cerberus-xacml 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: aa2fcbe67119bdcbe8d407da3b16a6a9c1fc1524d09297757c7de2144d78c9a2
+  data.tar.gz: d6a73081d99d03083e6d74f478b51d8df4db0fa2cf48902e455527780af22c4f
+SHA512:
+  metadata.gz: 26e19a1f5fa1d0d0984b57a32dc90a9df2fba2d3bff8e711f49dcda8ccb27c982c3ce322e3da9383ca161a33f0b43baf8133870a21b5bcc8b0f038aed542e87a
+  data.tar.gz: 117eb9ff293e721104ff8bbf8efce9416a6ebc1b0d179610723b355fd14db48ba6f3a56298f8c8aff6b5b66b6764535c44ad266f87639e6eb4d7c29fa42a87fe

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## [0.1.0] - 2026-04-04
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Nasibullin Danil
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,230 @@
+# Cerberus
+
+Cerberus is a rule engine for Ruby applications inspired by the XACML (eXtensible Access Control Markup Language) standard.
+
+👉 Learn more about XACML: https://en.wikipedia.org/wiki/XACML
+
+It provides a structured way to define, manage, and evaluate rules and policies in a consistent and scalable manner. It provides a structured way to define, manage, and evaluate rules and policies in a consistent and scalable manner.
+
+While internally it follows a modular architecture with pluggable adapters and dependency injection, its primary goal is to offer a familiar policy-based approach similar to XACML, adapted for Ruby applications.
+
+---
+
+## 📋 Requirements
+
+- Ruby >= 3.1
+- Rails >= 7.0 (only for ActiveRecord adapter)
+- PostgreSQL (recommended, due to JSONB support)
+
+---
+
+## ✨ Features
+
+* Decoupled domain and infrastructure layers
+* Pluggable persistence adapters (ActiveRecord, future: Sequel, etc.)
+* Dependency injection via container
+* Composable operations (use-cases)
+* Flexible rule and expression system
+
+---
+
+## 🚀 Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'cerberus-xacml'
+```
+
+And then execute:
+
+```bash
+bundle install
+```
+
+---
+
+## ⚙️ Configuration
+
+Create an initializer:
+
+```ruby
+# config/initializers/cerberus.rb
+
+Cerberus::Base.plugin :active_record
+```
+
+---
+
+## 🧱 Database Setup
+
+### Install migrations
+
+#### Create task
+
+```ruby
+Cerberus::Generators::Migrations.install!(:active_record, 'path/to/migrations/dir')
+```
+
+```bash
+bin/rails db:migrate
+```
+
+---
+
+### Manual migration example
+
+If you prefer to manage schema manually:
+
+```ruby
+class InitCerberusMigration < ActiveRecord::Migration[7.0]
+  create_table :cerberus_policies do |t|
+    t.string :action, null: false
+    t.string :resource_type, null: false
+    t.string :strategy, null: false
+
+    t.timestamp
+  end
+
+  add_index :cerberus_policies, %i[action resource_type], unique: true, name: 'index_cerberus_policies_uniqueness'
+
+  create_table :cerberus_rules do |t|
+    t.string :effect, null: false
+
+    t.timestamps
+  end
+
+  create_table :cerberus_policy_rules do |t|
+    t.belongs_to :policy, foreign_key: { to_table: :cerberus_policies }
+    t.belongs_to :rule, foreign_key: { to_table: :cerberus_rules }
+
+    t.timestamps
+  end
+
+  create_table :cerberus_operands do |t|
+    t.string :kind, null: false
+    t.string :value
+    t.string :name
+    t.string :value_type
+
+    t.timestamps
+  end
+
+  create_table :cerberus_expressions do |t|
+    t.string :type, null: false
+    t.string :operator, null: false
+    t.belongs_to :rule, foreign_key: { to_table: :cerberus_rules }
+    t.belongs_to :parent, foreign_key: { to_table: :cerberus_expressions }
+    t.belongs_to :left_operand, foreign_key: { to_table: :cerberus_operands }
+    t.belongs_to :right_operand, foreign_key: { to_table: :cerberus_operands }
+
+    t.timestamps
+  end
+end
+```
+
+---
+
+## 🧩 Usage
+
+### Create a rule
+
+```ruby
+rule = Cerberus::Domain::Rule.create(name: "Test rule")
+```
+
+### Add expressions
+
+```ruby
+rule.expressions.create!(kind: "equals", payload: { field: "status", value: "active" })
+```
+
+---
+
+### Using operations
+
+```ruby
+result = Cerberus::Operations::Rules::Create.call(name: "Test")
+
+if result.success?
+  rule = result.value!
+else
+  puts result.failure
+end
+```
+
+⚠️ Do not use infrastructure models directly in your application. Always go through domain or operations layer.
+
+---
+
+## 🧪 Testing
+
+Example with RSpec:
+
+```ruby
+RSpec.describe Cerberus::Domain::Rule do
+  it 'creates a rule' do
+    expect { described_class.create(name: 'Test') }
+      .to change(described_class, :count).by(1)
+  end
+end
+```
+
+---
+
+## 🏗 Architecture
+
+```
+cerberus/
+  domain/        # Pure business logic
+  infra/         # Adapters (ActiveRecord, etc.)
+  operations/    # Use cases
+  plugins/       # Set up for plugins
+```
+
+---
+
+## ⚠️ Important Notes
+
+* Do not depend on `infra` layer directly
+* Always use public API (operations, domain interfaces)
+* Database schema may evolve — check migrations on upgrade
+
+---
+
+## 🛠 Roadmap
+
+* [ ] Sequel adapter
+* [ ] ROM adapter
+* [ ] YAML adapter
+* [ ] Async evaluation
+* [ ] Rule builder DSL
+
+---
+
+## 💡 Example Workflow
+
+```ruby
+# seeds
+op1 = operand.create!(kind: :resource, name: 'nested.role')
+op2 = operand.create!(kind: :subject, name: 'role')
+
+r1 = rule.create!(effect: :permit)
+c1 = condition.create!(rule: r1, operator: :eq, left_operand: op1, right_operand: op2)
+p = policy.create!(action: :update, resource_type: :vehicle, strategy: :permit_overrides)
+p.rules << r1
+
+# usage
+Cerberus::Base.authorize!(
+  action: :update,
+  resource_type: :vehicle,
+  subject: Struct.new(:id, :role).new(1, 'admin'),
+  resource: Struct.new(:nested).new(Struct.new(:role).new('admin'))
+)
+```
+
+---
+
+## 📄 License
+
+MIT

