware-example">https://github.com/casbin-rs/examples/tree/master/actix-middleware-example</a></p> <p>We'll make a simple anonynous forum app using Actix-web, Casbin and Diesel, with JWT support.<br> There will be 2 roles in this app - <code>admin</code> and <code>user</code></p> <p>So, let's start.<br> First, configure the <code>Cargo.toml</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[dependencies]</span> <span class="py">http</span> <span class="p">=</span> <span class="s">"0.2.1"</span> <span class="py">actix</span> <span class="p">=</span> <span class="s">"0.11.0"</span> <span class="py">actix-web</span> <span class="p">=</span> <span class="s">"3.3.2"</span> <span class="py">actix-service</span> <span class="p">=</span> <span class="s">"2.0.0"</span> <span class="py">actix-rt</span> <span class="p">=</span> <span class="s">"1.1.1"</span> <span class="py">actix-cors</span> <span class="p">=</span> <span class="s">"0.4.0"</span> <span class="py">futures</span> <span class="p">=</span> <span class="s">"0.3.5"</span> <span class="py">failure</span> <span class="p">=</span> <span class="s">"0.1.8"</span> <span class="py">serde</span> <span class="p">=</span> <span class="s">"1.0.116"</span> <span class="py">serde_derive</span> <span class="p">=</span> <span class="s">"1.0.116"</span> <span class="py">serde_json</span> <span class="p">=</span> <span class="s">"1.0.57"</span> <span class="py">derive_more</span> <span class="p">=</span> <span class="s">"0.99.10"</span> <span class="nn">chrono</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.4.18"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="nn">["serde"]</span> <span class="p">}</span> <span class="nn">diesel</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"1.4.5"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"postgres"</span><span class="p">,</span><span class="s">"r2d2"</span><span class="p">,</span> <span class="s">"chrono"</span><span class="p">]</span> <span class="p">}</span> <span class="py">diesel_migrations</span> <span class="p">=</span> <span class="s">"1.4.0"</span> <span class="py">dotenv</span> <span class="p">=</span> <span class="s">"0.15.0"</span> <span class="py">env_logger</span> <span class="p">=</span> <span class="s">"0.8.1"</span> <span class="py">log</span> <span class="p">=</span> <span class="s">"0.4.11"</span> <span class="py">jsonwebtoken</span> <span class="p">=</span> <span class="s">"7.2.0"</span> <span class="py">bcrypt</span> <span class="p">=</span> <span class="s">"0.9.0"</span> <span class="py">csv</span> <span class="p">=</span> <span class="s">"1.1.3"</span> <span class="py">walkdir</span> <span class="p">=</span> <span class="s">"2.3.1"</span> <span class="nn">actix-casbin</span><span class="o">=</span> <span class="p">{</span><span class="py">version</span> <span class="p">=</span> <span class="s">"0.4.2"</span><span class="p">,</span> <span class="py">default-features</span> <span class="p">=</span> <span class="kc">false</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"runtime-async-std"</span> <span class="p">]}</span> <span class="nn">actix-casbin-auth</span> <span class="o">=</span> <span class="p">{</span><span class="py">version</span> <span class="p">=</span> <span class="s">"0.4.4"</span><span class="p">,</span> <span class="py">default-features</span> <span class="p">=</span> <span class="kc">false</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"runtime-async-std"</span> <span class="p">]}</span> <span class="nn">diesel-adapter</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.8.1"</span><span class="p">,</span> <span class="py">default-features</span> <span class="p">=</span> <span class="kc">false</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="nn">["postgres","runtime-async-std"]</span> <span class="p">}</span> <span class="nn">uuid</span> <span class="o">=</span> <span class="p">{</span><span class="py">version</span> <span class="p">=</span> <span class="s">"0.8.1"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="nn">["v4"]</span> <span class="p">}</span> </code></pre> </div> <p>Include the <code>casbin.conf</code>. (see repo)<br> And the <code>preset_policy.csv</code>. (see the repo)<br> Create a <code>.env</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>APP_HOST=127.0.0.1 APP_PORT=8080 DATABASE_URL=postgres://databasename:password@127.0.0.1:5432/test POOL_SIZE=8 HASH_ROUNDS=12 </code></pre> </div> <p>Then, in the src folder, modify the <code>main.rs</code> - <br> Import external crates first and modules(to be made later) -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#![allow(proc_macro_derive_resolution_fallback)]</span> <span class="nd">#[macro_use]</span> <span class="k">extern</span> <span class="k">crate</span> <span class="n">diesel</span><span class="p">;</span> <span class="nd">#[macro_use]</span> <span class="k">extern</span> <span class="k">crate</span> <span class="k">log</span><span class="p">;</span> <span class="nd">#[macro_use]</span> <span class="k">extern</span> <span class="k">crate</span> <span class="n">diesel_migrations</span><span class="p">;</span> <span class="nd">#[macro_use]</span> <span class="k">extern</span> <span class="k">crate</span> <span class="n">serde_derive</span><span class="p">;</span> <span class="nd">#[macro_use]</span> <span class="k">extern</span> <span class="k">crate</span> <span class="n">serde_json</span><span class="p">;</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="nn">utils</span><span class="p">::</span><span class="nn">csv_utils</span><span class="p">::{</span><span class="n">load_csv</span><span class="p">,</span> <span class="n">walk_csv</span><span class="p">};</span> <span class="k">use</span> <span class="nn">actix</span><span class="p">::</span><span class="n">Supervisor</span><span class="p">;</span> <span class="k">use</span> <span class="nn">actix_casbin</span><span class="p">::</span><span class="nn">casbin</span><span class="p">::{</span> <span class="nn">function_map</span><span class="p">::</span><span class="n">key_match2</span><span class="p">,</span> <span class="n">CachedEnforcer</span><span class="p">,</span> <span class="n">CoreApi</span><span class="p">,</span> <span class="n">DefaultModel</span><span class="p">,</span> <span class="n">MgmtApi</span><span class="p">,</span> <span class="nb">Result</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">actix_casbin</span><span