---
|
|
id: markitect.documents.internal-read
|
|
name: Markitect internal document read
|
|
namespace: markitect:document
|
|
version: v1
|
|
status: draft
|
|
package: flexauth.markitect.documents
|
|
actions:
|
|
- read
|
|
owner: team:platform-architecture
|
|
fixtures:
|
|
- policy_fixture.yaml
|
|
caring:
|
|
profile: caring-0.4.0-rc2
|
|
enforce: false
|
|
canonical_roles:
|
|
- Doer
|
|
organization_relations:
|
|
- Customer
|
|
scopes:
|
|
- level: Resource
|
|
id: document:internal-note
|
|
tenant: tenant:alpha
|
|
planes:
|
|
- Data
|
|
capabilities:
|
|
- View
|
|
exposure_modes:
|
|
- Masked
|
|
- Plaintext
|
|
conditions:
|
|
- PurposeBound
|
|
- Logged
|
|
restrictions:
|
|
- ExportBlocked
|
|
activation:
|
|
mode: local
|
|
metadata:
|
|
source: examples/caring/policy_package.md
|
|
---
|
|
|
|
# Markitect Internal Document Read
|
|
|
|
This package authorizes read access to an internal Markitect document when
|
|
the request carries a CARING descriptor for a customer Doer with View
|
|
capability on the document resource and an explicit ExportBlocked restriction.
|
|
|
|
## Rules
|
|
|
|
```rego
|
|
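# Decision rules for reading an internal Markitect document.
# NOTE(review): there is no `package` line in this block; the test block imports
# data.flexauth.markitect.documents, so the package is presumably supplied by the
# packaging tool from the front matter `package:` field — confirm before adding one.
import future.keywords.if
import future.keywords.in

# Deny unless a rule below matches. The reason string is what fixtures assert on.
default decision := {"effect": "deny", "reason": "no_matching_rule"}

# Allow a customer Doer holding the View capability to read the scoped document.
# Every line of the body must hold (a rule body is a conjunction); a missing or
# differently-typed input field leaves the body undefined and the default applies.
decision := {
	"effect": "allow",
	"reason": "reader_relation",
	"conformance_findings": [{
		"code": "CARING-EXPORT-SEPARATION",
		"severity": "info",
		"message": "View is allowed, but Exportable exposure remains separately blocked."
	}]
} if {
	input.action == "read"
	input.resource.system == "markitect-tool"
	input.resource.type == "document"
	# Pin the rule to the resource id and tenant declared in the front matter
	# scope; without these two checks any document in the system, in any
	# tenant, would satisfy the rule.
	input.resource.id == "document:internal-note"
	input.resource.tenant == "tenant:alpha"
	input.caring_context.profile == "caring-0.4.0-rc2"
	input.caring_context.organization_relation == "Customer"
	input.caring_context.canonical_role == "Doer"
	"View" in input.caring_context.capabilities
	"ExportBlocked" in input.caring_context.restrictions
}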
|
|
```
|
|
|
|
## Tests
|
|
|
|
```rego test
|
|
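# Unit tests for the document read decision in flexauth.markitect.documents.
package flexauth.markitect.documents_test

import future.keywords.if

import data.flexauth.markitect.documents

# Happy path: the fully-populated CARING context yields an allow with the
# reader_relation reason.
test_reader_relation_allows if {
	documents.decision.effect == "allow" with input as {
		"action": "read",
		"resource": {
			"id": "document:internal-note",
			"type": "document",
			"system": "markitect-tool",
			"tenant": "tenant:alpha"
		},
		"caring_context": {
			"profile": "caring-0.4.0-rc2",
			"organization_relation": "Customer",
			"canonical_role": "Doer",
			"capabilities": ["View"],
			"restrictions": ["ExportBlocked"]
		}
	}
}

# No caring_context at all: the allow body is undefined and the default deny
# (reason no_matching_rule) is returned.
test_missing_caring_context_denies if {
	documents.decision.effect == "deny" with input as {
		"action": "read",
		"resource": {
			"id": "document:internal-note",
			"type": "document",
			"system": "markitect-tool",
			"tenant": "tenant:alpha"
		}
	}
}

# The ExportBlocked restriction is part of the contract, not optional: a
# context that is otherwise complete but lacks it must be denied.
test_missing_export_restriction_denies if {
	documents.decision.reason == "no_matching_rule" with input as {
		"action": "read",
		"resource": {
			"id": "document:internal-note",
			"type": "document",
			"system": "markitect-tool",
			"tenant": "tenant:alpha"
		},
		"caring_context": {
			"profile": "caring-0.4.0-rc2",
			"organization_relation": "Customer",
			"canonical_role": "Doer",
			"capabilities": ["View"],
			"restrictions": []
		}
	}
}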
|
|
```
|
|
|
|
## Fixtures
|
|
|
|
```yaml fixture
|
|
id: fixture:markitect-internal-read-deny
|
|
request:
|
|
id: check:tenant-alpha-internal-note-deny
|
|
subject:
|
|
id: user:bob
|
|
type: Human
|
|
tenant: tenant:alpha
|
|
action: read
|
|
resource:
|
|
id: document:internal-note
|
|
type: document
|
|
system: markitect-tool
|
|
tenant: tenant:alpha
|
|
expect:
|
|
effect: deny
|
|
reason: no_matching_rule
|
|
metadata:
|
|
source: examples/caring/policy_package.md
|
|
```
|