feat: Normalize the policy enforcer structure

CONTRIBUTING.md

@@ -36,7 +36,11 @@ Here are some important resources:
   the error propagation.
 - **Async/Await**: The project is heavily asynchronous, built on top of `tokio`.
 - **Policy Enforcement**: Uses Open Policy Agent (OPA) logic, with `.rego` files
-  located in the `policy/` directory.
+  located in the `policy/` directory. The policy name passed to
+  `state.policy_enforcer.enforce()` corresponds to the policy's `package`
+  identifier with dots replaced by slashes. Policy documentation must include
+  the original Rust structure name (e.g., `UserCreate`) to facilitate future
+  updates.
 - Pass by reference when receiver is not supposed to take ownership.
 - Code should be reasonably commented.
 
@@ -81,6 +85,14 @@ Here are some important resources:
   - for authentication handlers:
     - at least one successful unittest.
 - Policy Enforcement rules (`state.policy_enforcement.enforce`):
+  - The policy name corresponds to the Rego `package` identifier (e.g.,
+    `identity.user.show` is found in `policy/identity/user/show.rego`) and
+    invoked from the API handler as `identity/user/show`.
+  - Input structures follow ADR-0002:
+    - Create: `input.target` = payload, `input.existing` = `null`.
+    - Update: `input.target` = patch, `input.existing` = stored resource.
+    - Show/Delete: `input.target` = stored resource, `input.existing` = `null`.
+    - List: `input.target` = query parameters, `input.existing` = `null`.
   - For create operation the new object is passed to enforcer before the
     creation.
   - For remove operation first the current state is fetched, it is then passed

crates/core/src/policy.rs

@@ -105,8 +105,10 @@ pub trait PolicyEnforcer: Send + Sync {
     /// # Parameters
     /// - `policy_name`: The name of the policy to enforce.
     /// - `credentials`: The credentials of the user requesting the action.
-    /// - `target`: The target resource of the action.
-    /// - `update`: Optional update data for the resource.
+    /// - `target`: The object the action is acting upon (new object for create,
+    ///   patch for update, query params for list, `Value::Null` for show/delete).
+    /// - `existing`: The existing/stored object before the action (for update
+    ///   operations), or `None` for create/list/show/delete.
     ///
     /// # Returns
     /// - `Ok(PolicyEvaluationResult)` if the policy was evaluated successfully.
@@ -116,7 +118,7 @@ pub trait PolicyEnforcer: Send + Sync {
         policy_name: &'static str,
         credentials: &ValidatedSecurityContext,
         target: Value,
-        update: Option<Value>,
+        existing: Option<Value>,
     ) -> Result<PolicyEvaluationResult, PolicyError>;
 
     /// Performs a health check of the policy enforcer.

crates/keystone/Cargo.toml

@@ -61,7 +61,7 @@ spiffe = { workspace = true, features = ["x509-source"] }
 spiffe-rustls = "0.6"
 spiffe-rustls-tokio = "0.3"
 thiserror.workspace = true
-tokio = { workspace = true, features = ["fs", "macros", "signal", "rt-multi-thread"] }
+tokio = { workspace = true, features = ["fs", "macros", "process", "signal", "rt-multi-thread"] }
 tokio-rustls.workspace = true
 tokio-util.workspace = true
 tonic = { workspace = true, features = ["server", "tls-aws-lc" ] }

crates/keystone/src/api/v3/group/create.rs

@@ -12,6 +12,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 use axum::{Json, debug_handler, extract::State, http::StatusCode, response::IntoResponse};
+use serde_json::json;
 use validator::Validate;
 
 use super::types::{Group, GroupCreateRequest, GroupResponse};
@@ -42,7 +43,7 @@ pub async fn create(
         .enforce(
             "identity/group/create",
             &user_auth,
-            serde_json::to_value(&req.group)?,
+            json!({"group": req.group}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/group/delete.rs

@@ -16,6 +16,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use crate::api::auth::Auth;
 use crate::api::error::KeystoneApiError;
@@ -50,7 +51,7 @@ pub async fn delete(
         .enforce(
             "identity/group/delete",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"group": current}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/group/list.rs

@@ -17,6 +17,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 use validator::Validate;
 
 use super::types::{Group, GroupList, GroupListParameters};
@@ -48,7 +49,7 @@ pub async fn list(
         .enforce(
             "identity/group/list",
             &user_auth,
-            serde_json::to_value(&query)?,
+            json!({"group": query}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/group/show.rs

@@ -17,6 +17,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use super::types::{Group, GroupResponse};
 use crate::api::auth::Auth;
@@ -51,7 +52,7 @@ pub async fn show(
         .enforce(
             "identity/group/show",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"group": current}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/project/create.rs

@@ -17,6 +17,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 use validator::Validate;
 
 use super::types::{ProjectCreateRequest, ProjectResponse};
@@ -53,7 +54,7 @@ pub(super) async fn create(
         .enforce(
             "identity/project/create",
             &user_auth,
-            serde_json::to_value(&payload.project)?,
+            json!({"project": payload.project}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/project/delete.rs

@@ -17,6 +17,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use crate::api::auth::Auth;
 use crate::api::error::KeystoneApiError;
@@ -51,7 +52,7 @@ pub async fn remove(
         .enforce(
             "identity/project/delete",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"project": current}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/role/create.rs

