Diffstat (limited to 'pkg/policies')
| -rw-r--r-- | pkg/policies/album.cedar | 6 | ||||
| -rw-r--r-- | pkg/policies/entities.json | 9 | ||||
| -rw-r--r-- | pkg/policies/init.go | 3 | ||||
| -rw-r--r-- | pkg/policies/organization.cedar | 6 | ||||
| -rw-r--r-- | pkg/policies/policies_test.go | 59 | ||||
| -rw-r--r-- | pkg/policies/rest.cedar | 51 |
6 files changed, 85 insertions, 49 deletions
diff --git a/pkg/policies/album.cedar b/pkg/policies/album.cedar
index 6ba3cbd..aed5a53 100644
--- a/pkg/policies/album.cedar
+++ b/pkg/policies/album.cedar
@@ -1,5 +1,5 @@
 permit (
- principal == User::"alice",
- action == Action::"view",
- resource in Album::"jane_vacation"
+ principal == User::"alice",
+ action == Permission::"view",
+ resource in Album::"jane_vacation"
 );
diff --git a/pkg/policies/entities.json b/pkg/policies/entities.json
index cfdc099..3df6e43 100644
--- a/pkg/policies/entities.json
+++ b/pkg/policies/entities.json
@@ -26,7 +26,8 @@
 "uid": {
 "type": "User",
 "id": "1"
- }
+ },
+ "parents": []
 },
 {
 "uid": {
@@ -301,5 +302,11 @@
 "id": "4"
 }
 ]
+ },
+ {
+ "uid": {
+ "type": "HttpPath",
+ "id": "/projects.json"
+ }
 }
 ]
diff --git a/pkg/policies/init.go b/pkg/policies/init.go
index cabfbec..a10526f 100644
--- a/pkg/policies/init.go
+++ b/pkg/policies/init.go
@@ -5,7 +5,6 @@ import (
 _ "embed"
 "fmt"
 "io/fs"
- "log"
 "strings"
 
 "github.com/cedar-policy/cedar-go"
@@ -57,7 +56,7 @@ func init() {
 })
 
 if err != nil {
- log.Fatal(err)
+ xlog.Default.Printf("error: %v\n", err)
 }
 }
 
diff --git a/pkg/policies/organization.cedar b/pkg/policies/organization.cedar
index 22e4b6a..8ac143c 100644
--- a/pkg/policies/organization.cedar
+++ b/pkg/policies/organization.cedar
@@ -1,5 +1,5 @@
 permit (
- principal == User::"1",
- action == Action::"read",
- resource in Organization::"1"
+ principal == User::"1",
+ action == Permission::"read",
+ resource in Organization::"2"
 );
diff --git a/pkg/policies/policies_test.go b/pkg/policies/policies_test.go
new file mode 100644
index 0000000..e038edb
--- /dev/null
+++ b/pkg/policies/policies_test.go
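Review bot: Swapping `log.Fatal(err)` for `xlog.Default.Printf("error: %v\n", err)` in the second init.go hunk means a failure while loading the policy set no longer stops the process: init() returns normally and the package is then used with whatever subset of policies (possibly none) was loaded before the error, so authorization results silently change instead of the service refusing to start. If keeping the process up is the goal, retain the error in package state (e.g. a `loadErr` that `Allowed` checks and denies on) so a broken policy load fails closed. The hunk drops the `"log"` import but the `xlog` import is not visible here; confirm it is added in the import block, and check whether xlog's Printf already appends a newline before keeping the explicit `\n`. init() starts outside the hunk.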
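Review bot: Besides the `Action` → `Permission` rename, the organization.cedar hunk also moves the permitted resource from `Organization::"1"` to `Organization::"2"`, which changes what User 1 may read rather than just renaming a type. That scope change is not covered by the new policies_test.go, which only exercises the HttpMethod policy, and it is easy to miss in a diff that is otherwise cosmetic. A one-line comment above the policy such as `// User 1 reads Organization 2 (moved from 1: <reason>)`, or a test case pinning the decision for both organizations, would make the intent explicit.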
@@ -0,0 +1,59 @@
+package policies
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/cedar-policy/cedar-go"
+ "github.com/stretchr/testify/assert"
+ "gitlab.com/mokhax/spike/pkg/gid"
+)
+
+func build(f func(*cedar.Request)) *cedar.Request {
+ request := &cedar.Request{
+ Principal: gid.NewEntityUID("gid://User/1"),
+ Action: cedar.NewEntityUID("HttpMethod", cedar.String("GET")),
+ Resource: cedar.NewEntityUID("HttpPath", cedar.String("/projects.json")),
+ Context: cedar.NewRecord(cedar.RecordMap{"host": cedar.String("api.example.com")}),
+ }
+ if f != nil {
+ f(request)
+ }
+ return request
+}
+
+func TestAllowed(t *testing.T) {
+ allowed := []*cedar.Request{
+ build(func(r *cedar.Request) {}),
+ build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("POST")) }),
+ build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("PUT")) }),
+ build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("PATCH")) }),
+ build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("DELETE")) }),
+ build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("HEAD")) }),
+ }
+
+ for _, tt := range allowed {
+ t.Run(fmt.Sprintf("allows: %v %v %v %v", tt.Principal, tt.Action, tt.Resource, tt.Context), func(t *testing.T) {
+ assert.True(t, Allowed(*tt))
+ })
+ }
+
+ denied := []*cedar.Request{
+ build(func(r *cedar.Request) {
+ r.Principal = gid.NewEntityUID("gid://User/*")
+ r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("POST"))
+ }),
+ build(func(r *cedar.Request) {
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("unknown.example.com")})
+ }),
+ build(func(r *cedar.Request) {
+ r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("TRACE"))
+ }),
+ }
+
+ for _, tt := range denied {
+ t.Run(fmt.Sprintf("denies: %v %v %v %v", tt.Principal, tt.Action, tt.Resource, tt.Context), func(t *testing.T) {
+ assert.False(t, Allowed(*tt))
+ })
+ }
+}
diff --git a/pkg/policies/rest.cedar b/pkg/policies/rest.cedar
index a889684..c6c4f74 100644
--- a/pkg/policies/rest.cedar
+++ b/pkg/policies/rest.cedar
@@ -1,41 +1,12 @@
 permit (
- principal == Subject::"*",
- action == Action::"GET",
- resource in Path::"/projects.json"
-);
-
-permit (
- principal == Subject::"gid://User/1",
- action == Action::"GET",
- resource in Path::"/*.json"
-);
-
-permit (
- principal == Subject::"gid://User/1",
- action == Action::"POST",
- resource in Path::"/*.json"
-);
-
-permit (
- principal == Subject::"gid://User/1",
- action == Action::"PUT",
- resource in Path::"/*.json"
-);
-
-permit (
- principal == Subject::"gid://User/1",
- action == Action::"PATCH",
- resource in Path::"/*.json"
-);
-
-permit (
- principal == Subject::"gid://User/1",
- action == Action::"DELETE",
- resource in Path::"/*.json"
-);
-
-permit (
- principal == Subject::"gid://User/1",
- action == Action::"HEAD",
- resource in Path::"/*.json"
-);
+ principal == User::"1",
+ action in [
+ HttpMethod::"GET",
+ HttpMethod::"POST",
+ HttpMethod::"PUT",
+ HttpMethod::"PATCH",
+ HttpMethod::"DELETE",
+ HttpMethod::"HEAD"
+ ],
+ resource
+) when { context.host == "api.example.com" };
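Review bot: The denied case built with `gid.NewEntityUID("gid://User/*")` does not test wildcard handling: Cedar entity ids are opaque strings, so this is presumably just a principal other than `User::"1"` and is denied for that reason alone; use a plain distinct id such as `gid://User/2` (or rename the case) so the test does not suggest glob semantics exist. The suite also has no case for a resource other than `HttpPath::"/projects.json"`, even though the new rest.cedar leaves `resource` unconstrained, so nothing pins whether User 1 acting on an arbitrary path is meant to be allowed; one entry like `build(func(r *cedar.Request) { r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/other.json")) })` in whichever list matches the intent would document that decision. Minor: `build` already tolerates a nil `f`, so the first allowed entry can be `build(nil)` instead of an empty closure.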
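Review bot: The rewritten policy lists `resource` with no `==`/`in` constraint, so User 1 now gets all six methods on every resource, whereas the replaced policies were scoped to `Path::"/projects.json"` and `Path::"/*.json"`; the `HttpPath::"/projects.json"` entity added to entities.json in this same commit is never referenced by any policy. If the wide scope is intentional, state it in the file — `// resource intentionally unconstrained: any HttpPath on api.example.com` — otherwise restrict it, e.g. `resource == HttpPath::"/projects.json"`. The `context.host` condition is only as trustworthy as the code that fills the request context; it should be set from server configuration rather than from the client-supplied Host header, and a comment here recording that expectation would help the next reader. Note also that the old anonymous `Subject::"*"` GET policy is gone, so unauthenticated reads of /projects.json are now denied; worth confirming that is intended and covered by a test.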
