Skip to content

feat: update tiled policy #300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ZohebShaikh wants to merge 1 commit into
base: main
Choose a base branch
from
+86 −31
Open

feat: update tiled policy #300

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 57 additions & 7 deletions policy/diamond/policy/tiled/tiled.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
package diamond.policy.tiled

import data.diamond.policy.admin
import data.diamond.policy.session
import data.diamond.policy.token
import rego.v1
Expand Down Expand Up @@ -30,15 +31,64 @@ scopes_for(claims) := read_scopes if {
not "azp" in object.keys(claims)
}

# Assign read & write scopes to blueapi clients
# defaults to read-only scopes
default scopes := set()

scopes := scopes_for(token.claims)

user_sessions contains user_session if {
some i in data.diamond.data.sessions
session.access_session(token.claims.fedid, i.proposal_number, i.visit_number)
user_session := sprintf(
`{"proposal": %d, "visit": %d, "beamline": "%s"}`,
[i.proposal_number, i.visit_number, i.beamline],
)
# Returns the session ID if the subject has write permissions for the
# specific beamline, visit and proposal requested in the input.
user_session := to_number(value) if {
session.write_to_beamline_visit
value := data.diamond.data.proposals[format_int(input.proposal, 10)].sessions[format_int(input.visit, 10)]
}

# Validates if the subject has permission to modify
# the specific session in the input.
default modify_session := false

modify_session := session.access_session(
token.claims.fedid,
data.diamond.data.sessions[input.session].proposal_number,
data.diamond.data.sessions[input.session].visit_number,
)

subject := data.diamond.data.subjects[token.claims.fedid]

# Identifies all beamlines the subject is authorized to access
# based on their assigned permissions.
beamlines contains beamline if {
not admin.is_admin(token.claims.fedid)
some p in subject.permissions
some beamline in object.get(data.diamond.data.admin, p, [])
}

# Aggregates all session IDs the subject is authorized to view.
# Admins receive a wildcard "*" granting access to all sessions.

# Regular users gain session access through three pathways:
# 1. Direct session membership
# 2. Access via beamline-level permissions
# 3. Access via proposal-level permissions
user_sessions contains "*" if {
admin.is_admin(token.claims.fedid)
}

user_sessions contains to_number(session) if {
not admin.is_admin(token.claims.fedid)
some session in subject.sessions
}

user_sessions contains to_number(session) if {
not admin.is_admin(token.claims.fedid)
some beamline in beamlines
some session in data.diamond.data.beamlines[beamline].sessions
}

user_sessions contains to_number(session) if {
not admin.is_admin(token.claims.fedid)
some p in subject.proposals
some i in data.diamond.data.proposals[format_int(p, 10)]
some session in i
}
53 changes: 29 additions & 24 deletions policy/diamond/policy/tiled/tiled_test.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,33 +96,38 @@ diamond_data := {
test_user_session_tags if {
tiled.user_sessions == set() with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"fedid": "oscar"}
tiled.user_sessions == {
`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
} with data.diamond.data as diamond_data
tiled.user_sessions == {11, 12} with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"fedid": "alice"}
tiled.user_sessions == {
`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
} with data.diamond.data as diamond_data
tiled.user_sessions == {11, 12, 13, 14} with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"fedid": "bob"}
tiled.user_sessions == {
`{"proposal": 1, "visit": 2, "beamline": "b07"}`,
`{"proposal": 1, "visit": 1, "beamline": "i03"}`,
`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
} with data.diamond.data as diamond_data
tiled.user_sessions == {"*"} with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"fedid": "carol"}
tiled.user_sessions == {
`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
} with data.diamond.data as diamond_data
tiled.user_sessions == {13, 14} with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"fedid": "desmond"}
tiled.user_sessions == {
`{"proposal": 2, "visit": 1, "beamline": "b07"}`,
`{"proposal": 2, "visit": 2, "beamline": "b07"}`,
} with data.diamond.data as diamond_data
tiled.user_sessions == {13, 14} with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"fedid": "edna"}
}

test_user_session_allow if {
tiled.user_session == 11 with data.diamond.data as diamond_data
with input as {"beamline": "i03", "proposal": 1, "visit": 1}
with data.diamond.policy.token.claims as {"fedid": "carol"}
}

test_user_session_not_allowed if {
not tiled.user_session with data.diamond.data as diamond_data
with input as {"beamline": "i03", "proposal": 1, "visit": 1}
with data.diamond.policy.token.claims as {"fedid": "oscar"}
}

test_not_modify_session if {
not tiled.modify_session with data.diamond.data as diamond_data
with input as {"session": "13"}
with data.diamond.policy.token.claims as {"fedid": "alice"}
}

test_modify_session if {
tiled.modify_session with data.diamond.data as diamond_data
with input as {"session": "11"}
with data.diamond.policy.token.claims as {"fedid": "alice"}
}
Loading