herocode/rhailib
12
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7619e3b944
rhailib/examples/access_control/README.md
Timur Gordon 7619e3b944 move dsl's to rhailib
2025-06-25 03:22:03 +02:00

2.4 KiB
Raw Blame History

Access Control Demonstration

This example demonstrates a practical access control scenario using rhailib. It showcases how a user, Alice, can manage her own data within her Rhai worker, grant specific access rights to another user, Bob, and deny access to an unauthorized user, Charlie.

Overview

The example involves three key participants:

  1. Alice (alice_pk): The owner of the Rhai worker. She runs alice.rhai to populate her database with various objects and collections. Some of these are private, while others are explicitly shared with Bob.

  2. Bob (bob_pk): A user who has been granted some access rights by Alice. In this example, he attempts to run bob.rhai, which tries to write data to Alice's worker.

  3. Charlie (charlie_pk): An unauthorized user. He attempts to run charlie.rhai, which is identical to Bob's script.

The core of the access control mechanism lies within the rhailib_worker. When a script is submitted for execution, the worker automatically enforces that the CALLER_PUBLIC_KEY matches the worker's own CIRCLE_PUBLIC_KEY for any write operations. This ensures that only the owner (Alice) can modify her data.

Scenario and Expected Outcomes

  1. Alice Populates Her Database: Alice's script (alice.rhai) runs first. It successfully creates:

    • A private object.
    • An object shared with Bob.
    • A private collection containing a private book and slides that are individually shared with Bob.
    • A shared collection. This demonstrates that the owner of the worker can freely write to her own database.

  2. Bob's Query: Bob's script (bob.rhai) is executed next. The script attempts to create new objects in Alice's database. This operation fails with an Insufficient authorization error. The logs will show that bob_pk does not match the circle's public key, alice_pk.

  3. Charlie's Query: Charlie's script (charlie.rhai) also fails with the same authorization error, as he is not the owner of the worker.

This example clearly illustrates the built-in ownership and write protection provided by the Rhai worker.

Running the Example

Ensure Redis is running and accessible at redis://127.0.0.1/.

From the rhailib root directory, run:

cargo run --example access_control

Observe the logs to see Alice's script complete successfully, followed by the authorization errors for Bob and Charlie, confirming that the access control is working as expected.