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/lib/cerberus/application/authorizer.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Application
+    class Authorizer
+      attr_reader :resolver
+
+      def initialize(resolver:)
+        @resolver = resolver
+      end
+
+      def authorized?(action:, resource_type:, subject: nil, resource: nil, env: {})
+        policy = resolver.resolve(action:, resource_type:)
+        policy&.evaluate(subject:, resource:, env:) == :permit
+      end
+
+      def authorize!(action:, resource_type:, **args)
+        authorized?(action:, resource_type:, **args) ||
+          (raise NotAuthorized, "Not authorized #{resource_type} to #{action}")
+      end
+    end
+  end
+end

data/lib/cerberus/application/resolver.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Application
+    class Resolver
+      def initialize(repository:, mapper:)
+        @repository = repository
+        @mapper     = mapper
+      end
+
+      def resolve(action:, resource_type:)
+        record = repository.find(action:, resource_type:)
+        return unless record
+
+        mapper.call(record)
+      end
+
+      private
+
+      attr_reader :repository, :mapper
+    end
+  end
+end

data/lib/cerberus/configuration.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Cerberus
+  class Configuration
+    attr_accessor :authorizer
+
+    def plugins
+      @plugins ||= []
+    end
+  end
+end

data/lib/cerberus/domain/condition.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Domain
+    class Condition
+      attr_reader :left, :right, :operator
+
+      def initialize(left:, right:, operator:)
+        @left = left
+        @right = right
+        @operator = operator
+      end
+
+      def evaluate(context)
+        left.resolve(context).public_send(
+          operator,
+          right.resolve(context)
+        )
+      end
+    end
+  end
+end

data/lib/cerberus/domain/node.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Domain
+    class Node
+      attr_reader :operator, :children
+
+      def initialize(operator:, children:)
+        @operator = operator
+        @children = children
+      end
+
+      def evaluate(context)
+        return children.all? { |child| child.evaluate(context) } if operator == :and
+
+        children.any? { |child| child.evaluate(context) }
+      end
+    end
+  end
+end

