login policy with teams

README.md

@@ -52,6 +52,7 @@ _Access policies have been deprecated. Please [read this](./access/README.md) fo
   - [GitHub](./login/external-contributor-access-github.rego)
   - [Google](./login/external-contributor-access-google.rego)
 - [Managing access levels within an organization](./login/access-levels-within-an-organization.rego)
+- [Readers Writers Admins Teams](./login/readers-writers-admins-teams.rego)
 - [Rewriting User Teams](./login/rewriting-user-teams.rego)
 - [Who When Where Login Restrictions](./login/who-when-where-login-restrictions.rego)
 

login/readers-writers-admins-teams.rego

@@ -0,0 +1,43 @@
+package spacelift
+
+# Define team roles
+writers := {"team1", "team2", "team3"}
+
+admins := {"team4", "team5", "team6"}
+
+readers := {"team7", "team8", "team9"}
+
+# Extract login from session
+login := input.session.teams
+
+# Allow based on team role
+allow { # Allow writers
+	writers[login]
+}
+
+allow { # Allow admins
+	admins[login]
+}
+
+allow { # Allow readers
+	readers[login]
+}
+
+# Space access rules
+# Check if user is an admin and assign admin access to the space
+space_admin[space.id] {
+	space := input.spaces[_]
+	admins[login]
+}
+
+# Check if user is a writer and assign write access to the space
+space_write[space.id] {
+	space := input.spaces[_]
+	writers[login]
+}
+
+# Check if user is a reader and assign read access to the space
+space_read[space.id] {
+	space := input.spaces[_]
+	readers[login]
+}

login/readers-writers-admins-teams_test.rego

@@ -0,0 +1,55 @@
+package spacelift
+
+# Test for writers
+test_allow_writers {
+	allow with input as {"session": {"teams": "team1"}} with input.spaces as [{"id": "space1"}, {"id": "space2"}]
+}
+
+test_deny_non_writers {
+	not allow with input as {"session": {"teams": "non_writer_team"}} with input.spaces as [{"id": "space1"}, {"id": "space2"}]
+}
+
+# Test for admins
+test_allow_admins {
+	allow with input as {"session": {"teams": "team4"}} with input.spaces as [{"id": "space1"}, {"id": "space2"}]
+}
+
+test_deny_non_admins {
+	not allow with input as {"session": {"teams": "non_admin_team"}} with input.spaces as [{"id": "space1"}, {"id": "space2"}]
+}
+
+# Test for readers
+test_allow_readers {
+	allow with input as {"session": {"teams": "team7"}} with input.spaces as [{"id": "space1"}, {"id": "space2"}]
+}
+
+test_deny_non_readers {
+	not allow with input as {"session": {"teams": "non_reader_team"}} with input.spaces as [{"id": "space1"}, {"id": "space2"}]
+}
+
+# Test space access for admins
+test_space_admin_access {
+	space_admin.space1 with input as {"session": {"teams": "team4"}, "spaces": [{"id": "space1"}, {"id": "space2"}]}
+}
+
+test_space_admin_no_access {
+	not space_admin.space1 with input as {"session": {"teams": "team1"}, "spaces": [{"id": "space1"}, {"id": "space2"}]}
+}
+
+# Test space access for writers
+test_space_write_access {
+	space_write.space1 with input as {"session": {"teams": "team1"}, "spaces": [{"id": "space1"}, {"id": "space2"}]}
+}
+
+test_space_write_no_access {
+	not space_write.space1 with input as {"session": {"teams": "team7"}, "spaces": [{"id": "space1"}, {"id": "space2"}]}
+}
+
+# Test space access for readers
+test_space_read_access {
+	space_read.space1 with input as {"session": {"teams": "team7"}, "spaces": [{"id": "space1"}, {"id": "space2"}]}
+}
+
+test_space_read_no_access {
+	not space_read.space1 with input as {"session": {"teams": "team1"}, "spaces": [{"id": "space1"}, {"id": "space2"}]}
+}