authormo khan <mo@mokhan.ca>2025-04-02 11:23:47 -0600
committermo khan <mo@mokhan.ca>2025-04-02 11:23:47 -0600
commit3f54e2fc59f21029813863491b37e39bb6015115 (patch)
tree423d1d427e4d340d8030d3c9d98794084c0d5edb /pkg/policies
parente8708d505dfbe6c3ecbf41afb9732b73b6f1f156 (diff)
refactor: move policies and entities in policies package
Diffstat (limited to 'pkg/policies')
-rw-r--r--pkg/policies/entities.json47
-rw-r--r--pkg/policies/init.go54
-rw-r--r--pkg/policies/rest.cedar41
3 files changed, 115 insertions, 27 deletions
diff --git a/pkg/policies/entities.json b/pkg/policies/entities.json
new file mode 100644
index 00000000..e6d41459
--- /dev/null
+++ b/pkg/policies/entities.json
@@ -0,0 +1,47 @@
+[
+ {
+ "uid": {
+ "type": "User",
+ "id": "alice"
+ },
+ "attrs": {
+ "age": 18
+ },
+ "parents": []
+ },
+ {
+ "uid": {
+ "type": "Photo",
+ "id": "VacationPhoto94.jpg"
+ },
+ "attrs": {},
+ "parents": [
+ {
+ "type": "Album",
+ "id": "jane_vacation"
+ }
+ ]
+ },
+ {
+ "uid": {
+ "type": "User",
+ "id": "1"
+ }
+ },
+ {
+ "uid": {
+ "type": "Project",
+ "id": "3"
+ },
+ "parents": [
+ {
+ "type": "Group",
+ "id": "3"
+ },
+ {
+ "type": "Path",
+ "id": "/projects.json"
+ }
+ ]
+ }
+]
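Review bot: The entity types declared here (`User`, `Photo`, `Project`, `Group`, `Path`) do not line up with the principals matched by the rest.cedar policies added in this same commit (`Subject::"gid://User/1"`), so unless the caller translates ids when building the request, `User::"1"` never satisfies a `Subject` equality and that record is inert. The `alice` and `VacationPhoto94.jpg` entries are the tutorial fixtures carried over from the removed `entitiesJSON` constant, and no policy in this package references them, so they read as leftover sample data in what is now the embedded production entity store. Since JSON cannot carry a comment, the `.json` files that `init.go` treats as authoritative should be named in a comment next to the `//go:embed` directive so a future file added to this directory is not loaded by accident.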
diff --git a/pkg/policies/init.go b/pkg/policies/init.go
index d455cb8f..cabfbecc 100644
--- a/pkg/policies/init.go
+++ b/pkg/policies/init.go
@@ -3,33 +3,21 @@ package policies
import (
"embed"
_ "embed"
- "encoding/json"
+ "fmt"
"io/fs"
"log"
+ "strings"
"github.com/cedar-policy/cedar-go"
"github.com/cedar-policy/cedar-go/types"
- "github.com/xlgmokha/x/pkg/x"
xlog "gitlab.com/mokhax/spike/pkg/log"
)
-//go:embed *.cedar
+//go:embed *.cedar *.json
var files embed.FS
var All *cedar.PolicySet = cedar.NewPolicySet()
-
-const entitiesJSON = `[
- {
- "uid": { "type": "User", "id": "alice" },
- "attrs": { "age": 18 },
- "parents": []
- },
- {
- "uid": { "type": "Photo", "id": "VacationPhoto94.jpg" },
- "attrs": {},
- "parents": [{ "type": "Album", "id": "jane_vacation" }]
- }
-]`
+var Entities cedar.EntityMap = cedar.EntityMap{}
func init() {
err := fs.WalkDir(files, ".", func(path string, d fs.DirEntry, err error) error {
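Review bot: `Entities` is an exported, mutable package-level map that `init` fills and `Allowed` reads on every decision, so any importing package can alter the authorization entity store at runtime; if other packages only need to read it, an accessor returning a copy, or at minimum a doc comment, would make the contract explicit: `// Entities is the entity store loaded from the embedded *.json files during init; it must be treated as read-only afterwards.` The explicit type in `var Entities cedar.EntityMap = cedar.EntityMap{}` is redundant and `var Entities = cedar.EntityMap{}` is the idiomatic form. The adjacent `"embed"` and `_ "embed"` imports are pre-existing duplicates worth folding into one. `init` starts on the last line of this hunk and its body continues outside it.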
@@ -41,17 +29,30 @@ func init() {
return nil
}
- content, err := fs.ReadFile(files, path)
- if err != nil {
- return err
- }
+ if strings.HasSuffix(path, ".cedar") {
+ content, err := fs.ReadFile(files, path)
+ if err != nil {
+ return err
+ }
- var policy cedar.Policy
- if err := policy.UnmarshalCedar(content); err != nil {
- return err
+ policy := cedar.Policy{}
+ if err := policy.UnmarshalCedar(content); err != nil {
+ return err
+ }
+ policy.SetFilename(path)
+
+ All.Add(cedar.PolicyID(path), &policy)
+ } else if strings.HasSuffix(path, ".json") {
+ content, err := fs.ReadFile(files, path)
+ if err != nil {
+ return err
+ }
+
+ if err := Entities.UnmarshalJSON(content); err != nil {
+ return err
+ }
}
- All.Add(cedar.PolicyID(path), &policy)
return nil
})
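Review bot: Each `.cedar` file is parsed with a single `cedar.Policy{}` via `UnmarshalCedar` and stored under one `PolicyID(path)`, yet rest.cedar in this commit holds seven `permit` statements; if `Policy.UnmarshalCedar` accepts exactly one policy, init will fail on that file or, depending on the parser, silently keep only the first statement, so the multi-policy entry point `cedar.NewPolicySetFromBytes(path, content)` fits this layout better — please confirm against the cedar-go version pinned in go.mod. Likewise `Entities.UnmarshalJSON(content)` runs once per `.json` file; if it replaces the map rather than merging, the last file walked wins and earlier entities vanish without any error. Both branches repeat the same `fs.ReadFile` call, which can be hoisted above the suffix check so the suffix dispatch only decides how the bytes are parsed. `init` begins and ends outside this hunk.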
@@ -61,10 +62,9 @@ func init() {
}
func Allowed(request cedar.Request) bool {
- var entities cedar.EntityMap
- x.Check(json.Unmarshal([]byte(entitiesJSON), &entities))
+ ok, diagnostic := All.IsAuthorized(Entities, request)
+ fmt.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action, request.Context.Map(), request.Resource)
- ok, diagnostic := All.IsAuthorized(entities, request)
if len(diagnostic.Errors) > 0 {
for err := range diagnostic.Errors {
xlog.Default.Printf("%v\n", err)
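Review bot: The new `fmt.Printf` writes every authorization decision, including the full `request.Context.Map()`, to stdout, bypassing the `xlog.Default` logger the function already uses for diagnostics a few lines later; request context may carry per-request attributes, so at minimum this belongs on the same logger and probably at debug level or behind a flag: `xlog.Default.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action, request.Context.Map(), request.Resource)`. In the adjacent context lines, `for err := range diagnostic.Errors` ranges over a slice with a single variable, so `err` is the index and the log prints integers; `for _, err := range diagnostic.Errors` appears intended (pre-existing, not introduced here). `Allowed` continues past the end of the hunk.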
diff --git a/pkg/policies/rest.cedar b/pkg/policies/rest.cedar
new file mode 100644
index 00000000..a8896849
--- /dev/null
+++ b/pkg/policies/rest.cedar
@@ -0,0 +1,41 @@
+permit (
+ principal == Subject::"*",
+ action == Action::"GET",
+ resource in Path::"/projects.json"
+);
+
+permit (
+ principal == Subject::"gid://User/1",
+ action == Action::"GET",
+ resource in Path::"/*.json"
+);
+
+permit (
+ principal == Subject::"gid://User/1",
+ action == Action::"POST",
+ resource in Path::"/*.json"
+);
+
+permit (
+ principal == Subject::"gid://User/1",
+ action == Action::"PUT",
+ resource in Path::"/*.json"
+);
+
+permit (
+ principal == Subject::"gid://User/1",
+ action == Action::"PATCH",
+ resource in Path::"/*.json"
+);
+
+permit (
+ principal == Subject::"gid://User/1",
+ action == Action::"DELETE",
+ resource in Path::"/*.json"
+);
+
+permit (
+ principal == Subject::"gid://User/1",
+ action == Action::"HEAD",
+ resource in Path::"/*.json"
+);
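Review bot: Cedar's `==` and `in` compare entity UIDs literally, so `principal == Subject::"*"` matches only an entity whose id is the one-character string `*`, and `resource in Path::"/*.json"` succeeds only when the resource's parent chain contains an entity whose id is literally `/*.json`; neither is a glob. The entities.json added in this commit declares only `Path::"/projects.json"` as a parent, so as written only the first policy can ever apply unless the request path deliberately constructs parents with those wildcard-looking ids. If pattern matching is the intent, Cedar's `like` operator on a string attribute is the supported form (e.g. `resource.path like "/*.json"`, attribute name to be taken from the schema, which is not in view), and the intended semantics of the `"*"` subject deserve a comment at the top of the file either way.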