package rbac
import rego.v1
# request gathers the four fields this policy reads from the input document
# into a single object. Nothing else in the visible file refers to it; the
# rules below read `input` directly.
# The rule is undefined when any of the four input fields is missing.
# NOTE(review): `policies` arrives in the same input document as the request
# itself. Confirm that the component building `input` is trusted to supply the
# policy list, and that a caller cannot inject its own.
request := {
	"policies": input.policies,
	"method": input.method,
	"path": input.path,
	"roles": input.roles,
}
# Deny by default: `allow` is false unless an `allow` rule body succeeds.
default allow := false
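# key_match holds when request_path matches the regular expression policy_path
# in full.
#
# regex.match reports success when the pattern matches anywhere in the string,
# so an unanchored policy path such as "/api/users" would also authorise
# "/admin/api/users/x". The pattern is therefore wrapped in ^(?:...)$ so the
# whole request path has to match. The non-capturing group keeps alternations
# such as "a|b" anchored on both sides. Patterns that already carry their own
# ^ and $ keep working unchanged.
#
# policy_path is still interpreted as a regular expression, so metacharacters
# in it ("." for example) keep their regex meaning.
key_match(request_path, policy_path) if {
	anchored := concat("", ["^(?:", policy_path, ")$"])
	regex.match(anchored, request_path)
}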
# Method check: holds when request_method equals one of the entries in
# policy_methods.
# The comparison is exact, so "get" does not match "GET".
# NOTE(review): confirm that callers normalise the method's case before
# evaluation.
method_match(request_method, policy_methods) if {
	request_method in policy_methods
}
# Role check: holds when policy_role equals one of the entries in user_role
# (the collection of roles held by the caller).
# NOTE(review): the original comment describes this as "matches or inherits",
# but only direct equality is implemented here. No role hierarchy is resolved
# in this rule.
valid_role(user_role, policy_role) if {
	policy_role in user_role
}
# Authorisation decision: allow is true when at least one entry of
# input.policies matches the request on all three dimensions: path (regex via
# key_match), role (valid_role) and HTTP method (method_match).
# NOTE(review): the policy list is taken from `input`, the same document that
# carries the request. If the party assembling `input` is not fully trusted it
# could supply a permissive policy of its own. Confirm the policies are
# injected by the enforcement point, or load them from `data` instead.
allow if {
	some rule in input.policies
	method_match(input.method, rule.methods)
	valid_role(input.roles, rule.role)
	key_match(input.path, rule.path)
}
# Returns the name of the policy that currently matches the request, as the
# object {"name": <policy name>}. The three checks are the same ones `allow`
# uses. When no policy matches, the comprehension yields an empty object.
# NOTE(review): every match writes the same key "name". If two matching
# policies carry different names, the comprehension should raise an
# object-key conflict at evaluation time. Confirm that policy paths, roles
# and methods cannot overlap, or collect the names into a set instead.
policy_name := {"name": matched.name |
	some matched in input.policies
	key_match(input.path, matched.path)
	valid_role(input.roles, matched.role)
	method_match(input.method, matched.methods)
}