Add policy violation for too many devices

reivilibre · reivilibre · commit 1b318a5ebe97 · 2025-11-06T09:12:54.000Z
diff --git a/policies/authorization_grant/authorization_grant.rego b/policies/authorization_grant/authorization_grant.rego
@@ -153,3 +153,18 @@ violation contains {"msg": sprintf(
 )} if {
 	common.requester_banned(input.requester, data.requester)
 }
+
+violation contains {
+    "code": "too-many-sessions",
+    "msg": "user has too many active sessions"
+} if {
+    # Only apply if session limits are enabled in the config
+    data.session_limit != null
+    # Only apply if it's a user logging in (who therefore has countable sessions)
+    input.session_counts != null
+    # For OAuth 2 login, a violation occurs when the soft limit has already been
+    # reached or exceeded.
+    # We use the soft limit because the user will be able to interactively remove
+    # sessions to return under the limit.
+    data.session_limit.soft_limit <= input.session_counts.total
+}
diff --git a/policies/authorization_grant/authorization_grant_test.rego b/policies/authorization_grant/authorization_grant_test.rego
@@ -222,3 +222,35 @@ test_mas_scopes if {
 		with input.grant_type as "authorization_code"
 		with input.scope as "urn:mas:admin"
 }
+
+test_session_limiting if {
+    authorization_grant.allow with input.user as user
+		with input.session_counts as {"total": 1}
+		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
+
+    authorization_grant.allow with input.user as user
+		with input.session_counts as {"total": 31}
+		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
+
+    not authorization_grant.allow with input.user as user
+		with input.session_counts as {"total": 32}
+		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
+
+    not authorization_grant.allow with input.user as user
+		with input.session_counts as {"total": 42}
+		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
+
+	not authorization_grant.allow with input.user as user
+		with input.session_counts as {"total": 65}
+		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
+
+	# No limit configured
+	authorization_grant.allow with input.user as user
+		with input.session_counts as {"total": 1}
+		with data.session_limit as null
+
+	# Client credentials grant
+	authorization_grant.allow with input.user as user
+		with input.session_counts as null
+		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
+}
