rbacx 0.1.0__tar.gz

rbacx-0.1.0/LICENSE

@@ -0,0 +1,22 @@
+
+MIT License
+
+Copyright (c) 2025 RBACX (Cheater121)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

rbacx-0.1.0/MANIFEST.in

@@ -0,0 +1,14 @@
+
+include LICENSE
+include README.md
+include pyproject.toml
+
+recursive-include src *
+
+prune .github
+prune docs
+prune tests
+prune examples
+prune site
+prune build
+prune dist

rbacx-0.1.0/PKG-INFO

@@ -0,0 +1,179 @@
+Metadata-Version: 2.4
+Name: rbacx
+Version: 0.1.0
+Summary: RBAC/ABAC policy engine for Python with policy sets, condition DSL, and hot reload
+Author-email: Cheater121 <cheater1211@gmail.com>
+License: 
+        MIT License
+        
+        Copyright (c) 2025 RBACX (Cheater121)
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Project-URL: Homepage, https://github.com/Cheater121/rbacx
+Project-URL: Repository, https://github.com/Cheater121/rbacx
+Project-URL: Issues, https://github.com/Cheater121/rbacx/issues
+Project-URL: Changelog, https://github.com/Cheater121/rbacx/blob/main/CHANGELOG.md
+Keywords: rbac,abac,policy,authorization
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Typing :: Typed
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: adapters-fastapi
+Requires-Dist: fastapi>=0.110; extra == "adapters-fastapi"
+Requires-Dist: starlette>=0.37; extra == "adapters-fastapi"
+Provides-Extra: adapters-flask
+Requires-Dist: flask>=2.3; extra == "adapters-flask"
+Provides-Extra: adapters-drf
+Requires-Dist: django>=4.2; extra == "adapters-drf"
+Requires-Dist: djangorestframework>=3.14; extra == "adapters-drf"
+Provides-Extra: metrics
+Requires-Dist: prometheus-client>=0.14; extra == "metrics"
+Requires-Dist: opentelemetry-api>=1.25; extra == "metrics"
+Provides-Extra: dates
+Requires-Dist: python-dateutil>=2.8; extra == "dates"
+Provides-Extra: http
+Requires-Dist: requests>=2.28; extra == "http"
+Provides-Extra: s3
+Requires-Dist: boto3>=1.26; extra == "s3"
+Provides-Extra: otel
+Requires-Dist: opentelemetry-api>=1.19; extra == "otel"
+Requires-Dist: opentelemetry-sdk>=1.19; extra == "otel"
+Provides-Extra: dev
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: pre-commit>=3.7; extra == "dev"
+Requires-Dist: build>=1.2; extra == "dev"
+Requires-Dist: ruff>=0.6; extra == "dev"
+Requires-Dist: twine; extra == "dev"
+Requires-Dist: mypy>=1.8; extra == "dev"
+Provides-Extra: tests
+Requires-Dist: pytest>=8; extra == "tests"
+Requires-Dist: pytest-asyncio>=0.23; extra == "tests"
+Requires-Dist: coverage>=7; extra == "tests"
+Provides-Extra: docs
+Requires-Dist: mkdocs>=1.6; extra == "docs"
+Requires-Dist: mkdocs-material>=9.5; extra == "docs"
+Provides-Extra: examples
+Requires-Dist: uvicorn>=0.30; extra == "examples"
+Requires-Dist: fastapi>=0.110; extra == "examples"
+Requires-Dist: starlette>=0.37; extra == "examples"
+Requires-Dist: flask>=2.3; extra == "examples"
+Requires-Dist: django>=4.2; extra == "examples"
+Requires-Dist: djangorestframework>=3.14; extra == "examples"
+Requires-Dist: litestar>=2.8; extra == "examples"
+Provides-Extra: validate
+Requires-Dist: jsonschema>=4.18; extra == "validate"
+Dynamic: license-file
+
+# RBACX
+
+<!-- 
+[![CI](https://github.com/Cheater121/rbacx/actions/workflows/ci.yml/badge.svg)](https://github.com/Cheater121/rbacx/actions/workflows/ci.yml)
