forked from baron/baron-sso
Ory Keto ReBAC Policy & Relation Tuple Architecture
This commit is contained in:
@@ -2,43 +2,23 @@ import { Namespace, Subject, Context, SubjectSet } from "@ory/keto-definitions"
|
||||
|
||||
class User implements Namespace {}
|
||||
|
||||
class TenantGroup implements Namespace {
|
||||
related: {
|
||||
admins: User[]
|
||||
}
|
||||
}
|
||||
|
||||
class UserGroup implements Namespace {
|
||||
related: {
|
||||
members: User[]
|
||||
parent_tenant: Tenant[]
|
||||
}
|
||||
|
||||
permits = {
|
||||
check_member: (ctx: Context): boolean =>
|
||||
this.related.members.includes(ctx.subject)
|
||||
}
|
||||
}
|
||||
|
||||
class Tenant implements Namespace {
|
||||
related: {
|
||||
admins: (User | SubjectSet<UserGroup, "members">)[]
|
||||
members: (User | SubjectSet<UserGroup, "members">)[]
|
||||
parent: Tenant[]
|
||||
parent_group: TenantGroup[]
|
||||
owners: User[]
|
||||
admins: (User | SubjectSet<Tenant, "owners">)[]
|
||||
members: User[]
|
||||
parents: Tenant[]
|
||||
}
|
||||
|
||||
permits = {
|
||||
view: (ctx: Context): boolean =>
|
||||
this.related.members.includes(ctx.subject) ||
|
||||
this.related.admins.includes(ctx.subject) ||
|
||||
this.related.parent.traverse((p) => p.permits.view(ctx)) ||
|
||||
this.related.parent_group.traverse((g) => g.related.admins.includes(ctx.subject)),
|
||||
this.related.parents.traverse((p) => p.permits.view(ctx)),
|
||||
|
||||
manage: (ctx: Context): boolean =>
|
||||
this.related.admins.includes(ctx.subject) ||
|
||||
this.related.parent.traverse((p) => p.permits.manage(ctx)) ||
|
||||
this.related.parent_group.traverse((g) => g.related.admins.includes(ctx.subject)),
|
||||
this.related.parents.traverse((p) => p.permits.manage(ctx)),
|
||||
|
||||
create_subtenant: (ctx: Context): boolean =>
|
||||
this.permits.manage(ctx)
|
||||
@@ -47,24 +27,30 @@ class Tenant implements Namespace {
|
||||
|
||||
class RelyingParty implements Namespace {
|
||||
related: {
|
||||
owners: (User | SubjectSet<UserGroup, "members">)[]
|
||||
parent_tenant: Tenant[]
|
||||
admins: User[]
|
||||
parents: Tenant[]
|
||||
access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users">)[]
|
||||
}
|
||||
|
||||
permits = {
|
||||
view: (ctx: Context): boolean =>
|
||||
this.related.owners.includes(ctx.subject) ||
|
||||
this.related.parent_tenant.traverse((t) => t.permits.view(ctx)),
|
||||
this.related.admins.includes(ctx.subject) ||
|
||||
this.related.parents.traverse((t) => t.permits.view(ctx)),
|
||||
|
||||
manage: (ctx: Context): boolean =>
|
||||
this.related.owners.includes(ctx.subject) ||
|
||||
this.related.parent_tenant.traverse((t) => t.permits.manage(ctx))
|
||||
this.related.admins.includes(ctx.subject) ||
|
||||
this.related.parents.traverse((t) => t.permits.manage(ctx)),
|
||||
|
||||
access: (ctx: Context): boolean =>
|
||||
this.related.access.includes(ctx.subject) ||
|
||||
this.permits.manage(ctx)
|
||||
}
|
||||
}
|
||||
|
||||
class System implements Namespace {
|
||||
related: {
|
||||
super_admins: User[]
|
||||
authenticated_users: User[]
|
||||
}
|
||||
|
||||
permits = {
|
||||
|
||||
Reference in New Issue
Block a user