feat(chart): update default policies (#36)

Signed-off-by: Sebastian Becker <[email protected]>
carbynestack · Dec 17, 2024 · b71fae2 · b71fae2
1 parent 4f0f334
commit b71fae2
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 8 deletions.
diff --git a/NOTICE.md b/NOTICE.md
@@ -11,5 +11,7 @@ file in the Carbyne Stack
 
 ### Robert Bosch GmbH
 
+- Becker Sebastian
+  [[email protected]](mailto:[email protected])
 - Trieflinger Sven
   [[email protected]](mailto:[email protected])
diff --git a/charts/thymus/templates/access-control/default-policies.yaml b/charts/thymus/templates/access-control/default-policies.yaml
@@ -6,26 +6,85 @@
 #
 
 # Default OPA policies
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: default-policies
   labels:
     opa.stackable.tech/bundle: "true"
 data:
-  donor-read.rego: |
-    package play
+  defaults.rego: |
+    package carbynestack.def
+
+    import rego.v1
+
+    default read := false
+    default delete := false
+    default tag.read := false
+    default tag.create := false
+    default tag.update := false
+    default tag.delete := false
+    default use := false
+    default execute := false
+  owner-access.rego: |
+    package carbynestack.def
 
     import rego.v1
 
-    tags contains tag if {
-      tag := {"key": "derived-from", "value": input.inputs[_].owner}
+    is_owner if {
+      some i
+      input.tags[i].key == "owner"
+      input.tags[i].value == input.subject
     }
 
-    default read := false
+    read if is_owner
+    delete if is_owner
+    tag.read if is_owner
+    tag.create if is_owner
+    tag.update if is_owner
+    tag.delete if is_owner
+  donor-read.rego: |
+    package carbynestack.def
+
+    import rego.v1
 
-    read if {
+    tags := [
+      {
+        "key": "derived-from",
+        "value": concat(", ", {x |
+          some i
+          x := input.inputs[i].owner
+        })
+      }, {
+        "key": "owner",
+        "value": input.executor
+      }
+    ]
+
+    provided_input if {
       some i
-      tags[i].key == "derived-from"
-      tags[i].value == input.subject
+      input.tags[i].key == "derived-from"
+      contributor := split(input.tags[i].value, ",")
+      trim(contributor[_], " ") == input.subject
     }
+
+    read if provided_input
+    tag.read if provided_input
+  ephemeral-use.rego: |
+    package carbynestack.def
+
+    import rego.v1
+
+    use if {
+        some i
+        input.tags[i].key == "authorizedPrograms"
+        programIds := split(input.tags[i].value, ",")
+        programIds[_] == input.subject
+    }
+  ephemeral-execute.rego: |
+    package carbynestack.def
+
+    import rego.v1
+
+    execute if input.playerCount >= 2