+[![Docs](https://img.shields.io/badge/docs-website-blue)](https://cheater121.github.io/rbacx/)
+-->
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+<!-- After publishing to PyPI:
+[![PyPI](https://img.shields.io/pypi/v/rbacx)](https://pypi.org/project/rbacx/)
+[![Python](https://img.shields.io/pypi/pyversions/rbacx)](https://pypi.org/project/rbacx/)
+-->
+
+Universal **RBAC/ABAC** policy engine for Python with a clean core, policy sets, a compact condition DSL (including time ops), and adapters for common web frameworks.
+
+## Features
+- Algorithms: `deny-overrides` (default), `permit-overrides`, `first-applicable`
+- Conditions: `==`, `!=`, `<`, `<=`, `>`, `>=`, `contains`, `in`, `hasAll`, `hasAny`, `startsWith`, `endsWith`, `before`, `after`, `between`
+- Explainability: `decision`, `reason`, `rule_id`/`last_rule_id`, `obligations`
+- Policy sets: combine multiple policies with the same algorithms
+- Hot reload: file/HTTP/S3 sources with ETag and a polling manager
+- Types & lint: mypy-friendly core, Ruff-ready
+
+## Installation
+```bash
+pip install rbacx
+```
+
+## Quickstart
+```python
+from rbacx.core.engine import Guard
+from rbacx.core.model import Subject, Action, Resource, Context
+
+policy = {
+    "algorithm": "deny-overrides",
+    "rules": [
+        {
+            "id": "doc_read",
+            "effect": "permit",
+            "actions": ["read"],
+            "resource": {"type": "doc", "attrs": {"visibility": ["public", "internal"]}},
+            "condition": {"hasAny": [ {"attr": "subject.roles"}, ["reader", "admin"] ]},
+            "obligations": [{"mfa": True}]
+        },
+        {"id": "doc_deny_archived", "effect": "deny", "actions": ["*"], "resource": {"type": "doc", "attrs": {"archived": True}}},
+    ],
+}
+
+g = Guard(policy)
+
+d = g.evaluate_sync(
+    subject=Subject(id="u1", roles=["reader"]),
+    action=Action("read"),
+    resource=Resource(type="doc", id="42", attrs={"visibility": "public"}),
+    context=Context(attrs={"mfa": True}),
+)
+
+assert d.allowed is True
+assert d.effect == "permit"
+print(d.reason, d.rule_id)  # "matched", "doc_read"
+```
+
+### Decision schema
+- `decision`: `"permit"` or `"deny"`
+- `reason`: `"matched"`, `"explicit_deny"`, `"action_mismatch"`, `"resource_mismatch"`, `"condition_mismatch"`, `"condition_type_mismatch"`, `"no_match"`
+- `rule_id` / `last_rule_id`
+- `obligations`: list passed to the obligation checker
+
+### Policy sets
+```python
+from rbacx.core.policyset import decide as decide_policyset
+
+policyset = {"algorithm":"deny-overrides", "policies":[ policy, {"rules":[...]} ]}
+result = decide_policyset(policyset, {"subject":..., "action":"read", "resource":...})
+```
+
+## Hot reloading
+```python
+from rbacx.core.engine import Guard
+from rbacx.storage import FilePolicySource   # from rbacx.storage import HotReloader if you prefer
+from rbacx.store.manager import PolicyManager
+
+guard = Guard(policy={})
+mgr = PolicyManager(guard, FilePolicySource("policy.json"))
+mgr.poll_once()        # initial load
+mgr.start_polling(10)  # background polling thread
+```
+
+## Packaging
+- We ship `py.typed` so type checkers pick up annotations.
+- Standard PyPA flow: `python -m build`, then `twine upload` to (Test)PyPI.
+
+## License
+MIT

