stillbox/pkg/rbac/policy/policy.go

package policy

import (
	"dynatron.me/x/stillbox/pkg/rbac/entities"

	"github.com/el-mike/restrict/v2"
)

const (
	PresetUpdateOwn       = "updateOwn"
	PresetDeleteOwn       = "deleteOwn"
	PresetReadShared      = "readShared"
	PresetReadSharedInMap = "readSharedInMap"
	PresetShareOwn        = "shareOwn"

	PresetUpdateSubmitter      = "updateSubmitter"
	PresetDeleteSubmitter      = "deleteSubmitter"
	PresetShareSubmitter       = "shareSubmitter"
	PresetReadInSharedIncident = "readInSharedIncident"
)

var Policy = &restrict.PolicyDefinition{
	Roles: restrict.Roles{
		entities.RoleUser: {
			Description: "An authenticated user",
			Grants: restrict.GrantsMap{
				entities.ResourceIncident: {
					&restrict.Permission{Action: entities.ActionRead},
					&restrict.Permission{Action: entities.ActionCreate},
					&restrict.Permission{Preset: PresetUpdateOwn},
					&restrict.Permission{Preset: PresetDeleteOwn},
					&restrict.Permission{Preset: PresetShareOwn},
				},
				entities.ResourceCall: {
					&restrict.Permission{Action: entities.ActionRead},
					&restrict.Permission{Action: entities.ActionCreate},
					&restrict.Permission{Preset: PresetUpdateSubmitter},
					&restrict.Permission{Preset: PresetDeleteSubmitter},
					&restrict.Permission{Action: entities.ActionShare},
				},
				entities.ResourceTalkgroup: {
					&restrict.Permission{Action: entities.ActionRead},
				},
				entities.ResourceShare: {
					&restrict.Permission{Action: entities.ActionRead},
					&restrict.Permission{Action: entities.ActionCreate},
					&restrict.Permission{Preset: PresetUpdateOwn},
					&restrict.Permission{Preset: PresetDeleteOwn},
				},
			},
		},
		entities.RoleSubmitter: {
			Description: "A role that can submit calls",
			Grants: restrict.GrantsMap{
				entities.ResourceCall: {
					&restrict.Permission{Action: entities.ActionCreate},
				},
				entities.ResourceTalkgroup: {
					// for learning TGs
					&restrict.Permission{Action: entities.ActionCreate},
					&restrict.Permission{Action: entities.ActionUpdate},
				},
			},
		},
		entities.RoleShareGuest: {
			Description: "Someone who has a valid share link",
			Grants: restrict.GrantsMap{
				entities.ResourceCall: {
					&restrict.Permission{Preset: PresetReadShared},
					&restrict.Permission{Preset: PresetReadInSharedIncident},
				},
				entities.ResourceIncident: {
					&restrict.Permission{Preset: PresetReadShared},
				},
				entities.ResourceTalkgroup: {
					&restrict.Permission{Action: entities.ActionRead},
				},
			},
		},
		entities.RoleAdmin: {
			Description: "A superuser",
			Parents: []string{entities.RoleUser},
			Grants: restrict.GrantsMap{
				entities.ResourceIncident: {
					&restrict.Permission{Action: entities.ActionRead},
					&restrict.Permission{Action: entities.ActionUpdate},
					&restrict.Permission{Action: entities.ActionDelete},
					&restrict.Permission{Action: entities.ActionShare},
				},
				entities.ResourceCall: {
					&restrict.Permission{Action: entities.ActionRead},
					&restrict.Permission{Action: entities.ActionUpdate},
					&restrict.Permission{Action: entities.ActionDelete},
					&restrict.Permission{Action: entities.ActionShare},
				},
				entities.ResourceTalkgroup: {
					&restrict.Permission{Action: entities.ActionRead},
					&restrict.Permission{Action: entities.ActionUpdate},
					&restrict.Permission{Action: entities.ActionCreate},
					&restrict.Permission{Action: entities.ActionDelete},
				},
				entities.ResourceShare: {
					&restrict.Permission{Action: entities.ActionRead},
					&restrict.Permission{Action: entities.ActionUpdate},
					&restrict.Permission{Action: entities.ActionCreate},
					&restrict.Permission{Action: entities.ActionDelete},
