
[20221014] OPAでRBACを表現してみた #171



https://play.openpolicyagent.org/p/eLMHzIHOMl

rego

package app.rbac

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Deny by default: a request is rejected unless one of the `allow` rules below
# is satisfied. An undefined or missing input field makes every rule body fail,
# so the policy fails closed rather than open.
default allow := false

# Members of the "admin" role bypass the endpoint/method table entirely.
allow if user_is_admin

# Non-admins are allowed only when at least one permission granted through the
# caller's roles matches the request. The match is plain string equality on
# both fields and is therefore case-sensitive: the data stores lower-case
# methods ("get", "post", ...), so a caller that sends "PUT" is denied.
# NOTE(review): confirm the enforcement point lower-cases `input.method`, or
# store methods in the same case it sends, so the deny is not accidental.
allow if {
    matching := [perm |
        some perm in role_permission
        perm.endpoint == input.endpoint
        perm.method == input.method
    ]
    count(matching) > 0
}

# True when the caller's role list contains the literal "admin".
# `input.user` is trusted as the already-authenticated principal: the
# enforcement point must set it from a verified identity, never from a
# client-controlled request field, or any caller can claim an admin's roles.
# A user absent from `data.user_roles` makes the reference undefined, so this
# rule simply fails and `allow` falls back to false.
user_is_admin if {
    some role in data.user_roles[input.user]
    role == "admin"
}

# The set of {endpoint, method} permissions the caller holds through any of
# their roles. A role with no entry in `data.roles` (e.g. "admin") contributes
# nothing. Because endpoints are compared as literal strings, a template entry
# such as "/v1/users/{id}" only ever matches that exact string.
# NOTE(review): confirm whether the enforcement point passes the route
# template or the concrete request path; if it passes the concrete path, such
# template grants can never match.
role_permission contains perm if {
    perm := data.roles[data.user_roles[input.user][_]][_]
}

data

{
    "roles": {
        "billing": [
            {
                "endpoint": "/v1/users",
                "method": "post"
            },
            {
                "endpoint": "/v1/users/query",
                "method": "get"
            }
        ],
        "customer": [
            {
                "endpoint": "/v1/users",
                "method": "get"
            },
            {
                "endpoint": "/v1/users/{id}",
                "method": "put"
            },
            {
                "endpoint": "/v1/users",
                "method": "post"
            },
            {
                "endpoint": "/v1/users/query",
                "method": "get"
            }
        ],
        "employee": [
            {
                "endpoint": "/v1/users",
                "method": "get"
            }
        ]
    },
    "user_roles": {
        "alice@example.com": [
            "admin"
        ],
        "bob@example.com": [
            "employee",
            "billing",
            "customer"
        ],
        "eve@example.com": [
            "customer"
        ]
    }
}

input

{
    "endpoint": "/v1/users",
    "method": "put",
    "user": "bob@example.com"
}

output

{
    "allow": false,
    "role_permission": [
        {
            "endpoint": "/v1/users",
            "method": "get"
        },
        {
            "endpoint": "/v1/users",
            "method": "post"
        },
        {
            "endpoint": "/v1/users/query",
            "method": "get"
        },
        {
            "endpoint": "/v1/users/{id}",
            "method": "put"
        }
    ]
}