
Commit 856a933

Add rego comments
1 parent fae3314 commit 856a933


1 file changed

+14
-5
lines changed


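--- a/coderd/authz/policy.rego
+++ b/coderd/authz/policy.rego
@@ -2,8 +2,10 @@ package authz
 import future.keywords.in
 import future.keywords.every
 
-# https://play.openpolicyagent.org/p/Jlzq5gIjkd
-# grant_allow: https://play.openpolicyagent.org/p/9wpE9x6Tg2
+# A great playground: https://play.openpolicyagent.org/
+# TODO: Add debug instructions to do in the cli. Running really short on time, the
+# playground is sufficient for now imo. In the future we can provide a tidy bash
+# script for running this against predefined input.
 
 # bool_flip lets you assign a value to an inverted bool.
 # You cannot do 'x := !false', but you can do 'x := bool_flip(false)'
@@ -38,8 +40,10 @@ perms_grant(permissions) = grants {
 # result is the default value.
 default site = {}
 site = grant {
-# Boolean set for all site wide permissions
-grant = { v |
+# Boolean set for all site wide permissions.
+grant = { v | # Use set comprehension to remove dulpicate values
+# For each role, grab the site permission.
+# Find the grants on this permission list.
 v = perms_grant(input.subject.roles[_].site)[_]
 }
 }
@@ -49,13 +53,16 @@ user = grant {
 # Only apply user permissions if the user owns the resource
 input.object.owner != ""
 input.object.owner == input.subject.id
-grant = { v |
+grant = { v | # Use set comprehension to remove dulpicate values
+# For each role, grab the user permissions.
+# Find the grants on this permission list.
 v = perms_grant(input.subject.roles[_].user)[_]
 }
 }
 
 # Organizations are more complex. If the user has no roles that specifically indicate the org_id of the object,
 # then we want to block the action. This is because that means the user is not a member of the org.
+# A non-member cannot access any org resources.
 
 # org_member returns the set of permissions associated with a user if the user is a member of the
 # organization
@@ -94,6 +101,8 @@ org = set {
 
 # The allow block is quite simple. Any set with `false` cascades down in levels.
 # Authorization looks for any `allow` statement that is true. Multiple can be true!
+# Note that the absense of `allow` means "unauthorized".
+# An explicit `"allow": true` is required.
 
 # site allow
 allow {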
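Review bot: The new comments in the `site` and `user` set comprehensions and in the allow note carry typos — `dulpicate` should read `duplicate` (both occurrences) and `absense` should read `absence`. The allow note is the security-relevant one and deserves to be precise: in Rego a rule whose body never matches leaves `allow` undefined rather than `false`, so the Go caller has to test for an explicit `true` and must not treat "not false" as authorized; suggest `# When no allow rule matches, allow is undefined (not false). Callers must treat anything other than an explicit true as deny.` The header TODO reads as a personal aside ("Running really short on time ... imo") and would be better as a neutral task, e.g. `# TODO: add CLI debug instructions or a script to evaluate this policy against fixture inputs; the OPA playground suffices for now.` The `org` rule and the `allow` rules continue outside these hunks, so whether the caller already performs the explicit-true check cannot be confirmed from this diff.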