class="p">::</span><span class="n">CasbinActor</span><span class="p">;</span> <span class="k">use</span> <span class="nn">actix_casbin_auth</span><span class="p">::</span><span class="n">CasbinService</span><span class="p">;</span> <span class="k">use</span> <span class="nn">actix_cors</span><span class="p">::</span><span class="n">Cors</span><span class="p">;</span> <span class="k">use</span> <span class="nn">actix_web</span><span class="p">::</span><span class="nn">middleware</span><span class="p">::</span><span class="nn">normalize</span><span class="p">::</span><span class="n">TrailingSlash</span><span class="p">;</span> <span class="k">use</span> <span class="nn">actix_web</span><span class="p">::</span><span class="nn">middleware</span><span class="p">::</span><span class="n">Logger</span><span class="p">;</span> <span class="k">use</span> <span class="nn">actix_web</span><span class="p">::</span><span class="nn">middleware</span><span class="p">::</span><span class="n">NormalizePath</span><span class="p">;</span> <span class="k">use</span> <span class="nn">actix_web</span><span class="p">::{</span><span class="n">App</span><span class="p">,</span> <span class="n">HttpServer</span><span class="p">};</span> <span class="k">use</span> <span class="nn">diesel_adapter</span><span class="p">::</span><span class="n">DieselAdapter</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="n">env</span><span class="p">;</span> <span class="k">mod</span> <span class="n">api</span><span class="p">;</span> <span class="k">mod</span> <span class="n">config</span><span class="p">;</span> <span class="k">mod</span> <span class="n">constants</span><span class="p">;</span> <span class="k">mod</span> <span class="n">errors</span><span class="p">;</span> <span class="k">mod</span> <span class="n">middleware</span><span class="p">;</span> <span class="k">mod</span> <span class="n">models</span><span class="p">;</span> <span class="k">mod</span> <span class="n">routers</span><span class="p">;</span> <span class="k">mod</span> <span class="n">schema</span><span class="p">;</span> <span class="k">mod</span> <span class="n">services</span><span class="p">;</span> <span class="k">mod</span> <span class="n">utils</span><span class="p">;</span> </code></pre> </div> <p>We spawn a server using <code>HttpServer</code>.<br> All default values such as <code>APP_HOST</code> are defined in the <code>.env</code>.<br> We define a connection pool -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">pool</span> <span class="o">=</span> <span class="nn">config</span><span class="p">::</span><span class="nn">db</span><span class="p">::</span><span class="nf">migrate_and_config_db</span><span class="p">(</span><span class="o">&amp;</span><span class="n">database_url</span><span class="p">,</span> <span class="n">pool_size</span><span class="p">);</span> </code></pre> </div> <p>With a default pool size of 8.<br> We import our casbin model -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">model</span> <span class="o">=</span> <span class="nn">DefaultModel</span><span class="p">::</span><span class="nf">from_file</span><span class="p">(</span><span class="s">"casbin.conf"</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">adapter</span> <span class="o">=</span> <span class="nn">DieselAdapter</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">database_url</span><span class="p">,</span> <span class="n">pool_size</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">casbin_middleware</span> <span class="o">=</span> <span class="nn">CasbinService</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">model</span><span class="p">,</span> <span class="n">adapter</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">casbin_middleware</span> <span class="nf">.write</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.get_role_manager</span><span class="p">()</span> <span class="nf">.write</span><span class="p">()</span> <span class="nf">.unwrap</span><span class="p">()</span> <span class="nf">.matching_fn</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">key_match2</span><span class="p">),</span> <span class="nb">None</span><span class="p">);</span> <span class="k">let</span> <span class="n">share_enforcer</span> <span class="o">=</span> <span class="n">casbin_middleware</span><span class="nf">.get_enforcer</span><span class="p">();</span> <span class="k">let</span> <span class="n">clone_enforcer</span> <span class="o">=</span> <span class="n">share_enforcer</span><span class="nf">.clone</span><span class="p">();</span> <span class="k">let</span> <span class="n">casbin_actor</span> <span class="o">=</span> <span class="nn">CasbinActor</span><span class="p">::</span><span class="o">&lt;</span><span class="n">CachedEnforcer</span><span class="o">&gt;</span><span class="p">::</span><span class="nf">set_enforcer</span><span class="p">(</span><span class="n">share_enforcer</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">started_actor</span> <span class="o">=</span> <span class="nn">Supervisor</span><span class="p">::</span><span class="nf">start</span><span class="p">(|</span><span class="n">_</span><span class="p">|</span> <span class="n">casbin_actor</span><span class="p">);</span> <span class="k">let</span> <span class="n">preset_rules</span> <span class="o">=</span> <span class="nf">load_csv</span><span class="p">(</span><span class="nf">walk_csv</span><span class="p">(</span><span class="s">"."