
Mini document-cloud
Signed-off-by: Shaobo He <[email protected]>
shaobo-he-aws committed Jul 30, 2024
1 parent 9ca1aed commit 7cbec4c
Showing 2 changed files with 68 additions and 118 deletions.
146 changes: 57 additions & 89 deletions cedar-example-use-cases/document_cloud/policies.cedar
@@ -1,118 +1,86 @@
/// A drive owner can perform any actions on it
@id("drive-owner")
permit (
principal,
action == Action::"CreateDocument",
resource == Drive::"drive"
);

permit (
principal,
action == Action::"ViewDocument",
resource
)
when { principal == resource.owner };

permit (
principal,
action == Action::"ViewDocument",
resource
)
when { principal in resource.viewACL }
unless { resource.isPrivate };

permit (
principal == Public::"public",
action == Action::"ViewDocument",
resource
principal,
action,
resource is Drive
)
when { resource.publicAccess == "view" || resource.publicAccess == "edit" }
unless { resource.isPrivate };
when { resource.owner == principal };

/// A document owner can perform any actions on it
@id("document-owner")
permit (
principal,
action == Action::"ViewDocument",
resource
principal,
action,
resource is Document
)
when { principal == resource.owner };

/// A group owner can perform any actions on it
@id("group-owner")
permit (
principal,
action == Action::"ModifyDocument",
resource
principal,
action,
resource is Group
)
when { principal == resource.owner };

/// Users in the viewACL group can view the document unless it's private
@id("viewACL")
permit (
principal,
action == Action::"ModifyDocument",
resource
principal,
action == Action::"ViewDocument",
resource
)
when { principal in resource.modifyACL }
unless { resource.isPrivate };
when { principal in resource.viewACL };

/// Any user can view a document when it's publicly accessable and not private
@id("public-view")
permit (
principal == Public::"public",
action == Action::"ViewDocument",
resource
principal,
action == Action::"ViewDocument",
resource
)
when { resource.publicAccess == "edit" }
unless { resource.isPrivate };
when { resource.publicAccess == "view" || resource.publicAccess == "edit" };

/// Users in the modifyACL group can modify the document unless it's private
@id("modifyACL")
permit (
principal,
action in
[Action::"EditIsPrivate",
Action::"AddToShareACL",
Action::"EditPublicAccess"],
resource
principal,
action == Action::"ModifyDocument",
resource
)
when { principal == resource.owner };
when { principal in resource.modifyACL };

/// Any user can modify a document when it's publicly editable and not private
@id("public-edit")
permit (
principal,
action in [Action::"AddToShareACL", Action::"EditPublicAccess"],
resource
principal,
action == Action::"ModifyDocument",
resource
)
when { principal in resource.manageACL };
when { resource.publicAccess == "edit" };

/// Users in the manageACL group can edit built-in groups
@id("manageACL")
permit (
principal,
action == Action::"CreateGroup",
resource == Drive::"drive"
);

permit (
principal,
action in [Action::"ModifyGroup", Action::"DeleteGroup"],
resource
principal,
action in [Action::"AddToShareACL", Action::"EditPublicAccess"],
resource
)
when { principal == resource.owner };
when { principal in resource.manageACL };

/// Blacklisted users cannot perform these actions
@id("blocked-users")
forbid (
principal,
action in
[Action::"ViewDocument",
Action::"ModifyDocument",
Action::"EditIsPrivate",
Action::"AddToShareACL",
Action::"EditPublicAccess",
Action::"DeleteDocument"],
resource
principal,
action in
[Action::"ViewDocument",
Action::"ModifyDocument",
Action::"AddToShareACL",
Action::"EditPublicAccess",
Action::"DeleteDocument"],
resource
)
when
{
principal has blocked &&
(resource.owner.blocked.contains(principal) ||
principal.blocked.contains(resource.owner))
};

forbid (principal, action, resource)
when { !context.is_authenticated };

forbid (principal, action, resource)
when
{
resource has owner &&
principal != resource.owner &&
resource has isPrivate &&
resource.isPrivate
};
{ resource.owner has blocked && resource.owner.blocked.contains(principal) };
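Review bot: On the new side no policy reads `resource.isPrivate` any more, yet the doc-comments on the viewACL, public-view, modifyACL and public-edit policies still say the grant holds only "unless it's private", and the policies.cedarschema section below keeps `"isPrivate": Bool` on Document. As written, a document flagged private is viewable and modifiable by its ACL groups and, whenever publicAccess is set, by any user — the former `unless { resource.isPrivate }` clauses and the catch-all private-document forbid do not survive. If dropping the private flag is intended, remove the schema field and reword those four comments; otherwise restore the guard on each of those permits, e.g. `when { principal in resource.viewACL } unless { resource.isPrivate };`. Which lines are old versus new is inferred from print order and the diffstat, so please confirm against the raw diff.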
40 changes: 11 additions & 29 deletions cedar-example-use-cases/document_cloud/policies.cedarschema
@@ -1,60 +1,42 @@
entity DocumentShare, Drive;
entity Drive {
owner: User,
};
entity Document = {
"isPrivate": Bool,
"manageACL": DocumentShare,
"modifyACL": DocumentShare,
"manageACL": Group,
"modifyACL": Group,
"owner": User,
"publicAccess": String,
"viewACL": DocumentShare,
"viewACL": Group,
};
entity Group in [DocumentShare] = {
entity Group = {
"owner": User,
};
entity Public in [DocumentShare];
entity User in [Group] = {
"blocked": Set<User>,
entity User in Group = {
blocked?: Set<User>,
"personalGroup": Group,
};

action DeleteGroup, ModifyGroup appliesTo {
principal: [User],
resource: [Group],
context: {
"is_authenticated": Bool,
}
};
action CreateGroup appliesTo {
principal: [User],
resource: [Drive],
context: {
"is_authenticated": Bool,
}
};
action ViewDocument appliesTo {
principal: [User, Public],
principal: [User],
resource: [Document],
context: {
"is_authenticated": Bool,
}
};
action AddToShareACL, DeleteDocument, EditIsPrivate, EditPublicAccess appliesTo {
action AddToShareACL, DeleteDocument, EditPublicAccess appliesTo {
principal: [User],
resource: [Document],
context: {
"is_authenticated": Bool,
}
};
action ModifyDocument appliesTo {
principal: [User],
resource: [Document],
context: {
"is_authenticated": Bool,
}
};
action CreateDocument appliesTo {
principal: [User],
resource: [Drive],
context: {
"is_authenticated": Bool,
}
};
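Review bot: `"publicAccess": String` on Document gives no indication of which values the policies act on; the public-view and public-edit permits only match `"view"` and `"edit"`, so any other string silently grants no public access, and a comment such as `// publicAccess: "view" | "edit"; any other value grants no public access` would keep the schema and the policies from drifting. The new entity declarations also mix styles — `entity Drive { owner: User, }` next to `entity Document = { "owner": User, ... }`, and `blocked?:` bare beside `"personalGroup":` quoted — so picking one form (quoted or bare attribute names, with or without `=`) would make the file easier to audit. Which lines are old versus new is inferred from print order, so please confirm.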
