Diffstat (limited to 'test/policies')
-rw-r--r--test/policies/abac/policy.rego20
-rw-r--r--test/policies/access_method/policy.rego (renamed from test/policies/example/policy.rego)2
-rw-r--r--test/policies/account/policy.rego17
-rw-r--r--test/policies/action/policy.rego21
-rw-r--r--test/policies/blacklist/policy.rego18
-rw-r--r--test/policies/cell/consistency/policy.rego17
-rw-r--r--test/policies/cell/consistency/topology/policy.rego6
-rw-r--r--test/policies/data/abac/data.json94
-rw-r--r--test/policies/data/account/data.json16
-rw-r--r--test/policies/data/action/data.json43
-rw-r--r--test/policies/data/organization/data.json32
-rw-r--r--test/policies/data/role/data.json63
-rw-r--r--test/policies/docs/policy.rego22
-rw-r--r--test/policies/monitor/policy.rego39
-rw-r--r--test/policies/organization/policy.rego38
-rw-r--r--test/policies/vehicle/policy.rego23
-rw-r--r--test/policies/zone/policy.rego23
17 files changed, 81 insertions, 413 deletions
diff --git a/test/policies/abac/policy.rego b/test/policies/abac/policy.rego
deleted file mode 100644
index 9dc6ea9..0000000
--- a/test/policies/abac/policy.rego
+++ /dev/null
@@ -1,20 +0,0 @@
-package abac
-
-import rego.v1
-
-default allow := false
-
-allow if {
- viewable_sensor_data
- action_is_read
-}
-
-action_is_read if "read" in input.actions
-
-viewable_sensor_data contains view_data if {
- some sensor_data in data.abac.sensor_data
- sensor_data.timestamp >= input.time_period.from
- sensor_data.timestamp < input.time_period.to
-
- view_data := {datatype: sensor_data[datatype] | datatype in input.datatypes}
-}
diff --git a/test/policies/example/policy.rego b/test/policies/access_method/policy.rego
index cc19285..618aacc 100644
--- a/test/policies/example/policy.rego
+++ b/test/policies/access_method/policy.rego
@@ -1,4 +1,4 @@
-package example
+package access_method
import rego.v1
diff --git a/test/policies/account/policy.rego b/test/policies/account/policy.rego
deleted file mode 100644
index f99e8eb..0000000
--- a/test/policies/account/policy.rego
+++ /dev/null
@@ -1,17 +0,0 @@
-package account
-
-import rego.v1
-
-default allow := false
-
-allow if {
- creditor_is_valid
- debtor_is_valid
- period_is_valid
- amount_is_valid
-}
-creditor_is_valid if data.account.account_attributes[input.creditor_account].owner == input.creditor
-debtor_is_valid if data.account.account_attributes[input.debtor_account].owner == input.debtor
-
-period_is_valid if input.period <= 30
-amount_is_valid if data.account.account_attributes[input.debtor_account].amount >= input.amount
diff --git a/test/policies/action/policy.rego b/test/policies/action/policy.rego
deleted file mode 100644
index 300fe50..0000000
--- a/test/policies/action/policy.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package action
-
-import rego.v1
-
-# By default, deny requests.
-default allow := false
-
-
-# Allow the action if admin role is granted permission to perform the action.
-allow if {
- some i
- data.action.user_roles[input.user][i] == role
- some j
- data.action.role_permissions[role].actions[j] == input.action
- some k
- data.action.role_permissions[role].resources[k] == input.type
-}
-# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
-# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
-
-
diff --git a/test/policies/blacklist/policy.rego b/test/policies/blacklist/policy.rego
new file mode 100644
index 0000000..b285593
--- /dev/null
+++ b/test/policies/blacklist/policy.rego
@@ -0,0 +1,18 @@
+package blacklist
+import future.keywords.in
+import rego.v1
+
+# Define a rule to check if the operation should be allowed
+module_allow[module] := false if {
+ some module in input.vfmodule
+ not validate(module)
+}
+
+module_allow[module] := true if{
+ some module in input.vfmodule
+ validate(module)
+}
+
+validate(module) if {
+ module in data.node.blacklist.blacklist
+}
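Review bot: `module_allow[module] := true` is produced when `validate(module)` holds, and `validate` holds when the module is in `data.node.blacklist.blacklist`, so a blacklisted module maps to `true` under a rule name that reads as permission. If `true` is meant to signal "blocked", the rule should be renamed or carry a comment such as `# true = module is on the blacklist`; if it is meant to signal "permitted", the two rule bodies are swapped. When the blacklist data is not loaded, `validate` is undefined and every module maps to `false`, so a caller cannot tell "not listed" from "list missing". Separately, `import future.keywords.in` is redundant next to `import rego.v1`, and OPA may reject the combination; dropping the first import is enough.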
diff --git a/test/policies/cell/consistency/policy.rego b/test/policies/cell/consistency/policy.rego
new file mode 100644
index 0000000..6137df7
--- /dev/null
+++ b/test/policies/cell/consistency/policy.rego
@@ -0,0 +1,17 @@
+package cell.consistency
+import rego.v1
+default allow = false
+# Rule to check cell consistency
+check_cell_consistency if {
+ input.cell != data.node.cell.consistency.allowedCellId
+}
+# Rule to allow if PCI is within range 1-3000
+allow_if_pci_in_range if {
+ input.PCI >= data.node.cellconsistency.minPCI
+ input.PCI <= data.node.cellconsistency.maxPCI
+}
+# Main rule to determine the final decision
+allow if{
+ check_cell_consistency
+ allow_if_pci_in_range
+}
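Review bot: `allow` depends on `check_cell_consistency`, which holds when `input.cell != data.node.cell.consistency.allowedCellId`, so a request is allowed only when its cell differs from the allowed cell id. If the intent is to accept the allowed cell, the comparison should be `input.cell == data.node.cell.consistency.allowedCellId`; otherwise the rule needs a comment explaining the polarity. The same `!=` rule is repeated in test/policies/cell/consistency/topology/policy.rego. The two helper rules also read different data paths, `data.node.cell.consistency` and `data.node.cellconsistency`; if one of them is a typo, that rule is always undefined and `allow` silently stays `false`. The bounds come from data rather than from this file, so the comment is better worded as `# Allow if PCI is within [minPCI, maxPCI] from data`.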
diff --git a/test/policies/cell/consistency/topology/policy.rego b/test/policies/cell/consistency/topology/policy.rego
new file mode 100644
index 0000000..dccfac6
--- /dev/null
+++ b/test/policies/cell/consistency/topology/policy.rego
@@ -0,0 +1,6 @@
+package cell.consistency.topology
+import rego.v1
+# Rule to check cell consistency
+check_cell_consistency if {
+ input.cell != data.node.cell.consistency.allowedCellId
+}
diff --git a/test/policies/data/abac/data.json b/test/policies/data/abac/data.json
deleted file mode 100644
index 77b5668..0000000
--- a/test/policies/data/abac/data.json
+++ /dev/null
@@ -1,94 +0,0 @@
-{
- "sensor_data": [
- {
- "id": "0001",
- "location": "Sri Lanka",
- "temperature": "28 C",
- "precipitation": "1000 mm",
- "windspeed": "5.5 m/s",
- "humidity": "40%",
- "particle_density": "1.3 g/l",
- "timestamp": "2024-02-26"
- },
- {
- "id": "0002",
- "location": "Colombo",
- "temperature": "30 C",
- "precipitation": "1200 mm",
- "windspeed": "6.0 m/s",
- "humidity": "45%",
- "particle_density": "1.5 g/l",
- "timestamp": "2024-02-26"
- },
- {
- "id": "0003",
- "location": "Kandy",
- "temperature": "25 C",
- "precipitation": "800 mm",
- "windspeed": "4.5 m/s",
- "humidity": "60%",
- "particle_density": "1.1 g/l",
- "timestamp": "2024-02-26"
- },
- {
- "id": "0004",
- "location": "Galle",
- "temperature": "35 C",
- "precipitation": "500 mm",
- "windspeed": "7.2 m/s",
- "humidity": "30%",
- "particle_density": "1.8 g/l",
- "timestamp": "2024-02-27"
- },
- {
- "id": "0005",
- "location": "Jaffna",
- "temperature": "-5 C",
- "precipitation": "300 mm",
- "windspeed": "3.8 m/s",
- "humidity": "20%",
- "particle_density": "0.9 g/l",
- "timestamp": "2024-02-27"
- },
- {
- "id": "0006",
- "location": "Trincomalee",
- "temperature": "20 C",
- "precipitation": "1000 mm",
- "windspeed": "5.0 m/s",
- "humidity": "55%",
- "particle_density": "1.2 g/l",
- "timestamp": "2024-02-28"
- },
- {
- "id": "0007",
- "location": "Nuwara Eliya",
- "temperature": "25 C",
- "precipitation": "600 mm",
- "windspeed": "4.0 m/s",
- "humidity": "50%",
- "particle_density": "1.3 g/l",
- "timestamp": "2024-02-28"
- },
- {
- "id": "0008",
- "location": "Anuradhapura",
- "temperature": "28 C",
- "precipitation": "700 mm",
- "windspeed": "5.8 m/s",
- "humidity": "40%",
- "particle_density": "1.4 g/l",
- "timestamp": "2024-02-29"
- },
- {
- "id": "0009",
- "location": "Matara",
- "temperature": "32 C",
- "precipitation": "900 mm",
- "windspeed": "6.5 m/s",
- "humidity": "65%",
- "particle_density": "1.6 g/l",
- "timestamp": "2024-02-29"
- }
- ]
-}
diff --git a/test/policies/data/account/data.json b/test/policies/data/account/data.json
deleted file mode 100644
index df263d3..0000000
--- a/test/policies/data/account/data.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "account_attributes":{
- "11111":{
- "owner":"alice",
- "amount":10000
- },
- "22222":{
- "owner":"bob",
- "amount":10000
- },
- "33333":{
- "owner":"cam",
- "amount":10000
- }
- }
-}
diff --git a/test/policies/data/action/data.json b/test/policies/data/action/data.json
deleted file mode 100644
index 99145b7..0000000
--- a/test/policies/data/action/data.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "user_roles": {
- "alice": [
- "admin"
- ],
- "bob": [
- "editor"
- ],
- "charlie": [
- "viewer"
- ]
- },
- "role_permissions": {
- "admin": {
- "actions": [
- "read",
- "write",
- "delete"
- ],
- "resources": [
- "server",
- "database"
- ]
- },
- "editor": {
- "actions": [
- "read",
- "write"
- ],
- "resources": [
- "server"
- ]
- },
- "viewer": {
- "actions": [
- "read"
- ],
- "resources": [
- "server"
- ]
- }
- }
-}
diff --git a/test/policies/data/organization/data.json b/test/policies/data/organization/data.json
deleted file mode 100644
index 35fe4a1..0000000
--- a/test/policies/data/organization/data.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "acls": [
- {
- "user": "alice",
- "actions": [
- "edit",
- "read"
- ],
- "component": "component_A",
- "project": "project_A",
- "organization": "org_A"
- },
- {
- "user": "bob",
- "actions": ["read"],
- "organization": "org_A"
- },
- {
- "user": "bob",
- "action": ["edit"],
- "component": "component_A",
- "project": "project_B",
- "organization": "org_A"
- },
- {
- "user": "charlie",
- "action": ["read"],
- "project": "project_B",
- "organization": "org_A"
- }
- ]
-}
diff --git a/test/policies/data/role/data.json b/test/policies/data/role/data.json
deleted file mode 100644
index 88ac41b..0000000
--- a/test/policies/data/role/data.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "user_roles": {
- "alice": [
- "admin"
- ],
- "bob": [
- "employee",
- "billing"
- ],
- "eve": [
- "customer"
- ]
- },
- "role_grants": {
- "customer": [
- {
- "action": "read",
- "type": "dog"
- },
- {
- "action": "read",
- "type": "cat"
- },
- {
- "action": "adopt",
- "type": "dog"
- },
- {
- "action": "adopt",
- "type": "cat"
- }
- ],
- "employee": [
- {
- "action": "read",
- "type": "dog"
- },
- {
- "action": "read",
- "type": "cat"
- },
- {
- "action": "update",
- "type": "dog"
- },
- {
- "action": "update",
- "type": "cat"
- }
- ],
- "billing": [
- {
- "action": "read",
- "type": "finance"
- },
- {
- "action": "update",
- "type": "finance"
- }
- ]
- }
-}
-
diff --git a/test/policies/docs/policy.rego b/test/policies/docs/policy.rego
deleted file mode 100644
index 90ce883..0000000
--- a/test/policies/docs/policy.rego
+++ /dev/null
@@ -1,22 +0,0 @@
-package docs
-
-import rego.v1
-
-default allow := false
-
-allow if {
- has_access_to_file
- action_is_read_or_write
-}
-
-action_is_read_or_write if {
- input.action in ["read", "write"]
-}
-
-has_access_to_file contains file_info if {
- some file in data.docs.files
- file.file_id == input.file_id
- file.access_level == input.access_level
- file_info := {attr: file[attr] | attr in input.attributes}
-}
-
diff --git a/test/policies/monitor/policy.rego b/test/policies/monitor/policy.rego
new file mode 100644
index 0000000..b3d9aaa
--- /dev/null
+++ b/test/policies/monitor/policy.rego
@@ -0,0 +1,39 @@
+package monitor
+
+# Policy allows if a matching threshold is met
+result contains output if {
+ input.domain = data.node.monitor.domain
+ some events in data.node.monitor.metricsPerEventName
+ events.eventName == input.eventName
+ events.controlLoopSchemaType == input.controlLoopSchemaType
+ events.policyScope == input.policyScope
+ events.policyName == input.policyName
+ events.policyVersion == input.policyVersion
+ some value in events.thresholds
+ input.controlname == value.closedLoopControlName
+ input.version == value.version
+ input.thresholdValue == value.thresholdValue
+ output := {
+ "severity" : "MAJOR",
+ "closedLoopEventStatus" : "ABATED"
+ }
+}
+
+# Policy allows if a matching threshold is met
+result contains output if {
+ input.domain = data.node.monitor.domain
+ some events in data.node.monitor.metricsPerEventName
+ events.eventName == input.eventName
+ events.controlLoopSchemaType == input.controlLoopSchemaType
+ events.policyScope == input.policyScope
+ events.policyName == input.policyName
+ events.policyVersion == input.policyVersion
+ some value in events.thresholds
+ input.controlname == value.closedLoopControlName
+ input.version == value.version
+ input.thresholdValue > value.thresholdValue
+ output := {
+ "severity" : "CRITICAL",
+ "closedLoopEventStatus" : "ONSET"
+ }
+}
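Review bot: `import rego.v1` is missing here although both rules use `contains`, `if` and `some ... in`, and the other policies added in this commit import it; OPA releases before 1.0 need the import for these keywords, so add `import rego.v1` after the package line. The comparison `input.thresholdValue > value.thresholdValue` has no type guard, and Rego orders values of different types instead of leaving the comparison undefined, so a string-typed input would compare greater than any numeric threshold and produce CRITICAL/ONSET. Adding `is_number(input.thresholdValue)` to both rule bodies closes that. The second rule's comment is a copy of the first and should say that it fires when the threshold is exceeded, and `input.domain = data.node.monitor.domain` reads more clearly with `==`.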
diff --git a/test/policies/organization/policy.rego b/test/policies/organization/policy.rego
deleted file mode 100644
index 31e7fb6..0000000
--- a/test/policies/organization/policy.rego
+++ /dev/null
@@ -1,38 +0,0 @@
-package organization
-
-import rego.v1
-
-default allow := false
-
-# organization level access
-allow if {
- some acl in data.organization.acls
- acl.user == input.user
- acl.organization == input.organization
- acl.project == input.project
- acl.component == input.component
-
- some action in acl.actions
- action == input.action
-}
-
-# project level access
-allow if {
- some acl in data.organization.acls
- acl.user == input.user
- acl.organization == input.organization
- acl.project == input.project
-
- some action in acl.actions
- action == input.action
-}
-
-# component level access
-allow if {
- some acl in data.organization.acls
- acl.user == input.user
- acl.organization == input.organization
-
- some action in acl.actions
- action == input.action
-}
diff --git a/test/policies/vehicle/policy.rego b/test/policies/vehicle/policy.rego
deleted file mode 100644
index 592afee..0000000
--- a/test/policies/vehicle/policy.rego
+++ /dev/null
@@ -1,23 +0,0 @@
-package vehicle
-
-import rego.v1
-
-default allow := false
-
-allow if {
- user_has_vehicle_access
- action_is_granted
-}
-
-action_is_granted if {
- "use" in input.actions
-}
-
-user_has_vehicle_access contains vehicle_data if {
- some vehicle in data.vehicle.vehicles
- vehicle.vehicle_id == input.vehicle_id
- vehicle.owner == input.user
- vehicle_data := {info: vehicle[info] | info in input.attributes}
-}
-
-
diff --git a/test/policies/zone/policy.rego b/test/policies/zone/policy.rego
deleted file mode 100644
index 75357a6..0000000
--- a/test/policies/zone/policy.rego
+++ /dev/null
@@ -1,23 +0,0 @@
-package zone
-
-import rego.v1
-
-default allow := false
-
-allow if {
- has_zone_access
- action_is_log_view
-}
-
-action_is_log_view if {
- "view" in input.actions
-}
-
-has_zone_access contains access_data if {
- some zone_data in data.zone.zone.zone_access_logs
- zone_data.timestamp >= input.time_period.from
- zone_data.timestamp < input.time_period.to
- zone_data.zone_id == input.zone_id
- access_data := {datatype: zone_data[datatype] | datatype in input.datatypes}
-}
-