</span><span class="p">));</span> <span class="k">for</span> <span class="k">mut</span> <span class="n">policy</span> <span class="k">in</span> <span class="n">preset_rules</span> <span class="p">{</span> <span class="k">let</span> <span class="n">ptype</span> <span class="o">=</span> <span class="n">policy</span><span class="nf">.remove</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">if</span> <span class="n">ptype</span><span class="nf">.starts_with</span><span class="p">(</span><span class="sc">'p'</span><span class="p">)</span> <span class="p">{</span> <span class="k">match</span> <span class="n">clone_enforcer</span><span class="nf">.write</span><span class="p">()</span><span class="k">.await</span><span class="nf">.add_policy</span><span class="p">(</span><span class="n">policy</span><span class="p">)</span><span class="k">.await</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">_</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Preset policies(p) add successfully"</span><span class="p">),</span> <span class="nf">Err</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Preset policies(p) add error: {}"</span><span class="p">,</span> <span class="n">err</span><span class="nf">.to_string</span><span class="p">()),</span> <span class="p">};</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="n">ptype</span><span class="nf">.starts_with</span><span class="p">(</span><span class="sc">'g'</span><span class="p">)</span> <span class="p">{</span> <span class="k">match</span> <span class="n">clone_enforcer</span> <span class="nf">.write</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.add_named_grouping_policy</span><span class="p">(</span><span class="o">&amp;</span><span class="n">ptype</span><span class="p">,</span> <span class="n">policy</span><span class="p">)</span> <span class="k">.await</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">_</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Preset policies(p) add successfully"</span><span class="p">),</span> <span class="nf">Err</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Preset policies(g) add error: {}"</span><span class="p">,</span> <span class="n">err</span><span class="nf">.to_string</span><span class="p">()),</span> <span class="p">};</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">unreachable!</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Then we can define our modules.<br> Inside the <code>src/</code> dir, make the following dirs - <code>api/</code>, <code>config/</code>, <code>middleware/</code>, <code>models/</code>, <code>routers/</code>, <code>services/</code> and <code>utils/</code>.<br> Also make these files - <code>constants.rs</code> and <code>errors.rs</code>.<br> Create models in <code>models/</code> - <br> <code>post.rs</code>, <code>response.rs</code>, <code>user.rs</code> and <code>user_token.rs</code></p> <p>Run the following command in the root of the project -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cargo install diesel_cli --no-default-features --features postgres </code></pre> </div> <p>.env DATABASE_URL property that Diesel will use to get the connection details of your Postgres instance.<br> Now run <code>diesel setup</code> in the project root folder . Diesel will create a new database (confessions), as well as a set of empty migrations.</p> <p>Now run -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>diesel migration generate casbin_rules post users ⏎ diesel migration run </code></pre> </div> <p>This creates the <code>schema.rs</code> in the <code>src/</code> dir. You can check that out.<br> In the <code>config/</code> dir created before, define the database config -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">fn</span> <span class="nf">migrate_and_config_db</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="n">pool_size</span><span class="p">:</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">Pool</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Migrating and configurating database..."</span><span class="p">);</span> <span class="k">let</span> <span class="n">manager</span> <span class="o">=</span> <span class="nn">ConnectionManager</span><span class="p">::</span><span class="o">&lt;</span><span class="n">Connection</span><span class="o">&gt;</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">url</span><span class="p">);</span> <span class="k">let</span> <span class="n">pool</span> <span class="o">=</span> <span class="nn">r2d2</span><span class="p">::</span><span class="nn">Pool</span><span class="p">::</span><span class="nf">builder</span><span class="p">()</span> <span class="nf">.connection_timeout</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">10</span><span class="p">))</span> <span class="nf">.max_size</span><span class="p">(</span><span class="n">pool_size</span><span class="p">)</span> <span class="nf">.build</span><span class="p">(</span><span class="n">manager</span><span class="p">)</span> <span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to create pool."</span><span class="p">);</span> <span class="nn">embedded_migrations</span><span class="p">::</span><span class="nf">run</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pool</span><span class="nf">.get</span><span class="p">()</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to migrate."</span><span class="p">))</span> <span class="nf">.expect</span><span class="p">(</span><span class="s">"Failed to migrate."</span><span class="p">);</span> <span class="n">pool</span> <span class="p">}</span> </code></pre> </div> <p>Now, let's write the middleware. In the <code>middleware/</code> dir, make a file <code>authn.rs</code>. <br> This is where we implement role-Based HTTP authorization.<br> Import the external crates and libs -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#![allow(clippy::type_complexity)]</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::{</span> <span class="nn">config</span><span class="p">::</span><span class="nn">db</span><span class="p">::</span><span class="n">Pool</span><span class="p">,</span> <span class="n">constants</span><span class="p">,</span> <span class="nn">models</span><span class="p">::</span><span class="nn">response</span><span class="p">::</span><span class="n">ResponseBody</span><span class="p">,</span> <span class="nn">utils</span><span class="p">::</span><span class="n">token_utils</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">actix_casbin_auth</span><span class="p">::</span><span class="n">CasbinVals</span><span class="p">;</span> <span class="k">use</span> <span class="nn">actix_service</span><span class="p">::{</span><span class="n">Service</span><span class="p">,</span> <span class="n">Transform</span><span class="p">};</span> <span class="k">use</span> <span class="nn">actix_web</span><span class="p">::{</span> <span class="nn">dev</span><span class="p">::{</span><span class="n">ServiceRequest</span><span class="p">,</span> <span class="n">ServiceResponse</span><span class="p">},</span> <span class="nn">http</span><span class="p">::{</span><span class="n">HeaderName</span><span class="p">,</span> <span class="n">HeaderValue</span><span class="p">,</span> <span class="n">Method</span><span class="p">},</span> <span class="nn">web</span><span