data/lib/cerberus/domain/operand.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Domain
+    class Operand
+      attr_reader :kind, :name, :value, :value_type, :types
+
+      def initialize(kind:, name: nil, value: nil, value_type: nil, types: Infra::Types)
+        @kind = kind
+        @name = name
+        @value = value
+        @value_type = value_type
+        @types = types
+      end
+
+      def resolve(context)
+        return types.cast(value, value_type) if kind == :constant
+
+        keys = name.is_a?(String) ? name.split('.') : Array(name)
+        object = context.fetch(kind)
+
+        keys.reduce(object) do |memo, key|
+          memo.is_a?(Hash) ? memo.fetch(key.to_sym) : memo.public_send(key)
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/domain/policy.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'cerberus/domain/strategies/deny_overrides'
+require 'cerberus/domain/strategies/deny_unless_permit'
+require 'cerberus/domain/strategies/permit_overrides'
+require 'cerberus/domain/strategies/permit_unless_deny'
+
+module Cerberus
+  module Domain
+    class Policy
+      attr_reader :rules, :strategy
+
+      STRATEGIES = {
+        permit_overrides:   Strategies::PermitOverrides,
+        permit_unless_deny: Strategies::PermitUnlessDeny,
+        deny_overrides:     Strategies::DenyOverrides,
+        deny_unless_permit: Strategies::DenyUnlessPermit
+      }.freeze
+
+      def initialize(rules:, strategy: :permit_overrides)
+        @rules = rules
+        @strategy = strategy.to_sym
+      end
+
+      def evaluate(context)
+        STRATEGIES.fetch(strategy).combine(rules, context)
+      end
+    end
+  end
+end

data/lib/cerberus/domain/rule.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Domain
+    class Rule
+      attr_reader :effect, :expression
+
+      def initialize(effect:, expression:)
+        @effect = effect
+        @expression = expression
+      end
+
+      def evaluate(context)
+        effect.to_sym if expression.evaluate(context)
+      end
+    end
+  end
+end

data/lib/cerberus/domain/strategies/deny_overrides.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Domain
+    module Strategies
+      class DenyOverrides
+        def self.combine(rules, context)
+          permit = nil
+
+          rules.each do |rule|
+            case rule.evaluate(context)
+            when :deny
+              return :deny
+            when :permit
+              permit = :permit
+            end
+          end
+
+          permit
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/domain/strategies/deny_unless_permit.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Domain
+    module Strategies
+      class DenyUnlessPermit
+        def self.combine(rules, context)
+          rules.any? { |rule| rule.evaluate(context) == :permit } ? :permit : :deny
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/domain/strategies/permit_overrides.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Domain
+    module Strategies
+      class PermitOverrides
+        def self.combine(rules, context)
+          deny = nil
+
+          rules.each do |rule|
+            case rule.evaluate(context)
+            when :permit
+              return :permit
+            when :deny
+              deny = :deny
+            end
+          end
+
+          deny
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/domain/strategies/permit_unless_deny.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Domain
+    module Strategies
+      class PermitUnlessDeny
+        def self.combine(rules, context)
+          rules.any? { |rule| rule.evaluate(context) == :deny } ? :deny : :permit
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/generators/migrations/active_record/000_cerberus_init.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+class InitCerberusMigration < ActiveRecord::Migration
+  create_table :cerberus_policies do |t|
+    t.string :action, null: false
+    t.string :resource_type, null: false
+    t.string :strategy, null: false
+
+    t.timestamp
+  end
+
+  add_index :cerberus_policies, %i[action resource_type], unique: true, name: 'index_cerberus_policies_uniqueness'
+
+  create_table :cerberus_rules do |t|
+    t.string :effect, null: false
+
+    t.timestamps
+  end
+
+  create_table :cerberus_policy_rules do |t|
+    t.belongs_to :policy, foreign_key: { to_table: :cerberus_policies }
+    t.belongs_to :rule, foreign_key: { to_table: :cerberus_rules }
+
+    t.timestamps
+  end
+
+  create_table :cerberus_operands do |t|
+    t.string :kind, null: false
+    t.string :value
+    t.string :name
+    t.string :value_type
+
+    t.timestamps
+  end
+
+  create_table :cerberus_expressions do |t|
+    t.string :type, null: false
+    t.string :operator, null: false
+    t.belongs_to :rule, foreign_key: { to_table: :cerberus_rules }
+    t.belongs_to :parent, foreign_key: { to_table: :cerberus_expressions }
+    t.belongs_to :left_operand, foreign_key: { to_table: :cerberus_operands }
+    t.belongs_to :right_operand, foreign_key: { to_table: :cerberus_operands }
+
+    t.timestamps
+  end
+end

