
id, name, namespace, version, status, package, actions, owner, fixtures, caring, activation, metadata
id name namespace version status package actions owner fixtures caring activation metadata
markitect.documents.internal-read Markitect internal document read markitect:document v1 draft flexauth.markitect.documents
read
team:platform-architecture
policy_fixture.yaml
profile enforce canonical_roles organization_relations scopes planes capabilities exposure_modes conditions restrictions
caring-0.4.0-rc2 false
Doer
Customer
level id tenant
Resource document:internal-note tenant:alpha
Data
View
Masked
Plaintext
PurposeBound
Logged
ExportBlocked
mode
local
source
examples/caring/policy_package.md

Markitect Internal Document Read

This package authorizes a `read` action on a `document` resource in the `markitect-tool` system when the request carries a CARING descriptor (profile `caring-0.4.0-rc2`) for a `Customer` `Doer` holding the `View` capability together with an explicit `ExportBlocked` restriction. The rule itself does not compare `input.resource.id` or `input.resource.tenant` against the scope declared in the front matter (`document:internal-note` in `tenant:alpha`); unless the loader enforces that scope, any document in the system matches. A request with no CARING descriptor falls through to the default `deny` with reason `no_matching_rule`.

Rules

import future.keywords.if
import future.keywords.in

# Fail closed: a request that satisfies no rule below is denied with the
# reason no_matching_rule.
default decision := {"effect": "deny", "reason": "no_matching_rule"}

# Grant the reader relation once both the request shape and the CARING
# descriptor check out. The attached finding records that View was granted
# while export stays blocked by the ExportBlocked restriction the descriptor
# had to carry.
decision := reader_grant if reader_relation_matches

reader_grant := {
  "effect": "allow",
  "reason": "reader_relation",
  "conformance_findings": [{
    "code": "CARING-EXPORT-SEPARATION",
    "severity": "info",
    "message": "View is allowed, but Exportable exposure remains separately blocked."
  }]
}

# The CARING descriptor must name a Customer Doer on the pinned profile, hold
# the View capability and carry an explicit ExportBlocked restriction. A
# missing or mismatching field leaves this rule undefined, so the request
# falls through to the default deny.
reader_relation_matches if {
  is_document_read
  ctx := input.caring_context
  ctx.profile == "caring-0.4.0-rc2"
  ctx.organization_relation == "Customer"
  ctx.canonical_role == "Doer"
  "View" in ctx.capabilities
  "ExportBlocked" in ctx.restrictions
}

# Request shape: a read of a document held by the markitect-tool system.
# NOTE(review): the front matter scopes this package to document:internal-note
# in tenant:alpha, but nothing here compares input.resource.id or
# input.resource.tenant against that scope — confirm the loader enforces it,
# otherwise every markitect-tool document satisfies this rule.
is_document_read if {
  input.action == "read"
  input.resource.system == "markitect-tool"
  input.resource.type == "document"
}

Tests

package flexauth.markitect.documents_test

import future.keywords.if
import data.flexauth.markitect.documents

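# Happy path: a Customer Doer with View and ExportBlocked on a markitect-tool
# document is allowed. The reason and finding code are pinned as well as the
# effect, so a different allow rule added later cannot silently satisfy this
# test in place of the reader relation.
test_reader_relation_allows if {
  result := documents.decision with input as {
    "action": "read",
    "resource": {
      "id": "document:internal-note",
      "type": "document",
      "system": "markitect-tool",
      "tenant": "tenant:alpha"
    },
    "caring_context": {
      "profile": "caring-0.4.0-rc2",
      "organization_relation": "Customer",
      "canonical_role": "Doer",
      "capabilities": ["View"],
      "restrictions": ["ExportBlocked"]
    }
  }
  result.effect == "allow"
  result.reason == "reader_relation"
  result.conformance_findings[0].code == "CARING-EXPORT-SEPARATION"
}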

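# A request with no CARING descriptor at all must fall through to the package
# default; both the effect and the default reason are pinned.
test_missing_caring_context_denies if {
  result := documents.decision with input as {
    "action": "read",
    "resource": {
      "id": "document:internal-note",
      "type": "document",
      "system": "markitect-tool",
      "tenant": "tenant:alpha"
    }
  }
  result.effect == "deny"
  result.reason == "no_matching_rule"
}

# A descriptor that grants View but omits the ExportBlocked restriction must
# be denied: the restriction is the gate the CARING-EXPORT-SEPARATION finding
# relies on, and a descriptor without it must not reach the allow rule.
test_missing_export_restriction_denies if {
  documents.decision.effect == "deny" with input as {
    "action": "read",
    "resource": {
      "id": "document:internal-note",
      "type": "document",
      "system": "markitect-tool",
      "tenant": "tenant:alpha"
    },
    "caring_context": {
      "profile": "caring-0.4.0-rc2",
      "organization_relation": "Customer",
      "canonical_role": "Doer",
      "capabilities": ["View"],
      "restrictions": []
    }
  }
}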

Fixtures

# Deny fixture: the request carries no caring_context, so the package's allow
# rule cannot match and the default decision applies.
id: fixture:markitect-internal-read-deny
request:
  id: check:tenant-alpha-internal-note-deny
  # The subject is not read by the package's Rules block; the decision is
  # driven by action, resource and the (absent) caring_context.
  subject:
    id: user:bob
    type: Human
    tenant: tenant:alpha
  action: read
  resource:
    id: document:internal-note
    type: document
    system: markitect-tool
    tenant: tenant:alpha
expect:
  # Mirrors the package's default decision: effect deny, reason no_matching_rule.
  effect: deny
  reason: no_matching_rule
metadata:
  source: examples/caring/policy_package.md