rewriting-user-teams.rego
package spacelift
import future.keywords.in
# This rule will copy each of the existing teams to the new modified list.
# Remove it if you want to start from scratch.
team[input.session.teams[_]]
# In addition to boolean rules regulating access to your Spacelift account, the login
# policy exposes the team rule, which allows one to dynamically rewrite the list of teams
# received from the identity provider. This operation allows one to define Spacelift roles
# independent of the identity provider. To illustrate this use case, let's imagine you want
# to define a Superwriter role for someone who:
# - is logging in from an office VPN;
# - is a member of the DevOps team, as defined by your IdP;
# - is not a member of the Contractors team, as defined by your IdP.
team["Superwriter"] {
office_vpn
devops
not contractor
}
contractor {
"Contractors" in input.session.teams
}
devops {
"DevOps" in input.session.teams
}
office_vpn {
net.cidr_contains("12.34.56.0/24", input.request.remote_ip)
}
# What's important here is that the team rule overwrites the original list of teams,
# meaning that if it evaluates to a non-empty collection, it will replace the original list
# of teams in the session. In the above example, if the copying rule at the top is removed,
# the Superwriter role will become the only team for the evaluated user session.
# Learn more about sampling policy evaluations here:
# https://docs.spacelift.io/concepts/policy#sampling-policy-inputs
sample := true
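An added test file (not part of the original repository) that exercises the policy above with `opa test`, placed in the same `spacelift` package; the sample sessions and the IP addresses 12.34.56.78 and 203.0.113.5 are constructed to fall inside and outside the 12.34.56.0/24 range used by `office_vpn`.

```rego
package spacelift

import future.keywords.in

# Constructed session: DevOps member, not a contractor, connecting from the office VPN range.
test_superwriter_granted_from_office_vpn {
    result := team with input as {
        "session": {"teams": ["DevOps", "Engineering"]},
        "request": {"remote_ip": "12.34.56.78"},
    }
    "Superwriter" in result
    # The copying rule at the top keeps the IdP-provided teams alongside the new role.
    "DevOps" in result
    "Engineering" in result
}

# Same user, but connecting from outside the office VPN: no Superwriter.
test_superwriter_denied_outside_vpn {
    result := team with input as {
        "session": {"teams": ["DevOps"]},
        "request": {"remote_ip": "203.0.113.5"},
    }
    not result["Superwriter"]
    "DevOps" in result
}

# Contractors are excluded even when every other condition holds.
test_superwriter_denied_for_contractor {
    result := team with input as {
        "session": {"teams": ["DevOps", "Contractors"]},
        "request": {"remote_ip": "12.34.56.78"},
    }
    not result["Superwriter"]
}

# Missing remote_ip: net.cidr_contains is undefined, so office_vpn fails closed.
test_superwriter_denied_without_remote_ip {
    result := team with input as {
        "session": {"teams": ["DevOps"]},
        "request": {},
    }
    not result["Superwriter"]
}
```

Run with `opa test rewriting-user-teams.rego rewriting-user-teams_test.rego -v` (the test filename is an assumption).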