| author | mo khan <mo@mokhan.ca> | 2025-04-02 11:40:37 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-04-02 11:40:37 -0600 |
| commit | 2a37de4a34552feac221771278236fb23f8e83c0 (patch) | |
| tree | 23479c2a4b5c01962d6078646c9ddc05f4d63d4d | |
| parent | 3f54e2fc59f21029813863491b37e39bb6015115 (diff) | |
refactor: update cedar entities to match hierarchy defined in csv files
| -rw-r--r-- | pkg/policies/album.cedar (renamed from pkg/policies/project.cedar) | 0 | ||||
| -rw-r--r-- | pkg/policies/entities.json | 266 | ||||
| -rw-r--r-- | pkg/policies/organization.cedar | 5 | ||||
| -rw-r--r-- | pkg/rpc/server_test.go | 6 |
4 files changed, 270 insertions, 7 deletions
diff --git a/pkg/policies/project.cedar b/pkg/policies/album.cedar
index 6ba3cbd..6ba3cbd 100644
--- a/pkg/policies/project.cedar
+++ b/pkg/policies/album.cedar
diff --git a/pkg/policies/entities.json b/pkg/policies/entities.json
index e6d4145..cfdc099 100644
--- a/pkg/policies/entities.json
+++ b/pkg/policies/entities.json
@@ -30,17 +30,275 @@
 },
 {
 "uid": {
+ "type": "Organization",
+ "id": "1",
+ "attrs": {
+ "name": "default"
+ }
+ }
+ },
+ {
+ "uid": {
+ "type": "Organization",
+ "id": "2",
+ "attrs": {
+ "name": "gitlab"
+ }
+ }
+ },
+ {
+ "uid": {
+ "type": "Group",
+ "id": "1",
+ "attrs": {
+ "name": "A"
+ },
+ "parents": [
+ {
+ "type": "Organization",
+ "id": "1"
+ }
+ ]
+ }
+ },
+ {
+ "uid": {
+ "type": "Group",
+ "id": "2",
+ "attrs": {
+ "name": "B"
+ },
+ "parents": [
+ {
+ "type": "Organization",
+ "id": "1"
+ }
+ ]
+ }
+ },
+ {
+ "uid": {
+ "type": "Group",
+ "id": "3",
+ "attrs": {
+ "name": "gitlab-org"
+ },
+ "parents": [
+ {
+ "type": "Organization",
+ "id": "2"
+ }
+ ]
+ }
+ },
+ {
+ "uid": {
+ "type": "Group",
+ "id": "4",
+ "attrs": {
+ "name": "gitlab-com"
+ },
+ "parents": [
+ {
+ "type": "Organization",
+ "id": "2"
+ }
+ ]
+ }
+ },
+ {
+ "uid": {
+ "type": "Group",
+ "id": "5",
+ "attrs": {
+ "name": "gl-security"
+ },
+ "parents": [
+ {
+ "type": "Organization",
+ "id": "2"
+ },
+ {
+ "type": "Group",
+ "id": "4"
+ }
+ ]
+ }
+ },
+ {
+ "uid": {
+ "type": "Group",
+ "id": "6",
+ "attrs": {
+ "name": "test-projects"
+ },
+ "parents": [
+ {
+ "type": "Organization",
+ "id": "2"
+ },
+ {
+ "type": "Group",
+ "id": "5"
+ }
+ ]
+ }
+ },
+ {
+ "uid": {
+ "type": "Group",
+ "id": "7",
+ "attrs": {
+ "name": "support"
+ },
+ "parents": [
+ {
+ "type": "Organization",
+ "id": "2"
+ },
+ {
+ "type": "Group",
+ "id": "4"
+ }
+ ]
+ }
+ },
+ {
+ "uid": {
+ "type": "Group",
+ "id": "8",
+ "attrs": {
+ "name": "toolbox"
+ },
+ "parents": [
+ {
+ "type": "Organization",
+ "id": "2"
+ },
+ {
+ "type": "Group",
+ "id": "7"
+ }
+ ]
+ }
+ },
+ {
+ "uid": {
+ "type": "Project",
+ "id": "1",
+ "attrs": {
+ "name": "A1"
+ }
+ },
+ "parents": [
+ {
+ "type": "Group",
+ "id": "1"
+ }
+ ]
+ },
+ {
+ "uid": {
+ "type": "Project",
+ "id": "2",
+ "attrs": {
+ "name": "B1"
+ }
+ },
+ "parents": [
+ {
+ "type": "Group",
+ "id": "2"
+ }
+ ]
+ },
+ {
+ "uid": {
 "type": "Project",
- "id": "3"
+ "id": "3",
+ "attrs": {
+ "name": "gitlab"
+ }
 },
 "parents": [
 {
 "type": "Group",
 "id": "3"
- },
+ }
+ ]
+ },
+ {
+ "uid": {
+ "type": "Project",
+ "id": "4",
+ "attrs": {
+ "name": "eicar-test-project"
+ }
+ },
+ "parents": [
+ {
+ "type": "Group",
+ "id": "6"
+ }
+ ]
+ },
+ {
+ "uid": {
+ "type": "Project",
+ "id": "5",
+ "attrs": {
+ "name": "disclosures"
+ }
+ },
+ "parents": [
+ {
+ "type": "Group",
+ "id": "5"
+ }
+ ]
+ },
+ {
+ "uid": {
+ "type": "Project",
+ "id": "6",
+ "attrs": {
+ "name": "changelog-parser"
+ }
+ },
+ "parents": [
+ {
+ "type": "Group",
+ "id": "8"
+ }
+ ]
+ },
+ {
+ "uid": {
+ "type": "Project",
+ "id": "7",
+ "attrs": {
+ "name": "handbook"
+ }
+ },
+ "parents": [
+ {
+ "type": "Group",
+ "id": "4"
+ }
+ ]
+ },
+ {
+ "uid": {
+ "type": "Project",
+ "id": "8",
+ "attrs": {
+ "name": "www-gitlab-com"
+ }
+ },
+ "parents": [
 {
- "type": "Path",
- "id": "/projects.json"
+ "type": "Group",
+ "id": "4"
 }
 ]
 }
diff --git a/pkg/policies/organization.cedar b/pkg/policies/organization.cedar
new file mode 100644
index 0000000..22e4b6a
--- /dev/null
+++ b/pkg/policies/organization.cedar
@@ -0,0 +1,5 @@
+permit (
+ principal == User::"1",
+ action == Action::"read",
+ resource in Organization::"1"
+);
diff --git a/pkg/rpc/server_test.go b/pkg/rpc/server_test.go
index 8f333a5..0871173 100644
--- a/pkg/rpc/server_test.go
+++ b/pkg/rpc/server_test.go
@@ -51,11 +51,11 @@ func TestServer(t *testing.T) {
 assert.True(t, reply.Result)
 })
- t.Run("returns gid://User/1:read_projects:gid://Organization/1", func(t *testing.T) {
+ t.Run("returns gid://User/1:read:gid://Organization/2", func(t *testing.T) {
 reply, err := client.Allowed(t.Context(), &AllowRequest{
 Subject: "gid://User/1",
- Permission: "read_projects",
- Resource: "gid://Organization/1",
+ Permission: "read",
+ Resource: "gid://Organization/2",
 })
 require.NoError(t, err)
 assert.True(t, reply.Result) |
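Review bot: The entity records added in this hunk do not follow the Cedar entity JSON layout in which `uid`, `attrs` and `parents` are sibling keys — every new Organization, Group and Project entry nests `attrs` inside `uid`, and the Group entries also nest `parents` inside `uid`, whereas the pre-existing Project 3 record (the context lines) keeps `parents` beside `uid`. Depending on how strict the loader is, the file either fails to parse or the misplaced keys are ignored; in the lenient case the Group → Organization edges are lost, so `resource in Organization::"1"` would not reach the groups and projects beneath it and the `attrs` names are dropped as well. Each entry should take the shape `{"uid": {"type": "Group", "id": "1"}, "attrs": {"name": "A"}, "parents": [{"type": "Organization", "id": "1"}]}`. A test that loads entities.json and asserts a Project is `in` its Organization would catch this, since the hierarchy is the thing the policies depend on. The hunk's leading context lines sit inside an array that opens outside the hunk.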
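Review bot: The new policy carries no comment stating what it is meant to grant, and because `resource in Organization::"1"` matches Organization 1 itself plus every entity whose transitive parents include it, the effective reach of this permit is decided by the parent edges in entities.json rather than by anything visible in this file. Suggest a header comment such as `// User 1 may read Organization 1 and any entity whose parent chain leads to it; the chain is defined in entities.json`. Naming that dependency makes it obvious that a change to the entity hierarchy is also a change to this authorization decision.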
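Review bot: The renamed subtest asserts that User/1 may `read` Organization/2, but the only Organization-scoped policy in this commit (organization.cedar) permits `resource in Organization::"1"`; unless album.cedar or another policy outside the diff grants Organization 2, this assertion will not hold, and if it does hold the test is not exercising the policy the commit adds. Consider keeping a case with `Resource: "gid://Organization/1"` and `assert.True(t, reply.Result)`, and adding a negative case for an organization no policy names with `assert.False(t, reply.Result)`, so an over-broad grant is caught rather than passing silently. TestServer starts and ends outside the hunk.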
