From 15d1e11e5130d3a26d31e2b18fce8a42f280bfaa Mon Sep 17 00:00:00 2001
From: Kevin Hakanson
Date: Thu, 31 Oct 2024 07:19:25 -0500
Subject: [PATCH] chore: update examples
---
 test/data/namespaces.cedarschema | 21 +++++++++++++++
 test/data/namespaces.html | 21 +++++++++++++++
 test/data/numeronym.cedar | 8 ++++++
 test/data/numeronym.html | 8 ++++++
 test/data/quotes.cedar | 12 +++++++--
 test/data/quotes.html | 12 +++++++--
 test/static/index.html | 44 ++++++++++++++++++++++++++++++--
 test/vite/index.html | 44 ++++++++++++++++++++++++++++++--
 8 files changed, 162 insertions(+), 8 deletions(-)
 create mode 100644 test/data/numeronym.cedar
 create mode 100644 test/data/numeronym.html
diff --git a/test/data/namespaces.cedarschema b/test/data/namespaces.cedarschema
index dc7e08f..8d6b172 100644
--- a/test/data/namespaces.cedarschema
+++ b/test/data/namespaces.cedarschema
@@ -35,3 +35,24 @@ namespace N2 { // no namespace entity Y;
+
+// numeronym namespace (like k8s or i18n)
+namespace k8s {
+ entity User in Group;
+ entity Group;
+ entity Resource {
+ metadata?: String
+ };
+ action "list" appliesTo {
+ principal: [k8s::User],
+ resource: [k8s::Resource],
+ context: {}
+ };
+ action "update" appliesTo {
+ principal: [k8s::User],
+ resource: [k8s::Resource],
+ context: {
+ oldObject?: String
+ }
+ };
+}
\ No newline at end of file
diff --git a/test/data/namespaces.html b/test/data/namespaces.html
index e996db2..71a1899 100644
--- a/test/data/namespaces.html
+++ b/test/data/namespaces.html
@@ -35,3 +35,24 @@ // no namespace entity Y;
+
+// numeronym namespace (like k8s or i18n)
+namespace k8s {
+ entity User in Group;
+ entity Group;
+ entity Resource {
+ metadata?: String
+ };
+ action "list" appliesTo {
+ principal: [k8s::User],
+ resource: [k8s::Resource],
+ context: {}
+ };
+ action "update" appliesTo {
+ principal: [k8s::User],
+ resource: [k8s::Resource],
+ context: {
+ oldObject?: String
+ }
+ };
+}
\ No newline at end of file
diff --git a/test/data/numeronym.cedar b/test/data/numeronym.cedar
new file mode 100644
index 0000000..995af9c
--- /dev/null
+++ b/test/data/numeronym.cedar
@@ -0,0 +1,8 @@
+// inspired by https://www.cedarpolicy.com/blog/cedar-for-kubernetes
+forbid (
+ principal is k8s::User,
+ action in [k8s::Action::"list", k8s::Action::"update"],
+ resource is k8s::Resource
+) when {
+ principal in k8s::Group::"block-list"
+};
\ No newline at end of file
diff --git a/test/data/numeronym.html b/test/data/numeronym.html
new file mode 100644
index 0000000..0ff0bc7
--- /dev/null
+++ b/test/data/numeronym.html
@@ -0,0 +1,8 @@
+// inspired by https://www.cedarpolicy.com/blog/cedar-for-kubernetes
+forbid (
+ principal is k8s::User,
+ action in [k8s::Action::"list", k8s::Action::"update"],
+ resource is k8s::Resource
+) when {
+ principal in k8s::Group::"block-list"
+};
\ No newline at end of file
diff --git a/test/data/quotes.cedar b/test/data/quotes.cedar
index c81c10a..c7ca7c5 100644
--- a/test/data/quotes.cedar
+++ b/test/data/quotes.cedar
@@ -1,4 +1,12 @@
 // you "must" be 54" tall to ride (wink)
-@id("54\" rule") // 54" is 4' 6"
+@id("54\" rule") // 54" is 4' 6"
 forbid (principal, action, resource)
-when { resource.restriction == "54\"" && principal.height < 54 };
\ No newline at end of file
+when
+{
+ resource.restriction == "54\"" &&
+ principal.height < 54 &&
+ principal.attrSet.contains({
+ "key": "height",
+ "values": ["54\"", "4' 6\""]
+ })
+};
\ No newline at end of file
diff --git a/test/data/quotes.html b/test/data/quotes.html
index f52d47c..c09b402 100644
--- a/test/data/quotes.html
+++ b/test/data/quotes.html
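Review bot: In test/data/quotes.cedar the rewritten `when` clause reads `resource.restriction`, `principal.height` and the newly added `principal.attrSet` on an unscoped `principal` and `resource` with no `has` guard. Cedar ignores a policy whose condition raises an evaluation error, so for an entity that lacks one of these attributes this `forbid` would not apply and the decision falls to whatever `permit` matches. If the fixture is also meant to read as a realistic example, put `principal has height && principal has attrSet && resource has restriction &&` ahead of the comparisons; if it exists only to exercise quote highlighting, a one-line comment saying so would keep readers from copying it as a deny rule. The new `"key": "height", ` line also ends in a trailing space, which this same commit removes from the `@id` line. The same policy text is repeated in the test/data/quotes.html, test/static/index.html and test/vite/index.html hunks.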
@@ -1,4 +1,12 @@
 // you "must" be 54" tall to ride (wink)
-@id("54\" rule") // 54" is 4' 6"
+@id("54\" rule") // 54" is 4' 6"
 forbid (principal, action, resource)
-when { resource.restriction == "54\"" && principal.height < 54 };
\ No newline at end of file
+when
+{
+ resource.restriction == "54\"" &&
+ principal.height < 54 &&
+ principal.attrSet.contains({
+ "key": "height",
+ "values": ["54\"", "4' 6\""]
+ })
+};
\ No newline at end of file
diff --git a/test/static/index.html b/test/static/index.html
index 75714c0..c9a6fc6 100644
--- a/test/static/index.html
+++ b/test/static/index.html
@@ -129,14 +129,34 @@

is.cedar

// false - `ExampleCo::User` and `User` are different entity types ExampleCo::User::"alice" is User }; + + +

numeronym.cedar

+

+// inspired by https://www.cedarpolicy.com/blog/cedar-for-kubernetes
+forbid (
+    principal is k8s::User,
+    action in [k8s::Action::"list", k8s::Action::"update"],
+    resource is k8s::Resource
+) when {
+    principal in k8s::Group::"block-list"
+};
 

quotes.cedar


 // you "must" be 54" tall to ride (wink)
-@id("54\" rule") // 54" is 4' 6" 
+@id("54\" rule") // 54" is 4' 6"
 forbid (principal, action, resource)
-when { resource.restriction == "54\"" && principal.height < 54 };
+when
+{
+  resource.restriction == "54\"" &&
+  principal.height < 54 &&
+  principal.attrSet.contains({
+    "key": "height", 
+    "values": ["54\"", "4' 6\""]
+  })
+};
 

template.cedar

@@ -211,6 +231,26 @@

namespaces.cedarschema

// no namespace entity Y;
+// numeronym namespace (like k8s or i18n)
+namespace k8s {
+ entity User in Group;
+ entity Group;
+ entity Resource {
+ metadata?: String
+ };
+ action "list" appliesTo {
+ principal: [k8s::User],
+ resource: [k8s::Resource],
+ context: {}
+ };
+ action "update" appliesTo {
+ principal: [k8s::User],
+ resource: [k8s::Resource],
+ context: {
+ oldObject?: String
+ }
+ };
+}
diff --git a/test/vite/index.html b/test/vite/index.html
index 6807bde..01e6d68 100644
--- a/test/vite/index.html
+++ b/test/vite/index.html
@@ -119,14 +119,34 @@

is.cedar

// false - `ExampleCo::User` and `User` are different entity types ExampleCo::User::"alice" is User }; + + +

numeronym.cedar

+

+// inspired by https://www.cedarpolicy.com/blog/cedar-for-kubernetes
+forbid (
+    principal is k8s::User,
+    action in [k8s::Action::"list", k8s::Action::"update"],
+    resource is k8s::Resource
+) when {
+    principal in k8s::Group::"block-list"
+};
 

quotes.cedar


 // you "must" be 54" tall to ride (wink)
-@id("54\" rule") // 54" is 4' 6" 
+@id("54\" rule") // 54" is 4' 6"
 forbid (principal, action, resource)
-when { resource.restriction == "54\"" && principal.height < 54 };
+when
+{
+  resource.restriction == "54\"" &&
+  principal.height < 54 &&
+  principal.attrSet.contains({
+    "key": "height", 
+    "values": ["54\"", "4' 6\""]
+  })
+};
 

template.cedar

@@ -201,6 +221,26 @@

namespaces.cedarschema

// no namespace entity Y;
+// numeronym namespace (like k8s or i18n)
+namespace k8s {
+ entity User in Group;
+ entity Group;
+ entity Resource {
+ metadata?: String
+ };
+ action "list" appliesTo {
+ principal: [k8s::User],
+ resource: [k8s::Resource],
+ context: {}
+ };
+ action "update" appliesTo {
+ principal: [k8s::User],
+ resource: [k8s::Resource],
+ context: {
+ oldObject?: String
+ }
+ };
+}