rbacx-0.1.0/README.md

@@ -0,0 +1,93 @@
+# RBACX
+
+<!-- 
+[![CI](https://github.com/Cheater121/rbacx/actions/workflows/ci.yml/badge.svg)](https://github.com/Cheater121/rbacx/actions/workflows/ci.yml)
+[![Docs](https://img.shields.io/badge/docs-website-blue)](https://cheater121.github.io/rbacx/)
+-->
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+<!-- After publishing to PyPI:
+[![PyPI](https://img.shields.io/pypi/v/rbacx)](https://pypi.org/project/rbacx/)
+[![Python](https://img.shields.io/pypi/pyversions/rbacx)](https://pypi.org/project/rbacx/)
+-->
+
+Universal **RBAC/ABAC** policy engine for Python with a clean core, policy sets, a compact condition DSL (including time ops), and adapters for common web frameworks.
+
+## Features
+- Algorithms: `deny-overrides` (default), `permit-overrides`, `first-applicable`
+- Conditions: `==`, `!=`, `<`, `<=`, `>`, `>=`, `contains`, `in`, `hasAll`, `hasAny`, `startsWith`, `endsWith`, `before`, `after`, `between`
+- Explainability: `decision`, `reason`, `rule_id`/`last_rule_id`, `obligations`
+- Policy sets: combine multiple policies with the same algorithms
+- Hot reload: file/HTTP/S3 sources with ETag and a polling manager
+- Types & lint: mypy-friendly core, Ruff-ready
+
+## Installation
+```bash
+pip install rbacx
+```
+
+## Quickstart
+```python
+from rbacx.core.engine import Guard
+from rbacx.core.model import Subject, Action, Resource, Context
+
+policy = {
+    "algorithm": "deny-overrides",
+    "rules": [
+        {
+            "id": "doc_read",
+            "effect": "permit",
+            "actions": ["read"],
+            "resource": {"type": "doc", "attrs": {"visibility": ["public", "internal"]}},
+            "condition": {"hasAny": [ {"attr": "subject.roles"}, ["reader", "admin"] ]},
+            "obligations": [{"mfa": True}]
+        },
+        {"id": "doc_deny_archived", "effect": "deny", "actions": ["*"], "resource": {"type": "doc", "attrs": {"archived": True}}},
+    ],
+}
+
+g = Guard(policy)
+
+d = g.evaluate_sync(
+    subject=Subject(id="u1", roles=["reader"]),
+    action=Action("read"),
+    resource=Resource(type="doc", id="42", attrs={"visibility": "public"}),
+    context=Context(attrs={"mfa": True}),
+)
+
+assert d.allowed is True
+assert d.effect == "permit"
+print(d.reason, d.rule_id)  # "matched", "doc_read"
+```
+
+### Decision schema
+- `decision`: `"permit"` or `"deny"`
+- `reason`: `"matched"`, `"explicit_deny"`, `"action_mismatch"`, `"resource_mismatch"`, `"condition_mismatch"`, `"condition_type_mismatch"`, `"no_match"`
+- `rule_id` / `last_rule_id`
+- `obligations`: list passed to the obligation checker
+
+### Policy sets
+```python
+from rbacx.core.policyset import decide as decide_policyset
+
+policyset = {"algorithm":"deny-overrides", "policies":[ policy, {"rules":[...]} ]}
+result = decide_policyset(policyset, {"subject":..., "action":"read", "resource":...})
+```
+
+## Hot reloading
+```python
+from rbacx.core.engine import Guard
+from rbacx.storage import FilePolicySource   # from rbacx.storage import HotReloader if you prefer
+from rbacx.store.manager import PolicyManager
+
+guard = Guard(policy={})
+mgr = PolicyManager(guard, FilePolicySource("policy.json"))
+mgr.poll_once()        # initial load
+mgr.start_polling(10)  # background polling thread
+```
+
+## Packaging
+- We ship `py.typed` so type checkers pick up annotations.
+- Standard PyPA flow: `python -m build`, then `twine upload` to (Test)PyPI.
+
+## License
+MIT

rbacx-0.1.0/pyproject.toml

@@ -0,0 +1,62 @@
+[project]
+name = "rbacx"
+version = "0.1.0"
+description = "RBAC/ABAC policy engine for Python with policy sets, condition DSL, and hot reload"
+readme = "README.md"
+requires-python = ">=3.8"
+license = { file = "LICENSE" }
+authors = [{ name = "Cheater121", email = "cheater1211@gmail.com" }]
+keywords = ["rbac", "abac", "policy", "authorization"]
+classifiers = [
+  "Programming Language :: Python :: 3",
+  "License :: OSI Approved :: MIT License",
+  "Typing :: Typed",
+]
+
+[project.urls]
+Homepage   = "https://github.com/Cheater121/rbacx"
+Repository = "https://github.com/Cheater121/rbacx"
+Issues     = "https://github.com/Cheater121/rbacx/issues"
+Changelog  = "https://github.com/Cheater121/rbacx/blob/main/CHANGELOG.md"
+# Documentation = "https://cheater121.github.io/rbacx/"
+
+[project.optional-dependencies]
+adapters-fastapi = ["fastapi>=0.110","starlette>=0.37"]
+adapters-flask = ["flask>=2.3"]
+adapters-drf = ["django>=4.2","djangorestframework>=3.14"]
+metrics = ["prometheus-client>=0.14", "opentelemetry-api>=1.25"]
+dates = ["python-dateutil>=2.8"]
+http = ["requests>=2.28"]
+s3 = ["boto3>=1.26"]
+otel = ["opentelemetry-api>=1.19", "opentelemetry-sdk>=1.19"]
+dev = ["pytest", "pytest-cov", "pre-commit>=3.7", "build>=1.2", "ruff>=0.6", "twine", "mypy>=1.8"]
+tests = ["pytest>=8", "pytest-asyncio>=0.23", "coverage>=7"]
+docs = ["mkdocs>=1.6", "mkdocs-material>=9.5"]
+examples = ["uvicorn>=0.30", "fastapi>=0.110", "starlette>=0.37", "flask>=2.3", "django>=4.2", "djangorestframework>=3.14", "litestar>=2.8"]
+validate = ["jsonschema>=4.18"]
+
+[project.scripts]
+rbacx = "rbacx.cli:main"
+
+[tool.ruff]
+line-length = 100
+
+[tool.ruff.lint]
+extend-select = ["I", "B"]
+
+[tool.coverage.run]
+source = ["rbacx"]
+branch = true
+
+[tool.coverage.report]
+show_missing = true
+
+[tool.setuptools]
+package-dir = {"" = "src"}
+include-package-data = true
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.setuptools.package-data]
+rbacx = ["py.typed", "dsl/policy.schema.json"]

