From bdf70df029578bfa3c1a4d6da272b9180e654ca9 Mon Sep 17 00:00:00 2001
From: Zoheb Shaikh <26975142+ZohebShaikh@users.noreply.github.com>
Date: Wed, 19 Nov 2025 10:46:23 +0000
Subject: [PATCH 1/7] ci: add policy to ignore admin lint error

---
 regal.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/regal.yaml b/regal.yaml
index 66127a62..3ef80da1 100644
--- a/regal.yaml
+++ b/regal.yaml
@@ -2,6 +2,8 @@ rules:
   idiomatic:
     no-defined-entrypoint:
       level: ignore
+    use-some-for-output-vars:
+      level: ignore
 
   imports:
     unresolved-reference:
From dc9ab8c8b5c59e1aecdf44228295655ee42cfe25 Mon Sep 17 00:00:00 2001
From: Zoheb Shaikh <26975142+ZohebShaikh@users.noreply.github.com>
Date: Wed, 19 Nov 2025 11:31:20 +0000
Subject: [PATCH 2/7] ci: update rust

---
 bundler/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bundler/Dockerfile b/bundler/Dockerfile
index bbe79c19..4764715e 100644
--- a/bundler/Dockerfile
+++ b/bundler/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/rust:1.84.1-bookworm AS build
+FROM docker.io/library/rust:1.91.1-bookworm AS build
 
 ARG DATABASE_URL
 
From 0e9837b7ef4ea16eb0bbb51d48e3c232ace49c29 Mon Sep 17 00:00:00 2001
From: Zoheb Shaikh <26975142+ZohebShaikh@users.noreply.github.com>
Date: Wed, 19 Nov 2025 12:21:10 +0000
Subject: [PATCH 3/7] fix: change is_admin from array to function

---
 .devcontainer/Dockerfile | 2 +-
 policy/diamond/policy/admin/admin.rego | 8 ++++++--
 policy/diamond/policy/admin/admin_test.rego | 6 +++---
 policy/diamond/policy/proposal/proposal.rego | 2 +-
 policy/diamond/policy/session/session.rego | 2 +-
 regal.yaml | 2 --
 6 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index e36fcab2..df8246f6 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/rust:1.84.1-bookworm
+FROM docker.io/library/rust:1.91.1-bookworm
 
 RUN rustup component add rustfmt clippy
 
diff --git a/policy/diamond/policy/admin/admin.rego b/policy/diamond/policy/admin/admin.rego
index b8ada554..c72601be 100644
--- a/policy/diamond/policy/admin/admin.rego
+++ b/policy/diamond/policy/admin/admin.rego
@@ -3,7 +3,11 @@ package diamond.policy.admin
 import data.diamond.policy.token
 import rego.v1
 
-is_admin[subject] := "super_admin" in data.diamond.data.subjects[subject].permissions
+default is_admin(_) := false
+
+is_admin(subject) if {
+	"super_admin" in data.diamond.data.subjects[subject].permissions
+}
 
 beamline_admin_for_subject[subject_name] contains beamline if {
 	some subject_name, subject in data.diamond.data.subjects
@@ -13,7 +17,7 @@ beamline_admin_for_subject[subject_name] contains beamline if {
 	some beamline in role_beamlines
 }
 
-admin := is_admin[token.claims.fedid] # regal ignore:rule-name-repeats-package
+admin := is_admin(token.claims.fedid) # regal ignore:rule-name-repeats-package
 
 beamline_admin := input.beamline in object.get(beamline_admin_for_subject, token.claims.fedid, [])
 
diff --git a/policy/diamond/policy/admin/admin_test.rego b/policy/diamond/policy/admin/admin_test.rego
index 6f9d2257..d28b2028 100644
--- a/policy/diamond/policy/admin/admin_test.rego
+++ b/policy/diamond/policy/admin/admin_test.rego
@@ -33,7 +33,7 @@ diamond_data := {
 }
 
 test_is_admin_for_admin if {
-	admin.is_admin.carol with data.diamond.data as diamond_data
+	admin.is_admin("carol") with data.diamond.data as diamond_data
 }
 
 test_beamline_admin_for_subject_for_beamline_admin if {
@@ -45,11 +45,11 @@ test_beamlines_admin_for_subject_for_group_admin if {
 }
 
 test_is_admin_for_non_admin if {
-	not admin.is_admin.alice with data.diamond.data as diamond_data
+	not admin.is_admin("alice") with data.diamond.data as diamond_data
 }
 
 test_is_admin_for_beamline_admin_not_admin if {
-	not admin.is_admin.bob with data.diamond.data as diamond_data
+	not admin.is_admin("bob") with data.diamond.data as diamond_data
 }
 
 test_beamline_admin_for_subject_for_non_beamline_admin if {
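Review bot: The new `is_admin(subject)` rule relies on the `default is_admin(_) := false` line above it to turn a failed lookup into false, so a subject absent from `data.diamond.data.subjects` is a non-admin rather than an undefined result; that is the right outcome for an authorization function, but nothing in the hunk says so. Suggest a comment above the default: `# Subjects absent from data.diamond.data.subjects are never admins: the default makes the lookup false instead of undefined.` Note that `admin := is_admin(token.claims.fedid)` in the second hunk is still undefined, not false, if the token carries no `fedid` claim, which matters if any caller compares `admin == false`.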
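Review bot: The updated admin tests only exercise subjects that exist in `diamond_data` (carol, alice, bob), so the default-false path of the new `is_admin` function for an unknown subject is not pinned anywhere. A single extra test would cover it: `test_is_admin_for_unknown_subject if { not admin.is_admin("nobody") with data.diamond.data as diamond_data }`. Without it, a later change that drops the default rule would still pass this suite.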
diff --git a/policy/diamond/policy/proposal/proposal.rego b/policy/diamond/policy/proposal/proposal.rego
index f3c28052..4595f77c 100644
--- a/policy/diamond/policy/proposal/proposal.rego
+++ b/policy/diamond/policy/proposal/proposal.rego
@@ -13,7 +13,7 @@ on_proposal(subject, proposal_number) if {
 default access_proposal(_, _) := false
 
 # Allow if subject has super_admin permission
-access_proposal(subject, proposal_number) if admin.is_admin[subject] # regal ignore:external-reference
+access_proposal(subject, proposal_number) if admin.is_admin(subject) # regal ignore:external-reference
 
 # Allow if subject is on proposal
 access_proposal(subject, proposal_number) if on_proposal(subject, proposal_number)
diff --git a/policy/diamond/policy/session/session.rego b/policy/diamond/policy/session/session.rego
index d3c49093..e8ee71e0 100644
--- a/policy/diamond/policy/session/session.rego
+++ b/policy/diamond/policy/session/session.rego
@@ -24,7 +24,7 @@ on_session(subject, proposal_number, visit_number) if {
 default access_session(_, _, _) := false
 
 # Allow if subject has super_admin permission
-access_session(subject, proposal_number, visit_number) if admin.is_admin[subject] # regal ignore:external-reference
+access_session(subject, proposal_number, visit_number) if admin.is_admin(subject) # regal ignore:external-reference
 
 # Allow if subject is admin for beamline containing session
 access_session(subject, proposal_number, visit_number) if {
diff --git a/regal.yaml b/regal.yaml
index 3ef80da1..66127a62 100644
--- a/regal.yaml
+++ b/regal.yaml
@@ -2,8 +2,6 @@ rules:
   idiomatic:
     no-defined-entrypoint:
       level: ignore
-    use-some-for-output-vars:
-      level: ignore
 
   imports:
     unresolved-reference:
From ce394eee529dcaf7675811601b7115302aefc885 Mon Sep 17 00:00:00 2001
From: Joseph Ware <53935796+DiamondJoseph@users.noreply.github.com> Date: Wed, 3 Dec 2025 14:43:00 +0000 Subject: [PATCH 4/7] feat(policy): add policies for Tiled authz --- policy/diamond/policy/session/session.rego | 9 +++ .../diamond/policy/session/session_test.rego | 70 +++++++++++++++++-- policy/diamond/policy/tiled/tiled.rego | 33 +++++++++ policy/diamond/policy/tiled/tiled_test.rego | 26 +++++++ 4 files changed, 133 insertions(+), 5 deletions(-) create mode 100644 policy/diamond/policy/tiled/tiled.rego create mode 100644 policy/diamond/policy/tiled/tiled_test.rego diff --git a/policy/diamond/policy/session/session.rego b/policy/diamond/policy/session/session.rego index e8ee71e0..c34a4b72 100644 --- a/policy/diamond/policy/session/session.rego +++ b/policy/diamond/policy/session/session.rego @@ -55,3 +55,12 @@ write_to_beamline_visit if { access matches_beamline } + +user_sessions contains user_session if { + some session in data.diamond.data.sessions + access_session(token.claims.fedid, session.proposal_number, session.visit_number) + user_session := sprintf( + `{"proposal": %d, "visit": %d, "beamline": "%s"}`, + [session.proposal_number, session.visit_number, session.beamline], + ) +} diff --git a/policy/diamond/policy/session/session_test.rego b/policy/diamond/policy/session/session_test.rego index c2b22b91..52607e69 100644 --- a/policy/diamond/policy/session/session_test.rego +++ b/policy/diamond/policy/session/session_test.rego @@ -20,6 +20,16 @@ diamond_data := { "proposals": [], "sessions": [], }, + "desmond": { + "permissions": [], + "proposals": [2], + "sessions": [13], + }, + "edna": { + "permissions": [], + "proposals": [2], + "sessions": [13, 14], + }, "oscar": { "permissions": [], "proposals": [], 
@@ -37,12 +47,28 @@ diamond_data := { "proposal_number": 1, "visit_number": 2, }, + "13": { + "beamline": "b07", + "proposal_number": 2, + "visit_number": 1, + }, + "14": { + "beamline": "b07", + "proposal_number": 2, + "visit_number": 2, + }, + }, + "proposals": { + "1": {"sessions": { + "1": 11, + "2": 12, + }}, + "2": {"sessions": { + "1": 13, + "2": 14, + }}, }, - "proposals": {"1": {"sessions": { - "1": 11, - "2": 12, - }}}, - "beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12]}}, + "beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12, 13, 14]}}, "admin": {"b07_admin": ["b07"]}, } 
@@ -181,3 +207,37 @@ test_session_beamline if { with data.diamond.data as diamond_data bl2 == "b07" } + +test_user_session_tags if { + session.user_sessions == set() with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "oscar"} + session.user_sessions == { + `{"proposal": 1, "visit": 2, "beamline": "b07"}`, + `{"proposal": 1, "visit": 1, "beamline": "i03"}`, + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "alice"} + session.user_sessions == { + `{"proposal": 1, "visit": 2, "beamline": "b07"}`, + `{"proposal": 1, "visit": 1, "beamline": "i03"}`, + `{"proposal": 2, "visit": 1, "beamline": "b07"}`, + `{"proposal": 2, "visit": 2, "beamline": "b07"}`, + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "bob"} + session.user_sessions == { + `{"proposal": 1, "visit": 2, "beamline": "b07"}`, + `{"proposal": 1, "visit": 1, "beamline": "i03"}`, + `{"proposal": 2, "visit": 1, "beamline": "b07"}`, + `{"proposal": 2, "visit": 2, "beamline": "b07"}`, + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "carol"} + session.user_sessions == { + `{"proposal": 2, "visit": 1, "beamline": "b07"}`, + `{"proposal": 2, "visit": 2, "beamline": "b07"}`, + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "desmond"} + session.user_sessions == { + `{"proposal": 2, "visit": 1, "beamline": "b07"}`, + `{"proposal": 2, "visit": 2, "beamline": "b07"}`, + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "edna"} +} diff --git a/policy/diamond/policy/tiled/tiled.rego b/policy/diamond/policy/tiled/tiled.rego new file mode 100644 index 00000000..c5972676 --- /dev/null +++ b/policy/diamond/policy/tiled/tiled.rego 
@@ -0,0 +1,33 @@
+package diamond.policy.tiled
+
+import data.diamond.policy.token
+
+read_scopes := {
+	"read:metadata",
+	"read:data",
+}
+
+write_scopes := {
+	"write:metadata",
+	"write:data",
+	"create",
+	"register",
+}
+
+scopes_for(claims) := read_scopes | write_scopes if {
+	"azp" in object.keys(claims)
+	endswith(claims.azp, "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+	"azp" in object.keys(claims)
+	not endswith(claims.azp, "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+	not "azp" in object.keys(claims)
+}
+
+default scopes := set()
+
+scopes := scopes_for(token.claims)
diff --git a/policy/diamond/policy/tiled/tiled_test.rego b/policy/diamond/policy/tiled/tiled_test.rego
new file mode 100644
index 00000000..38efaa13
--- /dev/null
+++ b/policy/diamond/policy/tiled/tiled_test.rego
@@ -0,0 +1,26 @@
+package diamond.policy.tiled_test
+
+import data.diamond.policy.tiled
+import data.diamond.policy.token
+import rego.v1
+
+test_default_no_scopes if {
+	tiled.scopes == set()
+}
+
+test_wrong_azp_read_scopes if {
+	tiled.scopes == tiled.read_scopes with token.claims as {}
+	tiled.scopes == tiled.read_scopes with token.claims as {"sub": "foo"}
+	tiled.scopes == tiled.read_scopes with token.claims as {"azp": "foo"}
+}
+
+test_blueapi_given_write_scopes if {
+	tiled.scopes == {
+		"read:metadata",
+		"read:data",
+		"write:metadata",
+		"write:data",
+		"create",
+		"register",
+	} with token.claims as {"azp": "foo-blueapi"}
+}
From 67a04cdcd8a067436416cddac8580d095c311d51 Mon Sep 17 00:00:00 2001
From: Joseph Ware <53935796+DiamondJoseph@users.noreply.github.com>
Date: Mon, 8 Dec 2025 15:48:07 +0000
Subject: [PATCH 5/7] Return session unformatted

---
 policy/diamond/policy/session/session.rego | 5 +---
 .../diamond/policy/session/session_test.rego | 28 +++++++++----------
 2 files changed, 15 insertions(+), 18 deletions(-)
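Review bot: The first `scopes_for` rule grants `write_scopes` purely because the `azp` claim ends in `-blueapi`, so every client whose ID carries that suffix, and anyone able to register such a client with the identity provider, receives `write:*`, `create` and `register` on Tiled; whether that is acceptable depends on who controls client registration, which is not visible here. At minimum the assumption should be stated above the rule, e.g. `# Trusts the IdP to reserve the "-blueapi" client-id suffix for BlueAPI deployments; any client registered with that suffix gets write scopes.` An explicit allow-list of client IDs held in data would be the tighter check if registration is not locked down. Separately, admin.rego and the new tiled_test.rego both `import rego.v1` while tiled.rego does not (nor does the `user_sessions` rule PATCH 6 adds to it); on an OPA release before 1.0 the `if` keyword used by `scopes_for` will not parse without it, so `import rego.v1` keeps the package consistent with its siblings.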
diff --git a/policy/diamond/policy/session/session.rego b/policy/diamond/policy/session/session.rego
index c34a4b72..79b57540 100644
--- a/policy/diamond/policy/session/session.rego
+++ b/policy/diamond/policy/session/session.rego
@@ -59,8 +59,5 @@ write_to_beamline_visit if {
 user_sessions contains user_session if {
 	some session in data.diamond.data.sessions
 	access_session(token.claims.fedid, session.proposal_number, session.visit_number)
-	user_session := sprintf(
-		`{"proposal": %d, "visit": %d, "beamline": "%s"}`,
-		[session.proposal_number, session.visit_number, session.beamline],
-	)
+	user_session := sprintf("%s", [session])
 }
diff --git a/policy/diamond/policy/session/session_test.rego b/policy/diamond/policy/session/session_test.rego
index 52607e69..98f65c81 100644
--- a/policy/diamond/policy/session/session_test.rego
+++ b/policy/diamond/policy/session/session_test.rego
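Review bot: `user_session := sprintf("%s", [session])` now depends on how the OPA engine prints an object term, which is what the updated session_test expects (`{"beamline": "b07", "proposal_number": 1, "visit_number": 2}`, with the key order and `: `/`, ` spacing chosen by the engine) rather than on a documented serialization. If any consumer parses these tags, `user_session := json.marshal(session)` gives a stable JSON string; if none does, emitting the object itself (`user_sessions contains session if { ... }`) avoids formatting altogether and lets callers read the fields directly. The same expression is carried into tiled.rego by PATCH 6, so whichever form is chosen applies there too.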
@@ -212,32 +212,32 @@ test_user_session_tags if { session.user_sessions == set() with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "oscar"} session.user_sessions == { - `{"proposal": 1, "visit": 2, "beamline": "b07"}`, - `{"proposal": 1, "visit": 1, "beamline": "i03"}`, + "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", + "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", } with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "alice"} session.user_sessions == { - `{"proposal": 1, "visit": 2, "beamline": "b07"}`, - `{"proposal": 1, "visit": 1, "beamline": "i03"}`, - `{"proposal": 2, "visit": 1, "beamline": "b07"}`, - `{"proposal": 2, "visit": 2, "beamline": "b07"}`, + "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", + "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", } with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "bob"} session.user_sessions == { - `{"proposal": 1, "visit": 2, "beamline": "b07"}`, - `{"proposal": 1, "visit": 1, "beamline": "i03"}`, - `{"proposal": 2, "visit": 1, "beamline": "b07"}`, - `{"proposal": 2, "visit": 2, "beamline": "b07"}`, + "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", + "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", } with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "carol"} session.user_sessions == { - `{"proposal": 2, "visit": 1, "beamline": "b07"}`, - `{"proposal": 2, "visit": 2, "beamline": "b07"}`, + "{\"beamline\": \"b07\", 
\"proposal_number\": 2, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", } with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "desmond"} session.user_sessions == { - `{"proposal": 2, "visit": 1, "beamline": "b07"}`, - `{"proposal": 2, "visit": 2, "beamline": "b07"}`, + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", } with data.diamond.data as diamond_data with data.diamond.policy.token.claims as {"fedid": "edna"} } From 15a31ed4245ce123c0af00226a0932db7ded9b81 Mon Sep 17 00:00:00 2001 From: Joseph Ware <53935796+DiamondJoseph@users.noreply.github.com> Date: Wed, 10 Dec 2025 11:44:25 +0000 Subject: [PATCH 6/7] Extract Tiled specific policy --- policy/diamond/policy/session/session.rego | 6 - .../diamond/policy/session/session_test.rego | 70 +----------- policy/diamond/policy/tiled/tiled.rego | 7 ++ policy/diamond/policy/tiled/tiled_test.rego | 103 ++++++++++++++++++ 4 files changed, 115 insertions(+), 71 deletions(-) diff --git a/policy/diamond/policy/session/session.rego b/policy/diamond/policy/session/session.rego index 79b57540..e8ee71e0 100644 --- a/policy/diamond/policy/session/session.rego +++ b/policy/diamond/policy/session/session.rego @@ -55,9 +55,3 @@ write_to_beamline_visit if { access matches_beamline } - -user_sessions contains user_session if { - some session in data.diamond.data.sessions - access_session(token.claims.fedid, session.proposal_number, session.visit_number) - user_session := sprintf("%s", [session]) -} diff --git a/policy/diamond/policy/session/session_test.rego b/policy/diamond/policy/session/session_test.rego index 98f65c81..c2b22b91 100644 --- a/policy/diamond/policy/session/session_test.rego +++ b/policy/diamond/policy/session/session_test.rego 
@@ -20,16 +20,6 @@ diamond_data := { "proposals": [], "sessions": [], }, - "desmond": { - "permissions": [], - "proposals": [2], - "sessions": [13], - }, - "edna": { - "permissions": [], - "proposals": [2], - "sessions": [13, 14], - }, "oscar": { "permissions": [], "proposals": [], @@ -47,28 +37,12 @@ diamond_data := { "proposal_number": 1, "visit_number": 2, }, - "13": { - "beamline": "b07", - "proposal_number": 2, - "visit_number": 1, - }, - "14": { - "beamline": "b07", - "proposal_number": 2, - "visit_number": 2, - }, - }, - "proposals": { - "1": {"sessions": { - "1": 11, - "2": 12, - }}, - "2": {"sessions": { - "1": 13, - "2": 14, - }}, }, - "beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12, 13, 14]}}, + "proposals": {"1": {"sessions": { + "1": 11, + "2": 12, + }}}, + "beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12]}}, "admin": {"b07_admin": ["b07"]}, } 
@@ -207,37 +181,3 @@ test_session_beamline if { with data.diamond.data as diamond_data bl2 == "b07" } - -test_user_session_tags if { - session.user_sessions == set() with data.diamond.data as diamond_data - with data.diamond.policy.token.claims as {"fedid": "oscar"} - session.user_sessions == { - "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", - "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", - } with data.diamond.data as diamond_data - with data.diamond.policy.token.claims as {"fedid": "alice"} - session.user_sessions == { - "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", - "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", - "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", - "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", - } with data.diamond.data as diamond_data - with data.diamond.policy.token.claims as {"fedid": "bob"} - session.user_sessions == { - "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", - "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", - "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", - "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", - } with data.diamond.data as diamond_data - with data.diamond.policy.token.claims as {"fedid": "carol"} - session.user_sessions == { - "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", - "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", - } with data.diamond.data as diamond_data - with data.diamond.policy.token.claims as {"fedid": "desmond"} - session.user_sessions == { - "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", - "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", - } with data.diamond.data as diamond_data - with data.diamond.policy.token.claims as {"fedid": "edna"} -} 
diff --git a/policy/diamond/policy/tiled/tiled.rego b/policy/diamond/policy/tiled/tiled.rego
index c5972676..7fcf29fd 100644
--- a/policy/diamond/policy/tiled/tiled.rego
+++ b/policy/diamond/policy/tiled/tiled.rego
@@ -1,6 +1,7 @@
 package diamond.policy.tiled
 
 import data.diamond.policy.token
+import data.diamond.policy.session.access_session
 
 read_scopes := {
 	"read:metadata",
@@ -31,3 +32,9 @@ scopes_for(claims) := read_scopes if {
 default scopes := set()
 
 scopes := scopes_for(token.claims)
+
+user_sessions contains user_session if {
+	some session in data.diamond.data.sessions
+	access_session(token.claims.fedid, session.proposal_number, session.visit_number)
+	user_session := sprintf("%s", [session])
+}
diff --git a/policy/diamond/policy/tiled/tiled_test.rego b/policy/diamond/policy/tiled/tiled_test.rego
index 38efaa13..bbbbe100 100644
--- a/policy/diamond/policy/tiled/tiled_test.rego
+++ b/policy/diamond/policy/tiled/tiled_test.rego
@@ -24,3 +24,106 @@ test_blueapi_given_write_scopes if { "register", } with token.claims as {"azp": "foo-blueapi"} } + +diamond_data := { + "subjects": { + "alice": { + "permissions": [], + "proposals": [1], + "sessions": [], + }, + "bob": { + "permissions": ["b07_admin"], + "proposals": [], + "sessions": [11], + }, + "carol": { + "permissions": ["super_admin"], + "proposals": [], + "sessions": [], + }, + "desmond": { + "permissions": [], + "proposals": [2], + "sessions": [13], + }, + "edna": { + "permissions": [], + "proposals": [2], + "sessions": [13, 14], + }, + "oscar": { + "permissions": [], + "proposals": [], + "sessions": [], + }, + }, + "sessions": { + "11": { + "beamline": "i03", + "proposal_number": 1, + "visit_number": 1, + }, + "12": { + "beamline": "b07", + "proposal_number": 1, + "visit_number": 2, + }, + "13": { + "beamline": "b07", + "proposal_number": 2, + "visit_number": 1, + }, + "14": { + "beamline": "b07", + "proposal_number": 2, + "visit_number": 2, + }, + }, + "proposals": { + "1": {"sessions": { + "1": 11, + "2": 12, + }}, + "2": {"sessions": { + "1": 13, + "2": 14, + }}, + }, + "beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12, 13, 14]}}, + "admin": {"b07_admin": ["b07"]}, +} + +test_user_session_tags if { + tiled.user_sessions == set() with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "oscar"} + tiled.user_sessions == { + "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", + "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "alice"} + tiled.user_sessions == { + "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", + "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 
2}", + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "bob"} + tiled.user_sessions == { + "{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}", + "{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "carol"} + tiled.user_sessions == { + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "desmond"} + tiled.user_sessions == { + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}", + "{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}", + } with data.diamond.data as diamond_data + with data.diamond.policy.token.claims as {"fedid": "edna"} +} From 7397c94dec93ae6efd7e01075ada3eb2436968e0 Mon Sep 17 00:00:00 2001 From: Joseph Ware <53935796+DiamondJoseph@users.noreply.github.com> Date: Wed, 10 Dec 2025 12:10:47 +0000 Subject: [PATCH 7/7] Apply formatting --- policy/diamond/policy/tiled/tiled.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/diamond/policy/tiled/tiled.rego b/policy/diamond/policy/tiled/tiled.rego index 7fcf29fd..9ff350de 100644 --- a/policy/diamond/policy/tiled/tiled.rego +++ b/policy/diamond/policy/tiled/tiled.rego @@ -1,7 +1,7 @@ package diamond.policy.tiled -import data.diamond.policy.token import data.diamond.policy.session.access_session +import data.diamond.policy.token read_scopes := { "read:metadata",
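Review bot: The `diamond_data` fixture added to tiled_test.rego appears to be a copy of the one in session_test.rego, extended with the desmond, edna, session 13/14 and proposal 2 entries that PATCH 6 removes from that file, so the two test packages will drift the next time either fixture is edited. Since `tiled.user_sessions` is a thin wrapper over `session.access_session`, keeping one fixture in a shared test-data package and importing it from both tests would make the coverage of the access rules and of the tag format come from the same data. The `test_user_session_tags` rule ends at the closing `}` before the PATCH 7 header.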