guard/internal/usecase/rule.rego


package rbac
import rego.v1
# request gathers the four input fields that the rules in this package
# evaluate into a single object. Every field is required: by Rego's object
# semantics, if any of the referenced input fields is undefined the whole
# object is undefined.
# NOTE(review): no rule in this file references request; the rules below read
# input.* directly. Note also that the policy set arrives via input rather than
# data, so whoever builds input is trusted to supply the policies that are
# enforced.
request = {
	"method": input.method,
	"path": input.path,
	"policies": input.policies,
	"roles": input.roles,
}
# allow is false unless an allow rule in this package derives true, so a
# missing, malformed or unmatched request fails closed.
default allow := false
# key_match holds when the request path is matched by the policy path, which
# is interpreted as a regular expression (policy_path is the pattern,
# request_path is the string tested against it).
# NOTE(review): regex.match is not anchored, so a pattern written as a plain
# prefix such as "/admin" also matches a longer path that merely contains it,
# unless the policy author anchors the pattern (^...$). Confirm that the policy
# source anchors its patterns, or anchor them here. An invalid pattern does not
# count as a match (it is undefined or an evaluation error, depending on OPA's
# builtin-error mode).
key_match(request_path, policy_path) if {
	regex.match(policy_path, request_path)
}
# method_match holds when request_method is one of policy_methods.
# The comparison is exact and case-sensitive: "get" does not match "GET".
method_match(request_method, policy_methods) if {
	request_method in policy_methods
}
# valid_role holds when policy_role is one of the roles carried by the caller
# (user_role is a collection of role names, despite its singular name).
# Only exact membership is checked; no role inheritance is resolved in this
# file.
valid_role(user_role, policy_role) if {
	policy_role in user_role
}
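# policy_matches holds when a single policy entry applies to the current
# request: its path pattern matches input.path, one of the caller's roles is
# the policy's role, and the request method is listed by the policy.
# allow and policy_name both go through this one predicate so that the access
# decision and the reported policy cannot drift apart when the matching rules
# are changed.
policy_matches(policy) if {
	key_match(input.path, policy.path)
	valid_role(input.roles, policy.role)
	method_match(input.method, policy.methods)
}

# allow is true when at least one entry of input.policies matches the request.
allow if {
	some policy in input.policies
	policy_matches(policy)
}

# policy_name reports the matched policy as {"name": <policy.name>}. When no
# policy matches, the comprehension yields the empty object {} rather than
# being undefined.
# NOTE(review): the comprehension builds an object with a single key, so if two
# matching policies carry different names evaluation fails with an object-key
# conflict instead of picking one. Confirm that the caller guarantees at most
# one matching policy per request, or switch this to a set of names.
policy_name := {"name": policy.name |
	some policy in input.policies
	policy_matches(policy)
}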