class="p">::</span><span class="n">Data</span><span class="p">,</span> <span class="n">Error</span><span class="p">,</span> <span class="n">HttpMessage</span><span class="p">,</span> <span class="n">HttpResponse</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">futures</span><span class="p">::{</span> <span class="nn">future</span><span class="p">::{</span><span class="n">ok</span><span class="p">,</span> <span class="n">Ready</span><span class="p">},</span> <span class="n">Future</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">cell</span><span class="p">::</span><span class="n">RefCell</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">rc</span><span class="p">::</span><span class="nb">Rc</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::{</span> <span class="nn">pin</span><span class="p">::</span><span class="nb">Pin</span><span class="p">,</span> <span class="nn">task</span><span class="p">::{</span><span class="n">Context</span><span class="p">,</span> <span class="n">Poll</span><span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>Then we'll create a public struct -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">struct</span> <span class="n">Authentication</span><span class="p">;</span> </code></pre> </div> <p>Now implement a trait <code>Transform</code> (see docs) -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">impl</span><span class="o">&lt;</span><span class="n">S</span><span class="p">,</span> <span class="n">B</span><span class="o">&gt;</span> <span class="n">Transform</span><span class="o">&lt;</span><span class="n">S</span><span class="p">,</span> <span class="n">ServiceRequest</span><span class="o">&gt;</span> <span class="k">for</span> <span class="n">Authentication</span> <span class="k">where</span> <span class="n">S</span><span class="p">:</span> <span class="n">Service</span><span class="o">&lt;</span><span class="n">ServiceRequest</span><span class="p">,</span> <span class="n">Response</span> <span class="o">=</span> <span class="n">ServiceResponse</span><span class="o">&lt;</span><span class="n">B</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">Error</span> <span class="o">=</span> <span class="n">Error</span><span class="o">&gt;</span> <span class="o">+</span> <span class="k">'static</span><span class="p">,</span> <span class="n">B</span><span class="p">:</span> <span class="n">MessageBody</span><span class="p">,</span> <span class="p">{</span> <span class="k">type</span> <span class="n">Response</span> <span class="o">=</span> <span class="n">ServiceResponse</span><span class="o">&lt;</span><span class="n">B</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">type</span> <span class="n">Error</span> <span class="o">=</span> <span class="n">Error</span><span class="p">;</span> <span class="k">type</span> <span class="n">InitError</span> <span class="o">=</span> <span class="p">();</span> <span class="k">type</span> <span class="n">Transform</span> <span class="o">=</span> <span class="n">AuthenticationMiddleware</span><span class="o">&lt;</span><span class="n">S</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">type</span> <span class="n">Future</span> <span class="o">=</span> <span class="n">Ready</span><span class="o">&lt;</span><span class="nb">Result</span><span class="o">&lt;</span><span class="k">Self</span><span class="p">::</span><span class="n">Transform</span><span class="p">,</span> <span class="k">Self</span><span class="p">::</span><span class="n">InitError</span><span class="o">&gt;&gt;</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">new_transform</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">service</span><span class="p">:</span> <span class="n">S</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">Future</span> <span class="p">{</span> <span class="nf">ok</span><span class="p">(</span><span class="n">AuthenticationMiddleware</span> <span class="p">{</span> <span class="n">service</span><span class="p">:</span> <span class="nn">Rc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">RefCell</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">service</span><span class="p">)),</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>Response</code>, <code>Error</code>, <code>InitError</code>, <code>Transform</code> and <code>Future</code> are all associated types defined in the default implementations of the trait <code>Transform</code>.<br> The <code>new_transform</code> function returns a <code>Future</code>.</p> <p>We make another public struct <code>AuthenticationMiddleware</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">struct</span> <span class="n">AuthenticationMiddleware</span><span class="o">&lt;</span><span class="n">S</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">service</span><span class="p">:</span> <span class="nb">Rc</span><span class="o">&lt;</span><span class="n">RefCell</span><span class="o">&lt;</span><span class="n">S</span><span class="o">&gt;&gt;</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Implement <code>Service</code> for <code>AuthenticationMiddleware</code> (see docs) -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">impl</span><span class="o">&lt;</span><span class="n">S</span><span class="p">,</span> <span class="n">B</span><span class="o">&gt;</span> <span class="n">Service</span><span class="o">&lt;</span><span class="n">ServiceRequest</span><span class="o">&gt;</span> <span class="k">for</span> <span class="n">AuthenticationMiddleware</span><span class="o">&lt;</span><span class="n">S</span><span class="o">&gt;</span> <span class="k">where</span> <span class="n">S</span><span class="p">:</span> <span class="n">Service</span><span class="o">&lt;</span><span class="n">ServiceRequest</span><span class="p">,</span> <span class="n">Response</span> <span class="o">=</span> <span class="n">ServiceResponse</span><span class="o">&lt;</span><span class="n">B</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">Error</span> <span class="o">=</span> <span class="n">Error</span><span class="o">&gt;</span> <span class="o">+</span> <span class="k">'static</span><span class="p">,</span> <span class="n">B</span><span class="p">:</span> <span class="n">MessageBody</span><span class="p">,</span> <span class="p">{</span> <span class="k">type</span> <span class="n">Response</span> <span class="o">=</span> <span class="n">ServiceResponse</span><span class="o">&lt;</span><span class="n">B</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">type</span> <span class="n">Error</span> <span class="o">=</span> <span class="n">Error</span><span class="p">;</span> <span class="k">type</span> <span class="n">Future</span> <span class="o">=</span> <span class="nb">Pin</span><span class="o">&lt;</span><span class="nb">Box</span><span class="o">&lt;</span><span class="k">dyn</span> <span class="n">Future</span><span class="o">&lt;</span><span class="n">Output</span> <span class="o">=</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="k">Self</span><span class="p">::</span><span class="n">Response</span><span class="p">,</span> <span class="k">Self</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;&gt;&gt;&gt;</span><span class="p">;</span> <span class="o">..