Add policies to enable Tiled

DiamondJoseph · DiamondJoseph · commit d004621ac5e0 · 2025-11-28T15:48:20.000Z
diff --git a/policy/diamond/policy/session/session.rego b/policy/diamond/policy/session/session.rego
@@ -55,3 +55,9 @@ write_to_beamline_visit if {
 	access
 	matches_beamline
 }
+
+user_sessions contains session if {
+	subject := token.claims.fedid
+	some session in data.diamond.data.sessions
+	access_session(subject, session.proposal_number, session.visit_number)
+}
diff --git a/policy/diamond/policy/session/session_test.rego b/policy/diamond/policy/session/session_test.rego
@@ -1,6 +1,7 @@
 package diamond.policy.session_test
 
 import data.diamond.policy.session
+import data.diamond.policy.token
 import rego.v1
 
 diamond_data := {
@@ -181,3 +182,10 @@ test_session_beamline if {
 		with data.diamond.data as diamond_data
 	bl2 == "b07"
 }
+
+test_user_session_tags if {
+	session.user_sessions == set() with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "oscar"}
+	session.user_sessions == {{"proposal_number": 1, "visit_number": 2, "beamline": "b07"}, {"proposal_number": 1, "visit_number": 1, "beamline": "i03"}} with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "alice"}
+	session.user_sessions == {{"proposal_number": 1, "visit_number": 2, "beamline": "b07"}, {"proposal_number": 1, "visit_number": 1, "beamline": "i03"}} with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "bob"}
+	session.user_sessions == {{"proposal_number": 1, "visit_number": 2, "beamline": "b07"}, {"proposal_number": 1, "visit_number": 1, "beamline": "i03"}} with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "carol"}
+}
diff --git a/policy/diamond/policy/tiled/tiled.rego b/policy/diamond/policy/tiled/tiled.rego
@@ -0,0 +1,33 @@
+package diamond.policy.tiled
+
+import data.diamond.policy.token
+
+read_scopes = {
+    "read:metadata",
+    "read:data",
+}
+
+write_scopes = {
+    "write:metadata",
+    "write:data",
+    "create",
+    "register",
+}
+
+default scopes := set()
+
+scopes_for(claims) := read_scopes & write_scopes if {
+    "azp" in object.keys(claims)
+	endswith(claims.azp,  "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+    "azp" in object.keys(claims)
+	not endswith(claims.azp,  "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+    not "azp" in object.keys(claims)
+}
+
+scopes := scopes_for(token.claims)
diff --git a/policy/diamond/policy/tiled/tiled_test.rego b/policy/diamond/policy/tiled/tiled_test.rego
@@ -0,0 +1,19 @@
+package diamond.policy.tiled_test
+
+import data.diamond.policy.tiled
+import data.diamond.policy.token
+import rego.v1
+
+test_default_no_scopes if {
+	tiled.scopes == set()
+}
+
+test_wrong_azp_read_scopes if {
+	tiled.scopes == tiled.read_scopes with token.claims as {}
+	tiled.scopes == tiled.read_scopes with token.claims as {"sub": "foo"}
+	tiled.scopes == tiled.read_scopes with token.claims as {"azp": "foo"}
+}
+
+test_blueapi_given_write_scopes if {
+	tiled.scopes == tiled.read_scopes & tiled.write_scopes with token.claims as {"azp": "foo-blueapi"}
+}
