-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathrbac.rego
156 lines (119 loc) · 4.43 KB
/
rbac.rego
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# Role-based Access Control (RBAC)
# --------------------------------
#
# This example defines an RBAC model for a Blog API. The Blog API allows users to:
#
# * Read Posts,
# * Comment on Posts,
# * Edit and Delete Own Unpublished Posts,
# * Edit and Delete Own Published Posts,
# * Publish Own Posts,
# * Edit, Delete and Publish Any Posts, and so on.
#
# The policy controls which users can perform actions on which resources.
# The policy implements a classic Role-based Access Control model where users are
# assigned to roles and roles are granted the ability to perform some action(s) on
# some type of resource.
#
# This example shows how to:
#
# * Define an RBAC model in Rego that interprets role mappings represented in JSON.
# * Iterate/search across JSON data structures (e.g., role mappings)
#
package cnapp.rbac
import data.cnapp.rbac.roles # import roles list from data.cnapp.rbac
import data.cnapp.rbac.permissions # import permissions list from data.cnapp.rbac
import data.cnapp.rbac.blacklist # import blacklist permissions list from data.cnapp.rbac
import input # import input.json
# By default, deny requests.
default allow = false
# More than one OR Condition for a variable `allow`
# Allow admins to do anything.
allow {
user_is_admin
}
# Allow the action if the user is granted permission to perform the action.
allow {
# check for blacklisted grants for user
not user_grant_is_blacklisted
# Find grants for the user.
some grant
user_is_granted[grant]
# Check if the grant permits the action. And Condition
input.action == grant.action
input.type == grant.type
}
# user_is_admin is true if...
user_is_admin {
# for some `i`...
some i
# "admin" is the `i`-th element in the user->role mappings for the identified user.
roles[input.user][i] == "admin"
}
# user_is_granted is a set of grants for the user identified in the request.
# The `grant` will be contained if the set `user_is_granted` for every...
user_is_granted[grant] {
some i, j
# `role` assigned an element of the user_roles for this user...
role := roles[input.user][i]
# `grant` assigned a single grant from the grants list for 'role'...
grant := permissions[role][j]
}
# user permission has been blacklisted to perform the action.
user_grant_is_blacklisted = true {
# for some `i`...
some i
# `grant` assigned a single blacklist grant from the 'blacklist' user list...
grant := blacklist[input.user][i]
# Check if the grant permits the action.
input.action == grant.action
input.type == grant.type
} else = false
# who_are is a set of users who has roles identified in the request.
who_are[user] {
# for some `user`...
some user
# `roleList` assigned a single user roles list...
roleList := roles[user]
# Check if the roleList matches the input role
roleList[_] == input.role
}
# who_all_are is a set of users along with roles list who has roles identified in the request.
who_all_are[{ user: roleList }] {
# for some `user` and `role`...
some user, role
# `roleList` assigned a single user roles list...
roleList := roles[user]
# Check if the roleList matches the input role list
roleList[_] == input.roles[role]
}
# roles_can is a set of roles who has grants identified in the request.
roles_can[role] {
# for some `role` and `permission`...
some role, permission
# `roleList` assigned a single permission role list...
roleList := permissions[role]
# `grant` assigned a single grant from all grants list...
grant := roleList[permission]
# Check if the grant permits the action.
input.grant.action == grant.action
input.grant.type == grant.type
}
# users_can is a set of roles who has grants identified in the request.
users_can[user] {
# for some `role` and `permission`...
some role, permission
# `roleList` assigned a single permission role list...
roleList := permissions[role]
# `grant` assigned a single grant from all grants list...
grant := roleList[permission]
# Check if the grant permits the action.
input.grant.action == grant.action
input.grant.type == grant.type
# for some `user`
some user
# `askedRoleList` assigned a single user roles list...
askedRoleList := roles[user]
# Check if the askedRoleList matches the selected role from upper iteration
askedRoleList[_] == role
}