-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
181 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| [ | ||
| { | ||
| "user": "user:anne", | ||
| "relation": "owner", | ||
| "object": "folder:product" | ||
| }, | ||
| { | ||
| "user": "folder:product", | ||
| "relation": "parent", | ||
| "object": "folder:product-2021" | ||
| }, | ||
| { | ||
| "user": "user:beth", | ||
| "relation": "viewer", | ||
| "object": "folder:product-2021" | ||
| } | ||
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| model | ||
| schema 1.1 | ||
| type user | ||
| type folder | ||
| relations | ||
| define parent: [folder] | ||
| define owner: [user] | ||
| define parent_owner: owner from parent or parent_owner from parent | ||
| define viewer: [user] or owner or parent_owner | ||
| define can_share: owner | ||
| define can_write: owner or parent_owner | ||
| define can_view: viewer or viewer from parent |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| name: FolderBox # store name | ||
| model_file: ./model.fga # a global model that would apply to all tests | ||
| # model can be used instead of model_file | ||
| #model: | | ||
| # model | ||
| # schema 1.1 | ||
| # type user | ||
| # ... | ||
| tuples: # global tuples that would apply to all tests | ||
| - user: folder:5 | ||
| relation: parent | ||
| object: folder:product-2021 | ||
| - user: folder:product-2021 | ||
| relation: parent | ||
| object: folder:product-2021Q1 | ||
| tests: | ||
| - name: "folder-document-access" | ||
| description: "" | ||
| tuples: # tuples in tests are appended to the global tuples and do not replace them | ||
| - user: user:anne | ||
| relation: owner | ||
| object: folder:product | ||
| - user: folder:product | ||
| relation: parent | ||
| object: folder:product-2021 | ||
| - user: user:beth | ||
| relation: viewer | ||
| object: folder:product-2021 | ||
| check: # Each check test is made of: a user, an object and the expected result for one or more relations | ||
| - user: user:anne | ||
| object: folder:product-2021 | ||
| assertions: | ||
| can_view: true | ||
| can_write: true | ||
| can_share: false | ||
| - user: user:beth | ||
| object: folder:product-2021 | ||
| assertions: | ||
| can_view: true | ||
| can_write: false | ||
| can_share: false | ||
| - user: user:anne | ||
| object: folder:product-2021Q1 | ||
| assertions: | ||
| can_view: true | ||
| can_write: true | ||
| can_share: false | ||
| list_objects: # Each check test is made of: a user, an object type and the expected result for one or more relations | ||
| - user: user:anne | ||
| type: folder | ||
| assertions: | ||
| can_view: | ||
| - folder:product | ||
| - folder:product-2021 | ||
| - folder:product-2021Q1 | ||
| can_write: | ||
| - folder:product | ||
| - folder:product-2021 | ||
| - folder:product-2021Q1 | ||
| can_share: | ||
| - folder:product | ||
| - user: user:beth | ||
| type: folder | ||
| assertions: | ||
| can_view: | ||
| - folder:product-2021 | ||
| - folder:product-2021Q1 | ||
| can_write: [] | ||
| can_share: [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| model | ||
| schema 1.1 | ||
|
|
||
| type user | ||
|
|
||
| type document | ||
| relations | ||
| define viewer: [user with non_expired_grant_and_valid_ip] | ||
|
|
||
| condition non_expired_grant_and_valid_ip(current_timestamp: timestamp, grant_timestamp: timestamp, grant_duration: duration, user_ip: ipaddress, cidr: string) { | ||
| (current_timestamp < grant_timestamp + grant_duration) && user_ip.in_cidr(cidr) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| - user: folder:5 | ||
| relation: parent | ||
| object: folder:product-2021 | ||
| - user: folder:product-2021 | ||
| relation: parent | ||
| object: folder:product-2021Q1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| name: FolderBox # store name | ||
| model_file: ./model_abac.fga # a global model that would apply to all tests | ||
| # model can be used instead of model_file | ||
| #model: | | ||
| # model | ||
| # schema 1.1 | ||
| # type user | ||
| # ... | ||
| tuples: # global tuples that would apply to all tests | ||
| - user: user:anne | ||
| relation: viewer | ||
| object: document:1 | ||
| condition: | ||
| name: non_expired_grant_and_valid_ip | ||
| context: | ||
| grant_timestamp: "2023-05-03T21:25:20+00:00" | ||
| grant_duration: 10s | ||
| cidr: 192.168.0.0/24 | ||
| tests: | ||
| - name: test-1 | ||
| check: # Each check test is made of: a user, an object and the expected result for one or more relations | ||
| - user: user:anne | ||
| object: document:1 | ||
| context: | ||
| current_timestamp: "2023-05-03T21:25:23+00:00" | ||
| user_ip: "192.168.0.0" | ||
| assertions: | ||
| viewer: true # current time is within granted time interval and the user's ip is within the CIDR range | ||
| - user: user:anne | ||
| object: document:1 | ||
| context: | ||
| current_timestamp: "2023-05-03T21:25:31+00:00" | ||
| user_ip: "192.168.0.0" | ||
| assertions: | ||
| viewer: false # current time is not within granted time | ||
| - user: user:anne | ||
| object: document:1 | ||
| context: | ||
| current_timestamp: "2023-05-03T21:25:23+00:00" | ||
| user_ip: "192.168.1.0" | ||
| assertions: | ||
| viewer: false # current time is within granted time interval but the user's ip address is outside the CIDR range | ||
| list_objects: # Each check test is made of: a user, an object type and the expected result for one or more relations | ||
| - user: user:anne | ||
| type: document | ||
| context: | ||
| current_timestamp: "2023-05-03T21:25:23+00:00" | ||
| user_ip: "192.168.0.0" | ||
| assertions: | ||
| viewer: | ||
| - document:1 | ||
| - user: user:anne | ||
| type: document | ||
| context: | ||
| current_timestamp: "2023-05-03T21:25:31+00:00" | ||
| user_ip: "192.168.0.0" | ||
| assertions: | ||
| viewer: [] | ||
| - user: user:anne | ||
| type: document | ||
| context: | ||
| current_timestamp: "2023-05-03T21:25:23+00:00" | ||
| user_ip: "192.168.1.0" | ||
| assertions: | ||
| viewer: [] |