package rbac

import rego.v1

request = {
	"roles": input.roles,
	"path": input.path,
	"method": input.method,
    "policies": input.policies,
}

default allow = false

key_match(request_path, policy_path) if {
	regex.match(policy_path, request_path)
}

# 方法函數的驗證
method_match(request_method, policy_methods) if {
	policy_methods[_] == request_method
}

# 檢驗是不是匹配或繼承
valid_role(user_role, policy_role) if {
	user_role[_] == policy_role
}

# 定義一個策略
allow if {
	policy := input.policies[_]
	key_match(input.path, policy.path)
	valid_role(input.roles, policy.role)
	method_match(input.method, policy.methods)
}

# 返回當前符合的策略名稱
policy_name := {
    "name": policy.name|
    policy := input.policies[_]
    key_match(input.path, policy.path);
    valid_role(input.roles, policy.role);
    method_match(input.method, policy.methods)
}