aboutsummaryrefslogtreecommitdiffstats
path: root/compose/config/opa-pdp/policies
diff options
context:
space:
mode:
Diffstat (limited to 'compose/config/opa-pdp/policies')
-rw-r--r--compose/config/opa-pdp/policies/abac/policy.rego20
-rw-r--r--compose/config/opa-pdp/policies/account/policy.rego17
-rw-r--r--compose/config/opa-pdp/policies/action/policy.rego21
-rw-r--r--compose/config/opa-pdp/policies/data/abac/data.json94
-rw-r--r--compose/config/opa-pdp/policies/data/account/data.json16
-rw-r--r--compose/config/opa-pdp/policies/data/action/data.json43
-rw-r--r--compose/config/opa-pdp/policies/data/organization/data.json32
-rw-r--r--compose/config/opa-pdp/policies/data/role/data.json63
-rw-r--r--compose/config/opa-pdp/policies/example/policy.rego13
-rw-r--r--compose/config/opa-pdp/policies/organization/policy.rego38
-rw-r--r--compose/config/opa-pdp/policies/role/policy.rego53
11 files changed, 410 insertions, 0 deletions
diff --git a/compose/config/opa-pdp/policies/abac/policy.rego b/compose/config/opa-pdp/policies/abac/policy.rego
new file mode 100644
index 00000000..9dc6ea9b
--- /dev/null
+++ b/compose/config/opa-pdp/policies/abac/policy.rego
@@ -0,0 +1,20 @@
+package abac
+
+import rego.v1
+
+default allow := false
+
+allow if {
+ viewable_sensor_data
+ action_is_read
+}
+
+action_is_read if "read" in input.actions
+
+viewable_sensor_data contains view_data if {
+ some sensor_data in data.abac.sensor_data
+ sensor_data.timestamp >= input.time_period.from
+ sensor_data.timestamp < input.time_period.to
+
+ view_data := {datatype: sensor_data[datatype] | datatype in input.datatypes}
+}
diff --git a/compose/config/opa-pdp/policies/account/policy.rego b/compose/config/opa-pdp/policies/account/policy.rego
new file mode 100644
index 00000000..f99e8eb0
--- /dev/null
+++ b/compose/config/opa-pdp/policies/account/policy.rego
@@ -0,0 +1,17 @@
+package account
+
+import rego.v1
+
+default allow := false
+
+allow if {
+ creditor_is_valid
+ debtor_is_valid
+ period_is_valid
+ amount_is_valid
+}
+creditor_is_valid if data.account.account_attributes[input.creditor_account].owner == input.creditor
+debtor_is_valid if data.account.account_attributes[input.debtor_account].owner == input.debtor
+
+period_is_valid if input.period <= 30
+amount_is_valid if data.account.account_attributes[input.debtor_account].amount >= input.amount
diff --git a/compose/config/opa-pdp/policies/action/policy.rego b/compose/config/opa-pdp/policies/action/policy.rego
new file mode 100644
index 00000000..300fe501
--- /dev/null
+++ b/compose/config/opa-pdp/policies/action/policy.rego
@@ -0,0 +1,21 @@
+package action
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+
+# Allow the action if admin role is granted permission to perform the action.
