Update policy to use static admin data

The mapping from admin groups to which beamlines they refer to allows
the access functions to be greatly simplified. Also adds functions to
differentiate between users that are on a proposal/session and those
that can access it due to being an admin for that beamline.

policy/diamond/policy/admin/admin.rego

@@ -0,0 +1,12 @@
+package diamond.policy.admin
+
+import rego.v1
+
+is_admin(subject) if {
+	"super_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
+}
+
+is_beamline_admin(subject, beamline) if {
+	some admin in data.diamond.data.subjects[subject].permissions
+	beamline in data.diamond.data.admin[admin] # regal ignore:external-reference
+}

policy/diamond/policy/admin/admin_test.rego

@@ -0,0 +1,61 @@
+package diamond.policy.admin_test
+
+import data.diamond.policy.admin
+import rego.v1
+
+diamond_data := {
+	"subjects": {
+		"alice": {
+			"permissions": [],
+			"proposals": [],
+			"sessions": [],
+		},
+		"bob": {
+			"permissions": ["b07_admin"],
+			"proposals": [],
+			"sessions": [],
+		},
+		"carol": {
+			"permissions": ["super_admin"],
+			"proposals": [],
+			"sessions": [],
+		},
+		"oscar": {
+			"permissions": ["group_admin"],
+			"proposals": [],
+			"sessions": [],
+		},
+	},
+	"sessions": {},
+	"proposals": {},
+	"beamlines": {},
+	"admin": {"b07_admin": ["b07"], "group_admin": ["b07", "i07"]},
+}
+
+test_super_admin_subject if {
+	admin.is_admin("carol") with data.diamond.data as diamond_data
+}
+
+test_beamline_admin_subject_beamline if {
+	admin.is_beamline_admin("bob", "b07") with data.diamond.data as diamond_data
+}
+
+test_group_admin_subject_beamline if {
+	admin.is_beamline_admin("oscar", "b07") with data.diamond.data as diamond_data
+}
+
+test_non_admin if {
+	not admin.is_admin("alice") with data.diamond.data as diamond_data
+}
+
+test_beamline_admin_not_admin if {
+	not admin.is_admin("bob") with data.diamond.data as diamond_data
+}
+
+test_non_beamline_admin if {
+	not admin.is_beamline_admin("alice", "b07") with data.diamond.data as diamond_data
+}
+
+test_super_admin_not_beamline_admin if {
+	not admin.is_beamline_admin("carol", "b07") with data.diamond.data as diamond_data
+}

policy/diamond/policy/proposal/proposal.rego

@@ -1,13 +1,14 @@
 package diamond.policy.proposal
 
+import data.diamond.policy.admin
 import rego.v1
 
-# Allow if subject has super_admin permission
-access_proposal(subject, proposal_number) if {
-	"super_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
+on_proposal(subject, proposal_number) if {
+	proposal_number in data.diamond.data.subjects[subject].proposals # regal ignore:external-reference
 }
 
+# Allow if subject has super_admin permission
+access_proposal(subject, proposal_number) if admin.is_admin(subject)
+
 # Allow if subject is on proposal
-access_proposal(subject, proposal_number) if {
-	proposal_number in data.diamond.data.subjects[subject].proposals # regal ignore:external-reference
-}
+access_proposal(subject, proposal_number) if on_proposal(subject, proposal_number)

policy/diamond/policy/proposal/proposal_test.rego

@@ -35,3 +35,11 @@ test_super_admin_allowed if {
 test_non_member_denied if {
 	not proposal.access_proposal("oscar", 1) with data.diamond.data as diamond_data
 }
+
+test_member_on_proposal if {
+	proposal.on_proposal("alice", 1) with data.diamond.data as diamond_data
+}
+
+test_admin_not_on_proposal if {
+	not proposal.on_proposal("carol", 1) with data.diamond.data as diamond_data
+}

policy/diamond/policy/session/session.rego

@@ -1,5 +1,6 @@
 package diamond.policy.session
 
+import data.diamond.policy.admin
 import data.diamond.policy.proposal
 import rego.v1
 
