From b71fae252ec77e6c4ad7ea916d6064f236efd211 Mon Sep 17 00:00:00 2001
From: Sebastian Becker
Date: Tue, 17 Dec 2024 15:54:49 +0100
Subject: [PATCH] feat(chart): update default policies (#36)
Signed-off-by: Sebastian Becker
---
 NOTICE.md | 2 +
 .../access-control/default-policies.yaml | 75 +++++++++++++++++--
 2 files changed, 69 insertions(+), 8 deletions(-)
diff --git a/NOTICE.md b/NOTICE.md
index bb39d81..96ee6bc 100644
--- a/NOTICE.md
+++ b/NOTICE.md
@@ -11,5 +11,7 @@ file in the Carbyne Stack
 ### Robert Bosch GmbH
+- Becker Sebastian
+ [sebastian.becker@de.bosch.com](mailto:sebastian.becker@de.bosch.com)
 - Trieflinger Sven
 [sven.trieflinger@de.bosch.com](mailto:sven.trieflinger@de.bosch.com)
diff --git a/charts/thymus/templates/access-control/default-policies.yaml b/charts/thymus/templates/access-control/default-policies.yaml
index fbbfdfa..95ba803 100644
--- a/charts/thymus/templates/access-control/default-policies.yaml
+++ b/charts/thymus/templates/access-control/default-policies.yaml
@@ -6,6 +6,7 @@
 #
 # Default OPA policies
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -13,19 +14,77 @@ metadata:
 labels:
 opa.stackable.tech/bundle: "true"
 data:
- donor-read.rego: |
- package play
+ defaults.rego: |
+ package carbynestack.def
+
+ import rego.v1
+
+ default read := false
+ default delete := false
+ default tag.read := false
+ default tag.create := false
+ default tag.update := false
+ default tag.delete := false
+ default use := false
+ default execute := false
+ owner-access.rego: |
+ package carbynestack.def
 import rego.v1
- tags contains tag if {
- tag := {"key": "derived-from", "value": input.inputs[_].owner}
+ is_owner if {
+ some i
+ input.tags[i].key == "owner"
+ input.tags[i].value == input.subject
 }
- default read := false
+ read if is_owner
+ delete if is_owner
+ tag.read if is_owner
+ tag.create if is_owner
+ tag.update if is_owner
+ tag.delete if is_owner
+ donor-read.rego: |
+ package carbynestack.def
+
+ import rego.v1
- read if {
+ tags := [
+ {
+ "key": "derived-from",
+ "value": concat(", ", {x |
+ some i
+ x := input.inputs[i].owner
+ })
+ }, {
+ "key": "owner",
+ "value": input.executor
+ }
+ ]
+
+ provided_input if {
 some i
- tags[i].key == "derived-from"
- tags[i].value == input.subject
+ input.tags[i].key == "derived-from"
+ contributor := split(input.tags[i].value, ",")
+ trim(contributor[_], " ") == input.subject
 }
+
+ read if provided_input
+ tag.read if provided_input
+ ephemeral-use.rego: |
+ package carbynestack.def
+
+ import rego.v1
+
+ use if {
+ some i
+ input.tags[i].key == "authorizedPrograms"
+ programIds := split(input.tags[i].value, ",")
+ programIds[_] == input.subject
+ }
+ ephemeral-execute.rego: |
+ package carbynestack.def
+
+ import rego.v1
+
+ execute if input.playerCount >= 2
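Review bot: `ephemeral-use.rego` splits the `authorizedPrograms` tag on `,` and compares the raw pieces, while `provided_input` in `donor-read.rego` trims spaces from each `derived-from` entry, so a value written as `a, b` never matches subject `b` here; either trim consistently, `trim(programIds[_], " ") == input.subject`, or document that the tag must be written without spaces. `provided_input` also relies on owner identifiers never containing a comma, since `tags` joins them with `concat(", ", …)` and the reader splits on `,`; a one-line comment above `tags` stating that invariant would help whoever changes the identifier format. `execute if input.playerCount >= 2` grants execute to every subject once enough players are present and never consults `input.subject`; if that is the intended default, a comment in `ephemeral-execute.rego` saying so would make the scope clear to reviewers of the chart. Since `owner-access.rego` grants `tag.update` and `tag.delete` to the owner, the owner can rewrite the `owner` and `derived-from` tags that every other rule in this package keys on, which looks intended but is worth stating in a comment next to `is_owner`.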