coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
main
flex-auth/examples/markitect/check_policy_package.md
tegwick 7e09a21c5f
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
Add Markitect check fixtures
2026-05-17 06:32:05 +02:00

153 lines
3.6 KiB
Markdown
Raw Permalink Blame History

---
id: markitect.gateway.check-fixtures
name: Markitect gateway check fixtures
namespace: markitect:gateway
version: v1
status: draft
package: flexauth.markitect.gateway
actions:
- read
- export
- activate_context
owner: team:platform-architecture
fixtures:
- check_fixtures.yaml
caring:
profile: caring-0.4.0-rc2
enforce: false
canonical_roles:
- Doer
- Maintainer
- Verifier
organization_relations:
- Customer
scopes:
- level: Resource
id: document:public-note
tenant: tenant:alpha
- level: Resource
id: document:internal-note
tenant: tenant:alpha
- level: Dataset
id: context-package:internal-note-review
tenant: tenant:alpha
planes:
- Intent
- Data
- Audit
capabilities:
- View
- Export
- Use
- Execute
exposure_modes:
- Metadata
- Masked
- Plaintext
- Exportable
conditions:
- MFARequired
- PurposeBound
- Logged
restrictions:
- ExportBlocked
metadata:
source: examples/markitect/check_policy_package.md
---
# Markitect Gateway Check Fixtures
This package captures the first Markitect gateway scenarios as executable Rego
and external fixtures.
## Rules
```rego
import future.keywords.if
import future.keywords.in
default decision := {"effect": "deny", "reason": "no_matching_rule"}
decision := {"effect": "allow", "reason": "public_document"} if {
input.action == "read"
input.resource.type == "document"
"public" in object.get(input.resource.attributes, "labels", [])
}
decision := {"effect": "allow", "reason": "reader_group"} if {
input.action == "read"
input.resource.type == "document"
"internal" in object.get(input.resource.attributes, "labels", [])
"group:platform-architecture" in object.get(input.subject.attributes, "groups", [])
"View" in input.caring_context.capabilities
}
decision := {
"effect": "allow",
"reason": "steward_export_mfa",
"conformance_findings": [{
"code": "MARKITECT-EXPORT-MFA-LOGGED",
"severity": "info",
"message": "Export is allowed only with steward role, MFA, and logging."
}]
} if {
input.action == "export"
"steward" in object.get(input.subject.attributes, "roles", [])
input.context.mfa == true
"Export" in input.caring_context.capabilities
"Exportable" in input.caring_context.exposure_modes
}
decision := {
"effect": "allow",
"reason": "fresh_context_package",
"obligations": [{
"type": "record_context_activation",
"parameters": {"freshness_seconds": input.context.freshness_seconds}
}],
"conformance_findings": [{
"code": "MARKITECT-CONTEXT-FRESHNESS",
"severity": "info",
"message": "Context package activation includes policy version and freshness metadata."
}]
} if {
input.action == "activate_context"
input.resource.type == "context_package"
input.policy_version != ""
input.context.freshness_seconds <= 900
"Use" in input.caring_context.capabilities
"Execute" in input.caring_context.capabilities
}
```
## Tests
```rego test
package flexauth.markitect.gateway_test
import future.keywords.if
import data.flexauth.markitect.gateway
test_public_document_allows if {
gateway.decision.effect == "allow" with input as {
"action": "read",
"resource": {
"type": "document",
"attributes": {"labels": ["public"]}
}
}
}
test_export_requires_mfa if {
gateway.decision.effect == "deny" with input as {
"action": "export",
"subject": {"attributes": {"roles": ["steward"]}},
"context": {"mfa": false},
"caring_context": {
"capabilities": ["Export"],
"exposure_modes": ["Exportable"]
}
}
}
```
Reference in New Issue View Git Blame Copy Permalink