Diffstat (limited to 'compose/config/opa-pdp/policies')
11 files changed, 410 insertions, 0 deletions
diff --git a/compose/config/opa-pdp/policies/abac/policy.rego b/compose/config/opa-pdp/policies/abac/policy.rego
new file mode 100644
index 00000000..9dc6ea9b
--- /dev/null
+++ b/compose/config/opa-pdp/policies/abac/policy.rego
@@ -0,0 +1,20 @@
+package abac
+
+import rego.v1
+
+default allow := false
+
+allow if {
+ viewable_sensor_data
+ action_is_read
+}
+
+action_is_read if "read" in input.actions
+
+viewable_sensor_data contains view_data if {
+ some sensor_data in data.abac.sensor_data
+ sensor_data.timestamp >= input.time_period.from
+ sensor_data.timestamp < input.time_period.to
+
+ view_data := {datatype: sensor_data[datatype] | datatype in input.datatypes}
+}
diff --git a/compose/config/opa-pdp/policies/account/policy.rego b/compose/config/opa-pdp/policies/account/policy.rego
new file mode 100644
index 00000000..f99e8eb0
--- /dev/null
+++ b/compose/config/opa-pdp/policies/account/policy.rego
@@ -0,0 +1,17 @@
+package account
+
+import rego.v1
+
+default allow := false
+
+allow if {
+ creditor_is_valid
+ debtor_is_valid
+ period_is_valid
+ amount_is_valid
+}
+creditor_is_valid if data.account.account_attributes[input.creditor_account].owner == input.creditor
+debtor_is_valid if data.account.account_attributes[input.debtor_account].owner == input.debtor
+
+period_is_valid if input.period <= 30
+amount_is_valid if data.account.account_attributes[input.debtor_account].amount >= input.amount
diff --git a/compose/config/opa-pdp/policies/action/policy.rego b/compose/config/opa-pdp/policies/action/policy.rego
new file mode 100644
index 00000000..300fe501
--- /dev/null
+++ b/compose/config/opa-pdp/policies/action/policy.rego
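Review bot: The bare `viewable_sensor_data` line in the abac `allow` body does not check that any sensor record matched: `viewable_sensor_data` is a partial set, and an empty set is a defined, truthy value in Rego, so as far as I can tell any request carrying `"read"` in `input.actions` is allowed regardless of `input.time_period` (worth confirming against the OPA build the PDP ships, but it matches the language's truthiness rules). Replace that line with `count(viewable_sensor_data) > 0`. Separately, `sensor_data.timestamp >= input.time_period.from` compares strings lexicographically, which is only correct while both sides use the same zero-padded `YYYY-MM-DD` form as the fixture; a caller passing another format gets a silently wrong answer, so either document the required format in a comment on the rule or parse both sides with `time.parse_ns`.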
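Review bot: In the account policy, `amount_is_valid` has no lower bound, so a zero or negative `input.amount` always satisfies `amount >= input.amount` and the transfer is allowed; nothing prevents `input.debtor_account == input.creditor_account` either, and `period_is_valid` accepts any negative `input.period`. Tighten the two rules, e.g. `amount_is_valid if { input.amount > 0; data.account.account_attributes[input.debtor_account].amount >= input.amount }` and `period_is_valid if { input.period > 0; input.period <= 30 }`. The rules also deserve one-line comments stating what `creditor`/`debtor` ownership means here, since the input fields are otherwise undocumented.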
@@ -0,0 +1,21 @@
+package action
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+
+# Allow the action if admin role is granted permission to perform the action.
+allow if {
+ some i
+ data.action.user_roles[input.user][i] == role
+ some j
+ data.action.role_permissions[role].actions[j] == input.action
+ some k
+ data.action.role_permissions[role].resources[k] == input.type
+}
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+
diff --git a/compose/config/opa-pdp/policies/data/abac/data.json b/compose/config/opa-pdp/policies/data/abac/data.json
new file mode 100644
index 00000000..77b5668e
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/abac/data.json
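Review bot: `role` in the action `allow` body is never bound: it is not declared with `some`, and `==` compares rather than unifies, so as far as I can tell OPA rejects this module at compile time as an unsafe variable, which would keep the `action` package (and possibly the whole policy directory load) from coming up. Rewrite the body with membership so each variable is bound where it is introduced: `some role in data.action.user_roles[input.user]`, `input.action in data.action.role_permissions[role].actions`, `input.type in data.action.role_permissions[role].resources`. The comment above the rule also overstates the scope: it says "if admin role is granted", but the rule applies to whichever roles the user holds; `# Allow the action if any of the user's roles grants it on the requested resource type.` is accurate.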
@@ -0,0 +1,94 @@
+{
+ "sensor_data": [
+ {
+ "id": "0001",
+ "location": "Sri Lanka",
+ "temperature": "28 C",
+ "precipitation": "1000 mm",
+ "windspeed": "5.5 m/s",
+ "humidity": "40%",
+ "particle_density": "1.3 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0002",
+ "location": "Colombo",
+ "temperature": "30 C",
+ "precipitation": "1200 mm",
+ "windspeed": "6.0 m/s",
+ "humidity": "45%",
+ "particle_density": "1.5 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0003",
+ "location": "Kandy",
+ "temperature": "25 C",
+ "precipitation": "800 mm",
+ "windspeed": "4.5 m/s",
+ "humidity": "60%",
+ "particle_density": "1.1 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0004",
+ "location": "Galle",
+ "temperature": "35 C",
+ "precipitation": "500 mm",
+ "windspeed": "7.2 m/s",
+ "humidity": "30%",
+ "particle_density": "1.8 g/l",
+ "timestamp": "2024-02-27"
+ },
+ {
+ "id": "0005",
+ "location": "Jaffna",
+ "temperature": "-5 C",
+ "precipitation": "300 mm",
+ "windspeed": "3.8 m/s",
+ "humidity": "20%",
+ "particle_density": "0.9 g/l",
+ "timestamp": "2024-02-27"
+ },
+ {
+ "id": "0006",
+ "location": "Trincomalee",
+ "temperature": "20 C",
+ "precipitation": "1000 mm",
+ "windspeed": "5.0 m/s",
+ "humidity": "55%",
+ "particle_density": "1.2 g/l",
+ "timestamp": "2024-02-28"
+ },
+ {
+ "id": "0007",
+ "location": "Nuwara Eliya",
+ "temperature": "25 C",
+ "precipitation": "600 mm",
+ "windspeed": "4.0 m/s",
+ "humidity": "50%",
+ "particle_density": "1.3 g/l",
+ "timestamp": "2024-02-28"
+ },
+ {
+ "id": "0008",
+ "location": "Anuradhapura",
+ "temperature": "28 C",
+ "precipitation": "700 mm",
+ "windspeed": "5.8 m/s",
+ "humidity": "40%",
+ "particle_density": "1.4 g/l",
+ "timestamp": "2024-02-29"
+ },
+ {
+ "id": "0009",
+ "location": "Matara",
+ "temperature": "32 C",
+ "precipitation": "900 mm",
+ "windspeed": "6.5 m/s",
+ "humidity": "65%",
+ "particle_density": "1.6 g/l",
+ "timestamp": "2024-02-29"
+ }
+ ]
+}
diff --git a/compose/config/opa-pdp/policies/data/account/data.json b/compose/config/opa-pdp/policies/data/account/data.json
new file mode 100644
index 00000000..df263d36
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/account/data.json
@@ -0,0 +1,16 @@
+{
+ "account_attributes":{
+ "11111":{
+ "owner":"alice",
+ "amount":10000
+ },
+ "22222":{
+ "owner":"bob",
+ "amount":10000
+ },
+ "33333":{
+ "owner":"cam",
+ "amount":10000
+ }
+ }
+}
diff --git a/compose/config/opa-pdp/policies/data/action/data.json b/compose/config/opa-pdp/policies/data/action/data.json
new file mode 100644
index 00000000..99145b74
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/action/data.json
@@ -0,0 +1,43 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "editor"
+ ],
+ "charlie": [
+ "viewer"
+ ]
+ },
+ "role_permissions": {
+ "admin": {
+ "actions": [
+ "read",
+ "write",
+ "delete"
+ ],
+ "resources": [
+ "server",
+ "database"
+ ]
+ },
+ "editor": {
+ "actions": [
+ "read",
+ "write"
+ ],
+ "resources": [
+ "server"
+ ]
+ },
+ "viewer": {
+ "actions": [
+ "read"
+ ],
+ "resources": [
+ "server"
+ ]
+ }
+ }
+}
diff --git a/compose/config/opa-pdp/policies/data/organization/data.json b/compose/config/opa-pdp/policies/data/organization/data.json
new file mode 100644
index 00000000..35fe4a14
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/organization/data.json
@@ -0,0 +1,32 @@
+{
+ "acls": [
+ {
+ "user": "alice",
+ "actions": [
+ "edit",
+ "read"
+ ],
+ "component": "component_A",
+ "project": "project_A",
+ "organization": "org_A"
+ },
+ {
+ "user": "bob",
+ "actions": ["read"],
+ "organization": "org_A"
+ },
+ {
+ "user": "bob",
+ "action": ["edit"],
+ "component": "component_A",
+ "project": "project_B",
+ "organization": "org_A"
+ },
+ {
+ "user": "charlie",
+ "action": ["read"],
+ "project": "project_B",
+ "organization": "org_A"
+ }
+ ]
+}
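Review bot: The third and fourth entries of `acls` in the organization fixture use the key `action` while the first two use `actions`; the policy added later in this change (`organization/policy.rego`) iterates `some action in acl.actions`, so bob's `edit` on `project_B` and charlie's `read` on `project_B` can never match and are silently denied rather than failing loudly. Rename both to `"actions": ["edit"]` and `"actions": ["read"]`. Since a typo in fixture data here turns into an authorization outcome, a small policy test that asserts every ACL entry carries an `actions` array would catch the next one.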
diff --git a/compose/config/opa-pdp/policies/data/role/data.json b/compose/config/opa-pdp/policies/data/role/data.json
new file mode 100644
index 00000000..88ac41b8
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/role/data.json
@@ -0,0 +1,63 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "employee",
+ "billing"
+ ],
+ "eve": [
+ "customer"
+ ]
+ },
+ "role_grants": {
+ "customer": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "adopt",
+ "type": "dog"
+ },
+ {
+ "action": "adopt",
+ "type": "cat"
+ }
+ ],
+ "employee": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "update",
+ "type": "dog"
+ },
+ {
+ "action": "update",
+ "type": "cat"
+ }
+ ],
+ "billing": [
+ {
+ "action": "read",
+ "type": "finance"
+ },
+ {
+ "action": "update",
+ "type": "finance"
+ }
+ ]
+ }
+}
+
diff --git a/compose/config/opa-pdp/policies/example/policy.rego b/compose/config/opa-pdp/policies/example/policy.rego
new file mode 100644
index 00000000..cc192851
--- /dev/null
+++ b/compose/config/opa-pdp/policies/example/policy.rego
@@ -0,0 +1,13 @@
+package example
+
+import rego.v1
+
+allow if {
+ input.path == ["users"]
+ input.method == "POST"
+}
+
+allow if {
+ input.path == ["users", input.user_id]
+ input.method == "GET"
+}
diff --git a/compose/config/opa-pdp/policies/organization/policy.rego b/compose/config/opa-pdp/policies/organization/policy.rego
new file mode 100644
index 00000000..31e7fb66
--- /dev/null
+++ b/compose/config/opa-pdp/policies/organization/policy.rego
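Review bot: Unlike every other policy in this change, `example/policy.rego` declares no `default allow := false`, so a request matching neither rule leaves `allow` undefined rather than `false`; a PDP client that distinguishes "no result" from "denied" can misread that, and the inconsistency will surprise anyone copying this file as a template. Add `default allow := false` after `import rego.v1`. The GET rule also deserves a comment making its trust boundary explicit, since `input.user_id` comes from the request itself: `# Matches only that the path names the user id the caller supplied in input; who the caller is must be established by whatever builds input.`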
@@ -0,0 +1,38 @@
+package organization
+
+import rego.v1
+
+default allow := false
+
+# organization level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+ acl.project == input.project
+ acl.component == input.component
+
+ some action in acl.actions
+ action == input.action
+}
+
+# project level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+ acl.project == input.project
+
+ some action in acl.actions
+ action == input.action
+}
+
+# component level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+
+ some action in acl.actions
+ action == input.action
+}
diff --git a/compose/config/opa-pdp/policies/role/policy.rego b/compose/config/opa-pdp/policies/role/policy.rego
new file mode 100644
index 00000000..54bdecf9
--- /dev/null
+++ b/compose/config/opa-pdp/policies/role/policy.rego
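Review bot: The third `allow` rule matches on user, organization and action only, so every ACL entry — including one scoped to a single project and component, such as alice's `component_A`/`project_A` edit grant in the fixture — also grants that action on every project and component in the organization; the first two rules are strictly weaker than the third and never change the outcome, and the effective permission is always org-wide. If the intended semantics are "an ACL grants exactly the scope it names", the broader rules must exclude scoped entries: add `not acl.component` to the project-level rule, and `not acl.project` plus `not acl.component` to the organization-level rule. The three comments are also swapped relative to the bodies: the rule that requires a component match is labelled `# organization level access` and the one that checks only the organization is labelled `# component level access`, which will mislead the next reader even after the scoping is fixed.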
@@ -0,0 +1,53 @@
+# Role-based Access Control (RBAC)
+# --------------------------------
+#
+# This example defines an RBAC model for a Pet Store API. The Pet Store API allows
+# users to look at pets, adopt them, update their stats, and so on. The policy
+# controls which users can perform actions on which resources. The policy implements
+# a classic Role-based Access Control model where users are assigned to roles and
+# roles are granted the ability to perform some action(s) on some type of resource.
+#
+# This example shows how to:
+#
+# * Define an RBAC model in Rego that interprets role mappings represented in JSON.
+# * Iterate/search across JSON data structures (e.g., role mappings)
+#
+# For more information see:
+#package app.rbac
+package role
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+# Allow admins to do anything.
+allow if user_is_admin
+
+# Allow the action if the user is granted permission to perform the action.
+allow if {
+ # Find grants for the user.
+ some grant in user_is_granted
+
+ # Check if the grant permits the action.
+ input.action == grant.action
+ input.type == grant.type
+}
+
+# user_is_admin is true if "admin" is among the user's roles as per data.user_roles
+user_is_admin if "admin" in data.role.user_roles[input.user]
+
+# user_is_granted is a set of grants for the user identified in the request.
+# The `grant` will be contained if the set `user_is_granted` for every...
+user_is_granted contains grant if {
+ # `role` assigned an element of the user_roles for this user...
+ some role in data.role.user_roles[input.user]
+
+ # `grant` assigned a single grant from the grants list for 'role'...
+ some grant in data.role.role_grants[role]
+}
+
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+
|
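Review bot: The header comment of the role policy carries leftovers from the upstream example it was adapted from: `# For more information see:` points at nothing, `#package app.rbac` is a commented-out package line that should be deleted, and the comment on `user_is_granted` stops mid-sentence (`... for every...`). The `user_is_admin` comment also says `data.user_roles` while the rule reads `data.role.user_roles`. Suggest dropping the two stale lines, finishing the sentence as `# A grant is in user_is_granted if one of the user's roles lists it in role_grants.`, and correcting the path in the `user_is_admin` comment. The `allow if user_is_admin` bypass is fine as written, but a one-line note that admin skips the per-resource grant check would help whoever reads the decision logs.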