github.com/authzed/spicedb@v1.32.1-0.20240520085336-ebda56537386/internal/services/integrationtesting/testconfigs/quay.yaml (about)

     1  ---
        # Schema under test: users, teams, organizations, namespaces and repos.
        #
        # Inheritance visible in the permissions below:
        #   - repo.view = readers + write, repo.write = writers + can_admin, and
        #     can_admin follows parent->can_admin from repo to namespace to the
        #     namespace's own parent (another namespace or an organization).
        #   - organization.admin and organization.creator accept team#member, so
        #     membership of a team can confer organization-level rights.
        #   - organization.creator feeds only create/member; no repo permission
        #     references create, so creator alone grants nothing on a repo.
        #   - team.parent_org is declared but no permission in this schema reads it.
        #
        # Caveat is_not_geo_banned:
        #   - It is a deny-list test, !user_ip.in_cidr(cidr): any address outside
        #     the CIDR satisfies it.
        #   - It is attached only to the anonymoususer:* wildcard on repo.readers;
        #     `user` subjects on that relation are not IP-restricted.
        #   - NOTE(review): the result is only as trustworthy as the user_ip passed
        #     as context -- confirm callers derive it from the connection rather
        #     than from a client-controlled value.
     2  schema: |+
     3    definition user {}
     4  
     5    definition anonymoususer {}
     6  
     7    caveat is_not_geo_banned(user_ip ipaddress, cidr string) {
     8      !user_ip.in_cidr(cidr)
     9    }
    10  
    11    definition namespace {
    12      relation parent: namespace | organization
    13      relation admin: user
    14      relation creator: user
    15  
    16      permission can_admin = admin + parent->can_admin
    17      permission create = can_admin + parent->create
    18    }
    19  
    20    definition organization {
    21      relation admin: user | team#member
    22      relation creator: user | team#member
    23      relation direct_member: user
    24  
    25      permission can_admin = admin
    26      permission create = creator + can_admin
    27      permission member = direct_member + create
    28    }
    29  
    30    definition repo {
    31      relation parent: namespace
    32      relation admin: user
    33      relation writers: user
    34      relation readers: user | anonymoususer:* with is_not_geo_banned
    35  
    36      permission can_admin = admin + parent->can_admin
    37      permission write = writers + can_admin
    38      permission view = readers + write
    39    }
    40  
    41    definition team {
    42      relation parent_org: organization
    43      relation direct_member: user
    44  
    45      permission member = direct_member
    46    }
    47  
        # Relationship data for the fixture.
        #
        # `>-` is a folded scalar: the blank line between entries is what keeps
        # each relationship on its own line after folding, so entries must stay
        # separated by a blank line.
        #
        # Paths that reach repo:buynlarge/orgrepo:
        #   cto              organization:megacorp#admin (direct and via team:owners)
        #   ceo              team:owners#member -> organization:megacorp#admin
        #   eng_manager      namespace:buynlarge#admin and repo admin
        #   engineer         repo writers
        #   test_engineer    repo readers
        #   anonymoususer:*  repo readers under is_not_geo_banned; cidr is bound
        #                    here to 1.0.0.0/8, user_ip is left for check time
        #
        # Subjects with no path to that repo:
        #   eng_director     team:creator (organization creator only) and admin of
        #                    namespace:purnkleen, a sibling namespace
        #   villain          admin of organization:villainorg, which no namespace
        #                    or repo in this data points at
    48  relationships: >-
    49    organization:megacorp#admin@user:cto
    50  
    51    team:owners#direct_member@user:cto
    52  
    53    team:owners#direct_member@user:ceo
    54  
    55    team:owners#parent_org@organization:megacorp
    56  
    57    organization:megacorp#admin@team:owners#member
    58  
    59    team:creator#direct_member@user:eng_director
    60  
    61    team:creator#parent_org@organization:megacorp
    62  
    63    organization:megacorp#creator@team:creator#member
    64  
    65    namespace:buynlarge#parent@organization:megacorp
    66  
    67    namespace:buynlarge#admin@user:eng_manager
    68  
    69    repo:buynlarge/orgrepo#parent@namespace:buynlarge
    70  
    71    repo:buynlarge/orgrepo#admin@user:eng_manager
    72  
    73    repo:buynlarge/orgrepo#writers@user:engineer
    74  
    75    repo:buynlarge/orgrepo#readers@user:test_engineer
    76  
    77    namespace:purnkleen#parent@organization:megacorp
    78  
    79    namespace:purnkleen#admin@user:eng_director
    80  
    81    organization:villainorg#admin@user:villain
    82  
    83    repo:buynlarge/orgrepo#readers@anonymoususer:*[is_not_geo_banned:{"cidr":"1.0.0.0/8"}]
    84  
    85  assertions:
          # Expected to resolve to true: each user with a path to repo view, plus
          # anonymous subjects whose supplied user_ip lies outside 1.0.0.0/8.
          # 10.11.12.13 shares only a textual prefix with the banned range --
          # presumably chosen to catch string-prefix matching instead of CIDR
          # matching.
    86    assertTrue:
    87      - 'repo:buynlarge/orgrepo#view@user:test_engineer'
    88      - 'repo:buynlarge/orgrepo#view@user:engineer'
    89      - 'repo:buynlarge/orgrepo#view@user:eng_manager'
    90      - 'repo:buynlarge/orgrepo#view@user:ceo'
    91      - 'repo:buynlarge/orgrepo#view@user:cto'
    92      - 'repo:buynlarge/orgrepo#view@anonymoususer:dskfjbdkfjb with {"user_ip": "2.3.4.5"}'
    93      - 'repo:buynlarge/orgrepo#view@anonymoususer:avbcocdhdsc with {"user_ip": "10.11.12.13"}'
          # No user_ip is supplied, so the caveat cannot be evaluated and the
          # expected outcome is "caveated" rather than true.
          # NOTE(review): a caller that treats a caveated result as allowed would
          # bypass the geo ban -- confirm check consumers deny unless the result
          # is a full allow.
    94    assertCaveated:
    95      - 'repo:buynlarge/orgrepo#view@anonymoususer:dskfjbdkfjb'
    96      - 'repo:buynlarge/orgrepo#view@anonymoususer:avbcocdhdsc'
          # Expected to resolve to false: villain (admin of an unrelated
          # organization), eng_director (organization creator and admin of a
          # sibling namespace only), and anonymous subjects whose user_ip falls
          # inside 1.0.0.0/8.
    97    assertFalse:
    98      - 'repo:buynlarge/orgrepo#view@user:villain'
    99      - 'repo:buynlarge/orgrepo#view@user:eng_director'
   100      - 'repo:buynlarge/orgrepo#view@anonymoususer:dskfjbdkfjb with {"user_ip": "1.2.3.4"}'
   101      - 'repo:buynlarge/orgrepo#view@anonymoususer:avbcocdhdsc with {"user_ip": "1.10.20.30"}'