UPDATE

2026-05-11 03:27:21 +03:30
parent cf7cbb937c
commit d0e68a1a56
854 changed files with 102985 additions and 76 deletions
@@ -0,0 +1,68 @@
+package croplogic.authz
+
+import rego.v1
+
+default allow := false
+
+allow if {
+  decision.allow
+}
+
+decision := feature_decision(input.feature)
+
+batch_decision := {
+  "features": {
+    feature: result |
+    feature := input.features[_]
+    result := feature_decision(feature)
+  },
+}
+
+feature_decision(feature) := {
+  "allow": true,
+  "matched_rules": [],
+  "deny_rules": [],
+  "allow_rules": [],
+} if {
+  not has_feature_rule(feature)
+}
+
+feature_decision(feature) := result if {
+  has_feature_rule(feature)
+  rule := feature_rule(feature)
+  matched := [matched_rule | matched_rule := rule; action_match(matched_rule)]
+  deny_rules := [matched_rule | matched_rule := matched[_]; not object.get(matched_rule, "allow", false)]
+  allow_rules := [matched_rule | matched_rule := matched[_]; object.get(matched_rule, "allow", false)]
+  count(deny_rules) == 0
+  result := {
+    "allow": true,
+    "matched_rules": matched,
+    "deny_rules": deny_rules,
+    "allow_rules": allow_rules,
+  }
+}
+
+feature_decision(feature) := result if {
+  has_feature_rule(feature)
+  rule := feature_rule(feature)
+  matched := [matched_rule | matched_rule := rule; action_match(matched_rule)]
+  deny_rules := [matched_rule | matched_rule := matched[_]; not object.get(matched_rule, "allow", false)]
+  allow_rules := [matched_rule | matched_rule := matched[_]; object.get(matched_rule, "allow", false)]
+  count(deny_rules) > 0
+  result := {
+    "allow": false,
+    "matched_rules": matched,
+    "deny_rules": deny_rules,
+    "allow_rules": allow_rules,
+  }
+}
+
+action_match(rule) if {
+  count(object.get(rule, "actions_any", [])) == 0
+}
+
+action_match(rule) if {
+  requested_action := lower(sprintf("%v", [object.get(input, "action", "view")]))
+  action := object.get(rule, "actions_any", [])[_]
+  lower(sprintf("%v", [action])) == requested_action
+}
@@ -0,0 +1,3 @@
+{
+  "authz": {}
+}
@@ -0,0 +1,48 @@
+package croplogic.authz
+
+import rego.v1
+
+has_feature_rule(feature) if {
+  is_sensor_7_in_1_feature(feature)
+}
+
+feature_rule(feature) := {
+  "code": "sensor-7-in-1-requires-sensor-code",
+  "allow": true,
+  "reason": "sensor-7-in-1 feature requires sensor_codes to include a supported 7-in-1 sensor code",
+} if {
+  is_sensor_7_in_1_feature(feature)
+  has_any_supported_sensor_7_in_1_code
+}
+
+feature_rule(feature) := {
+  "code": "sensor-7-in-1-requires-sensor-code",
+  "allow": false,
+  "reason": "sensor-7-in-1 feature requires sensor_codes to include a supported 7-in-1 sensor code",
+} if {
+  is_sensor_7_in_1_feature(feature)
+  not has_any_supported_sensor_7_in_1_code
+}
+
+is_sensor_7_in_1_feature(feature) if {
+  lower(sprintf("%v", [feature])) == "sensor-7-in-1"
+}
+
+has_any_supported_sensor_7_in_1_code if {
+  supported_code := {"sensor-7-in-1", "sensor_7_soil_moisture_sensor_v1_2"}[_]
+  has_sensor_code(supported_code)
+}
+
+has_sensor_code(code) if {
+  sensor_codes := object.get(input.resource, "sensor_codes", [])
+  is_array(sensor_codes)
+  sensor_code := sensor_codes[_]
+  lower(sprintf("%v", [sensor_code])) == lower(sprintf("%v", [code]))
+}
+
+has_sensor_code(code) if {
+  sensor_code := object.get(input.resource, "sensor_codes", null)
+  sensor_code != null
+  not is_array(sensor_code)
+  lower(sprintf("%v", [sensor_code])) == lower(sprintf("%v", [code]))
+}