diff --git a/policies/catalog.rego b/policies/catalog.rego
index 65aa2af..52c2524 100644
--- a/policies/catalog.rego
+++ b/policies/catalog.rego
@@ -2,7 +2,10 @@ package catalog_rules
 
 import rego.v1
 
+default decision := {"result": "DENY"}
+
 claims := input.identity.claims
+permission := input.permission.name
 
 # Shared helper functions
 conditional(plugin_id, resource_type, conditions) := {
@@ -12,14 +15,18 @@ conditional(plugin_id, resource_type, conditions) := {
 "conditions": conditions,
 }
 
-catalog_entity_delete_rule := conditional("catalog", "catalog-entity", {"anyOf": [{
- "resourceType": "catalog-entity",
- "rule": "IS_ENTITY_OWNER",
- "params": {"claims": claims},
- }]})
+decision := conditional("catalog", "catalog-entity", {"anyOf": [{
+ "resourceType": "catalog-entity",
+ "rule": "IS_ENTITY_OWNER",
+ "params": {"claims": claims},
+}]}) if {
+ permission == "catalog.entity.delete"
+}
 
-catalog_entity_read_rules := conditional("catalog", "catalog-entity", {"anyOf": [{
+decision := conditional("catalog", "catalog-entity", {"anyOf": [{
 "resourceType": "catalog-entity",
 "rule": "IS_ENTITY_KIND",
 "params": {"kinds": ["Component"]},
- }]})
+ }]}) if {
+ permission == "catalog.entity.read"
+}
diff --git a/policies/rbac_policy.rego b/policies/rbac_policy.rego
index 0ca57ba..e35d354 100644
--- a/policies/rbac_policy.rego
+++ b/policies/rbac_policy.rego
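Review bot: `default decision := {"result": "DENY"}` makes catalog_rules fail closed, and since rbac_policy now forwards every permission with the `catalog.` prefix to this module, any catalog permission that has no matching rule in this file resolves to DENY instead of whatever rbac_policy would otherwise have decided for it. That is the right direction for an authorization policy, but it is a silent behaviour change for every catalog permission other than the two handled below, so it deserves a comment next to the default: `# Fail closed: rbac_policy forwards all catalog.* permissions here, and any one without an explicit rule below is denied`. `permission := input.permission.name` appears to duplicate the binding rbac_policy already relies on; if both modules must agree on the input path, a comment pointing at the other definition would keep them from drifting apart.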
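Review bot: The two `decision` definitions are complete rules over one name, so they coexist only because their guards `permission == "catalog.entity.delete"` and `permission == "catalog.entity.read"` are mutually exclusive; a later rule whose guard overlaps one of them would make evaluation fail with a conflicting-output error rather than select either value, which is worth recording above the first rule: `# Complete rules: every guard must match a distinct permission, or OPA reports conflicting outputs instead of a decision`. The closing `}]}) if {` of the delete rule appears to sit at column 0 while the read rule's stays indented like the body it closes; one layout should be used for both, and the unindented form is what `opa fmt` produces. Note also that when `input.identity.claims` is absent, `claims` is undefined, the delete rule's head is undefined, and the request falls through to the default DENY, which is the safe outcome and could be stated in a short comment on the `"params": {"claims": claims}` line.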
@@ -16,28 +16,23 @@ decision := {"result": "ALLOW"} if {
 is_admin
 }
 
-# Non-admins can only read components
+# Offload all catalog permissions to the catalog_rules
+# This is a good example of how you might offload all decisions of a certain plugin, e.g. "plugin_name."
 # Does not apply to admins
-decision := catalog_rules.catalog_entity_read_rule if {
- permission == "catalog.entity.read"
- not is_admin
-}
-
-# Only owners of the entity can delete it
-# Does not apply to admins
-decision := catalog_rules.catalog_entity_delete_rule if {
- permission == "catalog.entity.delete"
+decision := catalog_rules.decision if {
+ startswith(permission, "catalog.")
 not is_admin
 }
 
+# Here we don't offload all decisions to the scaffolder_rules, we pick and choose depending.
 # Only admins can read templates with the admin tag
-decision := scaffolder_rules.scaffolder_entity_read_rule if {
+decision := scaffolder_rules.scaffolder_entity_read_admin_tag if {
 permission == "scaffolder.template.parameter.read"
 not is_admin
 }
 
 # Only admins can execute the debug action
-decision := scaffolder_rules.scaffolder_entity_action_rule if {
+decision := scaffolder_rules.scaffolder_entity_action_debug_log if {
 permission == "scaffolder.action.execute"
 not is_admin
 }
diff --git a/policies/scaffolder.rego b/policies/scaffolder.rego
index 6764048..b7de687 100644
--- a/policies/scaffolder.rego
+++ b/policies/scaffolder.rego
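Review bot: `decision := catalog_rules.decision if { startswith(permission, "catalog.") ... }` now depends on catalog_rules always yielding a value, which it does only because of the `default decision` DENY added in that module; if that default were ever removed, a catalog permission with no matching rule there would leave this head undefined and the outcome would fall to whatever rbac_policy's own fallthrough is, which is outside this hunk (as are the definitions of `permission` and `is_admin`). That contract should be stated in the comment block, e.g. `# catalog_rules falls back to DENY, so every catalog.* permission for non-admins is fully decided there`. The new comment line ending in `e.g. "plugin_name."` reads as if the quoted string were the example prefix; `e.g. startswith(permission, "plugin_name.")` says what is meant.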
@@ -12,13 +12,13 @@ conditional(plugin_id, resource_type, conditions) := {
 
 claims := input.identity.claims
 
-scaffolder_entity__read_rules := conditional("scaffolder", "scaffolder-template", {"not": {"anyOf": [{
+scaffolder_entity_read_admin_tag := conditional("scaffolder", "scaffolder-template", {"not": {"anyOf": [{
 "resourceType": "scaffolder-template",
 "rule": "HAS_TAG",
 "params": {"tag": "admin"},
 }]}})
 
-scaffolder_entity_action_rules := conditional("scaffolder", "scaffolder-action", {"not": {"anyOf": [{
+scaffolder_entity_action_debug_log := conditional("scaffolder", "scaffolder-action", {"not": {"anyOf": [{
 "resourceType": "scaffolder-action",
 "rule": "HAS_ACTION_ID",
 "params": {"actionId": "debug:log"},