UPDATE

policies/authz.rego

@@ -0,0 +1,68 @@
+package croplogic.authz
+
+import rego.v1
+
+default allow := false
+
+allow if {
+  decision.allow
+}
+
+decision := feature_decision(input.feature)
+
+batch_decision := {
+  "features": {
+    feature: result |
+    feature := input.features[_]
+    result := feature_decision(feature)
+  },
+}
+
+feature_decision(feature) := {
+  "allow": true,
+  "matched_rules": [],
+  "deny_rules": [],
+  "allow_rules": [],
+} if {
+  not has_feature_rule(feature)
+}
+
+feature_decision(feature) := result if {
+  has_feature_rule(feature)
+  rule := feature_rule(feature)
+  matched := [matched_rule | matched_rule := rule; action_match(matched_rule)]
+  deny_rules := [matched_rule | matched_rule := matched[_]; not object.get(matched_rule, "allow", false)]
+  allow_rules := [matched_rule | matched_rule := matched[_]; object.get(matched_rule, "allow", false)]
+  count(deny_rules) == 0
+  result := {
+    "allow": true,
+    "matched_rules": matched,
+    "deny_rules": deny_rules,
+    "allow_rules": allow_rules,
+  }
+}
+
+feature_decision(feature) := result if {
+  has_feature_rule(feature)
+  rule := feature_rule(feature)
+  matched := [matched_rule | matched_rule := rule; action_match(matched_rule)]
+  deny_rules := [matched_rule | matched_rule := matched[_]; not object.get(matched_rule, "allow", false)]
+  allow_rules := [matched_rule | matched_rule := matched[_]; object.get(matched_rule, "allow", false)]
+  count(deny_rules) > 0
+  result := {
+    "allow": false,
+    "matched_rules": matched,
+    "deny_rules": deny_rules,
+    "allow_rules": allow_rules,
+  }
+}
+
+action_match(rule) if {
+  count(object.get(rule, "actions_any", [])) == 0
+}
+
+action_match(rule) if {
+  requested_action := lower(sprintf("%v", [object.get(input, "action", "view")]))
+  action := object.get(rule, "actions_any", [])[_]
+  lower(sprintf("%v", [action])) == requested_action
+}