</span> <span class="o">..</span> </code></pre> </div> <p><code>poll_ready</code> is an underlying method that makes a <code>Future</code> work, similar to the regular <code>poll</code> on the <code>Future</code> trait.<br> Define a function <code>call</code> inside the <code>Service</code> impl<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">call</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="k">self</span><span class="p">,</span> <span class="k">mut</span> <span class="n">req</span><span class="p">:</span> <span class="n">ServiceRequest</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">Future</span> <span class="p">{</span> <span class="o">..</span> <span class="o">..</span> <span class="p">}</span> </code></pre> </div> <p>Inside the <code>call</code> function, we define certain variables.<br> We store the casbin <code>service</code> which is a smart pointer in rust - <code>Rc&lt;RefCell&lt;S&gt;&gt;</code>. <br> Why do we use <code>Rc&lt;RefCell&lt;&gt;&gt;</code>? - Well, that is because the the actix <code>actor</code> is single-threaded, whereas our casbin <code>enforcer</code> is multi-threaded, hence the service is a pointer to each thread.<br> Then we have <code>authenticate_pass</code>, <code>public_route</code> and <code>authenticate_username</code> -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="k">mut</span> <span class="n">srv</span> <span class="o">=</span> <span class="k">self</span><span class="py">.service</span><span class="nf">.clone</span><span class="p">();</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">authenticate_pass</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="k">false</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">public_route</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="k">false</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">authenticate_username</span><span class="p">:</span> <span class="nb">String</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">""</span><span class="p">);</span> <span class="c1">// Bypass some account routes</span> <span class="k">let</span> <span class="n">headers</span> <span class="o">=</span> <span class="n">req</span><span class="nf">.headers_mut</span><span class="p">();</span> <span class="n">headers</span><span class="nf">.append</span><span class="p">(</span> <span class="nn">HeaderName</span><span class="p">::</span><span class="nf">from_static</span><span class="p">(</span><span class="s">"content-length"</span><span class="p">),</span> <span class="nn">HeaderValue</span><span class="p">::</span><span class="nf">from_static</span><span class="p">(</span><span class="s">"true"</span><span class="p">),</span> <span class="p">);</span> </code></pre> </div> <p>This is the main logic in this file -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="k">if</span> <span class="nn">Method</span><span class="p">::</span><span class="n">OPTIONS</span> <span class="o">==</span> <span class="o">*</span><span class="n">req</span><span class="nf">.method</span><span class="p">()</span> <span class="p">{</span> <span class="n">authenticate_pass</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">for</span> <span class="n">ignore_route</span> <span class="k">in</span> <span class="nn">constants</span><span class="p">::</span><span class="n">IGNORE_ROUTES</span><span class="nf">.iter</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="n">req</span><span class="nf">.path</span><span class="p">()</span><span class="nf">.starts_with</span><span class="p">(</span><span class="n">ignore_route</span><span class="p">)</span> <span class="p">{</span> <span class="n">authenticate_pass</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="n">public_route</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="o">!</span><span class="n">authenticate_pass</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">pool</span><span class="p">)</span> <span class="o">=</span> <span class="n">req</span><span class="py">.app_data</span><span class="p">::</span><span class="o">&lt;</span><span class="n">Data</span><span class="o">&lt;</span><span class="n">Pool</span><span class="o">&gt;&gt;</span><span class="p">()</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Connecting to database..."</span><span class="p">);</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">authen_header</span><span class="p">)</span> <span class="o">=</span> <span class="n">req</span><span class="nf">.headers</span><span class="p">()</span><span class="nf">.get</span><span class="p">(</span><span class="nn">constants</span><span class="p">::</span><span class="n">AUTHORIZATION</span><span class="p">)</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Parsing authorization header..."</span><span class="p">);</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">authen_str</span><span class="p">)</span> <span class="o">=</span> <span class="n">authen_header</span><span class="nf">.to_str</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="n">authen_str</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"bearer"</span><span class="p">)</span> <span class="p">||</span> <span class="n">authen_str</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"Bearer"</span><span class="p">)</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Parsing token..."</span><span class="p">);</span> <span class="k">let</span> <span class="n">token</span> <span class="o">=</span> <span class="n">authen_str</span><span class="p">[</span><span class="mi">6</span><span class="o">..