
Commit 1c102e6

ZohebShaikhkeithralphs
authored and committed
feat: add tiled authz
1 parent ff4deba commit 1c102e6

2 files changed

+172
-0
lines changed

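--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,44 @@
+package diamond.policy.tiled
+
+import data.diamond.policy.session
+import data.diamond.policy.token
+import rego.v1
+
+read_scopes := {
+"read:metadata",
+"read:data",
+}
+
+write_scopes := {
+"write:metadata",
+"write:data",
+"create",
+"register",
+}
+
+scopes_for(claims) := read_scopes | write_scopes if {
+"azp" in object.keys(claims)
+endswith(claims.azp, "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+"azp" in object.keys(claims)
+not endswith(claims.azp, "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+not "azp" in object.keys(claims)
+}
+
+default scopes := set()
+
+scopes := scopes_for(token.claims)
+
+user_sessions contains user_session if {
+some i in data.diamond.data.sessions
+session.access_session(token.claims.fedid, i.proposal_number, i.visit_number)
+user_session := sprintf(
+`{"proposal": %d, "visit": %d, "beamline": "%s"}`,
+[i.proposal_number, i.visit_number, i.beamline],
+)
+}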
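Review bot: The first `scopes_for` rule grants `write:*`, `create` and `register` on nothing more than `endswith(claims.azp, "-blueapi")`, so any OAuth client whose registered identifier happens to end in `-blueapi` receives write access; the policy presumably relies on the identity provider's client-naming namespace being tightly controlled. If the set of blueapi clients is knowable, an exact-match allowlist kept in data, e.g. `claims.azp in data.<ALLOWLIST-KEY-TBD>` (key to be chosen), fails closed when an unexpected client appears. Note also that the two `read_scopes` rules return read access for any defined claims object including `{}` (the accompanying test asserts this), so read access hinges on `token.claims` being undefined rather than empty when validation fails; a comment above `default scopes := set()` such as `# any validated token gets read scopes; token.claims must be undefined, not {}, for an invalid token` would make that dependency explicit. Finally, `user_session` is assembled with `sprintf` and a bare `%s`, so a beamline name containing a quote would yield malformed JSON; `json.marshal({"proposal": i.proposal_number, "visit": i.visit_number, "beamline": i.beamline})` is the robust form, with the caveat that it changes key order and spacing so the consumer and the tests would need to follow.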
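--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,128 @@
+package diamond.policy.tiled_test
+
+import data.diamond.policy.tiled
+import rego.v1
+
+test_default_no_scopes if {
+tiled.scopes == set()
+}
+
+test_wrong_azp_read_scopes if {
+tiled.scopes == tiled.read_scopes with data.diamond.policy.token.claims as {}
+tiled.scopes == tiled.read_scopes with data.diamond.policy.token.claims as {"sub": "foo"}
+tiled.scopes == tiled.read_scopes with data.diamond.policy.token.claims as {"azp": "foo"}
+}
+
+test_blueapi_given_write_scopes if {
+tiled.scopes == {
+"read:metadata",
+"read:data",
+"write:metadata",
+"write:data",
+"create",
+"register",
+} with data.diamond.policy.token.claims as {"azp": "foo-blueapi"}
+}
+
+diamond_data := {
+"subjects": {
+"alice": {
+"permissions": [],
+"proposals": [1],
+"sessions": [],
+},
+"bob": {
+"permissions": ["b07_admin"],
+"proposals": [],
+"sessions": [11],
+},
+"carol": {
+"permissions": ["super_admin"],
+"proposals": [],
+"sessions": [],
+},
+"desmond": {
+"permissions": [],
+"proposals": [2],
+"sessions": [13],
+},
+"edna": {
+"permissions": [],
+"proposals": [2],
+"sessions": [13, 14],
+},
+"oscar": {
+"permissions": [],
+"proposals": [],
+"sessions": [],
+},
+},
+"sessions": {
+"11": {
+"beamline": "i03",
+"proposal_number": 1,
+"visit_number": 1,
+},
+"12": {
+"beamline": "b07",
+"proposal_number": 1,
+"visit_number": 2,
+},
+"13": {
+"beamline": "b07",
+"proposal_number": 2,
+"visit_number": 1,
+},
+"14": {
+"beamline": "b07",
+"proposal_number": 2,
+"visit_number": 2,
+},
+},
+"proposals": {
+"1": {"sessions": {
+"1": 11,
+"2": 12,
+}},
+"2": {"sessions": {
+"1": 13,
+"2": 14,
+}},
+},
+"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12, 13, 14]}},
+"admin": {"b07_admin": ["b07"]},
+}
+
+test_user_session_tags if {
+tiled.user_sessions == set() with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "oscar"}
+tiled.user_sessions == {
+`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "alice"}
+tiled.user_sessions == {
+`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "bob"}
+tiled.user_sessions == {
+`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "carol"}
+tiled.user_sessions == {
+`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "desmond"}
+tiled.user_sessions == {
+`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "edna"}
+}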
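Review bot: `test_wrong_azp_read_scopes` only checks an `azp` unrelated to the suffix, so nothing pins down that the `-blueapi` match in `tiled.scopes_for` is exact and case-sensitive; adding `tiled.scopes == tiled.read_scopes with data.diamond.policy.token.claims as {"azp": "foo-blueapi-x"}` and the same for `{"azp": "foo-BlueAPI"}` would make the boundary of the privilege grant part of the test suite. `test_user_session_tags` likewise has no case for a claims object lacking `fedid`; an assertion `tiled.user_sessions == set() with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {}` would document that a token without an identity yields no session tags.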