rbacx-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

rbacx-0.1.0/src/rbacx/__init__.py

@@ -0,0 +1,20 @@
+
+from __future__ import annotations
+
+try:
+    from importlib.metadata import PackageNotFoundError, version  # py3.8+
+except Exception:  # pragma: no cover
+    version = None  # type: ignore
+    PackageNotFoundError = Exception  # type: ignore
+
+__all__ = ["core", "adapters", "storage", "obligations", "__version__"]
+
+def _detect_version() -> str:
+    try:
+        if version is None:
+            raise PackageNotFoundError  # type: ignore
+        return version("rbacx")
+    except Exception:
+        return "0.1.0"
+
+__version__ = _detect_version()

rbacx-0.1.0/src/rbacx/adapters/asgi.py

@@ -0,0 +1,25 @@
+
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+from ..core.engine import Guard
+
+logger = logging.getLogger("rbacx.adapters.asgi")
+
+class RbacxMiddleware:
+    def __init__(self, app: Any, *, guard: Guard, mode: str = "enforce", policy_reloader: Any | None = None) -> None:
+        self.app = app
+        self.guard = guard
+        self.mode = mode
+        self.reloader = policy_reloader
+
+    async def __call__(self, scope, receive, send):
+        if self.reloader:
+            try:
+                self.reloader.check_and_reload()
+            except Exception as e:
+                logger.exception("RBACX: policy reload failed", exc_info=e)
+        scope["rbacx_guard"] = self.guard
+        await self.app(scope, receive, send)

rbacx-0.1.0/src/rbacx/adapters/asgi_accesslog.py

@@ -0,0 +1,36 @@
+
+from __future__ import annotations
+
+import logging
+import time
+from typing import Any
+
+from ..logging.context import get_current_trace_id
+
+logger = logging.getLogger("rbacx.adapters.asgi.access")
+
+class AccessLogMiddleware:
+    def __init__(self, app: Any) -> None:
+        self.app = app
+
+    async def __call__(self, scope, receive, send):
+        if scope.get("type") != "http":
+            await self.app(scope, receive, send)
+            return
+        method = scope.get("method")
+        path = (scope.get("path") or "") + (("?" + scope.get("query_string", b"").decode("latin1")) if scope.get("query_string") else "")
+        start = time.time()
+        status = 0
+
+        async def send_wrapper(message):
+            nonlocal status
+            if message.get("type") == "http.response.start":
+                status = int(message.get("status", 0))
+            await send(message)
+
+        try:
+            await self.app(scope, receive, send_wrapper)
+        finally:
+            dur_ms = int((time.time() - start) * 1000)
+            rid = get_current_trace_id() or "-"
+            logger.info("access %s %s %s %sms trace_id=%s", method, path, status, dur_ms, rid)

rbacx-0.1.0/src/rbacx/adapters/asgi_logging.py

@@ -0,0 +1,46 @@
+
+from __future__ import annotations
+
+import logging
+from typing import Any, Iterable, Tuple
+
+from ..logging.context import clear_current_trace_id, gen_trace_id, set_current_trace_id
+
+logger = logging.getLogger("rbacx.adapters.asgi")
+
+class TraceIdMiddleware:
+    def __init__(self, app: Any, header_name: bytes = b"x-request-id") -> None:
+        self.app = app
+        self.header_name = header_name
+
+    async def __call__(self, scope, receive, send):
+        if scope.get("type") != "http":
+            await self.app(scope, receive, send)
+            return
+
+        req_headers: Iterable[Tuple[bytes, bytes]] = scope.get("headers", []) or []
+        rid = None
+        for k, v in req_headers:
+            if k.lower() == self.header_name:
+                rid = v.decode("latin1")
+                break
+        if not rid:
+            rid = gen_trace_id()
+
+        token = set_current_trace_id(rid)
+
+        async def send_wrapper(message):
+            if message.get("type") == "http.response.start":
+                headers = message.setdefault("headers", [])
+                try:
+                    # remove any existing header to avoid duplicates
+                    headers[:] = [h for h in headers if h[0].lower() != self.header_name]
+                    headers.append([self.header_name, rid.encode("latin1")])
+                except Exception:
+                    pass
+            await send(message)
+
+        try:
+            await self.app(scope, receive, send_wrapper)
+        finally:
+            clear_current_trace_id(token)

