Implement working tiled authentication

Author: DiamondJoseph

policy/diamond/policy/session/session.rego

@@ -56,8 +56,11 @@ write_to_beamline_visit if {
 	matches_beamline
 }
 
-user_sessions contains session if {
-	subject := token.claims.fedid
+user_sessions contains user_session if {
 	some session in data.diamond.data.sessions
-	access_session(subject, session.proposal_number, session.visit_number)
+	access_session(token.claims.fedid, session.proposal_number, session.visit_number)
+	user_session := sprintf(
+		`{"proposal": %d, "visit": %d, "beamline": "%s"}`,
+		[session.proposal_number, session.visit_number, session.beamline],
+	)
 }

policy/diamond/policy/session/session_test.rego

@@ -1,7 +1,6 @@
 package diamond.policy.session_test
 
 import data.diamond.policy.session
-import data.diamond.policy.token
 import rego.v1
 
 diamond_data := {
@@ -21,6 +20,16 @@ diamond_data := {
 			"proposals": [],
 			"sessions": [],
 		},
+		"desmond": {
+			"permissions": [],
+			"proposals": [2],
+			"sessions": [13],
+		},
+		"edna": {
+			"permissions": [],
+			"proposals": [2],
+			"sessions": [13, 14],
+		},
 		"oscar": {
 			"permissions": [],
 			"proposals": [],
@@ -38,12 +47,28 @@ diamond_data := {
 			"proposal_number": 1,
 			"visit_number": 2,
 		},
+		"13": {
+			"beamline": "b07",
+			"proposal_number": 2,
+			"visit_number": 1,
+		},
+		"14": {
+			"beamline": "b07",
+			"proposal_number": 2,
+			"visit_number": 2,
+		},
 	},
-	"proposals": {"1": {"sessions": {
-		"1": 11,
-		"2": 12,
-	}}},
-	"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12]}},
+	"proposals": {
+		"1": {"sessions": {
+			"1": 11,
+			"2": 12,
+		}},
+		"2": {"sessions": {
+			"1": 13,
+			"2": 14,
+		}},
+	},
+	"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12, 13, 14]}},
 	"admin": {"b07_admin": ["b07"]},
 }
 
@@ -184,8 +209,35 @@ test_session_beamline if {
 }
 
 test_user_session_tags if {
-	session.user_sessions == set() with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "oscar"}
-	session.user_sessions == {{"proposal_number": 1, "visit_number": 2, "beamline": "b07"}, {"proposal_number": 1, "visit_number": 1, "beamline": "i03"}} with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "alice"}
-	session.user_sessions == {{"proposal_number": 1, "visit_number": 2, "beamline": "b07"}, {"proposal_number": 1, "visit_number": 1, "beamline": "i03"}} with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "bob"}
-	session.user_sessions == {{"proposal_number": 1, "visit_number": 2, "beamline": "b07"}, {"proposal_number": 1, "visit_number": 1, "beamline": "i03"}} with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "carol"}
+	session.user_sessions == set() with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "oscar"}
+	session.user_sessions == {
+		`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+		`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "alice"}
+	session.user_sessions == {
+		`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+		`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+		`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+		`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "bob"}
+	session.user_sessions == {
+		`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+		`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+		`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+		`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "carol"}
+	session.user_sessions == {
+		`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+		`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "desmond"}
+	session.user_sessions == {
+		`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+		`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "edna"}
 }

policy/diamond/policy/tiled/tiled.rego

@@ -2,32 +2,32 @@ package diamond.policy.tiled
 
 import data.diamond.policy.token
 
-read_scopes = {
-    "read:metadata",
-    "read:data",
+read_scopes := {
+	"read:metadata",
+	"read:data",
 }
 
-write_scopes = {
-    "write:metadata",
-    "write:data",
-    "create",
-    "register",
+write_scopes := {
+	"write:metadata",
+	"write:data",
+	"create",
+	"register",
 }
 
-default scopes := set()
-
-scopes_for(claims) := read_scopes & write_scopes if {
-    "azp" in object.keys(claims)
-	endswith(claims.azp,  "-blueapi")
+scopes_for(claims) := read_scopes | write_scopes if {
+	"azp" in object.keys(claims)
+	endswith(claims.azp, "-blueapi")
 }
 
 scopes_for(claims) := read_scopes if {
-    "azp" in object.keys(claims)
-	not endswith(claims.azp,  "-blueapi")
+	"azp" in object.keys(claims)
+	not endswith(claims.azp, "-blueapi")
 }
 
 scopes_for(claims) := read_scopes if {
-    not "azp" in object.keys(claims)
+	not "azp" in object.keys(claims)
 }
 
+default scopes := set()
+
 scopes := scopes_for(token.claims)

policy/diamond/policy/tiled/tiled_test.rego

@@ -15,5 +15,12 @@ test_wrong_azp_read_scopes if {
 }
 
 test_blueapi_given_write_scopes if {
-	tiled.scopes == tiled.read_scopes & tiled.write_scopes with token.claims as {"azp": "foo-blueapi"}
+	tiled.scopes == {
+		"read:metadata",
+		"read:data",
+		"write:metadata",
+		"write:data",
+		"create",
+		"register",
+	} with token.claims as {"azp": "foo-blueapi"}
 }