commit f69b047ec0e9133cf80a9031ba057b80e8e09b80
author Sean Condon <sean@opennetworking.org> Tue Jan 11 14:10:45 2022 +0000
committer Sean Condon <sean@opennetworking.org> Tue Jan 11 18:04:35 2022 +0000
tree 5916c16537cd5e42d546a002b3bed100bd9c4c3c
parent e35e683b0a01071ab216ff0b42e7999c3a8efbca

Adding REGO rules for new Aether 2.0.0 models

Change-Id: I9bd02b22f7a9704262c1c7c2544ab0e1772aa2cb

aether-roc-umbrella/files/opa-rbac/aether-2.0.0.rego

diff --git a/aether-roc-umbrella/files/opa-rbac/aether-2.0.0.rego b/aether-roc-umbrella/files/opa-rbac/aether-2.0.0.rego
new file mode 100644
index 0000000..247a974
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/aether-2.0.0.rego
@@ -0,0 +1,127 @@
+# SPDX-FileCopyrightText: 2022-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+package aether_2_0_0
+
+echo[config] {
+    config := input
+}
+
+allowed[config] {
+    application := applications # refer to rule below
+    connectivity_service := connectivityservices
+    device_group := devicegroups
+    enterprise := enterprises
+    ip_domain := ip_domains
+    site := sites
+    template := templates
+    traffic_class := trafficclasses
+    upf := upfs
+    vcs := vcss
+    config := {
+        "application": {
+            "application": [
+                application
+            ]
+        },
+        "connectivity-service": {
+            "connectivity-service": [
+                connectivity_service
+            ]
+        },
+        "device-group": {
+            "device-group": [
+                device_group
+            ]
+        },
+        "enterprise": {
+            "enterprise": [
+                enterprise
+            ]
+        },
+        "ip-domain": {
+            "ip-domain": [
+                ip_domain
+            ]
+        },
+        "site": {
+            "site": [
+                site
+            ]
+        },
+        "template": {
+            "template": [
+                template
+            ]
+        },
+        "traffic-class": {
+            "traffic-class": {
+                traffic_class
+            }
+        },
+        "upf": {
+            "upf": [
+                upf
+            ]
+        },
+        "vcs": {
+            "vcs": [
+                vcs
+            ]
+        }
+    }
+}
+
+applications[application] {
+    application := input.application.application[_]
+    ["AetherROCAdmin", application.enterprise][_] == input.groups[i]
+}
+
+connectivityservices[connectivity_service] {
+    connectivity_service := input.connectivity_service.connectivity_service[_]
+}
+
+devicegroups[device_group] {
+    device_group := input.device_group.device_group[_]
+    site := sites
+    device_group.site == site[_].id # allow only the device_groups of a known site
+}
+
+enterprises[enterprise] {
+    enterprise := input.enterprise.enterprise[_]
+    ["AetherROCAdmin", enterprise.id][_] == input.groups[i]
+}
+
+ip_domains[ip_domain] {
+    ip_domain := input.ip_domain.ip_domain[_]
+    ["AetherROCAdmin", ip_domain.enterprise][_] == input.groups[i]
+}
+
+sites[site] {
+    site := input.site.site[_]
+    ["AetherROCAdmin", site.enterprise][_] == input.groups[i]
+}
+
+templates[template] {
+    template := input.template.template[_]
+}
+
+trafficclasses[traffic_class] {
+    traffic_class := input.traffic_class.traffic_class[_]
+}
+
+upfs[upf] {
+    upf := input.upf.upf[_]
+    ["AetherROCAdmin", upf.enterprise][_] == input.groups[i]
+}
+
+vcss[vcs] {
+    vcs := input.vcs.vcs[_]
+    ["AetherROCAdmin", vcs.enterprise][_] == input.groups[i]
+}
+
+can_update_enterprise = true {
+    update_enterprise := input.updates.enterprise.enterprise[_]
+    ["AetherROCAdmin", update_enterprise.id][_] == input.groups[i]
+}