Created
January 28, 2020 11:20
-
-
Save FredrikAppelros/848d630561601e4af31a0c00b8c61205 to your computer and use it in GitHub Desktop.
OPA partial evaluation issue
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package authz | |
| import input.user.name | |
| import input.resource.name | |
| import input.operation | |
| default allow = false | |
| roles := { | |
| "admin": ["*"] | |
| } | |
| bindings := [ | |
| { | |
| "role": "admin", | |
| "groups": ["admins"], | |
| "resources": ["*"] | |
| } | |
| ] | |
| allow { | |
| some role | |
| binding := active_bindings[_] | |
| binding.role == role | |
| operation := roles[role][_] | |
| glob.match(operation, [], input.operation) | |
| } | |
| active_bindings[binding] { | |
| binding := bindings[_] | |
| binding.groups[_] == input.user.groups[_] | |
| glob.match(binding.resources[_], [], input.resource.name) | |
| } | |
| test_deny_unauthenticated_request { | |
| req := { | |
| "resource": { | |
| "name": "foo" | |
| }, | |
| "operation": "foo.read" | |
| } | |
| not allow with input as req | |
| } | |
| test_deny_unbound_user { | |
| req := { | |
| "user": { | |
| "name": "eve" | |
| }, | |
| "resource": { | |
| "name": "foo" | |
| }, | |
| "operation": "foo.read" | |
| } | |
| not allow with input as req | |
| } | |
| test_allow_user_in_admin_group { | |
| req := { | |
| "user": { | |
| "name": "bob", | |
| "groups": ["admins"] | |
| }, | |
| "resource": { | |
| "name": "foo" | |
| }, | |
| "operation": "foo.read" | |
| } | |
| allow with input as req | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment