-
Notifications
You must be signed in to change notification settings - Fork 0
/
rbac.rego
61 lines (48 loc) · 1.34 KB
/
rbac.rego
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
package permit.rbac
import future.keywords
# Santizied query
input_query := {
"action": input.action,
"user": {"key": input.user.key},
"resource": {
# "key": input.resource.key,
"type": input.resource.type,
"tenant": input.resource.tenant,
},
}
# By default, deny requests.
default allow := false
# Allow the action if the user is granted permission to perform the action.
allow {
count(matching_grants) > 0
}
matching_grants[grant] {
# Find grants for the user.
some grant in grants
# Check if the grant permits the action.
input_query.action == grant
}
tenant := tenant_key {
input_query.resource.tenant != null
tenant_key := input_query.resource.tenant
}
#tenant := tenant_key {
# q.resource.tenant == null
# q.resource.key != null
# q.resource.type != null
# data.resources[q.resource.type]
# tenant_key := data.resources[q.resource.type][q.resource.key].tenant
#}
user_roles[role_key] {
some role_key in data.users[input_query.user.key].roleAssignments[tenant]
}
default roles_resource := "__tenant"
roles_resource := data.roles_resource
grants[grant] {
some role_key in user_roles
some grant in data.role_permissions[roles_resource][role_key].grants[input_query.resource.type]
}
allowing_roles[role_key] {
some role_key in user_roles
input.action in data.role_permissions[roles_resource][role_key].grants[input_query.resource.type]
}