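"""Minimal end-to-end example of an authorization check.

Walks through the five steps the reference workflow expects: declare the
identity types a caller may present, declare the resource types and the
actions on them, write grants (the access rules), build a request, and
evaluate it with ``authorize_workflow``.
"""
import json

import jmespath

from src.reference import authorize_workflow

# 1. Define the identities the calling entity has
identity_definitions = [
    {
        "identity_type": "User",  # unique identity type
        "schema": {  # JSON Schema describing one instance of this identity
            "type": "object",
            "properties": {
                "id": {
                    "type": "string"
                },
                "role": {
                    "type": "string"
                },
                "department": {
                    "type": "string"
                },
                "email": {
                    "type": "string",
                    # The dot in the domain is escaped so only "myorg.org"
                    # matches; an unescaped "." would also accept any
                    # single character there (e.g. "myorgXorg").
                    "pattern": r"^.+@myorg\.org$"
                }
            },
            "required": [
                "id",
                "role",
                "department",
                "email"
            ]
        }
    }
]

# 2. Define resources that can be accessed
resource_definitions = [
    {
        "resource_type": "Balloon",  # Resource types must be unique
        "actions": [
            "Balloon:Read",  # Action names may be prefixed with a namespace - preferred so they are not shared across resources
            "inflate",  # or just plain
            "deflate",
            "pop",
            "tie"
        ],
        "schema": {  # JSON Schema describing one instance of this resource
            "type": "object",
            "properties": {
                "id": {
                    "type": "string"
                },
                "color": {
                    "type": "string"
                },
                "size": {
                    "type": "string",
                    "enum": [
                        "small",
                        "medium",
                        "large"
                    ]
                }
            },
            "required": [
                "id",
                "color",
                "size"
            ]
        },
        "parent_types": [],  # parent resource types, if any
        "child_types": []  # child resource types, if any
    }
]

# 3. Define Grants - access rules
grants = [
    {
        "effect": "allow",  # allow or deny
        "actions": [  # any actions from your resources, or empty to match all actions
            "Balloon:Read",
            "pop"
        ],
        # JMESPath query. Runs on {"request": <request obj>, "grant": <current grant>}
        # and returns `true` if any of the caller's User-type identities has the admin role.
        "query": "contains(request.identities.User[*].role, 'admin')",
        "query_validation": "validate",
        # If the request action is in the grant's actions and the query result
        # equals this value, the grant is "applicable".
        "equality": True,
        "data": {},
        "context_schema": {
            "type": "object"
        },
        "context_validation": "none"
    }
]

# 4. Create an authorization request
request = {
    "identities": {  # create zero or more instances of any identity
        "User": [
            {
                "id": "balloon_luvr",
                "role": "admin",
                "department": "eng",
                "email": "ldfkjdf@myorg.org"
            }
        ]
    },
    "resource_type": "Balloon",  # Request access to a specific resource type
    "action": "pop",  # to perform a specific action,
    "resource": {  # on a specific resource.
        "id": "b123",
        "color": "green",
        "size": "medium"
    },
    "parents": {},
    "children": {},
    "query_validation": "grant",  # optionally override grant-level query validation
    "context": {
        "TEAM": "ABC"  # free-form data
    },
    "context_validation": "grant"  # optionally override grant-level context validation
}

# 5. Check authorization
# The query engine is injected: jmespath.search is called by the workflow to
# evaluate each grant's "query" against the request/grant document.
result = authorize_workflow(
    identity_definitions,
    resource_definitions,
    grants,
    request,
    jmespath.search
)

print(json.dumps(result, indent=4))

if result["authorized"]:
    print("✅ Access granted!")
else:
    print("❌ Access denied!")

# OUTPUT:
# {
#     "authorized": true,
#     "completed": true,
#     "grant": {
#         "effect": "allow",
#         "actions": [
#             "Balloon:Read",
#             "pop"
#         ],
#         "query": "contains(request.identities.User[*].role, 'admin')",
#         "query_validation": "validate",
#         "equality": true,
#         "data": {},
#         "context_schema": {
#             "type": "object"
#         },
#         "context_validation": "none"
#     },
#     "message": "An allow grant is applicable to the request, and there are no deny grants that are applicable to the request. Therefore, the request is authorized.",
#     "errors": {
#         "context": [],
#         "definition": [],
#         "grant": [],
#         "jmespath": [],
#         "request": []
#     }
# }
# ✅ Access granted!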