Skip to content

constraint_enforcement

Module: enforcement::constraint_enforcement

Section titled “Module: enforcement::constraint_enforcement”

Structs

Enums

  • PolicyVerdict - The verdict a policy engine returns for one evaluated action.

Traits

  • PolicyEvaluation - Trait for policy evaluation — abstracts Cedar or any other policy engine.

firma_sidecar::enforcement::constraint_enforcement::ConstraintEnforcer

Section titled “firma_sidecar::enforcement::constraint_enforcement::ConstraintEnforcer”

Struct

Stage 2: Constraint Enforcement Engine (CEE).

Performs scope check (action within token’s allowed set), builds the Cedar evaluation context, and evaluates policies. Fully local.

Target: < 200us p95.

Methods:

  • fn new(policy: Arc<dyn PolicyEvaluation>) -> Self
  • fn policy_version(self: &Self) -> Option<String> - Return the active policy bundle version, if one has been installed.
  • fn evaluate(self: &Self, envelope: &NormalizedEnvelope, claims: &CapabilityClaims, signals: &RuntimeSignals) -> Result<PolicyVerdict, EnforcementDecision> - Evaluate the request against Cedar policies.
  • fn evaluate_with_timeout(self: &Self, envelope: &NormalizedEnvelope, claims: &CapabilityClaims, signals: &RuntimeSignals, timeout: Duration) -> Result<PolicyVerdict, EnforcementDecision> - Timeout-aware Stage 2 evaluation.

firma_sidecar::enforcement::constraint_enforcement::PolicyEvaluation

Section titled “firma_sidecar::enforcement::constraint_enforcement::PolicyEvaluation”

Trait

Trait for policy evaluation — abstracts Cedar or any other policy engine.

The sidecar uses this trait rather than firma-core’s PolicyEvaluator because it needs a richer context (three-layer attributes). The concrete Cedar implementation will be provided when unit 003 is built.

Methods:

  • evaluate: Evaluate policy against the given context attributes.
  • evaluate_verdict: Evaluate policy and return the full AARM R4 verdict, including
  • is_fresh: Check if the policy bundle is still fresh (TTL not expired).
  • is_available: Check if a policy bundle is currently available.
  • version: Get the current policy bundle version.

firma_sidecar::enforcement::constraint_enforcement::PolicyVerdict

Section titled “firma_sidecar::enforcement::constraint_enforcement::PolicyVerdict”

Enum

The verdict a policy engine returns for one evaluated action.

Cedar natively produces only Allow/Deny. The three remediation variants (Modify, StepUp, Defer) are sourced from @modify / @step_up / @defer annotations on forbid policies — see CedarPolicyEvaluator. This is the AARM R4 five-decision set at the engine layer; the pipeline lifts it into [EnforcementDecision].

Variants:

  • Allow - Request authorized. Proceed to envelope assembly + dispatch.
  • Deny - Request denied by policy. Mapped to a hard
  • Modify{ modifications: firma_core::ModificationSpec } - AARM R4 MODIFY: execute a transformed version. modifications
  • StepUp{ challenge: firma_core::StepUpSpec } - AARM R4 STEP_UP: require human approval / stronger authn before
  • Defer{ backoff: std::time::Duration } - AARM R4 DEFER: delay execution pending additional context or

Traits: Eq

Trait Implementations:

  • Clone
    • fn clone(self: &Self) -> PolicyVerdict
  • PartialEq
    • fn eq(self: &Self, other: &PolicyVerdict) -> bool
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result