package rbac
import rego.v1
# request collects the fields of the incoming authorisation query into a
# single object: the caller's roles, the requested path and HTTP method, and
# the policy set to evaluate against. Note that allow below does not use this
# object; it reads input directly. request is presumably kept for external
# queries (e.g. data.rbac.request) — confirm with the callers before removing.
request := {
	"method": input.method,
	"path": input.path,
	"policies": input.policies,
	"roles": input.roles,
}
# Fail closed: a request is denied unless one of the allow rules below
# proves it should be granted.
default allow := false
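# key_match holds when request_path is covered by policy_path.
#
# policy_path is interpreted as a regular expression, not a literal path, so
# policy authors write patterns such as "/api/v1/users/[0-9]+".
#
# The pattern is anchored at both ends before matching. OPA's regex.match
# succeeds on any substring match, so an unanchored policy path such as
# "/admin" would also cover "/x/admin" and "/admin-tools"; anchoring makes a
# policy grant exactly the paths its author wrote. Patterns that already
# carry "^" and "$" keep working, since repeated zero-width anchors are
# harmless.
#
# If policy_path is not a valid regular expression, regex.match does not
# succeed (evaluation errors or is undefined), so this rule never proves
# allow and the default of false stands.
key_match(request_path, policy_path) if {
	anchored := concat("", ["^", policy_path, "$"])
	regex.match(anchored, request_path)
}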
# Verify the HTTP method.
#
# method_match holds when request_method is one of the methods the policy
# grants (e.g. "GET", "POST"). The comparison is exact and case-sensitive,
# as HTTP method names are, so "get" does not match "GET".
method_match(request_method, policy_methods) if {
	request_method in policy_methods
}
# Check whether the role matches.
#
# valid_role holds when policy_role is among the roles the caller presents.
# NOTE(review): the original comment also mentioned inheritance, but only
# direct membership is checked here; no role hierarchy is consulted.
valid_role(user_role, policy_role) if {
	policy_role in user_role
}
# Define the grant rule.
#
# allow is true when at least one policy in input.policies grants the
# request: its path pattern covers input.path, its role is one the caller
# holds, and its method list contains input.method.
#
# The policy set is read from input, i.e. it is supplied by the service
# issuing the query rather than loaded from data. The caller is therefore
# responsible for sourcing input.policies from trusted configuration and
# never from the end user's request.
allow if {
	some policy in input.policies
	key_match(input.path, policy.path)
	valid_role(input.roles, policy.role)
	method_match(input.method, policy.methods)
}