+allow if {
+ some i
+ data.action.user_roles[input.user][i] == role
+ some j
+ data.action.role_permissions[role].actions[j] == input.action
+ some k
+ data.action.role_permissions[role].resources[k] == input.type
+}
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+
diff --git a/compose/config/opa-pdp/policies/data/abac/data.json b/compose/config/opa-pdp/policies/data/abac/data.json
new file mode 100644
index 00000000..77b5668e
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/abac/data.json
@@ -0,0 +1,94 @@
+{
+ "sensor_data": [
+ {
+ "id": "0001",
+ "location": "Sri Lanka",
+ "temperature": "28 C",
+ "precipitation": "1000 mm",
+ "windspeed": "5.5 m/s",
+ "humidity": "40%",
+ "particle_density": "1.3 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0002",
+ "location": "Colombo",
+ "temperature": "30 C",
+ "precipitation": "1200 mm",
+ "windspeed": "6.0 m/s",
+ "humidity": "45%",
+ "particle_density": "1.5 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0003",
+ "location": "Kandy",
+ "temperature": "25 C",
+ "precipitation": "800 mm",
+ "windspeed": "4.5 m/s",
+ "humidity": "60%",
+ "particle_density": "1.1 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0004",
+ "location": "Galle",
+ "temperature": "35 C",
+ "precipitation": "500 mm",
+ "windspeed": "7.2 m/s",
+ "humidity": "30%",
+ "particle_density": "1.8 g/l",
+ "timestamp": "2024-02-27"
+ },
+ {
+ "id": "0005",
+ "location": "Jaffna",
+ "temperature": "-5 C",
+ "precipitation": "300 mm",
+ "windspeed": "3.8 m/s",
+ "humidity": "20%",
+ "particle_density": "0.9 g/l",
+ "timestamp": "2024-02-27"
+ },
+ {
+ "id": "0006",
+ "location": "Trincomalee",
+ "temperature": "20 C",
+ "precipitation": "1000 mm",
+ "windspeed": "5.0 m/s",
+ "humidity": "55%",
+ "particle_density": "1.2 g/l",
+ "timestamp": "2024-02-28"
+ },
+ {
+ "id": "0007",
+ "location": "Nuwara Eliya",
+ "temperature": "25 C",
+ "precipitation": "600 mm",
+ "windspeed": "4.0 m/s",
+ "humidity": "50%",
+ "particle_density": "1.3 g/l",
+ "timestamp": "2024-02-28"
+ },
+ {
+ "id": "0008",
+ "location": "Anuradhapura",
+ "temperature": "28 C",
+ "precipitation": "700 mm",
+ "windspeed": "5.8 m/s",
+ "humidity": "40%",
+ "particle_density": "1.4 g/l",
+ "timestamp": "2024-02-29"
+ },
+ {
+ "id": "0009",
+ "location": "Matara",
+ "temperature": "32 C",
+ "precipitation": "900 mm",
+ "windspeed": "6.5 m/s",
+ "humidity": "65%",
+ "particle_density": "1.6 g/l",
+ "timestamp": "2024-02-29"
+ }
+ ]
+}
diff --git a/compose/config/opa-pdp/policies/data/account/data.json b/compose/config/opa-pdp/policies/data/account/data.json
new file mode 100644
index 00000000..df263d36
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/account/data.json
@@ -0,0 +1,16 @@
+{
+ "account_attributes":{
+ "11111":{
+ "owner":"alice",
+ "amount":10000
+ },
+ "22222":{
+ "owner":"bob",
+ "amount":10000
+ },
+ "33333":{
+ "owner":"cam",
+ "amount":10000
+ }
+ }
+}
diff --git a/compose/config/opa-pdp/policies/data/action/data.json b/compose/config/opa-pdp/policies/data/action/data.json
new file mode 100644
index 00000000..99145b74
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/action/data.json
@@ -0,0 +1,43 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "editor"
+ ],
+ "charlie": [
+ "viewer"
+ ]
+ },
+ "role_permissions": {
+ "admin": {
+ "actions": [
+ "read",
+ "write",
+ "delete"
+ ],
+ "resources": [
+ "server",
+ "database"
+ ]
+ },
+ "editor": {
+ "actions": [
+ "read",
+ "write"
+ ],
+ "resources": [
+ "server"
+ ]
+ },
+ "viewer": {
+ "actions": [
+ "read"
+ ],
+ "resources": [
+ "server"
+ ]
+ }
+ }
+}
diff --git a/compose/config/opa-pdp/policies/data/organization/data.json b/compose/config/opa-pdp/policies/data/organization/data.json
new file mode 100644
index 00000000..35fe4a14
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/organization/data.json
@@ -0,0 +1,32 @@
+{
+ "acls": [
+ {
+ "user": "alice",
+ "actions": [
+ "edit",
+ "read"
+ ],
+ "component": "component_A",
+ "project": "project_A",
+ "organization": "org_A"
+ },
+ {
+ "user": "bob",
+ "actions": ["read"],
+ "organization": "org_A"
+ },
+ {
+ "user": "bob",
+ "action": ["edit"],
+ "component": "component_A",
+ "project": "project_B",