				},
			},
		},
		entities.RoleSystem: {
			Description: "A system service",
			Parents: []string{entities.RoleAdmin},
		},
		entities.RolePublic: {
			/*
				Grants: restrict.GrantsMap{
					entities.ResourceShare: {
						&restrict.Permission{Action: entities.ActionRead},
					},
				},
			*/
		},
	},
	PermissionPresets: restrict.PermissionPresets{
		PresetUpdateOwn: &restrict.Permission{
			Action: entities.ActionUpdate,
			Conditions: restrict.Conditions{
				&restrict.EqualCondition{
					ID: "isOwner",
					Left: &restrict.ValueDescriptor{
						Source: restrict.ResourceField,
						Field:  "Owner",
					},
					Right: &restrict.ValueDescriptor{
						Source: restrict.SubjectField,
						Field:  "ID",
					},
				},
			},
		},
		PresetDeleteOwn: &restrict.Permission{
			Action: entities.ActionDelete,
			Conditions: restrict.Conditions{
				&restrict.EqualCondition{
					ID: "isOwner",
					Left: &restrict.ValueDescriptor{
						Source: restrict.ResourceField,
						Field:  "Owner",
					},
					Right: &restrict.ValueDescriptor{
						Source: restrict.SubjectField,
						Field:  "ID",
					},
				},
			},
		},
		PresetShareOwn: &restrict.Permission{
			Action: entities.ActionShare,
			Conditions: restrict.Conditions{
				&restrict.EqualCondition{
					ID: "isOwner",
					Left: &restrict.ValueDescriptor{
						Source: restrict.ResourceField,
						Field:  "Owner",
					},
					Right: &restrict.ValueDescriptor{
						Source: restrict.SubjectField,
						Field:  "ID",
					},
				},
			},
		},
		PresetUpdateSubmitter: &restrict.Permission{
			Action: entities.ActionUpdate,
			Conditions: restrict.Conditions{
				&SubmitterEqualCondition{
					ID: "isSubmitter",
					Left: &restrict.ValueDescriptor{
						Source: restrict.ResourceField,
						Field:  "Submitter",
					},
					Right: &restrict.ValueDescriptor{
						Source: restrict.SubjectField,
						Field:  "ID",
					},
				},
			},
		},
		PresetDeleteSubmitter: &restrict.Permission{
			Action: entities.ActionDelete,
			Conditions: restrict.Conditions{
				&SubmitterEqualCondition{
					ID: "isSubmitter",
					Left: &restrict.ValueDescriptor{
						Source: restrict.ResourceField,
						Field:  "Submitter",
					},
					Right: &restrict.ValueDescriptor{
						Source: restrict.SubjectField,
						Field:  "ID",
					},
				},
			},
		},
		PresetShareSubmitter: &restrict.Permission{
			Action: entities.ActionShare,
			Conditions: restrict.Conditions{
				&SubmitterEqualCondition{
					ID: "isSubmitter",
					Left: &restrict.ValueDescriptor{
						Source: restrict.ResourceField,
						Field:  "Submitter",
					},
					Right: &restrict.ValueDescriptor{
						Source: restrict.SubjectField,
						Field:  "ID",
					},
				},
			},
		},
		PresetReadShared: &restrict.Permission{
			Action: entities.ActionRead,
			Conditions: restrict.Conditions{
				&restrict.EqualCondition{
					ID: "isOwner",
					Left: &restrict.ValueDescriptor{
						Source: restrict.ResourceField,
						Field:  "ID",
					},
					Right: &restrict.ValueDescriptor{
						Source: restrict.SubjectField,
						Field:  "EntityID",
					},
				},
			},
		},
		PresetReadInSharedIncident: &restrict.Permission{
			Action: entities.ActionRead,
			Conditions: restrict.Conditions{
				&CallInIncidentCondition{
					ID: "callInIncident",
					Call: &restrict.ValueDescriptor{
						Source: restrict.ResourceField,
						Field:  "ID",
					},
					Incident: &restrict.ValueDescriptor{
						Source: restrict.SubjectField,
						Field:  "EntityID",
					},
				},
			},
		},
	},
}
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`package policy`
WIP 2025-01-20 20:28:25 -05:00
			`import (`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`"dynatron.me/x/stillbox/pkg/rbac/entities"`

