docs: finished opa example

examples/postgres-keycloak-opa/example.py

@@ -112,6 +112,26 @@ class Pets(Base):
     deleted = sqlalchemy.Column(sqlalchemy.Boolean)
 
 
+class PetsAccess(Base):
+    __tablename__ = "petsaccess"
+    pet_id = sqlalchemy.Column(sqlalchemy.Integer, primary_key=True)
+    type = sqlalchemy.Column(sqlalchemy.String)
+    userlist_id = sqlalchemy.Column(sqlalchemy.Integer)
+    grouplist_id = sqlalchemy.Column(sqlalchemy.Integer)
+
+
+class PetsAccessUsers(Base):
+    __tablename__ = "petsaccessuserlist"
+    userlist_id = sqlalchemy.Column(sqlalchemy.Integer, primary_key=True)
+    user_id = sqlalchemy.Column(sqlalchemy.String, primary_key=True)
+
+
+class PetsAccessGroups(Base):
+    __tablename__ = "petsaccessgrouplist"
+    grouplist_id = sqlalchemy.Column(sqlalchemy.Integer, primary_key=True)
+    group_id = sqlalchemy.Column(sqlalchemy.String, primary_key=True)
+
+
 Base.metadata.create_all(engine)
 SLocal = sessionmaker(bind=engine)
 db = SLocal()
@@ -231,6 +251,12 @@ class Pets(Base):
 for pet in db.query(Pets).all():
     print(pet.__dict__)
 
+print(
+    requests.post(
+        "http://localhost:10000/permissionapply",
+        json={"username": user, "sql": str(db.query(Pets))},
+    ).json()
+)
 
 # What if admin user is a killer?
 admin.group_user_add(

examples/postgres-keycloak-opa/policies/pets.rego

@@ -44,30 +44,28 @@ allowed if {
 	not is_pet_hidden
 }
 
-# allowed if {
-# 	data.tables.pets.pet_id = data.tables.petsaccess.pet_id
-# 	data.tables.petsaccess.type = "public"
-# }
-
-# allowed if {
-# 	data.tables.pets.pet_id = data.tables.petsaccess.pet_id
-# 	data.tables.petsaccess.type = "logged_in"
-# 	input.userinfo
-# }
-
-# allowed if {
-# 	data.tables.pets.pet_id = data.tables.petsaccess.pet_id
-# 	data.tables.petsaccess.type = "userlist"
-# 	data.tables.petsaccess.userlist_id = data.tables.petsacessuserlist.userlist_id
-# 	data.tables.petsacessuserlist.user_id = input.userinfo.preferred_username
-# }
-
-# allowed if {
-# 	data.tables.pets.pet_id = data.tables.petsaccess.pet_id
-# 	data.tables.petsaccess.type = "grouplist"
-# 	data.tables.petsaccess.grouplist_id = data.tables.petsacessgrouplist.grouplist_id
-# 	some data.tables.petsacessgrouplist.group_id in input.userinfo.groups
-# }
+allowed if {
+	data.tables.pets.id = data.tables.petsaccess.pet_id
+	data.tables.petsaccess.type = "public"
+}
+
+allowed if {
+	data.tables.pets.id = data.tables.petsaccess.pet_id
+	data.tables.petsaccess.type = "logged_in"
+	input.userinfo
+}
+
+allowed if {
+	data.tables.pets.id = data.tables.petsaccess.pet_id
+	data.tables.petsaccess.type = "userlist"
+	data.tables.petsaccess.userlist_id = data.tables.petsaccessuserlist.userlist_id
+}
+
+allowed if {
+	data.tables.pets.id = data.tables.petsaccess.pet_id
+	data.tables.petsaccess.type = "grouplist"
+	data.tables.petsaccess.grouplist_id = data.tables.petsaccessgrouplist.grouplist_id
+}
 
 is_pet_killer if {
 	"killer" in input.userinfo.groups

examples/postgres-keycloak-opa/policies/petsaccess.rego

@@ -0,0 +1,9 @@
+package petsaccess
+
+import rego.v1
+
+default allow := false
+
+allow if {
+	input.userinfo
+}

examples/postgres-keycloak-opa/policies/petsaccessgrouplist.rego

@@ -0,0 +1,14 @@
+package petsaccessgrouplist
+
+import rego.v1
+
+default allow := false
+
+allow if {
+	"admin" in input.userinfo.groups
+}
+
+allow if {
+	input.userinfo
+	some data.tables.petsaccessgrouplist.group_id in input.userinfo.groups
+}

examples/postgres-keycloak-opa/policies/petsaccessuserlist.rego

@@ -0,0 +1,14 @@
+package petsaccessuserlist
+
+import rego.v1
+
+default allow := false
+
+allow if {
+	"admin" in input.userinfo.groups
+}
+
+allow if {
+	input.userinfo
+	data.tables.petsaccessuserlist.user_id = input.userinfo.preferred_username
+}