1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
package httpapi.authz
subordinates = {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]}
# HTTP API request
import input
# input = { # example input
# "path": ["finance", "salary", "alice"],
# "user": "alice",
# "method": "GET"
# "version": 1
# }
default allow = false
# Allow users to get their own salaries.
allow {
input.version = 1.0e1
input.method = "GET"
input.path = ["finance", "salary", username]
input.user == username
}
# Allow managers to get their subordinates' salaries.
allow {
input.version = 1.0
input.method = "GET"
input.path = ["finance", "salary", username]
subordinates[input.user][_] == username
}
not obj.foo.bar.bar
some_rule[msg] {
msg := "hey"
}
|