data/lib/cerberus/generators/migrations.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Generators
+    class Migrations
+      def install!(plugin, to)
+        Dir[File.join(migrations_path(plugin), '*.rb')].each { |file| copy_migration(file, to) }
+      end
+
+      private
+
+      def migrations_path(plugin)
+        File.expand_path("migrations/#{plugin}", __dir__)
+      end
+
+      def copy_migration(file, target_dir)
+        filename = File.basename(file).sub(/^\d{3}_/, '')
+        return if migration_exists?(filename, target_dir)
+
+        target = File.join(target_dir, timestamped(filename))
+        FileUtils.cp(file, target)
+      end
+
+      def migration_exists?(filename, target_dir)
+        Dir[File.join(target_dir, "*_#{filename}")].any?
+      end
+
+      def timestamped(filename)
+        "#{Time.now.utc.strftime('%Y%m%d%H%M%S')}_#{filename}"
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/builder.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      class Builder
+        def initialize(**args)
+          @node_model       = args.fetch(:node_model, Models::Expressions::Node)
+          @condition_model  = args.fetch(:condition_model, Models::Expressions::Condition)
+          @domain_node      = args.fetch(:domain_node, Domain::Node)
+          @domain_condition = args.fetch(:domain_condition, Domain::Condition)
+          @domain_operand   = args.fetch(:domain_operand, Domain::Operand)
+        end
+
+        def build(record)
+          build_record(record)
+        end
+
+        private
+
+        attr_reader :node_model, :condition_model, :domain_node, :domain_condition, :domain_operand
+
+        def build_record(record)
+          case record
+          when node_model
+            build_node(record)
+          when condition_model
+            build_condition(record)
+          end
+        end
+
+        def build_node(node)
+          domain_node.new(
+            operator: node.operator.to_sym,
+            children: node.children.map { |child| build_record(child) }
+          )
+        end
+
+        def build_condition(condition)
+          domain_condition.new(
+            left:     build_operand(condition.left_operand),
+            operator: condition.operator_before_type_cast,
+            right:    build_operand(condition.right_operand)
+          )
+        end
+
+        def build_operand(operand)
+          domain_operand.new(
+            kind:       operand.kind.to_sym,
+            name:       operand.name,
+            value:      operand.value,
+            value_type: operand.value_type
+          )
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/mapper.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      class Mapper
+        attr_reader :domain_policy, :domain_rule, :builder
+
+        def initialize(domain_policy:, domain_rule:, builder:)
+          @domain_policy = domain_policy
+          @domain_rule   = domain_rule
+          @builder       = builder
+        end
+
+        def call(record)
+          domain_policy.new(
+            strategy: record.strategy.to_sym,
+            rules:    record.rules.map { |rule| build_rule(rule) }
+          )
+        end
+
+        private
+
+        def build_rule(rule)
+          domain_rule.new(
+            effect:     rule.effect.to_sym,
+            expression: builder.build(rule.expression)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/models/application_record.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      module Models
+        class ApplicationRecord < ::ActiveRecord::Base
+          self.abstract_class = true
+          self.table_name_prefix = 'cerberus_'
+
+          def self.namespace
+            'Cerberus::Infra::ActiveRecord::Models::'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/models/expression.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      module Models
+        class Expression < ApplicationRecord
+          belongs_to :rule, class_name: "#{namespace}Rule", optional: true
+          belongs_to :parent, class_name: "#{namespace}Expression", optional: true
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/models/expressions/condition.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      module Models
+        module Expressions
+          class Condition < Expression
+            OPERATORS = { eq: '==', neq: '!=', gt: '>', gteq: '>=', lt: '<', lteq: '<=' }.freeze
+
+            belongs_to :left_operand, class_name: "#{namespace}Operand"
+            belongs_to :right_operand, class_name: "#{namespace}Operand"
+
+            enum :operator, OPERATORS
+          end
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/models/expressions/node.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      module Models
+        module Expressions
+          class Node < Expression
+            OPERATORS = { or: 'or', and: 'and' }.freeze
+
+            has_many :children,
+                     class_name:  "#{namespace}Expression",
+                     foreign_key: :parent_id,
+                     dependent:   :destroy
+
+            enum :operator, OPERATORS, prefix: true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/models/operand.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      module Models
+        class Operand < ApplicationRecord
+          KINDS = {
+            subject:  'subject',
+            resource: 'resource',
+            env:      'env',
+            constant: 'constant'
+          }.freeze
+
+          VALUE_TYPES = {
+            string:   'string',
+            integer:  'integer',
+            float:    'float',
+            boolean:  'boolean',
+            time:     'time',
+            date:     'date',
+            datetime: 'datetime',
+            json:     'json',
+            nil:      'nil'
+          }.freeze
+
+          has_many :left_conditions,
+                   class_name: "#{namespace}Expressions::Condition",
+                   inverse_of: :left_operand,
+                   dependent:  :restrict_with_exception
+          has_many :right_conditions,
+                   class_name: "#{namespace}Expressions::Condition",
+                   inverse_of: :right_operand,
+                   dependent:  :restrict_with_exception
+
+          enum :kind, KINDS, prefix: true
+          enum :value_type, VALUE_TYPES, prefix: true
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/models/policy.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      module Models
+        class Policy < ApplicationRecord
+          STRATEGIES = {
+            permit_overrides:   'permit_overrides',
+            permit_unless_deny: 'permit_unless_deny',
+            deny_overrides:     'deny_overrides',
+            deny_unless_permit: 'deny_unless_permit'
+          }.freeze
+
+          has_many :policy_rules, class_name: "#{namespace}PolicyRule", dependent: :destroy
+          has_many :rules, class_name: "#{namespace}Rule", through: :policy_rules
+
+          enum :strategy, STRATEGIES
+
+          validates :action, :strategy, presence: true
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/models/policy_rule.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      module Models
+        class PolicyRule < ApplicationRecord
+          belongs_to :policy, class_name: "#{namespace}Policy"
+          belongs_to :rule, class_name: "#{namespace}Rule"
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/models/rule.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      module Models
+        class Rule < ApplicationRecord
+          EFFECTS = { permit: 'permit', deny: 'deny' }.freeze
+
+          has_many :policy_rules, class_name: "#{namespace}PolicyRule", dependent: :destroy
+          has_many :policies, class_name: "#{namespace}Policy", through: :policy_rules
+          has_one :expression, class_name: "#{namespace}Expression", dependent: :destroy
+
+          enum :effect, EFFECTS
+
+          validates :effect, presence: true
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/active_record/repository.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    module ActiveRecord
+      class Repository
+        attr_reader :model
+
+        def initialize(model:)
+          @model = model
+        end
+
+        def find(action:, resource_type:)
+          model.find_by(action:, resource_type:)
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/infra/types.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Cerberus
+  module Infra
+    class Types
+      MAPPER = {
+        string:   ->(value) { value },
+        integer:  ->(value) { Integer(value) },
+        float:    ->(value) { Float(value) },
+        boolean:  ->(value) { value == 'true' },
+        time:     ->(value) { Time.parse(value) },
+        date:     ->(value) { Date.parse(value) },
+        datetime: ->(value) { DateTime.parse(value) },
+        json:     ->(value) { JSON.parse(value) }
+      }.freeze
+
+      def self.cast(value, type)
+        MAPPER.fetch(type.to_sym, ->(_) {}).call(value)
+      end
+    end
+  end
+end

