

@marcaurele
Created March 24, 2021 09:04
Example REGO rule
package httpapi.authorization.project
import input
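# Very important: default to deny.
# A Rego rule is undefined unless one of its bodies succeeds; these defaults
# turn "undefined" into an explicit false so the enforcement point never has
# to interpret a missing decision.
default allow_reading = false
default allow_editing = false
default allow_processing = false

# Role hierarchy. Each set is the union of the more privileged set(s), so a
# MANAGER or OWNER may also edit and read, and an EDITOR may also read.
role_allow_processing = {"MANAGER", "OWNER"}
role_allow_editing = {"EDITOR"} | role_allow_processing
role_allow_reading = {"READER"} | role_allow_editing

# Set of roles the requesting user holds in the organization that owns the
# project. Shared by the three decision rules below so the membership check is
# written once. A user may hold several memberships, hence a set.
# NOTE(review): input.project (uuid and organization.uuid) is trusted as given.
# It has to be filled in by the enforcement point from its own record of the
# project, not copied from client-supplied request data; otherwise the
# organization compared here is chosen by the caller — confirm with the integrator.
project_org_roles[role] {
    membership := input.user.memberOf[_]                 # some membership of the user
    membership.type == "ORG"                             # that is an organization membership
    membership.uuid == input.project.organization.uuid   # of the organization owning the project
    role := membership.role
}

# POST /project/{uuid}/processing: allowed for MANAGER and OWNER of the owning
# organization. input.path is expected as a list of path segments.
allow_processing {
    some project_uuid
    input.method == "POST"
    input.path = ["project", project_uuid, "processing"]  # binds project_uuid from the path
    input.project.uuid == project_uuid                    # the path refers to the project given in input
    some role
    project_org_roles[role]
    role_allow_processing[role]
}

# POST /project/{uuid}: allowed for EDITOR and above in the owning organization.
allow_editing {
    some project_uuid
    input.method == "POST"
    input.path = ["project", project_uuid]
    input.project.uuid == project_uuid
    some role
    project_org_roles[role]
    role_allow_editing[role]
}

# GET /project/{uuid}: allowed for READER and above in the owning organization.
allow_reading {
    some project_uuid
    input.method == "GET"
    input.path = ["project", project_uuid]
    input.project.uuid == project_uuid
    some role
    project_org_roles[role]
    role_allow_reading[role]
}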