Add policy for Tiled scopes and filters

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/rust:1.84.1-bookworm
+FROM docker.io/library/rust:1.91.1-bookworm
 
 RUN rustup component add rustfmt clippy 
 

bundler/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/rust:1.84.1-bookworm AS build
+FROM docker.io/library/rust:1.91.1-bookworm AS build
 
 ARG DATABASE_URL
 

policy/diamond/policy/admin/admin.rego

@@ -3,7 +3,11 @@ package diamond.policy.admin
 import data.diamond.policy.token
 import rego.v1
 
-is_admin[subject] := "super_admin" in data.diamond.data.subjects[subject].permissions
+default is_admin(_) := false
+
+is_admin(subject) if {
+	"super_admin" in data.diamond.data.subjects[subject].permissions
+}
 
 beamline_admin_for_subject[subject_name] contains beamline if {
 	some subject_name, subject in data.diamond.data.subjects
@@ -13,7 +17,7 @@ beamline_admin_for_subject[subject_name] contains beamline if {
 	some beamline in role_beamlines
 }
 
-admin := is_admin[token.claims.fedid] # regal ignore:rule-name-repeats-package
+admin := is_admin(token.claims.fedid) # regal ignore:rule-name-repeats-package
 
 beamline_admin := input.beamline in object.get(beamline_admin_for_subject, token.claims.fedid, [])
 

policy/diamond/policy/admin/admin_test.rego

@@ -33,7 +33,7 @@ diamond_data := {
 }
 
 test_is_admin_for_admin if {
-	admin.is_admin.carol with data.diamond.data as diamond_data
+	admin.is_admin("carol") with data.diamond.data as diamond_data
 }
 
 test_beamline_admin_for_subject_for_beamline_admin if {
@@ -45,11 +45,11 @@ test_beamlines_admin_for_subject_for_group_admin if {
 }
 
 test_is_admin_for_non_admin if {
-	not admin.is_admin.alice with data.diamond.data as diamond_data
+	not admin.is_admin("alice") with data.diamond.data as diamond_data
 }
 
 test_is_admin_for_beamline_admin_not_admin if {
-	not admin.is_admin.bob with data.diamond.data as diamond_data
+	not admin.is_admin("bob") with data.diamond.data as diamond_data
 }
 
 test_beamline_admin_for_subject_for_non_beamline_admin if {

policy/diamond/policy/proposal/proposal.rego

@@ -13,7 +13,7 @@ on_proposal(subject, proposal_number) if {
 default access_proposal(_, _) := false
 
 # Allow if subject has super_admin permission
-access_proposal(subject, proposal_number) if admin.is_admin[subject] # regal ignore:external-reference
+access_proposal(subject, proposal_number) if admin.is_admin(subject) # regal ignore:external-reference
 
 # Allow if subject is on proposal
 access_proposal(subject, proposal_number) if on_proposal(subject, proposal_number)

policy/diamond/policy/session/session.rego

@@ -24,7 +24,7 @@ on_session(subject, proposal_number, visit_number) if {
 default access_session(_, _, _) := false
 
 # Allow if subject has super_admin permission
-access_session(subject, proposal_number, visit_number) if admin.is_admin[subject] # regal ignore:external-reference
+access_session(subject, proposal_number, visit_number) if admin.is_admin(subject) # regal ignore:external-reference
 
 # Allow if subject is admin for beamline containing session
 access_session(subject, proposal_number, visit_number) if {
@@ -55,3 +55,9 @@ write_to_beamline_visit if {
 	access
 	matches_beamline
 }
+
+user_sessions contains user_session if {
+	some session in data.diamond.data.sessions
+	access_session(token.claims.fedid, session.proposal_number, session.visit_number)
+	user_session := sprintf("%s", [session])
+}

policy/diamond/policy/session/session_test.rego

@@ -20,6 +20,16 @@ diamond_data := {
 			"proposals": [],
 			"sessions": [],
 		},
+		"desmond": {
+			"permissions": [],
+			"proposals": [2],
+			"sessions": [13],
+		},
+		"edna": {
+			"permissions": [],
+			"proposals": [2],
+			"sessions": [13, 14],
+		},
 		"oscar": {
 			"permissions": [],
 			"proposals": [],
@@ -37,12 +47,28 @@ diamond_data := {
 			"proposal_number": 1,
 			"visit_number": 2,
 		},
+		"13": {
+			"beamline": "b07",
+			"proposal_number": 2,
+			"visit_number": 1,
+		},
+		"14": {
+			"beamline": "b07",
+			"proposal_number": 2,
+			"visit_number": 2,
+		},
+	},
+	"proposals": {
+		"1": {"sessions": {
+			"1": 11,
+			"2": 12,
+		}},
+		"2": {"sessions": {
+			"1": 13,
+			"2": 14,
+		}},
 	},
-	"proposals": {"1": {"sessions": {
-		"1": 11,
-		"2": 12,
-	}}},
-	"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12]}},
+	"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12, 13, 14]}},
 	"admin": {"b07_admin": ["b07"]},
 }
 
@@ -181,3 +207,37 @@ test_session_beamline if {
 		with data.diamond.data as diamond_data
 	bl2 == "b07"
 }
+
+test_user_session_tags if {
+	session.user_sessions == set() with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "oscar"}
+	session.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}",
+		"{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "alice"}
+	session.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}",
+		"{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "bob"}
+	session.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}",
+		"{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "carol"}
+	session.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "desmond"}
+	session.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "edna"}
+}

policy/diamond/policy/tiled/tiled.rego

@@ -0,0 +1,33 @@
+package diamond.policy.tiled
+
+import data.diamond.policy.token
+
+read_scopes := {
+	"read:metadata",
+	"read:data",
+}
+
+write_scopes := {
+	"write:metadata",
+	"write:data",
+	"create",
+	"register",
+}
+
+scopes_for(claims) := read_scopes | write_scopes if {
+	"azp" in object.keys(claims)
+	endswith(claims.azp, "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+	"azp" in object.keys(claims)
+	not endswith(claims.azp, "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+	not "azp" in object.keys(claims)
+}
+
+default scopes := set()
+
+scopes := scopes_for(token.claims)

policy/diamond/policy/tiled/tiled_test.rego

@@ -0,0 +1,26 @@
+package diamond.policy.tiled_test
+
+import data.diamond.policy.tiled
+import data.diamond.policy.token
+import rego.v1
+
+test_default_no_scopes if {
+	tiled.scopes == set()
+}
+
+test_wrong_azp_read_scopes if {
+	tiled.scopes == tiled.read_scopes with token.claims as {}
+	tiled.scopes == tiled.read_scopes with token.claims as {"sub": "foo"}
+	tiled.scopes == tiled.read_scopes with token.claims as {"azp": "foo"}
+}
+
+test_blueapi_given_write_scopes if {
+	tiled.scopes == {
+		"read:metadata",
+		"read:data",
+		"write:metadata",
+		"write:data",
+		"create",
+		"register",
+	} with token.claims as {"azp": "foo-blueapi"}
+}