Add meta permissions (#111)

narval-xyz · Feb 14, 2024 · df31c46 · df31c46
1 parent 190872d
commit df31c46
Show file tree

Hide file tree

Showing 2 changed files with 112 additions and 0 deletions.
diff --git a/apps/authz/src/opa/rego/lib/policies/meta-permission.rego b/apps/authz/src/opa/rego/lib/policies/meta-permission.rego
@@ -0,0 +1,51 @@
+package main
+
+metaPermissions = {
+	"CREATE_ORGANIZATION",
+	"CREATE_USER",
+	"UPDATE_USER",
+	"CREATE_CREDENTIAL",
+	"ASSIGN_USER_GROUP",
+	"ASSIGN_WALLET_GROUP",
+	"ASSIGN_USER_WALLET",
+	"DELETE_USER",
+	"REGISTER_WALLET",
+	"CREATE_ADDRESS_BOOK_ACCOUNT",
+	"EDIT_WALLET",
+	"UNASSIGN_WALLET",
+	"REGISTER_TOKENS",
+	"EDIT_USER_GROUP",
+	"DELETE_USER_GROUP",
+	"CREATE_WALLET_GROUP",
+	"DELETE_WALLET_GROUP",
+}
+
+permit[{"policyId": "permit-meta-permissions", "policyName": "Permit admin user role for meta permissions"}] = reason {
+	checkAction(metaPermissions)
+	checkPrincipalRole({"admin"})
+	approvals = checkApprovals([{
+		"approvalCount": 2,
+		"countPrincipal": false,
+		"approvalEntityType": "Narval::UserRole",
+		"entityIds": ["root", "admin"],
+	}])
+	reason = {
+		"type": "permit",
+		"policyId": "permit-meta-permissions",
+		"policyName": "Permit admin user role for meta permissions",
+		"approvalsSatisfied": approvals.approvalsSatisfied,
+		"approvalsMissing": approvals.approvalsMissing,
+	}
+}
+
+forbid[{"policyId": "forbid-meta-permissions", "policyName": "Forbid member user role for meta permissions"}] = reason {
+	checkAction(metaPermissions)
+	checkPrincipalRole({"member"})
+	reason = {
+		"type": "forbid",
+		"policyId": "forbid-meta-permissions",
+		"policyName": "Forbid member user role for meta permissions",
+		"approvalsSatisfied": [],
+		"approvalsMissing": [],
+	}
+}
diff --git a/apps/authz/src/opa/template/mockData.ts b/apps/authz/src/opa/template/mockData.ts
@@ -110,3 +110,64 @@ export const exampleForbidPolicy: Policy = {
 export const policies = {
   policies: [examplePermitPolicy, exampleForbidPolicy]
 }
+
+const metaPermissions = [
+  Action.CREATE_ORGANIZATION,
+  Action.CREATE_USER,
+  Action.UPDATE_USER,
+  Action.CREATE_CREDENTIAL,
+  Action.ASSIGN_USER_GROUP,
+  Action.ASSIGN_WALLET_GROUP,
+  Action.ASSIGN_USER_WALLET,
+  Action.DELETE_USER,
+  Action.REGISTER_WALLET,
+  Action.CREATE_ADDRESS_BOOK_ACCOUNT,
+  Action.EDIT_WALLET,
+  Action.UNASSIGN_WALLET,
+  Action.REGISTER_TOKENS,
+  Action.EDIT_USER_GROUP,
+  Action.DELETE_USER_GROUP,
+  Action.CREATE_WALLET_GROUP,
+  Action.DELETE_WALLET_GROUP
+]
+
+export const permitMetaPermission: Policy = {
+  name: 'permitMetaPermission',
+  when: [
+    {
+      criterion: Criterion.CHECK_ACTION,
+      args: metaPermissions
+    },
+    {
+      criterion: Criterion.CHECK_PRINCIPAL_ROLE,
+      args: ['admin']
+    },
+    {
+      criterion: Criterion.CHECK_APPROVALS,
+      args: [
+        {
+          approvalCount: 2,
+          countPrincipal: false,
+          approvalEntityType: EntityType.UserRole,
+          entityIds: ['admin', 'root']
+        }
+      ]
+    }
+  ],
+  then: Then.PERMIT
+}
+
+export const forbidMetaPermission: Policy = {
+  name: 'forbidMetaPermission',
+  when: [
+    {
+      criterion: Criterion.CHECK_ACTION,
+      args: metaPermissions
+    },
+    {
+      criterion: Criterion.CHECK_PRINCIPAL_ROLE,
+      args: ['admin']
+    }
+  ],
+  then: Then.FORBID
+}