Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adjust Examples #253

Merged
merged 1 commit into from
Dec 1, 2024
Merged

Adjust Examples #253

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 14 additions & 7 deletions policies/catalog.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,10 @@ package catalog_rules

import rego.v1

default decision := {"result": "DENY"}

claims := input.identity.claims
permission := input.permission.name

# Shared helper functions
conditional(plugin_id, resource_type, conditions) := {
Expand All @@ -12,14 +15,18 @@ conditional(plugin_id, resource_type, conditions) := {
"conditions": conditions,
}

catalog_entity_delete_rule := conditional("catalog", "catalog-entity", {"anyOf": [{
"resourceType": "catalog-entity",
"rule": "IS_ENTITY_OWNER",
"params": {"claims": claims},
}]})
decision := conditional("catalog", "catalog-entity", {"anyOf": [{
"resourceType": "catalog-entity",
"rule": "IS_ENTITY_OWNER",
"params": {"claims": claims},
}]}) if {
permission == "catalog.entity.delete"
}

catalog_entity_read_rules := conditional("catalog", "catalog-entity", {"anyOf": [{
decision := conditional("catalog", "catalog-entity", {"anyOf": [{
"resourceType": "catalog-entity",
"rule": "IS_ENTITY_KIND",
"params": {"kinds": ["Component"]},
}]})
}]}) if {
permission == "catalog.entity.read"
}
19 changes: 7 additions & 12 deletions policies/rbac_policy.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,28 +16,23 @@ decision := {"result": "ALLOW"} if {
is_admin
}

# Non-admins can only read components
# Offload all catalog permissions to the catalog_rules
# This is a good example of how you might offload all decisions of a certain plugin, e.g. "plugin_name."
# Does not apply to admins
decision := catalog_rules.catalog_entity_read_rule if {
permission == "catalog.entity.read"
not is_admin
}

# Only owners of the entity can delete it
# Does not apply to admins
decision := catalog_rules.catalog_entity_delete_rule if {
permission == "catalog.entity.delete"
decision := catalog_rules.decision if {
startswith(permission, "catalog.")
not is_admin
}

# Here we don't offload all decisions to the scaffolder_rules, we pick and choose depending.
# Only admins can read templates with the admin tag
decision := scaffolder_rules.scaffolder_entity_read_rule if {
decision := scaffolder_rules.scaffolder_entity_read_admin_tag if {
permission == "scaffolder.template.parameter.read"
not is_admin
}

# Only admins can execute the debug action
decision := scaffolder_rules.scaffolder_entity_action_rule if {
decision := scaffolder_rules.scaffolder_entity_action_debug_log if {
permission == "scaffolder.action.execute"
not is_admin
}
4 changes: 2 additions & 2 deletions policies/scaffolder.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,13 @@ conditional(plugin_id, resource_type, conditions) := {

claims := input.identity.claims

scaffolder_entity__read_rules := conditional("scaffolder", "scaffolder-template", {"not": {"anyOf": [{
scaffolder_entity_read_admin_tag := conditional("scaffolder", "scaffolder-template", {"not": {"anyOf": [{
"resourceType": "scaffolder-template",
"rule": "HAS_TAG",
"params": {"tag": "admin"},
}]}})

scaffolder_entity_action_rules := conditional("scaffolder", "scaffolder-action", {"not": {"anyOf": [{
scaffolder_entity_action_debug_log := conditional("scaffolder", "scaffolder-action", {"not": {"anyOf": [{
"resourceType": "scaffolder-action",
"rule": "HAS_ACTION_ID",
"params": {"actionId": "debug:log"},
Expand Down
Loading