generated from coulomb/repo-seed
id, name, namespace, version, status, package, actions, owner, fixtures, caring, metadata
| id | name | namespace | version | status | package | actions | owner | fixtures | caring | metadata |
|---|---|---|---|---|---|---|---|---|---|---|
| markitect.gateway.check-fixtures | Markitect gateway check fixtures | markitect:gateway | v1 | draft | flexauth.markitect.gateway | | team:platform-architecture | | | |
Markitect Gateway Check Fixtures
This package captures the first Markitect gateway scenarios as executable Rego and external fixtures.
Rules
import future.keywords.if
import future.keywords.in
# Fall-through verdict: when none of the allow rules below produces a value,
# the request is denied and the reason records that nothing matched.
# NOTE(review): the test module imports data.flexauth.markitect.gateway, so this
# module is expected to start with `package flexauth.markitect.gateway`; that
# line is not shown on this page — confirm it is present in the source file.
default decision := {
	"effect": "deny",
	"reason": "no_matching_rule"
}
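# Allow rule: a "document" may be read by anyone when its labels include
# "public". Labels are looked up with object.get, so a document whose
# attributes carry no "labels" key sees an empty list and fails the
# membership test; a missing attributes object leaves the rule undefined,
# and either way the request falls through to the deny default.
#
# A document labelled both "public" and "internal" is deliberately excluded
# here. Without the exclusion this rule and the reader_group rule would both
# produce a different value for `decision`, which OPA reports as a complete
# rule conflict instead of returning a verdict. Treating the contradictory
# label set as internal routes it through the stricter group/capability path.
decision := {"effect": "allow", "reason": "public_document"} if {
	input.action == "read"
	input.resource.type == "document"
	labels := object.get(input.resource.attributes, "labels", [])
	"public" in labels
	not "internal" in labels
}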
# Allow rule: a "document" labelled "internal" may be read by a subject in the
# platform-architecture group, provided the caring context grants "View".
# Both label and group lookups use object.get so a missing key yields an
# empty list (membership fails) rather than an undefined reference.
decision := verdict if {
	"read" == input.action
	"document" == input.resource.type
	doc_labels := object.get(input.resource.attributes, "labels", [])
	"internal" in doc_labels
	subject_groups := object.get(input.subject.attributes, "groups", [])
	"group:platform-architecture" in subject_groups
	"View" in input.caring_context.capabilities
	verdict := {"effect": "allow", "reason": "reader_group"}
}
# Allow rule: an export is permitted for a subject holding the "steward" role
# whose request context carries MFA, when the caring context grants the
# "Export" capability and the "Exportable" exposure mode.
# `input.context.mfa == true` is a strict boolean comparison: a string "true"
# or any other truthy-looking value does not satisfy it.
# NOTE(review): the finding message mentions logging, but no body condition
# or obligation here enforces it, and the rule does not constrain
# input.resource.type — confirm both are intended.
decision := verdict if {
	input.action == "export"
	roles := object.get(input.subject.attributes, "roles", [])
	"steward" in roles
	input.context.mfa == true
	caps := input.caring_context.capabilities
	"Export" in caps
	"Exportable" in input.caring_context.exposure_modes
	verdict := {
		"effect": "allow",
		"reason": "steward_export_mfa",
		"conformance_findings": [{
			"code": "MARKITECT-EXPORT-MFA-LOGGED",
			"severity": "info",
			"message": "Export is allowed only with steward role, MFA, and logging."
		}]
	}
}
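# Allow rule: activating a context package is permitted when the request names
# the policy version it was built against, the package is fresh enough, and the
# caring context grants both "Use" and "Execute". The verdict carries an
# obligation asking the caller to record the activation with the reported
# freshness, plus an informational conformance finding.
#
# Type guards: a null or non-string policy_version would otherwise satisfy
# `!= ""`, and a non-numeric freshness value would be compared by Rego's
# cross-type ordering rather than as a duration. Both are rejected here so the
# request falls through to the deny default.
decision := verdict if {
	input.action == "activate_context"
	input.resource.type == "context_package"
	is_string(input.policy_version)
	input.policy_version != ""
	freshness := input.context.freshness_seconds
	is_number(freshness)
	freshness >= 0  # a negative age is malformed, not "fresh"
	freshness <= 900  # maximum accepted age in seconds (15 minutes)
	"Use" in input.caring_context.capabilities
	"Execute" in input.caring_context.capabilities
	verdict := {
		"effect": "allow",
		"reason": "fresh_context_package",
		"obligations": [{
			"type": "record_context_activation",
			"parameters": {"freshness_seconds": freshness}
		}],
		"conformance_findings": [{
			"code": "MARKITECT-CONTEXT-FRESHNESS",
			"severity": "info",
			"message": "Context package activation includes policy version and freshness metadata."
		}]
	}
}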
Tests
package flexauth.markitect.gateway_test
import future.keywords.if
import data.flexauth.markitect.gateway
# The public-label read path must resolve to an allow verdict even when the
# request carries no subject or caring context at all.
test_public_document_allows if {
	request := {
		"action": "read",
		"resource": {
			"type": "document",
			"attributes": {"labels": ["public"]}
		}
	}
	gateway.decision.effect == "allow" with input as request
}
# A steward with the Export capability and Exportable exposure mode but with
# mfa set to false must not reach the export allow rule; the verdict is the
# deny default.
test_export_requires_mfa if {
	request := {
		"action": "export",
		"subject": {"attributes": {"roles": ["steward"]}},
		"context": {"mfa": false},
		"caring_context": {
			"capabilities": ["Export"],
			"exposure_modes": ["Exportable"]
		}
	}
	gateway.decision.effect == "deny" with input as request
}