data/lib/cerberus/plugins/active_record.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Cerberus
+  class Plugins
+    class ActiveRecord
+      class << self
+        def apply(config, **)
+          load_dependencies
+
+          config.authorizer = Application::Authorizer.new(
+            resolver: Application::Resolver.new(
+              repository: Infra::ActiveRecord::Repository.new(
+                model: Infra::ActiveRecord::Models::Policy
+              ),
+              mapper:     Infra::ActiveRecord::Mapper.new(
+                domain_policy: Domain::Policy,
+                domain_rule:   Domain::Rule,
+                builder:       Infra::ActiveRecord::Builder.new
+              )
+            )
+          )
+        end
+
+        private
+
+        def load_dependencies
+          require 'active_record'
+          require_relative '../infra/active_record/models/application_record'
+          require_relative '../infra/active_record/repository'
+          require_relative '../infra/active_record/builder'
+          require_relative '../infra/active_record/mapper'
+          require_relative '../infra/active_record/models/policy'
+          require_relative '../infra/active_record/models/rule'
+          require_relative '../infra/active_record/models/policy_rule'
+          require_relative '../infra/active_record/models/operand'
+          require_relative '../infra/active_record/models/expression'
+          require_relative '../infra/active_record/models/expressions/node'
+          require_relative '../infra/active_record/models/expressions/condition'
+        end
+      end
+    end
+  end
+end