+ "organization": "org_A"
+ },
+ {
+ "user": "charlie",
+ "action": ["read"],
+ "project": "project_B",
+ "organization": "org_A"
+ }
+ ]
+}
diff --git a/compose/config/opa-pdp/policies/data/role/data.json b/compose/config/opa-pdp/policies/data/role/data.json
new file mode 100644
index 00000000..88ac41b8
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/role/data.json
@@ -0,0 +1,63 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "employee",
+ "billing"
+ ],
+ "eve": [
+ "customer"
+ ]
+ },
+ "role_grants": {
+ "customer": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "adopt",
+ "type": "dog"
+ },
+ {
+ "action": "adopt",
+ "type": "cat"
+ }
+ ],
+ "employee": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "update",
+ "type": "dog"
+ },
+ {
+ "action": "update",
+ "type": "cat"
+ }
+ ],
+ "billing": [
+ {
+ "action": "read",
+ "type": "finance"
+ },
+ {
+ "action": "update",
+ "type": "finance"
+ }
+ ]
+ }
+}
+
diff --git a/compose/config/opa-pdp/policies/example/policy.rego b/compose/config/opa-pdp/policies/example/policy.rego
new file mode 100644
index 00000000..cc192851
--- /dev/null
+++ b/compose/config/opa-pdp/policies/example/policy.rego
@@ -0,0 +1,13 @@
+package example
+
+import rego.v1
+
+allow if {
+ input.path == ["users"]
+ input.method == "POST"
+}
+
+allow if {
+ input.path == ["users", input.user_id]
+ input.method == "GET"
+}
diff --git a/compose/config/opa-pdp/policies/organization/policy.rego b/compose/config/opa-pdp/policies/organization/policy.rego
new file mode 100644
index 00000000..31e7fb66
--- /dev/null
+++ b/compose/config/opa-pdp/policies/organization/policy.rego
@@ -0,0 +1,38 @@
+package organization
+
+import rego.v1
+
+default allow := false
+
+# organization level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+ acl.project == input.project
+ acl.component == input.component
+
+ some action in acl.actions
+ action == input.action
+}
+
+# project level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+ acl.project == input.project
+
+ some action in acl.actions
+ action == input.action
+}
+
+# component level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+
+ some action in acl.actions
+ action == input.action
+}
diff --git a/compose/config/opa-pdp/policies/role/policy.rego b/compose/config/opa-pdp/policies/role/policy.rego
new file mode 100644
index 00000000..54bdecf9
--- /dev/null
+++ b/compose/config/opa-pdp/policies/role/policy.rego
@@ -0,0 +1,53 @@
+# Role-based Access Control (RBAC)
+# --------------------------------
+#
+# This example defines an RBAC model for a Pet Store API. The Pet Store API allows
+# users to look at pets, adopt them, update their stats, and so on. The policy
+# controls which users can perform actions on which resources. The policy implements
+# a classic Role-based Access Control model where users are assigned to roles and
+# roles are granted the ability to perform some action(s) on some type of resource.
+#
+# This example shows how to:
+#
+# * Define an RBAC model in Rego that interprets role mappings represented in JSON.
+# * Iterate/search across JSON data structures (e.g., role mappings)
+#
+# For more information see:
+#package app.rbac
+package role
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+# Allow admins to do anything.
+allow if user_is_admin
+
+# Allow the action if the user is granted permission to perform the action.
+allow if {
+ # Find grants for the user.
+ some grant in user_is_granted
+
+ # Check if the grant permits the action.
+ input.action == grant.action
+ input.type == grant.type
+}
+
+# user_is_admin is true if "admin" is among the user's roles as per data.user_roles
+user_is_admin if "admin" in data.role.user_roles[input.user]
+
+# user_is_granted is a set of grants for the user identified in the request.
+# The `grant` will be contained if the set `user_is_granted` for every...
+user_is_granted contains grant if {
+ # `role` assigned an element of the user_roles for this user...
+ some role in data.role.user_roles[input.user]
+
+ # `grant` assigned a single grant from the grants list for 'role'...
+ some grant in data.role.role_grants[role]
+}
+
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+