add auth functionality

policies/data.yaml

@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: data
+  version: default
+  rules:
+    - actions:
+        - create
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+    - actions:
+        - read
+      effect: EFFECT_ALLOW
+      roles:
+        - user
+        - admin
+        - thirdParty
+    - actions:
+        - update
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+    - actions:
+        - delete
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+
+    # This is an example of using conditions for attribute-based access control
+    # The action is only allowed if the principal ID matches the ownerId attribute
+    # - actions: 
+    #    - someAction
+    #   effect: EFFECT_ALLOW
+    #   roles:
+    #     - user 
+    #   condition:
+    #     match:
+    #       expr: request.resource.attr.ownerId == request.principal.id

policies/data_test.yaml

@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/TestSuite.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/compile#testing
+
+name: dataTestSuite
+description: Tests for verifying the data resource policy
+tests:
+  - name: data actions
+    input:
+      principals:
+        - user#1
+        - admin#2
+        - thirdParty#3
+      resources:
+        - data#1
+      actions:
+        - create
+        - read
+        - update
+        - delete
+    expected:
+      - resource: data#1
+        principal: user#1
+        actions:
+          create: EFFECT_DENY
+          read: EFFECT_ALLOW
+          update: EFFECT_DENY
+          delete: EFFECT_DENY
+      - resource: data#1
+        principal: admin#2
+        actions:
+          create: EFFECT_ALLOW
+          read: EFFECT_ALLOW
+          update: EFFECT_ALLOW
+          delete: EFFECT_ALLOW
+      - resource: data#1
+        principal: thirdParty#3
+        actions:
+          create: EFFECT_DENY
+          read: EFFECT_ALLOW
+          update: EFFECT_DENY
+          delete: EFFECT_DENY

policies/privateData.yaml

@@ -0,0 +1,40 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: privateData
+  version: default
+  rules:
+    - actions:
+        - create
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+    - actions:
+        - read
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+        - user
+    - actions:
+        - update
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+    - actions:
+        - delete
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+
+    # This is an example of using conditions for attribute-based access control
+    # The action is only allowed if the principal ID matches the ownerId attribute
+    # - actions: 
+    #    - someAction
+    #   effect: EFFECT_ALLOW
+    #   roles:
+    #     - admin 
+    #   condition:
+    #     match:
+    #       expr: request.resource.attr.ownerId == request.principal.id

policies/privateData_test.yaml

@@ -0,0 +1,40 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: privateData
+  version: default
+  rules:
+    - actions:
+        - create
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+    - actions:
+        - read
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+        - user
+    - actions:
+        - update
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+    - actions:
+        - delete
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+
+    # This is an example of using conditions for attribute-based access control
+    # The action is only allowed if the principal ID matches the ownerId attribute
+    # - actions: 
+    #    - someAction
+    #   effect: EFFECT_ALLOW
+    #   roles:
+    #     - admin 
+    #   condition:
+    #     match:
+    #       expr: request.resource.attr.ownerId == request.principal.id

policies/testdata/principals.yaml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/TestFixture/Principals.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/compile#_sharing_test_fixtures
+
+principals:
+  user#1:
+    id: user#1
+    roles:
+      - user
+    attr: {}
+  admin#2:
+    id: admin#2
+    roles:
+      - admin
+    attr: {}
+  thirdParty#3:
+    id: thirdParty#3
+    roles:
+      - thirdParty
+    attr: {}

policies/testdata/resources.yaml

@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/TestFixture/Resources.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/compile#_sharing_test_fixtures
+
+resources:
+  data#1:
+    id: data#1
+    kind: data
+    attr: {}
+  privateData#2:
+    id: privateData#2
+    kind: privateData
+    attr: {}