WIP 2025-01-20 20:28:25 -05:00			`"github.com/el-mike/restrict/v2"`
			`)`

WIP cycle 2025-01-20 22:38:27 -05:00			`const (`
			`PresetUpdateOwn = "updateOwn"`
			`PresetDeleteOwn = "deleteOwn"`
			`PresetReadShared = "readShared"`
			`PresetReadSharedInMap = "readSharedInMap"`
			`PresetShareOwn = "shareOwn"`

working for now 2025-01-21 08:43:03 -05:00			`PresetUpdateSubmitter = "updateSubmitter"`
			`PresetDeleteSubmitter = "deleteSubmitter"`
			`PresetShareSubmitter = "shareSubmitter"`
WIP cycle 2025-01-20 22:38:27 -05:00			`PresetReadInSharedIncident = "readInSharedIncident"`
			`)`

			`var Policy = &restrict.PolicyDefinition{`
WIP 2025-01-20 20:28:25 -05:00			`Roles: restrict.Roles{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.RoleUser: {`
WIP 2025-01-20 20:28:25 -05:00			`Description: "An authenticated user",`
			`Grants: restrict.GrantsMap{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceIncident: {`
			`&restrict.Permission{Action: entities.ActionRead},`
			`&restrict.Permission{Action: entities.ActionCreate},`
WIP 2025-01-20 20:28:25 -05:00			`&restrict.Permission{Preset: PresetUpdateOwn},`
			`&restrict.Permission{Preset: PresetDeleteOwn},`
			`&restrict.Permission{Preset: PresetShareOwn},`
			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceCall: {`
			`&restrict.Permission{Action: entities.ActionRead},`
			`&restrict.Permission{Action: entities.ActionCreate},`
WIP 2025-01-20 20:28:25 -05:00			`&restrict.Permission{Preset: PresetUpdateSubmitter},`
			`&restrict.Permission{Preset: PresetDeleteSubmitter},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`&restrict.Permission{Action: entities.ActionShare},`
WIP 2025-01-20 20:28:25 -05:00			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceTalkgroup: {`
			`&restrict.Permission{Action: entities.ActionRead},`
WIP 2025-01-20 20:28:25 -05:00			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceShare: {`
			`&restrict.Permission{Action: entities.ActionRead},`
			`&restrict.Permission{Action: entities.ActionCreate},`
WIP 2025-01-20 20:28:25 -05:00			`&restrict.Permission{Preset: PresetUpdateOwn},`
			`&restrict.Permission{Preset: PresetDeleteOwn},`
			`},`
			`},`
			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.RoleSubmitter: {`
WIP 2025-01-20 20:28:25 -05:00			`Description: "A role that can submit calls",`
			`Grants: restrict.GrantsMap{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceCall: {`
			`&restrict.Permission{Action: entities.ActionCreate},`
WIP 2025-01-20 20:28:25 -05:00			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceTalkgroup: {`
WIP 2025-01-20 20:28:25 -05:00			`// for learning TGs`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`&restrict.Permission{Action: entities.ActionCreate},`
			`&restrict.Permission{Action: entities.ActionUpdate},`
WIP 2025-01-20 20:28:25 -05:00			`},`
			`},`
			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.RoleShareGuest: {`
WIP 2025-01-20 20:28:25 -05:00			`Description: "Someone who has a valid share link",`
			`Grants: restrict.GrantsMap{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceCall: {`
WIP 2025-01-20 20:28:25 -05:00			`&restrict.Permission{Preset: PresetReadShared},`
WIP cycle 2025-01-20 22:38:27 -05:00			`&restrict.Permission{Preset: PresetReadInSharedIncident},`
WIP 2025-01-20 20:28:25 -05:00			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceIncident: {`
