Polar - impersonation (annotated)
# Actor type. The only permission declared on a User is "impersonate";
# in this policy it is granted on another User (see the test setup), i.e.
# the resource of an "impersonate" grant is the user being impersonated.
actor User {
    permissions = ["impersonate"];
}
# Resource type guarded by the policy. "read" is its only permission.
resource Document {
    permissions = ["read"];
}
# A user can do anything some other user can do, provided BOTH hold:
#   (a) the user has the "impersonate" permission on that other user, and
#   (b) the user is currently impersonating them (is_impersonating fact).
# Keeping (a) and (b) as separate facts means "allowed to impersonate" and
# "actively impersonating" are independent controls; removing either one
# ends the delegated access.
# As written, the delegated check goes through has_permission on the other
# user, not through allow, so impersonation does not chain: a user
# impersonating bob does not also gain whatever bob could reach by
# impersonating someone else. TODO confirm that is the intended scope.
allow(user: User, action: String, resource: Resource) if
    other_user matches User and
    has_permission(user, "impersonate", other_user) and
    is_impersonating(user, other_user) and
    has_permission(other_user, action, resource);
# Default rule: a user may perform an action when they hold the permission
# directly. It has to be restated here because declaring the custom allow
# rule above replaces the built-in default; without it, direct grants such
# as the one to bob in the test setup would stop working.
allow(user: User, action: String, resource: Resource) if
    has_permission(user, action, resource);
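# Test the policy above.
# Fix: the first assertion previously checked Document{"thing"}, which no
# fact grants to anyone, so it did not exercise bob's direct grant; it now
# checks the document granted in setup. Two negative assertions are added
# to pin that impersonation is directional and that delegation does not
# reach beyond what the impersonated user actually holds.
test "impersonation" {
    setup {
        # Grant bob read access on the document directly
        has_permission(User{"bob"}, "read", Document{"Bob's Document"});
        # Grant alice permission to impersonate bob
        has_permission(User{"alice"}, "impersonate", User{"bob"});
        # Set alice up to impersonate bob
        is_impersonating(User{"alice"}, User{"bob"});
    }

    # bob can read the document through direct permission assignment
    # (has_permission(User{"bob"}, "read", Document{"Bob's Document"}))
    assert allow(User{"bob"}, "read", Document{"Bob's Document"});
    # bob has no grant on any other document
    assert_not allow(User{"bob"}, "read", Document{"thing"});

    # alice can read the document by impersonating bob
    # (has_permission(User{"alice"}, "impersonate", User{"bob"}) and
    #  is_impersonating(User{"alice"}, User{"bob"}))
    assert allow(User{"alice"}, "read", Document{"Bob's Document"});
    # alice only inherits what bob holds; nothing grants "thing" to bob
    assert_not allow(User{"alice"}, "read", Document{"thing"});

    # impersonation is one-way: bob was never granted "impersonate" on alice
    assert_not allow(User{"bob"}, "impersonate", User{"alice"});

    # charlie has neither direct access nor permission to impersonate bob,
    # so charlie cannot read the document
    assert_not allow(User{"charlie"}, "read", Document{"Bob's Document"});
}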