package envoy.authz
import input.attributes.request.http as http_request
# permissions maps an action name to the HTTP method / resource pair that
# action_allowed compares against the incoming request. "object" is matched
# against the first path segment of the request (see action_allowed).
permissions := {
    "people.delete": {"method": "DELETE", "object": "people"},
    "people.get": {"method": "GET", "object": "people"},
    "people.post": {"method": "POST", "object": "people"}
}
# role_permissions lists, per value of the JWT "role" claim, the entries of
# permissions that role may exercise. A role that is absent from this object
# has no permissions at all, because action_allowed indexes it directly and
# is undefined for unknown keys.
role_permissions := {
    "admin": [
        permissions["people.get"],
        permissions["people.post"],
        permissions["people.delete"]
    ],
    "guest": [permissions["people.get"]]
}
# allow is the decision Envoy's ext_authz filter reads. It is false unless
# every condition below holds. When any referenced rule is undefined (for
# example the Authorization header is missing, so token is undefined) the
# rule body does not evaluate and the default of false is returned.
default allow = false

allow = true {
    is_token_valid
    not deny_same_first_name
    action_allowed
}
# is_token_valid holds when the JWT signature verified (token.valid) and the
# current time lies inside [nbf, exp). Both claims are read unconditionally,
# so a token that omits either "nbf" or "exp" makes this rule undefined and
# is therefore rejected. Times are compared in seconds, which is what the
# RFC 7519 NumericDate claims carry.
is_token_valid {
    token.valid
    now_seconds := time.now_ns() / 1000000000
    token.payload.nbf <= now_seconds
    token.payload.exp > now_seconds
}
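# action_allowed holds when the caller's role grants the request's HTTP
# method on the resource named by the first path segment ("/people/42"
# yields "people"). The local is named `granted` rather than `permissions`
# as before, because the latter shadowed the package-level permissions
# object and made the body read as if it consulted that object directly.
# NOTE(review): http_request.path is used as-is; if Envoy supplies it with a
# query string attached the segment will not match — confirm against the
# deployment.
action_allowed {
    segments := split(http_request.path, "/")
    granted := role_permissions[token.payload.role]
    granted[_] == {"method": http_request.method, "object": segments[1]}
}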
# deny_same_first_name holds when the lower-cased "firstname" field of the
# parsed request body equals the base64url-decoded "sub" claim of the token.
# The decoded subject is compared as-is (it is not lower-cased), so the
# comparison is only case-insensitive on the request-body side.
deny_same_first_name {
    decoded_sub := base64url.decode(token.payload.sub)
    decoded_sub == lower(input.parsed_body.firstname)
}
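# token decodes and verifies the JWT carried in the Authorization header.
# "valid" is the verification result of io.jwt.decode_verify and "payload"
# is the claims object. The rule is undefined (so allow falls back to its
# default) when the header is missing, does not have exactly two
# space-separated parts, or the scheme is not Bearer; the scheme check is
# new — previously any scheme in front of the token was accepted.
# SECURITY: the HMAC key is a hard-coded literal inside the policy file and
# is therefore visible to anyone who can read the bundle; it should be
# supplied through data or the environment instead of being committed here.
token := {"valid": valid, "payload": payload} {
    [scheme, encoded] := split(http_request.headers.authorization, " ")
    # RFC 6750 treats the scheme name as case-insensitive.
    lower(scheme) == "bearer"
    [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"})
}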