data/lib/cerberus/plugins.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Cerberus
+  class Plugins
+    def self.load(config, name, **opts)
+      require "cerberus/plugins/#{name}"
+
+      config.plugins << name
+
+      const_get(name.to_s.split('_').map(&:capitalize).join)
+        .apply(config, **opts)
+    end
+  end
+end

data/lib/cerberus/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Cerberus
+  VERSION = '0.1.0'
+end

data/lib/cerberus-xacml.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative 'cerberus'

data/lib/cerberus.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative 'cerberus/version'
+
+require 'time'
+require 'date'
+require 'json'
+
+require 'cerberus/infra/types'
+require 'cerberus/domain/operand'
+require 'cerberus/domain/condition'
+require 'cerberus/domain/node'
+require 'cerberus/domain/rule'
+require 'cerberus/domain/policy'
+
+require 'cerberus/application/authorizer'
+require 'cerberus/application/resolver'
+require 'cerberus/generators/migrations'
+require 'cerberus/plugins'
+require 'cerberus/configuration'
+
+module Cerberus
+  class NotAuthorized < StandardError; end
+
+  class Base
+    class << self
+      def configuration
+        @configuration ||= Cerberus::Configuration.new
+      end
+
+      def plugin(name, **opts)
+        Cerberus::Plugins.load(configuration, name, **opts)
+      end
+
+      def authorized?(**args)
+        configuration.authorizer.authorized?(**args)
+      end
+
+      def authorize!(**args)
+        configuration.authorizer.authorize!(**args)
+      end
+    end
+  end
+end

data/sig/cerberus.rbs

@@ -0,0 +1,4 @@
+module Cerberus
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification
+name: cerberus-xacml
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Danil Nasibullin
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2026-04-05 00:00:00.000000000 Z
+dependencies: []
+description: Cerberus is a policy evaluation engine implementing ABAC authorization
+  model.
+email:
+- dan.nasibullin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/cerberus-xacml.rb
+- lib/cerberus.rb
+- lib/cerberus/application/authorizer.rb
+- lib/cerberus/application/resolver.rb
+- lib/cerberus/configuration.rb
+- lib/cerberus/domain/condition.rb
+- lib/cerberus/domain/node.rb
+- lib/cerberus/domain/operand.rb
+- lib/cerberus/domain/policy.rb
+- lib/cerberus/domain/rule.rb
+- lib/cerberus/domain/strategies/deny_overrides.rb
+- lib/cerberus/domain/strategies/deny_unless_permit.rb
+- lib/cerberus/domain/strategies/permit_overrides.rb
+- lib/cerberus/domain/strategies/permit_unless_deny.rb
+- lib/cerberus/generators/migrations.rb
+- lib/cerberus/generators/migrations/active_record/000_cerberus_init.rb
+- lib/cerberus/infra/active_record/builder.rb
+- lib/cerberus/infra/active_record/mapper.rb
+- lib/cerberus/infra/active_record/models/application_record.rb
+- lib/cerberus/infra/active_record/models/expression.rb
+- lib/cerberus/infra/active_record/models/expressions/condition.rb
+- lib/cerberus/infra/active_record/models/expressions/node.rb
+- lib/cerberus/infra/active_record/models/operand.rb
+- lib/cerberus/infra/active_record/models/policy.rb
+- lib/cerberus/infra/active_record/models/policy_rule.rb
+- lib/cerberus/infra/active_record/models/rule.rb
+- lib/cerberus/infra/active_record/repository.rb
+- lib/cerberus/infra/types.rb
+- lib/cerberus/plugins.rb
+- lib/cerberus/plugins/active_record.rb
+- lib/cerberus/version.rb
+- sig/cerberus.rbs
+homepage: https://github.com/D-Black-N/cerberus
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/D-Black-N/cerberus
+  source_code_uri: https://github.com/D-Black-N/cerberus
+  changelog_uri: https://github.com/D-Black-N/cerberus/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/D-Black-N/cerberus/issues
+  allowed_push_host: https://rubygems.org
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.1'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.27
+signing_key:
+specification_version: 4
+summary: High-performance ABAC (Attribute-Based Access Control) engine for Ruby
+test_files: []