Simple ladon test
package main | |
import ( | |
"log" | |
. "github.com/ory/ladon" | |
manager "github.com/ory/ladon/manager/memory" | |
) | |
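// main builds a small in-memory ladon policy set and runs two access checks
// against it. The first check is expected to pass; the second deliberately
// omits the "owner" context key so that policy 1's EqualsSubjectCondition is
// not satisfied, and the program exits via log.Fatalf at that point.
//
// Types such as Policy, DefaultPolicy, Ladon, Request, Context and the
// condition types come from the dot-imported ladon package.
func main() {
	// Create our policy set.
	log.Println("Creating policies...")
	pols := []Policy{
		&DefaultPolicy{
			ID: "1",
			Description: `This policy allows max, peter, zac and ken to create, delete and get the listed resources,
but only if the client ip matches and the request states that they are the owner of those resources as well.`,
			// The <...> forms are ladon's pattern syntax for subjects, resources and actions.
			Subjects:  []string{"max", "peter", "<zac|ken>"},
			Resources: []string{"myrn:some.domain.com:resource:123", "myrn:some.domain.com:resource:345", "myrn:something:foo:<.+>"},
			Actions:   []string{"<create|delete>", "get"},
			Effect:    AllowAccess,
			Conditions: Conditions{
				// The "owner" value in the request context must equal the request subject.
				"owner": &EqualsSubjectCondition{},
				// The "clientIP" value in the request context must fall inside this CIDR.
				// In real use the caller must populate clientIP server-side (from the
				// connection), never from client-controlled input, or this condition
				// provides no protection at all.
				"clientIP": &CIDRCondition{
					CIDR: "127.0.0.1/32",
				},
			},
		},
		&DefaultPolicy{
			ID:          "2",
			Description: "This policy allows max to update any resource",
			Subjects:    []string{"max"},
			Actions:     []string{"update"},
			Resources:   []string{"<.*>"},
			Effect:      AllowAccess,
		},
		// A deny policy. NOTE(review): presumably a matching deny overrides any
		// matching allow in ladon — confirm against the library's docs before
		// relying on it.
		&DefaultPolicy{
			ID:          "3",
			Description: "This policy denies max to broadcast any of the resources",
			Subjects:    []string{"max"},
			Actions:     []string{"broadcast"},
			Resources:   []string{"<.*>"},
			Effect:      DenyAccess,
		},
	}

	// Create the memory-backed warden.
	log.Println("Creating a memory based warden...")
	warden := &Ladon{
		Manager: manager.NewMemoryManager(),
	}

	// Register every policy with the warden's manager.
	log.Println("Adding the policies to the warden...")
	for _, pol := range pols {
		if err := warden.Manager.Create(pol); err != nil {
			log.Fatalf("There was a problem adding the policy: %s", err)
		}
	}

	// First check: subject, action, resource and both conditions of policy 1
	// are satisfied, so this request is expected to be allowed.
	// The returned error is included in the message because it carries the
	// reason for a denial; dropping it hides why a check failed.
	if err := warden.IsAllowed(&Request{
		Subject:  "peter",
		Action:   "delete",
		Resource: "myrn:some.domain.com:resource:123",
		Context: Context{
			"owner":    "peter",
			"clientIP": "127.0.0.1",
		},
	}); err != nil {
		log.Fatalf("First check: Access denied: %v", err)
	}

	// Second check: "owner" is intentionally left out of the context, so the
	// EqualsSubjectCondition on policy 1 cannot be evaluated to true and the
	// request is denied; the program exits here with the denial reason.
	if err := warden.IsAllowed(&Request{
		Subject:  "peter",
		Action:   "get",
		Resource: "myrn:some.domain.com:resource:123",
		Context: Context{
			/*"owner": "peter",*/ // Omitting this will cause the check to fail
			"clientIP": "127.0.0.1",
		},
	}); err != nil {
		log.Fatalf("Second check: Access denied: %v", err)
	}
}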
Taken shamelessly from the ladon unit tests