</span><span class="p">]</span><span class="nf">.trim</span><span class="p">();</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">token_data</span><span class="p">)</span> <span class="o">=</span> <span class="nn">token_utils</span><span class="p">::</span><span class="nf">decode_token</span><span class="p">(</span><span class="n">token</span><span class="nf">.to_string</span><span class="p">())</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Decoding token..."</span><span class="p">);</span> <span class="k">if</span> <span class="nn">token_utils</span><span class="p">::</span><span class="nf">verify_token</span><span class="p">(</span><span class="o">&amp;</span><span class="n">token_data</span><span class="p">,</span> <span class="n">pool</span><span class="p">)</span> <span class="nf">.is_ok</span><span class="p">()</span> <span class="p">{</span> <span class="nd">info!</span><span class="p">(</span><span class="s">"Valid token"</span><span class="p">);</span> <span class="n">authenticate_username</span> <span class="o">=</span> <span class="n">token_data</span><span class="py">.claims.user</span><span class="p">;</span> <span class="n">authenticate_pass</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">error!</span><span class="p">(</span><span class="s">"Invalid token"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Pretty straightforward - connect to db, get auth token from headers, parse token, decode token, verify token, authenticate. <br> Then casbin checks if the particular user is authorized to access the route -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">if</span> <span class="n">authenticate_pass</span> <span class="p">{</span> <span class="k">if</span> <span class="n">public_route</span> <span class="p">{</span> <span class="k">let</span> <span class="n">vals</span> <span class="o">=</span> <span class="n">CasbinVals</span> <span class="p">{</span> <span class="n">subject</span><span class="p">:</span> <span class="s">"anonymous"</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="n">domain</span><span class="p">:</span> <span class="nb">None</span><span class="p">,</span> <span class="p">};</span> <span class="n">req</span><span class="nf">.extensions_mut</span><span class="p">()</span><span class="nf">.insert</span><span class="p">(</span><span class="n">vals</span><span class="p">);</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">pin</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="n">srv</span><span class="nf">.call</span><span class="p">(</span><span class="n">req</span><span class="p">)</span><span class="k">.await</span> <span class="p">})</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">let</span> <span class="n">vals</span> <span class="o">=</span> <span class="n">CasbinVals</span> <span class="p">{</span> <span class="n">subject</span><span class="p">:</span> <span class="n">authenticate_username</span><span class="p">,</span> <span class="n">domain</span><span class="p">:</span> <span class="nb">None</span><span class="p">,</span> <span class="p">};</span> <span class="n">req</span><span class="nf">.extensions_mut</span><span class="p">()</span><span class="nf">.insert</span><span class="p">(</span><span class="n">vals</span><span class="p">);</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">pin</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="n">srv</span><span class="nf">.clone</span><span class="p">()</span><span class="nf">.call</span><span class="p">(</span><span class="n">req</span><span class="p">)</span><span class="k">.await</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nn">Box</span><span class="p">::</span><span class="nf">pin</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">req</span><span class="nf">.into_response</span><span class="p">(</span> <span class="nn">HttpResponse</span><span class="p">::</span><span class="nf">Unauthorized</span><span class="p">()</span> <span class="nf">.json</span><span class="p">(</span><span class="nn">ResponseBody</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nn">constants</span><span class="p">::</span><span class="n">MESSAGE_INVALID_TOKEN</span><span class="p">,</span> <span class="nn">constants</span><span class="p">::</span><span class="n">EMPTY</span><span class="p">,</span> <span class="p">))</span> <span class="nf">.into_body</span><span class="p">(),</span> <span class="p">))</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>We then use this <code>authn.rs</code> in our <code>main.rs</code> when we spawn the our http server -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code> <span class="nn">HttpServer</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="k">move</span> <span class="p">||</span> <span class="p">{</span> <span class="nn">App</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.data</span><span class="p">(</span><span class="n">pool</span><span class="nf">.clone</span><span class="p">())</span> <span class="nf">.data</span><span class="p">(</span><span class="n">started_actor</span><span class="nf">.clone</span><span class="p">())</span> <span class="nf">.wrap</span><span class="p">(</span> <span class="nn">Cors</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.send_wildcard</span><span class="p">()</span> <span class="nf">.allowed_methods</span><span class="p">(</span><span class="nd">vec!</span><span class="p">[</span><span class="s">"GET"</span><span class="p">,</span> <span class="s">"POST"</span><span class="p">,</span> <span class="s">"DELETE"</span><span class="p">])</span> <span class="nf">.allowed_headers</span><span class="p">(</span><span class="nd">vec!