<h2>Full example</h2>
<pre><code># Role-based Access Control (RBAC)
# By default, deny requests: `allow` is false unless one of the `allow`
# rules below succeeds, so a request with missing or unexpected fields is
# denied rather than allowed (fail closed).
default allow = false
# Administrators are allowed every request: this body checks nothing about
# input.action or input.type. Separate `allow` bodies are alternatives, so
# this one succeeding is sufficient on its own.
allow { user_is_admin }
# Non-admin path: allow when one of the user's grants matches the request.
allow {
    # Bind `permitted` to any member of the user's grant set.
    some permitted
    user_is_granted[permitted]
    # Action and type must both match the same grant. If the grant or the
    # request lacks `action` or `type`, the comparison is undefined and this
    # body does not grant access.
    permitted.action == input.action
    permitted.type == input.type
}
# user_is_admin holds when "admin" appears among the roles that
# data.user_roles lists for input.user. If input.user is absent or has no
# entry in data.user_roles, the lookup is undefined and the rule does not hold.
# input.user is used as supplied in the request; nothing here verifies it,
# so it needs to come from an already-authenticated identity.
user_is_admin {
    # Roles assigned to the identified user.
    assigned := data.user_roles[input.user]
    # True if any position in that list holds "admin".
    some idx
    assigned[idx] == "admin"
}
# user_is_granted is the set of grants available to the user identified in
# the request: every entry of data.role_grants[role], for every role that
# data.user_roles lists for input.user. A user with no roles, or whose roles
# have no grants, gets the empty set.
user_is_granted[grant] {
    some role_idx, grant_idx
    # `role` ranges over the roles assigned to this user...
    role := data.user_roles[input.user][role_idx]
    # ...and `grant` over the grants listed for that role.
    grant := data.role_grants[role][grant_idx]
}
</code></pre>