From 013514db471a8ca870b1a4df4d32a066ec625452 Mon Sep 17 00:00:00 2001
From: Zoheb Shaikh <26975142+ZohebShaikh@users.noreply.github.com>
Date: Wed, 19 Nov 2025 09:43:56 +0000
Subject: [PATCH] feat: add policy to get sessions for a given subject

---
 .../subject_session/subject_session.rego | 58 ++++++++++++++
 .../subject_session/subject_session_test.rego | 80 +++++++++++++++++++
 2 files changed, 138 insertions(+)
 create mode 100644 policy/diamond/policy/subject_session/subject_session.rego
 create mode 100644 policy/diamond/policy/subject_session/subject_session_test.rego

diff --git a/policy/diamond/policy/subject_session/subject_session.rego b/policy/diamond/policy/subject_session/subject_session.rego
new file mode 100644
index 00000000..ab8e93f9
--- /dev/null
+++ b/policy/diamond/policy/subject_session/subject_session.rego
@@ -0,0 +1,58 @@
+package diamond.policy.subject_session
+
+import data.diamond.policy.admin
+import data.diamond.policy.token
+import rego.v1
+
+beamlines contains beamline if {
+ some p in data.diamond.data.subjects[token.claims.fedid].permissions
+ some beamline in object.get(data.diamond.data.admin, p, [])
+}
+
+tags contains to_number(tag) if {
+ "super_admin" in data.diamond.data.subjects[token.claims.fedid].permissions
+ some tag in object.keys(data.diamond.data.sessions)
+}
+
+tags contains to_number(tag) if {
+ some tag in data.diamond.data.subjects[token.claims.fedid].sessions
+}
+
+tags contains to_number(tag) if {
+ some beamline in beamlines
+ some tag in data.diamond.data.beamlines[beamline].sessions
+}
+
+read_scopes := {
+ "read:metadata",
+ "read:data",
+}
+
+all_scopes := {
+ "read:metadata",
+ "read:data",
+ "write:metadata",
+ "write:data",
+ "delete:revision",
+ "delete:node",
+ "create",
+ "register",
+}
+
+scopes contains scope if {
+ "blueapi" in token.claims.aud
+ some scope in all_scopes
+}
+
+scopes contains scope if {
+ some scope in read_scopes
+}
+
+default allow := false
+
+# Allow to modify and create tiled node if the sessions are accessible to the user
+allow if {
+ every tag in input.access_blob.tags {
+ to_number(tag) in tags
+ }
+}
diff --git a/policy/diamond/policy/subject_session/subject_session_test.rego b/policy/diamond/policy/subject_session/subject_session_test.rego
new file mode 100644
index 00000000..57f49bee
--- /dev/null
+++ b/policy/diamond/policy/subject_session/subject_session_test.rego
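Review bot: `allow` is vacuously true when `input.access_blob.tags` is an empty array, because `every` over an empty collection succeeds, so a blob carrying no tags is granted to any subject that reaches this rule regardless of its sessions; if an untagged blob is not meant to be open, add `count(input.access_blob.tags) > 0` as the first line of the `allow` body (an undefined `tags` already falls to the `default allow := false`). Separately, `import data.diamond.policy.admin` is never referenced — the rules read `data.diamond.data.admin` directly — and strict `opa check` reports unused imports. The membership test `"blueapi" in token.claims.aud` assumes `aud` is an array; a token whose `aud` is a plain string, which JWT permits, would fall through to `read_scopes` only, which is fail-closed but worth stating next to the rule, e.g. `# aud is expected to be an array; a string or missing aud yields read scopes only`.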
@@ -0,0 +1,80 @@
+package diamond.policy.subject_session_test
+
+import data.diamond.policy.subject_session
+
+import rego.v1
+
+diamond_data := {
+ "subjects": {
+ "alice": {
+ "permissions": [],
+ "proposals": [1],
+ "sessions": [1, 2],
+ },
+ "carol": {
+ "permissions": ["super_admin"],
+ "proposals": [],
+ "sessions": [],
+ },
+ "oscar": {
+ "permissions": ["b07_admin"],
+ "proposals": [],
+ "sessions": [],
+ },
+ },
+ "sessions": {
+ "11": {
+ "beamline": "i03",
+ "proposal_number": 1,
+ "visit_number": 1,
+ },
+ "12": {
+ "beamline": "b07",
+ "proposal_number": 1,
+ "visit_number": 2,
+ },
+ },
+ "proposals": {"1": {"sessions": {
+ "1": 11,
+ "2": 12,
+ }}},
+ "beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12]}},
+ "admin": {"b07_admin": ["b07"]},
+}
+
+test_tags_for_super_admin if {
+ subject_session.tags == {11, 12} with data.diamond.data as diamond_data
+ with data.diamond.policy.token.claims as {"fedid": "carol"}
+}
+
+test_tags_form_subject_sessions if {
+ subject_session.tags == {1, 2} with data.diamond.data as diamond_data
+ with data.diamond.policy.token.claims as {"fedid": "alice"}
+}
+
+test_tags_from_subject_beamline_permissions if {
+ subject_session.tags == {12} with data.diamond.data as diamond_data
+ with data.diamond.policy.token.claims as {"fedid": "oscar"}
+}
+
+test_scopes_for_subject if {
+ subject_session.scopes == subject_session.read_scopes with data.diamond.data as diamond_data
+ with data.diamond.policy.token.claims as {"fedid": "oscar"}
+}
+
+test_scopes_for_subject_all_scopes_if_blueapi if {
+ subject_session.scopes == subject_session.all_scopes with data.diamond.data as diamond_data
+ with data.diamond.policy.token.claims as {"fedid": "oscar", "aud": ["blueapi"]}
+}
+
+test_allow if {
+ subject_session.allow with data.diamond.data as diamond_data
+ with data.diamond.policy.token.claims as {"fedid": "carol"}
+ with input as {"access_blob": {"tags": ["11", "12"]}}
+}
+
+test_allow_denied if {
+ not subject_session.allow with data.diamond.data as diamond_data
+ with data.diamond.policy.token.claims as {"fedid": "carol"}
+ with input as {"access_blob": {"tags": ["1"]}}
+}
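Review bot: The tests never exercise the empty-tags case, although `allow` currently succeeds for any subject when `input.access_blob.tags` is `[]` because `every` over an empty collection is vacuously true; a test pinning the intended decision, such as `not subject_session.allow with input as {"access_blob": {"tags": []}}` under carol's claims (or the positive form if untagged blobs are meant to be open), would document it. There is also no case for a `fedid` absent from `subjects`, for a token with no `aud`, or for an `aud` given as a plain string rather than an array, all of which the policy handles by falling through to read scopes or `default allow := false` and deserve a pinned expectation. The name `test_tags_form_subject_sessions` looks like a typo for `test_tags_from_subject_sessions`, matching the neighbouring test names.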