Replace in_group with member_of.

.github/workflows/opa.yml

@@ -1,5 +1,6 @@
 name: Run OPA Tests
 on: [push, workflow_dispatch]
+
 jobs:
   Run-OPA-Tests:
     runs-on: ubuntu-latest
@@ -12,5 +13,13 @@ jobs:
       with:
         version: latest
 
+    - name: Setup Regal
+      uses: StyraInc/setup-regal@v0.2.0
+      with:
+        version: latest
+
     - name: Run OPA Tests
       run: opa test src -v
+
+    - name: Lint OPA Policies
+      run: regal lint --format github ./src

.regal/config.yaml

@@ -0,0 +1,5 @@
+rules:
+  idiomatic:
+    no-defined-entrypoint:
+      # This repo consists of a set of library functions, which therefore have no entrypoint.
+      level: ignore

src/abbey/functions/expire_after.rego

@@ -1,16 +1,22 @@
-package abbey.functions
+package abbey.functions_test
 
 import future.keywords.if
 
-# Function that checks if the time at `ts` has expired, relative to the time at `approved_at`.
-# The `ts` input is a string that can be parsed by Rego's native `time.parse_duration_ns` function.
-# Valid string values are derived from https://pkg.go.dev/time#ParseDuration.
-# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-# This function compares against data under the `system.abbey.target` namespace.
+# METADATA
+# title: Expire After
+# description: |
+#  Function that checks if the time at `ts` has expired, relative to the time at `approved_at`.
+#  The `ts` input is a string that can be parsed by Rego's native `time.parse_duration_ns` function.
+#  Valid string values are derived from https://pkg.go.dev/time#ParseDuration.
+#  Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+#  This function compares against data under the `system.abbey.target` namespace.
+# related_resources:
+# - ref: https://docs.abbey.io/use-cases/time-based-access/expire-after-a-duration
+# entrypoint: false
 expire_after(ts) := live if {
 	expires_after := time.parse_duration_ns(ts)
 	approved_at := time.parse_rfc3339_ns(data.system.abbey.target.grant.approved_at)
 	expires_at := approved_at + expires_after
 	now := time.now_ns()
 	live := (now - expires_at) < 0
-}
+}

src/abbey/functions/expire_after_test.rego

@@ -1,18 +1,18 @@
-package abbey.functions
+package abbey.functions_test
 
 import future.keywords.if
 
-test_expired if {
-    not expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 1672534900000000000
+test_after_expired_duration if {
+	not expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 1672534900000000000
 }
 
-test_expired if {
-    not expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 1672534860000000000
+test_at_expired_duration if {
+	not expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 1672534860000000000
 }
 
-test_not_expired if {
-    expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 0
+test_before_expired_duration if {
+	expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 0
 }

src/abbey/functions/expire_at.rego

@@ -1,10 +1,16 @@
-package abbey.functions
+package abbey.functions_test
 
 import future.keywords.if
 
-# Function that checks if the time at `ts` has expired, relative to the time at `approved_at`.
-# The `ts` input is a string representing the RFC 3339 date time format.
-# This function compares against data under the `system.abbey.target` namespace.
+# METADATA
+# title: Expire At
+# description: |
+#  Function that checks if the time at `ts` has expired, relative to the time at `approved_at`.
+#  The `ts` input is a string representing the RFC 3339 date time format.
+#  This function compares against data under the `system.abbey.target` namespace.
+# related_resources:
+# - ref: https://docs.abbey.io/use-cases/time-based-access/expire-at-a-specific-time
+# entrypoint: false
 expire_at(ts) := live if {
 	expires_at := time.parse_rfc3339_ns(ts)
 	now := time.now_ns()

src/abbey/functions/expire_at_test.rego

@@ -1,18 +1,18 @@
-package abbey.functions
+package abbey.functions_test
 
 import future.keywords.if
 
-test_expired if {
-    not expire_at("2023-01-01T02:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 1672538500000000000
+test_after_expired_at_threshold if {
+	not expire_at("2023-01-01T02:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 1672538500000000000
 }
 
-test_expired if {
-    not expire_at("2023-01-01T01:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 1672538400000000000
+test_on_expired_at_threshold if {
+	not expire_at("2023-01-01T01:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 1672538400000000000
 }
 
-test_not_expired if {
-    expire_at("2023-01-01T01:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 0
-}
+test_before_expired_at_threshold if {
+	expire_at("2023-01-01T01:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 0
+}

src/abbey/functions/member_of.rego

@@ -0,0 +1,26 @@
+package abbey.functions_test
+
+import future.keywords.if
+import future.keywords.in
+
+apps := [
+	"googleworkspace",
+	"okta",
+	"google",
+]
+
+# METADATA
+# title: Member Of
+# description: |
+#  Function which checks whether a user has a specific group membership.
+#  This function will iterate through all of a user's imported `apps` to determine
+#  if any of the `group_id`s match the user's group memberships.
+# related_resources:
+# - ref: https://docs.abbey.io/reference/access-policies/types-of-access-policies
+# entrypoint: false
+member_of(group_id) if {
+	some app in apps # Iterate over each app.
+	user_groups := data.user[app] # Get each app of the user.
+	some group in user_groups.groups # For the app, get the user's group memberships.
+	group_id in group # Check if the group_id is one of the keys of the group object.
+}

src/abbey/functions/member_of_test.rego

@@ -0,0 +1,41 @@
+package abbey.functions_test
+
+import future.keywords.if
+
+fixture := {
+	"googleworkspace": {"groups": [
+		{"id": "Engineering"},
+		{"id": "R&D"},
+	]},
+	"okta": {"groups": [
+		{"id": "123"},
+		{"id": "456"},
+	]},
+}
+
+test_member_of_googleworkspace_engineering_group if {
+	member_of("Engineering") with data.user as fixture
+}
+
+test_member_of_okta_group if {
+	member_of("123") with data.user as fixture
+}
+
+# Tests if the user is a member of a group within Google. However, technically, the way we implement
+# the `member_of` function entails a lookup against all of the user's `apps`. This means this test
+# will also produce `false` if the group doesn't exist as a result of the group not being imported.
+test_not_member_of_googleworkspace_engineering_group if {
+	not member_of("Marketing") with data.user as fixture
+}
+
+# Tests if the user is a member of a group within Okta. However, technically, the way we implement
+# the `member_of` function entails a lookup against all of the user's `apps`. This means this test
+# will also produce `false` if the group doesn't exist as a result of the group not being imported.
+test_not_member_of_okta_group if {
+	not member_of("789") with data.user as fixture
+}
+
+# Tests if the user is a member of a group, but the group is not imported.
+test_unimported_group if {
+	not member_of("unimported") with data.user as fixture
+}