Access/policies/authz.rego
package croplogic.authz
import rego.v1
# Top-level verdict for a single-feature query.
# Fails closed: `allow` is false whenever `decision` is undefined (for example
# when input.feature is absent) or when decision.allow is false.
default allow := false

allow if decision.allow
# Decision object for the feature named in input.feature; undefined when that
# key is missing, which makes the top-level `allow` fall back to its default.
decision := verdict if {
	verdict := feature_decision(input.feature)
}
# One decision object per entry of input.features, keyed by feature name.
# Each entry is evaluated against the same input.action as a single query.
# An absent input.features yields an empty "features" object.
batch_decision := {"features": per_feature} if {
	per_feature := {name: feature_decision(name) | some name in input.features}
}
# Decision for a feature that has no configured rule: allowed unconditionally,
# with every rule list empty.
# NOTE(review): this branch is fail-open — an unknown or misspelled feature
# name is allowed without any rule being consulted. Confirm this is intended;
# an authorization policy normally denies by default and requires an explicit
# rule before granting access.
feature_decision(feature) := result if {
	not has_feature_rule(feature)
	result := {
		"allow": true,
		"matched_rules": [],
		"deny_rules": [],
		"allow_rules": [],
	}
}
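# Decision for a feature that has a configured rule.
#
# The rule counts as matched only when action_match accepts it for the
# requested action. A matched rule whose "allow" key is missing or false is
# a deny (missing keys fail closed); any deny wins over any allow.
#
# The verdict is computed in one place as `count(deny_rules) == 0`; the
# previous two near-identical bodies split on `== 0` / `> 0` and could drift
# apart when one was edited.
feature_decision(feature) := result if {
	has_feature_rule(feature)
	rule := feature_rule(feature)
	# NOTE(review): feature_rule is defined outside this block; the
	# comprehension wraps its single return value in a 0- or 1-element list.
	# Confirm it never produces several distinct values for one feature.
	matched := [candidate | candidate := rule; action_match(candidate)]
	deny_rules := [candidate | some candidate in matched; not object.get(candidate, "allow", false)]
	allow_rules := [candidate | some candidate in matched; object.get(candidate, "allow", false)]
	verdict := count(deny_rules) == 0
	result := {
		"allow": verdict,
		"matched_rules": matched,
		"deny_rules": deny_rules,
		"allow_rules": allow_rules,
	}
}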
# True when the rule applies to the requested action.
#
# Two ways to match:
#   - the rule has no "actions_any" key, or it is empty: the rule applies to
#     every action (no restriction);
#   - one of the rule's "actions_any" entries equals input.action, compared
#     case-insensitively after rendering both sides with sprintf("%v"), so
#     non-string values are compared by their textual form.
# When input.action is absent the requested action defaults to "view".
action_match(rule) if {
	restricted_to := object.get(rule, "actions_any", [])
	count(restricted_to) == 0
}

action_match(rule) if {
	wanted := lower(sprintf("%v", [object.get(input, "action", "view")]))
	some candidate in object.get(rule, "actions_any", [])
	lower(sprintf("%v", [candidate])) == wanted
}