
Commit ce394ee

committed
feat(policy): add policies for Tiled authz
1 parent 0e9837b commit ce394ee

4 files changed

+133
-5
lines changed


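--- a/policy/diamond/policy/session/session.rego
+++ b/policy/diamond/policy/session/session.rego
@@ -55,3 +55,12 @@ write_to_beamline_visit if {
 access
 matches_beamline
 }
+
+user_sessions contains user_session if {
+some session in data.diamond.data.sessions
+access_session(token.claims.fedid, session.proposal_number, session.visit_number)
+user_session := sprintf(
+`{"proposal": %d, "visit": %d, "beamline": "%s"}`,
+[session.proposal_number, session.visit_number, session.beamline],
+)
+}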
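Review bot: The access tag is assembled by hand with `sprintf`, so `session.beamline` is interpolated unescaped; a beamline name containing a quote or backslash would yield a tag that is no longer valid JSON, while the numeric fields are fine with `%d`. If whatever consumes `user_sessions` parses the tag, build it with `json.marshal({"proposal": session.proposal_number, "visit": session.visit_number, "beamline": session.beamline})` instead (this changes key order and spacing, so the expected strings in session_test.rego would have to change with it); if the tag is compared as an opaque string, pin the format as a contract with a comment such as `# Tag text must match the consumer's access tags byte-for-byte; keep key order and spacing stable.` The `write_to_beamline_visit` rule on the three context lines starts outside this hunk.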

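--- a/policy/diamond/policy/session/session_test.rego
+++ b/policy/diamond/policy/session/session_test.rego
@@ -20,6 +20,16 @@ diamond_data := {
 "proposals": [],
 "sessions": [],
 },
+"desmond": {
+"permissions": [],
+"proposals": [2],
+"sessions": [13],
+},
+"edna": {
+"permissions": [],
+"proposals": [2],
+"sessions": [13, 14],
+},
 "oscar": {
 "permissions": [],
 "proposals": [],
@@ -37,12 +47,28 @@ diamond_data := {
 "proposal_number": 1,
 "visit_number": 2,
 },
+"13": {
+"beamline": "b07",
+"proposal_number": 2,
+"visit_number": 1,
+},
+"14": {
+"beamline": "b07",
+"proposal_number": 2,
+"visit_number": 2,
+},
+},
+"proposals": {
+"1": {"sessions": {
+"1": 11,
+"2": 12,
+}},
+"2": {"sessions": {
+"1": 13,
+"2": 14,
+}},
 },
-"proposals": {"1": {"sessions": {
-"1": 11,
-"2": 12,
-}}},
-"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12]}},
+"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12, 13, 14]}},
 "admin": {"b07_admin": ["b07"]},
 }
 
@@ -181,3 +207,37 @@ test_session_beamline if {
 with data.diamond.data as diamond_data
 bl2 == "b07"
 }
+
+test_user_session_tags if {
+session.user_sessions == set() with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "oscar"}
+session.user_sessions == {
+`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "alice"}
+session.user_sessions == {
+`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "bob"}
+session.user_sessions == {
+`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
+`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
+`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "carol"}
+session.user_sessions == {
+`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "desmond"}
+session.user_sessions == {
+`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
+`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
+} with data.diamond.data as diamond_data
+with data.diamond.policy.token.claims as {"fedid": "edna"}
+}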
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
package diamond.policy.tiled
2+
3+
import data.diamond.policy.token
4+
5+
read_scopes := {
6+
"read:metadata",
7+
"read:data",
8+
}
9+
10+
write_scopes := {
11+
"write:metadata",
12+
"write:data",
13+
"create",
14+
"register",
15+
}
16+
17+
scopes_for(claims) := read_scopes | write_scopes if {
18+
"azp" in object.keys(claims)
19+
endswith(claims.azp, "-blueapi")
20+
}
21+
22+
scopes_for(claims) := read_scopes if {
23+
"azp" in object.keys(claims)
24+
not endswith(claims.azp, "-blueapi")
25+
}
26+
27+
scopes_for(claims) := read_scopes if {
28+
not "azp" in object.keys(claims)
29+
}
30+
31+
default scopes := set()
32+
33+
scopes := scopes_for(token.claims)
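Review bot: Write, create and register scopes are granted solely on `endswith(claims.azp, "-blueapi")` in the first `scopes_for` rule, so any OAuth client whose client ID happens to end in that suffix — including one registered later by someone else at the identity provider — gets full write access to Tiled; an exact match against a configured set (for example `claims.azp in data.diamond.data.tiled_write_clients`, with that set maintained in data) is a much tighter trust boundary than a string suffix. The read grant in the second and third rules requires nothing beyond `token.claims` being defined (the tests confirm `{}` yields read scopes, with no subject at all), which is only safe if the token module defines `claims` exclusively for tokens whose signature, issuer and expiry have been validated — that assumption deserves a comment here, e.g. `# token.claims is assumed to exist only for validated tokens; no subject is required for read access.` Also, tiled_test.rego imports `rego.v1` while this file does not; adding `import rego.v1` keeps both files under the same keyword semantics.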
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
package diamond.policy.tiled_test
2+
3+
import data.diamond.policy.tiled
4+
import data.diamond.policy.token
5+
import rego.v1
6+
7+
test_default_no_scopes if {
8+
tiled.scopes == set()
9+
}
10+
11+
test_wrong_azp_read_scopes if {
12+
tiled.scopes == tiled.read_scopes with token.claims as {}
13+
tiled.scopes == tiled.read_scopes with token.claims as {"sub": "foo"}
14+
tiled.scopes == tiled.read_scopes with token.claims as {"azp": "foo"}
15+
}
16+
17+
test_blueapi_given_write_scopes if {
18+
tiled.scopes == {
19+
"read:metadata",
20+
"read:data",
21+
"write:metadata",
22+
"write:data",
23+
"create",
24+
"register",
25+
} with token.claims as {"azp": "foo-blueapi"}
26+
}
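Review bot: Only one positive client ID (`foo-blueapi`) and one clearly unrelated one (`foo`) are pinned, so near-misses of the suffix rule are unguarded; add `tiled.scopes == tiled.read_scopes with token.claims as {"azp": "blueapi"}` and `tiled.scopes == tiled.read_scopes with token.claims as {"azp": "foo-blueapi-dev"}` to `test_wrong_azp_read_scopes` so that a future loosening of the `endswith` check is caught. `test_default_no_scopes` passes only because `token.claims` is undefined in the test harness and exercises no rule body in tiled.rego; if the token module exposes a fixture for a rejected token, a test against that would be a more meaningful check of the empty-scope default.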