</span><span class="p">[</span> <span class="nn">http</span><span class="p">::</span><span class="nn">header</span><span class="p">::</span><span class="n">AUTHORIZATION</span><span class="p">,</span> <span class="nn">http</span><span class="p">::</span><span class="nn">header</span><span class="p">::</span><span class="n">ACCEPT</span><span class="p">,</span> <span class="p">])</span> <span class="nf">.allowed_header</span><span class="p">(</span><span class="nn">http</span><span class="p">::</span><span class="nn">header</span><span class="p">::</span><span class="n">CONTENT_TYPE</span><span class="p">)</span> <span class="nf">.max_age</span><span class="p">(</span><span class="mi">3600</span><span class="p">)</span> <span class="nf">.finish</span><span class="p">(),</span> <span class="p">)</span> <span class="nf">.wrap</span><span class="p">(</span><span class="nn">NormalizePath</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">TrailingSlash</span><span class="p">::</span><span class="n">Trim</span><span class="p">))</span> <span class="nf">.wrap</span><span class="p">(</span><span class="nn">Logger</span><span class="p">::</span><span class="nf">default</span><span class="p">())</span> <span class="nf">.wrap</span><span class="p">(</span><span class="n">casbin_middleware</span><span class="nf">.clone</span><span class="p">())</span> <span class="nf">.wrap</span><span class="p">(</span><span class="k">crate</span><span class="p">::</span><span class="nn">middleware</span><span class="p">::</span><span class="nn">authn</span><span class="p">::</span><span class="n">Authentication</span><span class="p">)</span> <span class="nf">.configure</span><span class="p">(</span><span class="nn">routers</span><span class="p">::</span><span class="n">routes</span><span class="p">)</span> <span class="p">})</span> <span class="nf">.bind</span><span class="p">(</span><span class="o">&amp;</span><span class="n">app_url</span><span class="p">)</span><span class="o">?</span> <span class="nf">.run</span><span class="p">()</span> <span class="k">.await</span><span class="o">?</span><span class="p">;</span> </code></pre> </div> <p>That's it.<br> This is how casbin can be used in an actix-web app.</p> casbin authorization rust How to use casbin authorization in your rust web-app [Part - 2] 0xsmrpn Thu, 13 May 2021 23:26:16 +0000 https://dev.to/smrpn/how-to-use-casbin-authorization-in-your-rust-web-app-part-2-1bnm https://dev.to/smrpn/how-to-use-casbin-authorization-in-your-rust-web-app-part-2-1bnm <p>This is the second part of the blog about casbin.<br> Here we will discuss about the casbin model that we shall use in our project application.</p> <p>Here is the <a href="https://github.com/casbin-rs/examples/blob/master/actix-middleware-example/preset_policy.csv">link</a> of a sample policy file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>p, user_role_post_publish, post_publish_group, (POST)|(GET) p, user_role_user, user_group, (DELETE)|(POST) p, admin_role_user_manage, user_manage_group, (GET)|(DELETE) p, admin_role_post_manage, post_manage_group, (GET)|(DELETE) g2, /api/post, post_publish_group g2, /api/admin/posts, post_manage_group g2, /api/user/logout, user_group g2, /api/user, user_group g2, /api/admin/users, user_manage_group g2, /api/admin/post/:id, post_manage_group g2, /api/admin/user/:id, user_manage_group g3, /api/post/:id, publicAction g3, /api/posts, publicAction g3, /api/auth/login, publicAction g3, /api/auth/signup, publicAction g, admin, admin_role_user_manage g, admin, admin_role_post_manage g, admin, user_role_post_publish g, admin, user_role_user </code></pre> </div> <p>Let's try to understand this - <br> <code>p</code> here represents policy. Policies generally have 3 parts -<br> <code>subject</code>, <code>object</code> and <code>action</code>. Here they can be understood as <code>user role</code>, <code>path</code> and <code>request method</code>. <br> Furthermore, we can assign a <code>group</code> to our <code>object</code> or as used here, <code>path</code>.<br> For example,<br> The first line of the file is<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>p, user_role_post_publish, post_publish_group, (POST)|(GET) </code></pre> </div> <p>This is a policy where all users that have the role <code>user_role_post_publish</code> can make a <code>POST</code> and <code>GET</code> request on the subject <code>post_publish_group</code>, which is a group. <code>post_publish_group</code> has the <code>/api/post</code> path, as mentioned in the file -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>g2, /api/post, post_publish_group </code></pre> </div> <p>Similarly, when we write<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>p, user_role_user, user_group, (DELETE)|(POST) </code></pre> </div> <p>It simply means that users with <code>user_role_user</code> role can make <code>DELETE</code> and <code>POST</code> requests on url paths in the <code>user_group</code> group. These url paths are <code>/api/user/logout</code> and <code>/api/user</code>.</p> <p><code>publicAction</code> is a group which has paths which are accessible to every user regardless of role.</p> <p>A group can have multiple url paths, an url path cannot belong to more than one group.</p> <p>Next, the <code>.conf</code> file -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[request_definition] r = sub, obj, act [policy_definition] p = sub, obj, act [role_definition] g = _, _ g2 = _, _ g3 = _, _ g4 = _, _ [policy_effect] e = some(where (p.eft == allow)) [matchers] m = g(r.sub, p.sub) &amp;&amp; g2(r.obj, p.obj) &amp;&amp; regexMatch(r.act, p.act) || g3(r.obj, "publicAction") || r.sub == "root" </code></pre> </div> <p>As mentioned in the first blog, <code>request_definition</code> is the syntax of our request. First we have the subject, <code>sub</code>, then we have the object, <code>obj</code>, and then the action, <code>act</code>.<br> In our example, <code>sub</code> is the role, <code>obj</code> is the url path/group of url paths, and <code>act</code> is a HTTP method.<br> <code>policy_definition</code> should match with the <code>request_definition</code> for things to not break.(think of this as a schema)<br> Now we have <code>role_definition</code>, from where casbin reads what each role has access to(for example, let's say some <code>employee</code> role has access to <code>/api/tasks/:userId/today</code>).</p> <p>In <code>policy_effect</code> here, <code>e = some(where (p.eft == allow))</code> translates to - if the matching strategy result p.eft has the result of (some) allow, then the final result is true.</p> <p>In <code>matchers</code>, we are checking if the request and policy components are equal. We are using <code>regexMatch</code> to check actions because here they are HTTP methods.<br> For example the final result is true when the request subject, <code>r.sub</code> is equal to <code>root</code>, in which case it has all the permissions. This entire expression <code>m = g(r.sub, p.sub) &amp;&amp; g2(r.obj, p.obj) &amp;&amp; regexMatch(r.act, p.act) || g3(r.obj, "publicAction") || r.sub == "root"</code> means, that if the requested parameters match with those in the policy, i.e., <code>sub</code>, <code>obj</code> and <code>act</code>, return the policy result ,<code>p.eft</code>, which is again rechecked in <code>policy_effect</code>.