# Rego policy evaluated as data.esgf; the decision entry point queried by the
# enforcement point is `allow` (defined below, default false).
package esgf
# Fail closed: unless the rule below proves access, the decision is false.
default allow = false

# Access is granted only when both hold:
#   * the host parsed from input.resource is a member of allowed_hosts
#     (exact, case-sensitive string match), and
#   * no restricted-path `violation` rule fires for the requesting subject.
# NOTE(review): if no `violation` rule is rendered (empty restricted-path
# list), `violation` is an unbound name in this body and OPA is expected to
# reject the policy at compile time rather than evaluate it — confirm.
allow {
    count(violation) == 0
    allowed_hosts[resource_host]
}
# True when `name` is one of the groups listed for the subject in the input
# document. Membership is taken from input.subject.groups as supplied by the
# caller; nothing in this policy re-verifies those claims.
has_group(name) {
    name == input.subject.groups[_]
}
# Pattern splitting input.resource into [match, host, path]. It accepts an
# absolute http/https/ftp URL or a bare path starting with "/". The host group
# is everything between "://" and the first "/" or space, so any userinfo or
# port in the URL stays inside it and will not equal a plain allow-listed
# hostname; for a bare path the host group is the empty string.
resource_url_pattern := "^(?:(?:http|https|ftp):\/\/([^\/ ]*))?(\/.*)"

# All submatches for input.resource. The ^ anchor means at most one match is
# produced, so the `_` iteration below cannot yield conflicting values.
parts := regex.find_all_string_submatch_n(resource_url_pattern, input.resource, -1)

# Host and path components. Both are left undefined (and so `allow` falls back
# to its default of false) when input.resource is absent, not a string, or does
# not begin with a supported scheme or "/".
resource_host := parts[_][1]
resource_path := parts[_][2]
# Hosts this policy is willing to authorise. Membership is an exact,
# case-sensitive string compare against resource_host, so the rendered value
# must match the scheme-less host exactly as it appears in client requests
# (including any port, if clients send one).
allowed_hosts := {"{{ ansible_host }}"}
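# Check requested path against restricted paths
{# Each restricted path renders to one partial rule contributing its name to
   the `violation` set. Values are emitted through to_json so that quotes or
   backslashes in the Ansible variables yield a valid Rego string literal
   instead of a policy that fails to parse or means something else. #}
{% for restricted_path in opa_policy_restricted_paths %}
# Fires when the requested path matches the configured pattern and the subject
# lacks the required group. regex.match is not implicitly anchored: anchor the
# configured pattern (e.g. with a leading "^") so it cannot match a substring
# of an unrelated path.
violation[{{ restricted_path['name'] | to_json }}] {
    regex.match({{ restricted_path['path'] | to_json }}, resource_path)
    not has_group({{ restricted_path['group'] | to_json }})
}
{% endfor %}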