@@ -17,6 +17,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 use validator::Validate;
 
 use super::types::{RoleCreateRequest, RoleResponse};
@@ -50,7 +51,7 @@ pub(super) async fn create(
         .enforce(
             "identity/role/create",
             &user_auth,
-            serde_json::to_value(&payload.role)?,
+            json!({"role": payload.role}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/role/list.rs

@@ -18,6 +18,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use super::types::{Role, RoleList, RoleListParameters};
 use crate::api::auth::Auth;
@@ -48,7 +49,7 @@ pub(super) async fn list(
         .enforce(
             "identity/role/list",
             &user_auth,
-            serde_json::to_value(&query)?,
+            json!({"role": query}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/role/show.rs

@@ -18,6 +18,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use openstack_keystone_api_types::v3::role::{Role, RoleResponse};
 
@@ -55,7 +56,7 @@ pub(super) async fn show(
         .enforce(
             "identity/role/show",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"role": current}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/role_assignment/list.rs

@@ -18,6 +18,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use crate::api::auth::Auth;
 use crate::api::error::KeystoneApiError;
@@ -54,7 +55,7 @@ pub(super) async fn list(
         .enforce(
             "identity/assignment/list",
             &user_auth,
-            serde_json::to_value(&query)?,
+            json!({"assignment": query}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/user/create.rs

@@ -18,6 +18,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 use validator::Validate;
 
 use super::types::{User, UserCreateRequest, UserListParameters, UserResponse};
@@ -50,7 +51,7 @@ pub(super) async fn create(
         .enforce(
             "identity/user/create",
             &user_auth,
-            serde_json::to_value(&req.user)?,
+            json!({"user": req.user}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/user/delete.rs

@@ -17,6 +17,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use crate::api::auth::Auth;
 use crate::api::error::KeystoneApiError;
@@ -52,7 +53,7 @@ pub(super) async fn delete(
         .enforce(
             "identity/user/delete",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"user": current}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/user/groups.rs

@@ -18,6 +18,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use crate::api::auth::Auth;
 use crate::api::error::KeystoneApiError;
@@ -63,7 +64,7 @@ pub(super) async fn groups(
         .enforce(
             "identity/user/show",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"user": current}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/user/list.rs

@@ -18,6 +18,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 use validator::Validate;
 
 use super::types::{User, UserList, UserListParameters};
@@ -50,7 +51,7 @@ pub(super) async fn list(
         .enforce(
             "identity/user/list",
             &user_auth,
-            serde_json::to_value(&query)?,
+            json!({"user": query}),
             None,
         )
         .await?;

crates/keystone/src/api/v3/user/show.rs

@@ -18,6 +18,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use super::types::{User, UserResponse};
 use crate::api::auth::Auth;
@@ -53,7 +54,7 @@ pub(super) async fn show(
         .enforce(
             "identity/user/show",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"user": current}),
             None,
         )
         .await?;

crates/keystone/src/api/v4/token/restriction/create.rs

@@ -14,6 +14,7 @@
 //! Token restriction: create.
 
 use axum::{Json, debug_handler, extract::State, http::StatusCode, response::IntoResponse};
+use serde_json::json;
 use validator::Validate;
 
 use crate::api::auth::Auth;
@@ -54,9 +55,9 @@ pub(super) async fn create(
     state
         .policy_enforcer
         .enforce(
-            "identity/token_restriction/create",
+            "identity/token/token_restriction/create",
             &user_auth,
-            serde_json::to_value(&req.restriction)?,
+            json!({"restriction": req.restriction}),
             None,
         )
         .await?;

crates/keystone/src/api/v4/token/restriction/delete.rs

@@ -19,6 +19,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use crate::api::auth::Auth;
 use crate::api::error::KeystoneApiError;
@@ -62,9 +63,9 @@ pub(super) async fn remove(
     state
         .policy_enforcer
         .enforce(
-            "identity/token_restriction/delete",
+            "identity/token/token_restriction/delete",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"restriction": current}),
             None,
         )
         .await?;

crates/keystone/src/api/v4/token/restriction/list.rs

@@ -19,7 +19,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
-use serde_json::to_value;
+use serde_json::json;
 
 use openstack_keystone_core_types::token::TokenRestrictionListParameters as ProviderTokenRestrictionListParameters;
 
@@ -60,9 +60,9 @@ pub(super) async fn list(
     state
         .policy_enforcer
         .enforce(
-            "identity/token_restriction/list",
+            "identity/token/token_restriction/list",
             &user_auth,
-            to_value(&query)?,
+            json!({"restriction": query}),
             None,
         )
         .await?;

crates/keystone/src/api/v4/token/restriction/show.rs

@@ -19,6 +19,7 @@ use axum::{
     http::StatusCode,
     response::IntoResponse,
 };
+use serde_json::json;
 
 use crate::api::auth::Auth;
 use crate::api::error::KeystoneApiError;
@@ -69,9 +70,9 @@ pub(super) async fn show(
     state
         .policy_enforcer
         .enforce(
-            "identity/token_restriction/show",
+            "identity/token/token_restriction/show",
             &user_auth,
-            serde_json::to_value(&current)?,
+            json!({"restriction": current}),
             None,
         )
         .await?;