WIP 2025-01-20 20:28:25 -05:00			`&restrict.Permission{Preset: PresetReadShared},`
			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceTalkgroup: {`
			`&restrict.Permission{Action: entities.ActionRead},`
WIP 2025-01-20 20:28:25 -05:00			`},`
			`},`
			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.RoleAdmin: {`
Description 2025-01-29 20:56:03 -05:00			`Description: "A superuser",`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Parents: []string{entities.RoleUser},`
WIP 2025-01-20 20:28:25 -05:00			`Grants: restrict.GrantsMap{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceIncident: {`
Catch TG errors, fix policy cycle 2025-01-29 20:37:17 -05:00			`&restrict.Permission{Action: entities.ActionRead},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`&restrict.Permission{Action: entities.ActionUpdate},`
			`&restrict.Permission{Action: entities.ActionDelete},`
			`&restrict.Permission{Action: entities.ActionShare},`
WIP 2025-01-20 20:28:25 -05:00			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceCall: {`
Catch TG errors, fix policy cycle 2025-01-29 20:37:17 -05:00			`&restrict.Permission{Action: entities.ActionRead},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`&restrict.Permission{Action: entities.ActionUpdate},`
			`&restrict.Permission{Action: entities.ActionDelete},`
			`&restrict.Permission{Action: entities.ActionShare},`
WIP 2025-01-20 20:28:25 -05:00			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceTalkgroup: {`
Catch TG errors, fix policy cycle 2025-01-29 20:37:17 -05:00			`&restrict.Permission{Action: entities.ActionRead},`
			`&restrict.Permission{Action: entities.ActionUpdate},`
			`&restrict.Permission{Action: entities.ActionCreate},`
			`&restrict.Permission{Action: entities.ActionDelete},`
			`},`
			`entities.ResourceShare: {`
			`&restrict.Permission{Action: entities.ActionRead},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`&restrict.Permission{Action: entities.ActionUpdate},`
			`&restrict.Permission{Action: entities.ActionCreate},`
			`&restrict.Permission{Action: entities.ActionDelete},`
WIP 2025-01-20 20:28:25 -05:00			`},`
			`},`
			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.RoleSystem: {`
Description 2025-01-29 20:56:03 -05:00			`Description: "A system service",`
Catch TG errors, fix policy cycle 2025-01-29 20:37:17 -05:00			`Parents: []string{entities.RoleAdmin},`
WIP 2025-01-20 20:28:25 -05:00			`},`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.RolePublic: {`
WIP 2025-01-20 20:28:25 -05:00			`/*`
			`Grants: restrict.GrantsMap{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`entities.ResourceShare: {`
			`&restrict.Permission{Action: entities.ActionRead},`
WIP 2025-01-20 20:28:25 -05:00			`},`
			`},`
			`*/`
			`},`
			`},`
			`PermissionPresets: restrict.PermissionPresets{`
			`PresetUpdateOwn: &restrict.Permission{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Action: entities.ActionUpdate,`
WIP 2025-01-20 20:28:25 -05:00			`Conditions: restrict.Conditions{`
			`&restrict.EqualCondition{`
			`ID: "isOwner",`
			`Left: &restrict.ValueDescriptor{`
			`Source: restrict.ResourceField,`
			`Field: "Owner",`
			`},`
			`Right: &restrict.ValueDescriptor{`
			`Source: restrict.SubjectField,`
			`Field: "ID",`
			`},`
			`},`
			`},`
			`},`
			`PresetDeleteOwn: &restrict.Permission{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Action: entities.ActionDelete,`
