

Allow ixx_admin to view session on ixx in OPA policy
garryod committed Mar 28, 2024
1 parent 19531e7 commit f73c0b6
Showing 1 changed file with 149 additions and 11 deletions.
160 changes: 149 additions & 11 deletions policy/system.rego
Expand Up @@ -10,22 +10,160 @@ main := {"allow": allow}

default allow := false

# Allow if the SKIP_AUTHORIZATION environment variable is set and a preset token is supplied
allow if {
opa.runtime().env.SKIP_AUTHORIZATION
input.token == "ValidToken"
}

# Allow if on proposal which contains session
# Allow if subject on proposal which contains session
allow if {
some proposal_number in data.diamond.data.subjects[token.claims.fedid].proposals
proposal_number == input.parameters.proposal
}

# Allow if directly on session
# Allow if subject directly on session
allow if {
some session_id in data.diamond.data.subjects[token.claims.fedid].sessions
session := data.diamond.data.sessions[session_id]
session.proposal_number == input.parameters.proposal
session.visit_number == input.parameters.visit
subject_session := data.diamond.data.sessions[session_id]
subject_session.proposal_number == input.parameters.proposal
subject_session.visit_number == input.parameters.visit
}

proposal := data.diamond.data.proposals[input.parameters.proposal]

session_id := proposal.sessions[format_int(input.parameters.visit, 10)]

session := data.diamond.data.sessions[session_id]

# Allow if on session on b07 and subject has b07_admin permission
allow if {
session.beamline == "b07"
"b07_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on b16 and subject has b16_admin permission
allow if {
session.beamline == "b16"
"b16_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on b18 and subject has b18_admin permission
allow if {
session.beamline == "b18"
"b18_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on b22 and subject has b22_admin permission
allow if {
session.beamline == "b22"
"b22_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on b23 and subject has b23_admin permission
allow if {
session.beamline == "b23"
"b23_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on b24 and subject has b24_admin permission
allow if {
session.beamline == "b24"
"b24_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i05 and subject has i05_admin permission
allow if {
session.beamline == "i05"
"i05_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i06 and subject has i06_admin permission
allow if {
session.beamline == "i06"
"i06_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i07 and subject has i07_admin permission
allow if {
session.beamline == "i07"
"i07_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i08 and subject has i08_admin permission
allow if {
session.beamline == "i08"
"i08_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i09 and subject has i09_admin permission
allow if {
session.beamline == "i09"
"i09_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i10 and subject has i10_admin permission
allow if {
session.beamline == "i10"
"i10_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i11 and subject has i11_admin permission
allow if {
session.beamline == "i11"
"i11_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i12 and subject has i12_admin permission
allow if {
session.beamline == "i12"
"i12_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i13 and subject has i13_admin permission
allow if {
session.beamline == "i13"
"i13_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i14 and subject has i14_admin permission
allow if {
session.beamline == "i14"
"i14_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i16 and subject has i16_admin permission
allow if {
session.beamline == "i16"
"i16_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i18 and subject has i18_admin permission
allow if {
session.beamline == "i18"
"i18_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i20 and subject has i20_admin permission
allow if {
session.beamline == "i20"
"i20_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on i21 and subject has i21_admin permission
allow if {
session.beamline == "i21"
"i21_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on k11 and subject has i11_admin permission
allow if {
session.beamline == "k11"
"k11_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on p45 and subject has p45_admin permission
allow if {
session.beamline == "p45"
"p45_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}

# Allow if on session on p99 and subject has p99_admin permission
allow if {
session.beamline == "p99"
"p99_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
}
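Review bot: The per-beamline `allow` rules from the b07 rule through the p99 rule are copy-paste variants that differ only in the beamline string, and the copy has already drifted: the comment on the k11 rule reads `# Allow if on session on k11 and subject has i11_admin permission` while the body checks `"k11_admin"`. Deriving the permission name from `session.beamline` and checking it against an explicit set of beamlines keeps the allowlist readable in one place, grants exactly the permissions the current rules grant, and removes the risk that a future beamline is added with a mismatched string; a comment on that set should state that it is the authoritative list of beamlines whose admins may view any session there. Because `session` is only defined when `proposal` and the visit key resolve, the combined rule still appears to fail closed for unknown sessions, as the individual rules do, though that rests on `data.diamond.data` having the shape the new helpers assume. The `token` rule referenced via `token.claims.fedid` is defined outside this hunk.
```rego
# Beamlines whose "<beamline>_admin" permission grants access to any session on that beamline
admin_beamlines := {"b07", "b16", "b18", "b22", "b23", "b24", "i05", "i06", "i07", "i08", "i09", "i10", "i11", "i12", "i13", "i14", "i16", "i18", "i20", "i21", "k11", "p45", "p99"}

# Allow if on session on a listed beamline and subject has the matching <beamline>_admin permission
allow if {
    session.beamline in admin_beamlines
    sprintf("%s_admin", [session.beamline]) in data.diamond.data.subjects[token.claims.fedid].permissions
}
```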
