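# RBAC authorization policy: a request is allowed when at least one entry
# in input.policies matches the request path (regular expression), one of
# the caller's roles, and the HTTP method.
#
# Input document shape, inferred from the fields read below — confirm
# against the caller:
#   roles    - list of role names held by the caller
#   path     - request path
#   method   - request HTTP method
#   policies - list of {name, role, path, methods} objects
package rbac

import rego.v1

# Normalised view of the request fields this package reads.
request = {
	"roles": input.roles,
	"path": input.path,
	"method": input.method,
	"policies": input.policies,
}

# Deny by default: allow is only true when a policy entry below matches.
default allow = false

# The policy path is a regular expression tested against the request path.
# regex.match is unanchored, so a bare pattern such as "/admin" would also
# match "/public/admin" or "/admin/extra" as a substring; the pattern is
# therefore anchored at both ends. Patterns that already carry ^ and $
# keep working (stacked anchors are zero-width).
key_match(request_path, policy_path) if {
	regex.match(concat("", ["^", policy_path, "$"]), request_path)
}

# A policy matches the request method when that method appears in the
# policy's method list.
method_match(request_method, policy_methods) if {
	policy_methods[_] == request_method
}

# A policy applies to the caller when the policy's role is one of the
# caller's roles. This is a plain membership test; no role inheritance is
# implemented here (the original comment mentioned "match or inherit").
valid_role(user_role, policy_role) if {
	user_role[_] == policy_role
}

# Grant access when any single policy entry satisfies all three checks.
allow if {
	policy := input.policies[_]
	key_match(input.path, policy.path)
	valid_role(input.roles, policy.role)
	method_match(input.method, policy.methods)
}

# Name of the policy that matched the current request.
# NOTE(review): this is an object comprehension keyed by the constant
# "name"; if two matching policies carry different names, evaluation ends
# in an object-key conflict error instead of a result. If consumers can
# accept a set, `{policy.name | ...}` avoids that — confirm with callers.
policy_name := {"name": policy.name |
	policy := input.policies[_]
	key_match(input.path, policy.path)
	valid_role(input.roles, policy.role)
	method_match(input.method, policy.methods)
}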