Polar - impersonation (annotated)
# Users are the actors of this policy. Declaring a permission on the actor
# type is what allows a User to also appear as the *resource* argument of
# has_permission(...) below, i.e. one user may hold "impersonate" on another.
actor User {
permissions = ["impersonate"];
}
# The only non-actor resource in this example. "read" is the permission the
# impersonation rule and the test below exercise.
resource Document {
permissions = ["read"];
}
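# Impersonation: a user may do anything some other user can do, provided that
#   (1) the user holds the "impersonate" permission on that other user, and
#   (2) the application has recorded that the user is *currently* impersonating
#       them (the is_impersonating fact).
# Both facts are required. The permission alone grants nothing; the application
# is responsible for writing is_impersonating when a session starts and should
# remove it when the session ends, otherwise the inherited access persists.
# The inherited action is never "impersonate" itself: without that guard an
# impersonator would also inherit the target's right to impersonate third
# users, allowing impersonation to be chained. This keeps the grant limited to
# what the target can do to ordinary resources.
allow(user: User, action: String, resource: Resource) if
  action != "impersonate" and
  other_user matches User and
  has_permission(user, "impersonate", other_user) and
  is_impersonating(user, other_user) and
  has_permission(other_user, action, resource);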
# Direct grants: an actor may perform an action on a resource when a
# has_permission fact (or rule) says so. Per the original author's note, the
# implicit default allow rule is not available once a custom allow rule has
# been written, so it must be spelled out here or direct grants would stop
# working.
allow(actor: User, action: String, resource: Resource) if
  has_permission(actor, action, resource);
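# Tests for the policy above.
test "impersonation" {
setup {
# Grant bob read access on the document directly
has_permission(User{"bob"}, "read", Document{"Bob's Document"});
# Grant alice permission to impersonate bob
has_permission(User{"alice"}, "impersonate", User{"bob"});
# Record that alice is currently impersonating bob
is_impersonating(User{"alice"}, User{"bob"});
}
# bob can read the document through direct permission assignment
# (the document must be the one granted in setup, not an arbitrary one)
# has_permission(User{"bob"}, "read", Document{"Bob's Document"});
assert allow(User{"bob"}, "read", Document{"Bob's Document"});
# alice can read the document by impersonating bob
# has_permission(User{"alice"}, "impersonate", User{"bob"});
# is_impersonating(User{"alice"}, User{"bob"});
assert allow(User{"alice"}, "read", Document{"Bob's Document"});
# impersonation only confers what bob actually has: a document bob has
# no grant on stays unreadable for alice
assert_not allow(User{"alice"}, "read", Document{"thing"});
# charlie has neither direct access nor permission to impersonate bob,
# so charlie cannot read the document
assert_not allow(User{"charlie"}, "read", Document{"Bob's Document"});
}

# Holding the "impersonate" permission is not sufficient on its own: the
# application must also have recorded an active impersonation session.
test "impersonation requires an active session" {
setup {
has_permission(User{"bob"}, "read", Document{"Bob's Document"});
has_permission(User{"alice"}, "impersonate", User{"bob"});
}
assert allow(User{"bob"}, "read", Document{"Bob's Document"});
assert_not allow(User{"alice"}, "read", Document{"Bob's Document"});
}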