From 0c1d0447a46113e94ab23cc6464bce12881f0d8d Mon Sep 17 00:00:00 2001 From: Gerald Baulig Date: Wed, 24 Jan 2024 14:12:29 +0100 Subject: [PATCH] feat(shop): add shop policies --- datasets/system/data/seed-data/policies.yaml | 28 ++++++++- .../system/data/seed-data/policy_sets.yaml | 3 +- datasets/system/data/seed-data/rules.yaml | 61 ++++++++++++++++++- 3 files changed, 89 insertions(+), 3 deletions(-) diff --git a/datasets/system/data/seed-data/policies.yaml b/datasets/system/data/seed-data/policies.yaml index 4347450..4f5e990 100644 --- a/datasets/system/data/seed-data/policies.yaml +++ b/datasets/system/data/seed-data/policies.yaml @@ -293,6 +293,7 @@ - id: urn:oasis:names:tc:xacml:1.0:action:action-id value: urn:restorecommerce:acs:names:action:execute resources: [ ] + subjects: [ ] combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides meta: modifiedBy: "" @@ -462,7 +463,6 @@ - id: urn:restorecommerce:acs:names:ownerInstance value: system --- - ## Customers policy and 5 Products policy id: customers_policy name: Customers Policy description: Allows normal users to read Customer resource 
@@ -488,6 +488,32 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system +--- + id: shops_policy + name: Shops Policy + description: Allows normal users to read Shop resource + evaluationCacheable: false + effect: PERMIT + target: + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:shop.Shop + subjects: [ ] + actions: [ ] + rules: + - org_scoped_shop_read_rule # Permit: normal user under an Org scope + - user_scoped_shop_read_rule # Permit: normal user who owns the resource and not bounded to any organization + - superadmin_rule # Permit: SuperAdmin + - fall_back_rule # Deny: All + combiningAlgorithm: urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system --- id: products_policy name: Products policy diff --git a/datasets/system/data/seed-data/policy_sets.yaml b/datasets/system/data/seed-data/policy_sets.yaml index 7172e78..caa9a05 100644 --- a/datasets/system/data/seed-data/policy_sets.yaml +++ b/datasets/system/data/seed-data/policy_sets.yaml @@ -8,6 +8,7 @@ subjects: [ ] actions: [ ] policies: + - execute_action_policy - users_policy - organizations_policy - address_policy @@ -18,7 +19,6 @@ - countries_policy - roles_policy - locales_policy - - execute_action_policy - commands_policy - jobs_policy - policy_sets_policy @@ -27,6 +27,7 @@ - timezones_policy - orders_policy - customers_policy + - shops_policy - products_policy - manufacturers_policy - product_prototypes_policy diff --git a/datasets/system/data/seed-data/rules.yaml b/datasets/system/data/seed-data/rules.yaml index f9a9728..9af3423 100644 --- a/datasets/system/data/seed-data/rules.yaml +++ b/datasets/system/data/seed-data/rules.yaml 
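Review bot: The annotation `# Permit: normal user who owns the resource and not bounded to any organization` on `user_scoped_shop_read_rule` promises an ownership check that the referenced rule (added to rules.yaml in this same commit) does not express in its own `condition`, so the comment should say where that check actually happens. If ownership is derived by the ACS from the `roleScopingEntity` subject attribute matched against the Shop's owners, say so: `# Permit: normal user scoped to user.User; ownership enforced by roleScopingEntity match, no explicit condition`. Also `bounded` should read `bound`, and since the policy target has `actions: [ ]`, the `description` would be clearer as `Allows normal users to read Shop resources; all other actions are denied by fall_back_rule unless superadmin_rule applies`.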
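Review bot: Moving `execute_action_policy` from the middle of the `policies` list to its head changes evaluation order with no rationale in the commit message, and whether that matters depends on the policy set's combining algorithm, which lies outside this hunk. If the algorithm is order-sensitive (first-applicable), the move is a behavioural change and deserves a comment such as `# evaluated first: execute requests must be resolved before entity policies`; if it is permit- or deny-overrides, a one-line note that the reorder is cosmetic will save the question on the next review.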
@@ -1098,7 +1098,66 @@ attributes: - id: urn:restorecommerce:acs:names:ownerInstance value: system -## Product, Manufacturer, ProductPrototype, ProductCategory, PriceGroup - Master Data +--- + id: org_scoped_shop_read_rule + name: Shop read rule for Organizational Scope + description: Permits any read if the resource is under an organizational hierarchical scope + target: + subjects: + - id: urn:restorecommerce:acs:names:role + value: user-r-id # NormalUser + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:organization.Organization + actions: + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:read + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:shop.Shop + effect: PERMIT + condition: "" + evaluationCacheable: false + contextQuery: + filters: [ ] + query: "" + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system +--- + id: user_scoped_shop_read_rule + name: Shop read rule for Independent User Scope + description: Permits any read if the resource is under an user hierarchical scope + target: + subjects: + - id: urn:restorecommerce:acs:names:role + value: user-r-id # NormalUser + - id: urn:restorecommerce:acs:names:roleScopingEntity + value: urn:restorecommerce:acs:model:user.User + actions: + - id: urn:oasis:names:tc:xacml:1.0:action:action-id + value: urn:restorecommerce:acs:names:action:read + resources: + - id: urn:restorecommerce:acs:names:model:entity + value: urn:restorecommerce:acs:model:shop.Shop + effect: PERMIT + condition: "" + evaluationCacheable: false + contextQuery: + filters: [ ] + query: "" + meta: + modifiedBy: "" + owners: + - id: urn:restorecommerce:acs:names:ownerIndicatoryEntity + value: 
urn:restorecommerce:acs:model:organization.Organization + attributes: + - id: urn:restorecommerce:acs:names:ownerInstance + value: system --- id: normal_user_product_read_rule name: Product read rule
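Review bot: The section header `## Product, Manufacturer, ProductPrototype, ProductCategory, PriceGroup - Master Data` is deleted rather than moved, so `normal_user_product_read_rule` and the rules that follow it lose their label while the new shop rules get none; restore it before the `---` preceding `normal_user_product_read_rule` and head the new block with `## Shop`. Both new rules have `condition: ""` and an empty `contextQuery`, so the only thing separating an organisation-scoped read from a user-scoped read is the `roleScopingEntity` value in the subject target; that is sound only if the ACS matches the subject's scope instance against the Shop's owners, otherwise `user_scoped_shop_read_rule` grants every NormalUser read access to every shop, and a comment on the rule stating which mechanism is relied on would make that explicit. The second rule's `description` should read `under a user hierarchical scope`. Only read rules are added here; if sibling entities carry an org-admin create/modify/delete rule, Shop lacks one and, per the policy's rule list, is administrable only through `superadmin_rule`.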