Skip to content

Add INCITS 359-inspired authorization core and routing adapter#39

Draft
diasbruno with Copilot wants to merge 1 commit into
developmentfrom
copilot/explore-authorization
Draft

Add INCITS 359-inspired authorization core and routing adapter#39
diasbruno with Copilot wants to merge 1 commit into
developmentfrom
copilot/explore-authorization

Conversation

Copilot AI commented May 30, 2026

Copy link
Copy Markdown
Contributor

This introduces an authorization module built around INCITS 359 RBAC concepts and a composable policy DSL. It adds a core authorization layer plus a routing adapter so request handling can evaluate policies against sessions, roles, and permissions.

  • Core authorization model

    • Adds user, role, permission, and session entities.
    • Introduces pluggable store generics for user-role assignment, role-permission lookup, role hierarchy, and session lifecycle.
    • Implements default session authorization by evaluating active roles plus inherited senior roles.
  • Composable policy DSL

    • Adds lazy policy constructors: require-authenticated, require-role, require-permission, require-predicate.
    • Adds composition operators: all-of, any-of, invert.
    • Adds policy-set combiners: deny-overrides, permit-overrides, first-applicable.
    • Adds defpolicy and defpolicy-set for named policy definitions.
  • Routing integration

    • Adds wrap-authorization middleware for request-scoped policy evaluation.
    • Adds default request extractors for subject, action, resource, and merged authorization context.
    • Persists the authorization decision in request data and maps deny outcomes to 401 or 403 based on session presence.
  • Project wiring

    • Adds new ASDF systems for core, routing, and their test suites.
    • Registers the new authorization systems in the umbrella test system.
    • Updates the README feature list to include authorization.

Example:

(defpolicy can-read-users
  (all-of (require-authenticated)
          (any-of (require-role :admin)
                  (require-role :reader))))

(defpolicy-set api-policies
  :combiner deny-overrides
  :policies (list can-read-users
                  (require-predicate #'account-active-p)))

(defparameter auth-middleware
  (io.github.cl-sdk.wst.authorization.routing:wrap-authorization
   :policy api-policies))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants