From 519afb2b11bfb1219ae20726a5b4f0390073b294 Mon Sep 17 00:00:00 2001
From: Jeff Chao
Date: Thu, 11 Jan 2024 18:03:00 -0800
Subject: [PATCH] Replace `in_group` with `member_of`.
---
src/abbey/functions/in_group.rego | 11 -----
src/abbey/functions/in_group_test.rego | 11 -----
src/abbey/functions/member_of.rego | 26 ++++++++++++
src/abbey/functions/member_of_test.rego | 53 +++++++++++++++++++++++++
4 files changed, 79 insertions(+), 22 deletions(-)
delete mode 100644 src/abbey/functions/in_group.rego
delete mode 100644 src/abbey/functions/in_group_test.rego
create mode 100644 src/abbey/functions/member_of.rego
create mode 100644 src/abbey/functions/member_of_test.rego
diff --git a/src/abbey/functions/in_group.rego b/src/abbey/functions/in_group.rego
deleted file mode 100644
index 0404df9..0000000
--- a/src/abbey/functions/in_group.rego
+++ /dev/null
@@ -1,11 +0,0 @@
-package abbey.functions
-
-import future.keywords.if
-import future.keywords.in
-
-# Function which checks whether a user is in a given group.
-# Groups are kept within an object called group_memberships in the
-# system.abbey object
-in_group(group_name) := true if {
-group_name in data.system.abbey.group_memberships
-}
diff --git a/src/abbey/functions/in_group_test.rego b/src/abbey/functions/in_group_test.rego
deleted file mode 100644
index 408059d..0000000
--- a/src/abbey/functions/in_group_test.rego
+++ /dev/null
@@ -1,11 +0,0 @@
-package abbey.functions
-
-import future.keywords.if
-
-test_in_group_engineering if {
-in_group("Engineering") with data.system.abbey.group_memberships as ["Engineering", "R&D"]
-}
-
-test_not_in_group_marketing if {
-not in_group("Marketing") with data.system.abbey.group_memberships as ["Engineering", "R&D"]
-}
diff --git a/src/abbey/functions/member_of.rego b/src/abbey/functions/member_of.rego
new file mode 100644
index 0000000..5576a27
--- /dev/null
+++ b/src/abbey/functions/member_of.rego
@@ -0,0 +1,26 @@
+package abbey.functions_test
+
+import future.keywords.if
+import future.keywords.in
+
+apps := [
+"googleworkspace",
+"okta",
+"google",
+]
+
+# METADATA
+# title: Member Of
+# description: |
+# Function which checks whether a user is in a given group.
+# Groups are kept within an object called group_memberships in the
+# system.abbey object.
+# related_resources:
+# - ref: https://docs.abbey.io/reference/access-policies/types-of-access-policies
+# entrypoint: false
+member_of(group_id) if {
+some app in apps # Iterate over each app.
+user_groups := data.user[app] # Get each app of the user.
+some group in user_groups.groups # For the app, get the user's group memberships.
+group_id in group # Check if the group_id is one of the keys of the group object.
+}
diff --git a/src/abbey/functions/member_of_test.rego b/src/abbey/functions/member_of_test.rego
new file mode 100644
index 0000000..c9f9160
--- /dev/null
+++ b/src/abbey/functions/member_of_test.rego
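Review bot: `group_id in group` on the last body line tests the argument against every value of the group object rather than its `id` field (the test fixture, where `"Engineering"` is the value of `id` and not a key, passes precisely because `in` matches values), so a group whose other fields — a name, an email, a description — happen to equal the argument would also satisfy this authorization predicate, and the inline comment claiming it checks the object's keys does not match what `in` does on an object. Matching the identifier explicitly, `group.id == group_id`, pins the check to the field the tests rely on. The file also declares `package abbey.functions_test` where the deleted implementation was `package abbey.functions`; a policy importing `data.abbey.functions` would no longer find a membership function there, so confirm the package change is intended. The METADATA description still says groups live in `group_memberships` under `system.abbey`, which the body no longer reads; it should describe the `data.user[app].groups` lookup instead.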
@@ -0,0 +1,53 @@
+package abbey.functions_test
+
+import future.keywords.if
+
+fixture := {
+"googleworkspace": {
+"groups": [
+{
+"id": "Engineering"
+},
+{
+"id": "R&D"
+},
+]
+},
+"okta": {
+"groups": [
+{
+"id": "123"
+},
+{
+"id": "456"
+},
+]
+}
+}
+
+test_member_of_googleworkspace_engineering_group if {
+member_of("Engineering") with data.user as fixture
+}
+
+test_member_of_okta_group if {
+member_of("123") with data.user as fixture
+}
+
+# Tests if the user is a member of a group within Google. However, technically, the way we implement
+# the `member_of` function entails a lookup against all of the user's `apps`. This means this test
+# will also produce `false` if the group doesn't exist as a result of the group not being imported.
+test_not_member_of_googleworkspace_engineering_group if {
+not member_of("Marketing") with data.user as fixture
+}
+
+# Tests if the user is a member of a group within Okta. However, technically, the way we implement
+# the `member_of` function entails a lookup against all of the user's `apps`. This means this test
+# will also produce `false` if the group doesn't exist as a result of the group not being imported.
+test_not_member_of_okta_group if {
+not member_of("789") with data.user as fixture
+}
+
+# Tests if the user is a member of a group, but the group is not imported.
+test_unimported_group if {
+not member_of("unimported") with data.user as fixture
+}
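Review bot: `test_not_member_of_googleworkspace_engineering_group` checks `"Marketing"`, not the Engineering group its name promises, and apart from the string its body is the same as `test_unimported_group`; renaming it `test_not_member_of_googleworkspace_marketing_group` keeps the name honest. Every group in `fixture` carries only an `id`, so the suite never exercises a group object with additional fields and cannot tell whether membership is keyed on `id` or on any value of the object; one constructed entry such as `{"id": "999", "name": "Sales"}` paired with `not member_of("Sales") with data.user as fixture` would pin that contract. That added case appears to fail against `group_id in group` as written in member_of.rego, which is worth confirming before it is merged.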