From 9ba715860e2572011ca44696ec5ef3ffbc9c0eab Mon Sep 17 00:00:00 2001
From: sbriat
Date: Thu, 4 May 2023 14:46:40 +0200
Subject: [PATCH] add ad policies

---
 opa/ad/delete.rego | 11 +++++++++++
 opa/ad/list.rego | 3 +++
 opa/ad/read.rego | 11 +++++++++++
 opa/ad/update.rego | 11 +++++++++++
 opa/user/read.rego | 4 ++--
 5 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 opa/ad/delete.rego
 create mode 100644 opa/ad/list.rego
 create mode 100644 opa/ad/read.rego
 create mode 100644 opa/ad/update.rego

diff --git a/opa/ad/delete.rego b/opa/ad/delete.rego
new file mode 100644
index 0000000..27a0e1a
--- /dev/null
+++ b/opa/ad/delete.rego
@@ -0,0 +1,11 @@
+package AD.DELETE
+
+default allow := false
+
+allow {
+ input.userUuid == input.owner
+}
+
+allow {
+ input.role == "admin"
+}
diff --git a/opa/ad/list.rego b/opa/ad/list.rego
new file mode 100644
index 0000000..1718a69
--- /dev/null
+++ b/opa/ad/list.rego
@@ -0,0 +1,3 @@
+package AD.LIST
+
+default allow := true
diff --git a/opa/ad/read.rego b/opa/ad/read.rego
new file mode 100644
index 0000000..ed974fe
--- /dev/null
+++ b/opa/ad/read.rego
@@ -0,0 +1,11 @@
+package AD.READ
+
+default allow := false
+
+allow {
+ input.userUuid == input.owner
+}
+
+allow {
+ input.role == "admin"
+}
diff --git a/opa/ad/update.rego b/opa/ad/update.rego
new file mode 100644
index 0000000..94a0699
--- /dev/null
+++ b/opa/ad/update.rego
@@ -0,0 +1,11 @@
+package AD.UPDATE
+
+default allow := false
+
+allow {
+ input.userUuid == input.owner
+}
+
+allow {
+ input.role == "admin"
+}
diff --git a/opa/user/read.rego b/opa/user/read.rego
index 5650aae..843d31b 100644
--- a/opa/user/read.rego
+++ b/opa/user/read.rego
@@ -2,10 +2,10 @@ package USER.READ
 default allow := false
-allow := true {
+allow {
 input.uuid == input.owner
 }
-allow := true {
+allow {
 input.role == "admin"
 }
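Review bot: The ownership rule `input.userUuid == input.owner` in delete.rego also succeeds when both sides carry the same placeholder value such as JSON `null` or an empty string, because Rego compares those as equal, so an ad whose owner was never set would be deletable by a request that carries no subject. Tighten the body to `allow { is_string(input.userUuid); input.userUuid != ""; input.userUuid == input.owner }` so the match requires a real identifier. The same rule appears in read.rego and update.rego in this patch, and user/read.rego's `input.uuid == input.owner` has the same shape. Separately, the AD packages read the caller's identity from `input.userUuid` while USER.READ reads `input.uuid`; if that difference is not intentional, one attribute name across packages avoids a caller mismatch where an undefined field silently evaluates to deny. The `input.role == "admin"` branch relies entirely on the component that builds `input` having derived `role` from a verified credential rather than from the request body, which is worth stating in a comment at the top of each package.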
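Review bot: `default allow := true` in list.rego permits listing ads for every request, including ones with no subject or role, and it is the only policy in this patch that does not consult `input` at all. If anonymous listing is the intended product behaviour, a one-line comment such as `# ads are publicly listable; no subject required` makes that explicit to the next reader; if it is not, prefer `default allow := false` with an explicit rule naming the conditions, mirroring the other AD packages. As a style point, the package paths here are upper-case (`AD.LIST`, `AD.DELETE`) while Rego convention and OPA's documentation use lower-case paths such as `data.ad.list`; since `data` paths are case-sensitive, whichever form is kept must match the query path the service sends.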