learn stuff

ivankatliarchuk · ivankatliarchuk · commit 0de511acd836 · 2025-01-03T18:46:18.000Z
Signed-off-by: ivan katliarchuk &lt;ivan.katliarchuk@gmail.com&gt;
diff --git a/playground/ex13/denied_provisioners.rego b/playground/ex13/denied_provisioners.rego
@@ -10,7 +10,7 @@ denied_provisioners = ["local-exec"]
 
 
 array_contains(arr, elem) {
-  arr[_] = elem
+    arr[_] = elem
 }
 
 module_name(path) = name {
diff --git a/playground/ex17/enforce_aws_resource.rego b/playground/ex17/enforce_aws_resource.rego
@@ -5,6 +5,7 @@
 #       before "not array_contains..."
 #
 #       startswith(resources.type,"aws_")
+# https://www.scalr.com/blog/opa-series-part-1-open-policy-agent-and-terraform
 
 package terraform
 
diff --git a/playground/ex26/data.json b/playground/ex26/data.json
@@ -0,0 +1,17 @@
+{
+  "attributes": {
+    "user": [
+      "read:books"
+    ],
+    "moderator": [
+      "read:books",
+      "write:books"
+    ],
+    "administrator": [
+      "read:books",
+      "write:books",
+      "read:store",
+      "write:store"
+    ]
+  }
+}
diff --git a/playground/ex26/mapping.json b/playground/ex26/mapping.json
@@ -0,0 +1,15 @@
+{
+  "user": [
+    "read:books"
+  ],
+  "moderator": [
+    "read:books",
+    "write:books"
+  ],
+  "administrator": [
+    "read:books",
+    "write:books",
+    "read:store",
+    "write:store"
+  ]
+}
diff --git a/playground/ex26/policy.rego b/playground/ex26/policy.rego
@@ -0,0 +1,23 @@
+# https://stackoverflow.com/questions/71420104/opa-authorization-policies-with-scopes-and-roles?rq=1
+package whatever.authz
+
+context_scope == data["attributes"][principal_role][_]
+
+# context_scope := concat(":", [input.context.action, input.context.resource])
+context_scope = data["attributes"][principal_role][_]
+
+default allow = false
+
+allow if {
+	token_has_context_scope
+	principal_has_resource_access
+}
+
+token_has_context_scope if {
+	context_scope == input.token.scopes[_]
+}
+
+principal_has_resource_access if {
+	principal_role := input.principal.roles[_]
+	context_scope == data[principal_role][_]
+}
diff --git a/playground/ex27/authorizer.rego b/playground/ex27/authorizer.rego
@@ -0,0 +1,7 @@
+package authorizer
+
+default username := null
+
+decode_user(jwt) := user_id {
+    // logic to decode token & return user_id
+}
diff --git a/playground/ex27/policy.rego b/playground/ex27/policy.rego
@@ -0,0 +1,13 @@
+package user
+
+import data.authorizer.*
+
+default allow := false
+
+user_id := x {
+    x := decode_user(input.jwt)
+}
+
+allow := true {
+    user_id != null
+}

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ denied_provisioners = ["local-exec"]`
`10`	`10`
`11`	`11`
`12`	`12`	`array_contains(arr, elem) {`
`13`		`- arr[_] = elem`
	`13`	`+ arr[_] = elem`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`module_name(path) = name {`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`# before "not array_contains..."`
`6`	`6`	`#`
`7`	`7`	`# startswith(resources.type,"aws_")`
	`8`	`+# https://www.scalr.com/blog/opa-series-part-1-open-policy-agent-and-terraform`
`8`	`9`
`9`	`10`	`package terraform`
`10`	`11`