@@ -10,200 +11,23 @@ beamline(proposal_number, visit_number) := beamline if {
 	beamline := session.beamline
 }
 
-# Allow if subject has super_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	"super_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if subject on proposal which contains session
-access_session(subject, proposal_number, visit_number) if {
-	proposal.access_proposal(subject, proposal_number)
-}
-
-# Allow if subject directly on session
-access_session(subject, proposal_number, visit_number) if {
+on_session(subject, proposal_number, visit_number) if {
 	some session_id in data.diamond.data.subjects[subject].sessions # regal ignore:external-reference
 	subject_session := data.diamond.data.sessions[format_int(session_id, 10)] # regal ignore:external-reference
 	subject_session.proposal_number == proposal_number
 	subject_session.visit_number == visit_number
 }
 
-# Allow if on session on b07 and subject has b07_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "b07"
-	"b07_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on b16 and subject has b16_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "b16"
-	"b16_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on b18 and subject has b18_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "b18"
-	"b18_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on b22 and subject has b22_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "b22"
-	"b22_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on b23 and subject has b23_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "b23"
-	"b23_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on b24 and subject has b24_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "b24"
-	"b24_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i02-1 (VMXm) and subject has mx_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i02"
-	"mx_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i02-2 (VMXi) and subject has mx_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i02-2"
-	"mx_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i03 and subject has mx_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i03"
-	"mx_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i04 and subject has mx_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i04"
-	"mx_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i04-1 and subject has mx_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i04-1"
-	"mx_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i05 and subject has i05_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i05"
-	"i05_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i06 and subject has i06_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i06"
-	"i06_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i07 and subject has i07_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i07"
-	"i07_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i08 and subject has i08_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i08"
-	"i08_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i09 and subject has i09_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i09"
-	"i09_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i10 and subject has i10_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i10"
-	"i10_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i11 and subject has i11_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i11"
-	"i11_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i12 and subject has i12_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i12"
-	"i12_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i13 and subject has i13_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i13"
-	"i13_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i14 and subject has i14_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i14"
-	"i14_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i16 and subject has i16_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i16"
-	"i16_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i18 and subject has i18_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i18"
-	"i18_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i20 and subject has i20_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i20"
-	"i20_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i21 and subject has i21_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i21"
-	"i21_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i23 and subject has mx_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i23"
-	"mx_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
-
-# Allow if on session on i24 and subject has mx_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "i24"
-	"mx_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
+# Allow if subject has super_admin permission
+access_session(subject, proposal_number, visit_number) if admin.is_admin(subject)
 
-# Allow if on session on k11 and subject has i11_admin permission
+# Allow if subject is admin for beamline containing session
 access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "k11"
-	"k11_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
+	admin.is_beamline_admin(subject, beamline(proposal_number, visit_number))
 }
 
-# Allow if on session on p45 and subject has p45_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "p45"
-	"p45_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
+# Allow if subject on proposal which contains session
+access_session(subject, proposal_number, visit_number) if proposal.on_proposal(subject, proposal_number)
 
-# Allow if on session on p99 and subject has p99_admin permission
-access_session(subject, proposal_number, visit_number) if {
-	beamline(proposal_number, visit_number) == "p99"
-	"p99_admin" in data.diamond.data.subjects[subject].permissions # regal ignore:external-reference
-}
+# Allow if subject directly on session
+access_session(subject, proposal_number, visit_number) if on_session(subject, proposal_number, visit_number)

policy/diamond/policy/session/session_test.rego

@@ -43,6 +43,7 @@ diamond_data := {
 		"2": 12,
 	}}},
 	"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12]}},
+	"admin": {"b07_admin": ["b07"]},
 }
 
 test_session_member_allowed if {
@@ -64,3 +65,7 @@ test_super_admin_allowed if {
 test_non_member_denied if {
 	not session.access_session("oscar", 1, 1) with data.diamond.data as diamond_data
 }
+
+test_admin_not_on_session if {
+	not session.on_session("carol", 1, 1) with data.diamond.data as diamond_data
+}