54 changes: 23 additions & 31 deletions policy/diamond/policy/tiled/tiled.rego
Expand Up @@ -32,57 +32,39 @@ user_session := to_number(_session) if {
_session
}

# service account check
user_session := to_number(_session) if {
input.proposal in token.claims.subject.proposals
}

user_session := to_number(_session) if {
_session in token.claims.subject.sessions
}

user_session := to_number(_session) if {
input.beamline in beamlines
input.beamline == token.claims.beamline
input.beamline == session.beamline_for(input.proposal, input.visit)
_session in data.diamond.data.beamlines[input.beamline].sessions
}

default fedid := ""

fedid := token.claims.fedid

# Validates if the subject has permission to modify
# the specific session in the input.
default modify_session := false

modify_session if session.access_session(
fedid,
token.claims.fedid,
data.diamond.data.sessions[input.session].proposal_number,
data.diamond.data.sessions[input.session].visit_number,
)

# service account check
modify_session if {
data.diamond.data.sessions[input.session].proposal_number in token.claims.subject.proposals
}

modify_session if {
to_number(input.session) in token.claims.subject.sessions
}

modify_session if {
not token.claims.fedid
session.beamline_for(
data.diamond.data.sessions[input.session].proposal_number,
data.diamond.data.sessions[input.session].visit_number,
) in beamlines
) == token.claims.beamline
}

subject := data.diamond.data.subjects[token.claims.fedid] if token.claims.fedid

else := token.claims.subject if token.claims.subject
subject := data.diamond.data.subjects[token.claims.fedid]

# Identifies all beamlines the subject is authorized to access
# based on their assigned permissions.
beamlines contains beamline if {
not admin.is_admin(fedid)
token.claims.fedid
not admin.is_admin(token.claims.fedid)
some p in subject.permissions
some beamline in object.get(data.diamond.data.admin, p, [])
}
Expand All @@ -95,23 +77,33 @@ beamlines contains beamline if {
# 2. Access via beamline-level permissions
# 3. Access via proposal-level permissions
user_sessions contains "*" if {
admin.is_admin(fedid)
subject
admin.is_admin(token.claims.fedid)
}

user_sessions contains to_number(session) if {
not admin.is_admin(fedid)
subject
not admin.is_admin(token.claims.fedid)
some session in subject.sessions
}

user_sessions contains to_number(session) if {
not admin.is_admin(fedid)
subject
not admin.is_admin(token.claims.fedid)
some beamline in beamlines
some session in data.diamond.data.beamlines[beamline].sessions
}

user_sessions contains to_number(session) if {
not admin.is_admin(fedid)
subject
not admin.is_admin(token.claims.fedid)
some p in subject.proposals
some i in data.diamond.data.proposals[format_int(p, 10)]
some session in i
}

# service account check
user_sessions contains to_number(session) if {
not subject
some session in data.diamond.data.beamlines[token.claims.beamline].sessions
}
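Review bot: The three service-account paths in this file use three different guards, so a token that carries both a `fedid` and a `beamline` claim is treated inconsistently: the `user_session` rule containing `input.beamline == token.claims.beamline` has no fedid guard at all, `modify_session` requires `not token.claims.fedid`, and the new `user_sessions` rule in the second hunk requires `not subject`, which is also satisfied by a fedid that is merely absent from `data.diamond.data.subjects`. If such mixed tokens can be issued (I cannot tell from the policy alone), the first and third paths grant beamline-wide read access to a user that the second path denies modification rights. Aligning them on the strictest guard is two lines: add `not token.claims.fedid` to the beamline `user_session` rule, and replace `not subject` with `not token.claims.fedid` in the final `user_sessions` rule. A one-line comment on each, such as `# service account: beamline-scoped token without a fedid`, would also make the intended audience of these rules explicit.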
65 changes: 20 additions & 45 deletions policy/diamond/policy/tiled/tiled_test.rego
Expand Up @@ -131,72 +131,47 @@ test_modify_session if {

# Service account tests

test_user_session_allow_service_account_on_proposal if {
test_user_session_allow_service_account_on_beamline if {
tiled.user_session == 11 with data.diamond.data as diamond_data
with input as {"beamline": "i03", "proposal": 1, "visit": 1}
with data.diamond.policy.token.claims as {"subject": {"proposals": [1], "sessions": [], "permissions": []}}
}

test_user_session_allow_service_account_on_session if {
tiled.user_session == 11 with data.diamond.data as diamond_data
with input as {"beamline": "i03", "proposal": 1, "visit": 1}
with data.diamond.policy.token.claims as {"subject": {"proposals": [], "sessions": [11], "permissions": []}}
with data.diamond.policy.token.claims as {"beamline": "i03"}
}

test_user_session_not_allow_service_account_wrong_beamline if {
not tiled.user_session with data.diamond.data as diamond_data
with input as {"beamline": "i03", "proposal": 1, "visit": 2}
with data.diamond.policy.token.claims as {"subject": {"proposals": [], "sessions": [], "permissions": ["b07_admin"]}}
with data.diamond.policy.token.claims as {"beamline": "b07"}
}

test_user_session_allow_service_account_with_beamline if {
tiled.user_session with data.diamond.data as diamond_data
with input as {"beamline": "b07", "proposal": 1, "visit": 2}
with data.diamond.policy.token.claims as {
"subject": {"proposals": [], "sessions": [], "permissions": ["b07_admin"]},
"fedid": "",
}
test_user_session_not_allow_service_account_on_none_existent_beamline_beamline if {
not tiled.user_session with data.diamond.data as diamond_data
with input as {"beamline": "i03", "proposal": 1, "visit": 2}
with data.diamond.policy.token.claims as {"beamline": "b007"}
}

test_modify_session_on_proposal if {
test_modify_session_on_beamline if {
tiled.modify_session with data.diamond.data as diamond_data
with input as {"session": "11"}
with data.diamond.policy.token.claims as {"subject": {"proposals": [1], "sessions": [], "permissions": []}}
with data.diamond.policy.token.claims as {"beamline": "i03"}
}

test_modify_session_on_session if {
tiled.modify_session with data.diamond.data as diamond_data
test_modify_session_on_wrong_beamline if {
not tiled.modify_session with data.diamond.data as diamond_data
with input as {"session": "11"}
with data.diamond.policy.token.claims as {"subject": {"proposals": [], "sessions": [11], "permissions": []}}
with data.diamond.policy.token.claims as {"beamline": "b07"}
}

test_modify_session_on_permission if {
tiled.modify_session with data.diamond.data as diamond_data
with input as {"session": "12"}
with data.diamond.policy.token.claims as {"subject": {
"proposals": [],
"sessions": [],
"permissions": ["b07_admin"],
}}
test_modify_session_on_none_existent_beamline if {
not tiled.modify_session with data.diamond.data as diamond_data
with input as {"session": "11"}
with data.diamond.policy.token.claims as {"beamline": "b007"}
}

test_user_session_tags_service_account if {
tiled.user_sessions == {11} with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"subject": {
"proposals": [],
"sessions": [11],
"permissions": [],
}}
tiled.user_sessions == {11, 12} with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"subject": {
"proposals": [1],
"sessions": [],
"permissions": [],
}}
with data.diamond.policy.token.claims as {"beamline": "i03"}
tiled.user_sessions == {12, 13, 14} with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"subject": {
"proposals": [],
"sessions": [],
"permissions": ["b07_admin"],
}}
with data.diamond.policy.token.claims as {"beamline": "b07"}
tiled.user_sessions == set() with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"beamline": "b007"}
}
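Review bot: None of the rewritten service-account tests use a token that carries both `fedid` and `beamline` claims, so the `not token.claims.fedid` guard on `modify_session` is never pinned and the lack of the same guard on the beamline `user_session` rule goes unnoticed. Two negative tests would lock the intended behaviour in; the fedid value below is a constructed placeholder that must not exist in `diamond_data`, and the `user_session` case is expected to fail on the current policy until that rule is guarded (assuming the remaining `user_session` rules do not match an unknown fedid). The names `test_user_session_not_allow_service_account_on_none_existent_beamline_beamline` and `test_modify_session_on_none_existent_beamline` read better as `non_existent`, with the duplicated `_beamline` dropped.

```rego
# constructed: a user token that also carries a beamline claim must not be
# treated as a service account; PLACEHOLDER_FEDID is not in diamond_data
test_modify_session_not_allow_mixed_claims if {
	not tiled.modify_session with data.diamond.data as diamond_data
		with input as {"session": "11"}
		with data.diamond.policy.token.claims as {"fedid": "PLACEHOLDER_FEDID", "beamline": "i03"}
}

test_user_session_not_allow_mixed_claims if {
	not tiled.user_session with data.diamond.data as diamond_data
		with input as {"beamline": "i03", "proposal": 1, "visit": 1}
		with data.diamond.policy.token.claims as {"fedid": "PLACEHOLDER_FEDID", "beamline": "i03"}
}
```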