context_broker_policy.rego
package envoy.authz
import future.keywords.in
import input.attributes.request.http.method as method
import input.attributes.request.http.path as path
import input.attributes.request.http.headers.authorization as authorization
# path_matches_policy(entry, request) holds when a policy entry whose
# resource_type is "entity" applies to the requested /v2/entities path.
#
# Catch-all entries: a resource of "*" or "default" applies to every path whose
# segments after the leading "/" start with v2/entities, with or without an
# entity id behind them.
path_matches_policy(entry, request) {
    entry.resource_type == "entity"
    entry.resource in {"*", "default"}
    segments := split(request.resource, "/")
    segments[1] == "v2"
    segments[2] == "entities"
}

# Specific entries: the segment after "entities" must equal the entry's
# resource exactly. Later segments are not inspected, so sub-paths below that
# entity match as well.
# NOTE(review): the comparison is on the raw string, with no decoding or
# normalisation in this rule; confirm the caller supplies request.resource
# already normalised and without a query string.
path_matches_policy(entry, request) {
    entry.resource_type == "entity"
    segments := split(request.resource, "/")
    segments[1] == "v2"
    segments[2] == "entities"
    segments[3] == entry.resource
}
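# header_link is a Link-style value (rel="acl") that points at the /me endpoint
# under api_uri for the entity addressed by the request path. The three bodies
# are mutually exclusive, so the rule never yields conflicting values.
# `request` and `api_uri` are not defined in this file; presumably another
# module of package envoy.authz provides them.
# NOTE(review): the doubled "&" in the format string yields an empty query
# pair; it is left unchanged because the consumers of this value are not
# visible here.

# An entity id is present: link to that entity.
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "entities"
    entity_id := segments[3]
    entity_id != ""

    # The id is taken from the request path, so it is percent-encoded before
    # being placed in the query string; otherwise "&", ">" or a double quote in
    # the path could change the structure of the URI or of the header value.
    # NOTE(review): if request.resource carries already-encoded segments this
    # encodes them a second time; confirm what the /me endpoint expects.
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, urlquery.encode(entity_id), "entity"])
}

# Trailing slash ("/v2/entities/"): the id segment is empty, link to "*".
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "entities"
    segments[3] == ""
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, "*", "entity"])
}

# No id segment at all ("/v2/entities"): link to "*".
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "entities"
    not segments[3]
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, "*", "entity"])
}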
# path_matches_policy(entry, request) holds when a policy entry whose
# resource_type is "entity_type" applies to the requested /v2/types path.
#
# Catch-all entries: a resource of "*" or "default" applies to every path whose
# segments after the leading "/" start with v2/types, with or without a type
# name behind them.
path_matches_policy(entry, request) {
    entry.resource_type == "entity_type"
    entry.resource in {"*", "default"}
    segments := split(request.resource, "/")
    segments[1] == "v2"
    segments[2] == "types"
}

# Specific entries: the segment after "types" must equal the entry's resource
# exactly. Later segments are not inspected.
# NOTE(review): the comparison is on the raw string, with no decoding or
# normalisation in this rule; confirm the caller supplies request.resource
# already normalised and without a query string.
path_matches_policy(entry, request) {
    entry.resource_type == "entity_type"
    segments := split(request.resource, "/")
    segments[1] == "v2"
    segments[2] == "types"
    segments[3] == entry.resource
}
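# header_link for /v2/types paths: a Link-style value (rel="acl") that points
# at the /me endpoint under api_uri for the entity type addressed by the
# request. The three bodies are mutually exclusive.
# `request` and `api_uri` are not defined in this file; presumably another
# module of package envoy.authz provides them.
# NOTE(review): the doubled "&" in the format string yields an empty query
# pair; it is left unchanged because the consumers of this value are not
# visible here.

# A type name is present: link to that type.
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "types"
    type_name := segments[3]
    type_name != ""

    # The name is taken from the request path, so it is percent-encoded before
    # being placed in the query string; otherwise "&", ">" or a double quote in
    # the path could change the structure of the URI or of the header value.
    # NOTE(review): if request.resource carries already-encoded segments this
    # encodes them a second time; confirm what the /me endpoint expects.
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, urlquery.encode(type_name), "entity_type"])
}

# Trailing slash ("/v2/types/"): the name segment is empty, link to "*".
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "types"
    segments[3] == ""
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, "*", "entity_type"])
}

# No name segment at all ("/v2/types"): link to "*".
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "types"
    not segments[3]
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, "*", "entity_type"])
}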
# path_matches_policy(entry, request) holds when a policy entry whose
# resource_type is "subscription" applies to the requested /v2/subscriptions
# path.
#
# Catch-all entries: a resource of "*" or "default" applies to every path whose
# segments after the leading "/" start with v2/subscriptions, with or without a
# subscription id behind them.
path_matches_policy(entry, request) {
    entry.resource_type == "subscription"
    entry.resource in {"*", "default"}
    segments := split(request.resource, "/")
    segments[1] == "v2"
    segments[2] == "subscriptions"
}

# Specific entries: the segment after "subscriptions" must equal the entry's
# resource exactly. Later segments are not inspected.
# NOTE(review): the comparison is on the raw string, with no decoding or
# normalisation in this rule; confirm the caller supplies request.resource
# already normalised and without a query string.
path_matches_policy(entry, request) {
    entry.resource_type == "subscription"
    segments := split(request.resource, "/")
    segments[1] == "v2"
    segments[2] == "subscriptions"
    segments[3] == entry.resource
}
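# header_link for /v2/subscriptions paths: a Link-style value (rel="acl") that
# points at the /me endpoint under api_uri for the subscription addressed by
# the request. The three bodies are mutually exclusive.
# `request` and `api_uri` are not defined in this file; presumably another
# module of package envoy.authz provides them.
# NOTE(review): the doubled "&" in the format string yields an empty query
# pair; it is left unchanged because the consumers of this value are not
# visible here.

# A subscription id is present: link to that subscription.
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "subscriptions"
    subscription_id := segments[3]
    subscription_id != ""

    # The id is taken from the request path, so it is percent-encoded before
    # being placed in the query string; otherwise "&", ">" or a double quote in
    # the path could change the structure of the URI or of the header value.
    # NOTE(review): if request.resource carries already-encoded segments this
    # encodes them a second time; confirm what the /me endpoint expects.
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, urlquery.encode(subscription_id), "subscription"])
}

# Trailing slash ("/v2/subscriptions/"): the id segment is empty, link to "*".
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "subscriptions"
    segments[3] == ""
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, "*", "subscription"])
}

# No id segment at all ("/v2/subscriptions"): link to "*".
header_link = link {
    segments := split(request.resource, "/")
    segments[2] == "subscriptions"
    not segments[3]
    link := sprintf("<%s/me?resource=%s&&type=%s>; rel=\"acl\"", [api_uri, "*", "subscription"])
}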