</p> <p>That is all for this blog. Hope the concepts are explained well enough.<br> In the next blog, i.e., we will use this model in our actix-web app.<br> Comments below are always welcome.</p> <p>And don't forget to star our repositories on Github.</p> casbin authorization rust How to use casbin authorization in your rust web-app [Part - 1] 0xsmrpn Thu, 13 May 2021 23:25:48 +0000 https://dev.to/smrpn/how-to-use-casbin-authorization-in-your-rust-web-app-part-1-4f8f https://dev.to/smrpn/how-to-use-casbin-authorization-in-your-rust-web-app-part-1-4f8f <p>Casbin is a mature and easy-to-use permission control library in rust.</p> <h4> What is Casbin? </h4> <p><a href="https://github.com/casbin/casbin">Casbin</a> is a permission control library based on Go language developed by <a href="https://github.com/hsluoyz">Dr. Luo Yang</a>. It supports common access control models such as ACL, RBAC, ABAC, etc.<br> <a href="https://github.com/casbin/casbin-rs">Casbin-rs</a> is a Rust port of the project, which has higher speed and memory security than the Go language version.</p> <h5> What Casbin does - </h5> <ul> <li>Casbin's configuration file consists of two parts, one is the Configuration file (can be understood as the model configuration file), which configures the model (Model) selection, group (Group) configuration, defines the request (Request) and policy (Policy) structure and the configuration of the matcher (Matcher), which will be described later. The other is the container for the policy (Policy), which can be a csv file or a database (MySQL/PostgreSQl). Policies in the container are derived from the configuration of the Model.</li> <li>Support multi-layer role inheritance in RBAC, not only subjects can have roles, resources can also have roles.</li> <li>Support super users, such as root or Administrator, super users can access any resources without being restricted by authorization policies. </li> <li>Support a variety of built-in operators, such as keyMatch, to facilitate the management of path-based resources, such as /book/1 can be mapped to /book/:id</li> </ul> <h5> What Casbin does not do - </h5> <ul> <li>For identity authentication (that is, to verify the user's user name and password), casbin is only responsible for access control. There should be other specialized components responsible for identity authentication, and then access control by casbin. The two are in a cooperative relationship.</li> <li>Manage user lists or role lists. Casbin believes that it is more appropriate to manage the user and role list by the project itself. Users usually have their passwords, but Casbin's design idea is not to use it as a container for storing passwords. Instead, it stores the mapping relationship between users and roles in the RBAC scheme.</li> </ul> <h5> A model configuration - </h5> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// model.conf # Request definition [request_definition] r = sub, obj, act # Policy definition [policy_definition] p = sub, obj, act # Policy effect [policy_effect] e = some(where (p.eft == allow)) # Matchers [matchers] m = r.sub == p.sub &amp;&amp; r.obj == p.obj &amp;&amp; r.act == p.act </code></pre> </div> <p>This is a model definition file, where <code>sub</code> represents the user, <code>obj</code> is the resource to be accessed, and <code>act</code> the operation performed on the resource. <br> When using casbin in a web app, <code>sub</code> corresponds to the username, <code>obj</code> corresponds to the URL Path accessed, and <code>act</code> represents a HTTP method (GET/POST/PUT/DELETE etc).</p> <p>Here, <code>request_definition</code> tells us what constitutes a request. <code>policy_definition</code> is the same as in request. <code>policy_effect</code> tells us when the rule is valid.<br> The job of the Matcher is to return a boolean value when the request and the policy satisfy a certain relation.</p> <p>If we want to add a super administrator, it can perform any operation, we can write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[matchers] m = r.sub == p.sub &amp;&amp; r.obj == p.obj &amp;&amp; r.act == p.act || r.sub == "root" </code></pre> </div> <p>It is clearly visible here that <code>m</code> is true when the request subject is <code>root</code> , i.e., it has all the possible permissions.</p> <h5> Policy configuration </h5> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>p, alice, data1, read p, bob, data2, write </code></pre> </div> <p>This literally translates to - <code>alice</code> can <code>read</code> from <code>data1</code>, and <code>bob</code> can <code>write</code> to <code>data2</code>.</p> <h4> The Casbin Rust ecosystem </h4> <p><a href="https://github.com/casbin/casbin-rs">Casbin-RS</a> : Currently supports all features supported by Casbin Go version and is under active development</p> <p>At present, Casbin Rust is developing steadily. The currently supported components are:</p> <p><a href="https://github.com/casbin-rs/diesel-adapter">Casbin Diesel Adaper</a> : Adapter developed using the diesel ORM library, suppors MySQL/PostgreSQL/SQLite<br> <a href="https://github.com/casbin-rs/actix-casbin-auth">Casbin Actix-web Middleware</a> : Actix-web is the fastest web-framework. Casbin supports Actix middleware and automatically manages permissions for requests<br> <a href="https://github.com/casbin-rs/actix-casbin">Casbin Actix-web Actor</a> : Casbin is re-encapsulated under the Actix framework, which is convenient for use in Actix-web and encapsulates common functions<br> <a href="https://github.com/casbin-rs/sqlx-adapter">Casbin Sqlx Adapter</a> : Supports fully asynchronous database middleware with better performance, based on Sqlx. Support MySQL/PostgreSQL</p> <p><a href="https://casbin.org/">Casbin official website</a><br> <a href="https://forum.casbin.org/">Casbin Forum</a><br> Casbin also supports other languages ​​besides Go and Rust: Javascript, PHP, Python, C#(.NET), C++, Java etc</p> <p>In the next blog, i.e., Part 2, we will talk more about the casbin auth model that we will be using in our project.</p> <p>And don't forget to star our repositories on Github.</p> casbin authorization rust