WIP 2025-01-20 20:28:25 -05:00			`Conditions: restrict.Conditions{`
			`&restrict.EqualCondition{`
			`ID: "isOwner",`
			`Left: &restrict.ValueDescriptor{`
			`Source: restrict.ResourceField,`
			`Field: "Owner",`
			`},`
			`Right: &restrict.ValueDescriptor{`
			`Source: restrict.SubjectField,`
			`Field: "ID",`
			`},`
			`},`
			`},`
			`},`
			`PresetShareOwn: &restrict.Permission{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Action: entities.ActionShare,`
WIP 2025-01-20 20:28:25 -05:00			`Conditions: restrict.Conditions{`
			`&restrict.EqualCondition{`
			`ID: "isOwner",`
			`Left: &restrict.ValueDescriptor{`
			`Source: restrict.ResourceField,`
			`Field: "Owner",`
			`},`
			`Right: &restrict.ValueDescriptor{`
			`Source: restrict.SubjectField,`
			`Field: "ID",`
			`},`
			`},`
			`},`
			`},`
			`PresetUpdateSubmitter: &restrict.Permission{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Action: entities.ActionUpdate,`
WIP 2025-01-20 20:28:25 -05:00			`Conditions: restrict.Conditions{`
			`&SubmitterEqualCondition{`
			`ID: "isSubmitter",`
			`Left: &restrict.ValueDescriptor{`
			`Source: restrict.ResourceField,`
			`Field: "Submitter",`
			`},`
			`Right: &restrict.ValueDescriptor{`
			`Source: restrict.SubjectField,`
			`Field: "ID",`
			`},`
			`},`
			`},`
			`},`
			`PresetDeleteSubmitter: &restrict.Permission{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Action: entities.ActionDelete,`
WIP 2025-01-20 20:28:25 -05:00			`Conditions: restrict.Conditions{`
			`&SubmitterEqualCondition{`
			`ID: "isSubmitter",`
			`Left: &restrict.ValueDescriptor{`
			`Source: restrict.ResourceField,`
			`Field: "Submitter",`
			`},`
			`Right: &restrict.ValueDescriptor{`
			`Source: restrict.SubjectField,`
			`Field: "ID",`
			`},`
			`},`
			`},`
			`},`
			`PresetShareSubmitter: &restrict.Permission{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Action: entities.ActionShare,`
WIP 2025-01-20 20:28:25 -05:00			`Conditions: restrict.Conditions{`
			`&SubmitterEqualCondition{`
			`ID: "isSubmitter",`
			`Left: &restrict.ValueDescriptor{`
			`Source: restrict.ResourceField,`
			`Field: "Submitter",`
			`},`
			`Right: &restrict.ValueDescriptor{`
			`Source: restrict.SubjectField,`
			`Field: "ID",`
			`},`
			`},`
			`},`
			`},`
			`PresetReadShared: &restrict.Permission{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Action: entities.ActionRead,`
WIP 2025-01-20 20:28:25 -05:00			`Conditions: restrict.Conditions{`
			`&restrict.EqualCondition{`
			`ID: "isOwner",`
			`Left: &restrict.ValueDescriptor{`
			`Source: restrict.ResourceField,`
			`Field: "ID",`
			`},`
			`Right: &restrict.ValueDescriptor{`
			`Source: restrict.SubjectField,`
			`Field: "EntityID",`
			`},`
			`},`
			`},`
			`},`
WIP cycle 2025-01-20 22:38:27 -05:00			`PresetReadInSharedIncident: &restrict.Permission{`
Able to use store in rbac policy finally 2025-01-22 10:39:23 -05:00			`Action: entities.ActionRead,`
WIP cycle 2025-01-20 22:38:27 -05:00			`Conditions: restrict.Conditions{`
working for now 2025-01-21 08:43:03 -05:00			`&CallInIncidentCondition{`
WIP cycle 2025-01-20 22:38:27 -05:00			`ID: "callInIncident",`
			`Call: &restrict.ValueDescriptor{`
			`Source: restrict.ResourceField,`
			`Field: "ID",`
			`},`
			`Incident: &restrict.ValueDescriptor{`
			`Source: restrict.SubjectField,`
			`Field: "EntityID",`
			`},`
			`},`
			`},`
			`},`
WIP 2025-01-20 20:28:25 -05:00			`},`
			`}`