rbacx-0.1.0/src/rbacx/adapters/django/decorators.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+from functools import wraps
+
+from django.http import HttpRequest, HttpResponseForbidden  # type: ignore[import-untyped]
+
+from ...core.model import Action, Context, Resource, Subject
+
+
+def require(action: str, resource_type: str, *, audit: bool = False):
+    def deco(view_func):
+        @wraps(view_func)
+        def _wrapped(request: HttpRequest, *args, **kwargs):
+            guard = getattr(request, "rbacx_guard", None)
+            if guard is None:
+                return view_func(request, *args, **kwargs)
+            sub = Subject(id=str(getattr(getattr(request, 'user', None), 'id', 'anonymous')))
+            res = Resource(type=resource_type)
+            ctx = Context(attrs={})
+            ok = guard.is_allowed_sync(sub, Action(action), res, ctx)
+            if not ok and not audit:
+                return HttpResponseForbidden("Forbidden")
+            return view_func(request, *args, **kwargs)
+        return _wrapped
+    return deco

rbacx-0.1.0/src/rbacx/adapters/django/middleware.py

@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+import logging
+from importlib import import_module
+from typing import Any, Callable
+
+from django.conf import settings  # type: ignore[import-untyped]
+
+logger = logging.getLogger("rbacx.adapters.django")
+
+
+def _load_dotted(path: str) -> Callable[[], Any]:
+    mod, _, attr = path.rpartition(".")
+    if not mod:
+        raise ImportError(f"Invalid dotted path: {path}")
+    m = import_module(mod)
+    obj = getattr(m, attr, None)
+    if obj is None:
+        raise ImportError(f"Attribute '{attr}' not found in module '{mod}'")
+    if not callable(obj):
+        raise TypeError(f"Object at '{path}' is not callable")
+    return obj
+
+
+class RbacxDjangoMiddleware:
+    def __init__(self, get_response: Callable) -> None:
+        self.get_response = get_response
+        self._guard: Any | None = None
+        factory_path = getattr(settings, "RBACX_GUARD_FACTORY", None)
+        if factory_path:
+            factory = _load_dotted(factory_path)
+            self._guard = factory()
+
+    def __call__(self, request):
+        if self._guard is not None:
+            request.rbacx_guard = self._guard
+        response = self.get_response(request)
+        return response

rbacx-0.1.0/src/rbacx/adapters/django/trace.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+from typing import Callable
+
+from ...logging.context import (
+    clear_current_trace_id,
+    gen_trace_id,
+    get_current_trace_id,
+    set_current_trace_id,
+)
+
+
+class TraceIdMiddleware:
+    def __init__(self, get_response: Callable) -> None:
+        self.get_response = get_response
+
+    def __call__(self, request):
+        rid = request.META.get("HTTP_X_REQUEST_ID") or gen_trace_id()
+        token = set_current_trace_id(rid)
+        response = self.get_response(request)
+        try:
+            response["X-Request-ID"] = get_current_trace_id() or rid
+        finally:
+            clear_current_trace_id(token)
+        return response

rbacx-0.1.0/src/rbacx/adapters/drf.py

@@ -0,0 +1,20 @@
+
+from __future__ import annotations
+
+from typing import Any, Callable
+
+from rest_framework.permissions import BasePermission  # type: ignore
+
+from ..core.engine import Guard
+from ..core.model import Action, Context, Resource, Subject
+
+
+def make_permission(guard: Guard, build_env: Callable[[Any], tuple[Subject, Action, Resource, Context]]):
+    class RBACXPermission(BasePermission):
+        message = "forbidden"
+        def has_permission(self, request, view):
+            subject, action, resource, context = build_env(request)
+            dec = guard.evaluate_sync(subject, action, resource, context)
+            self.message = f"forbidden: {dec.reason}"
+            return bool(dec.allowed)
+    return RBACXPermission