You've already forked authentication-service
mirror of
https://github.com/matrix-org/matrix-authentication-service.git
synced 2025-07-07 22:41:18 +03:00
39 lines
930 B
Rego
39 lines
930 B
Rego
package authorization_grant
|
|
|
|
import future.keywords.in
|
|
|
|
default allow := false
|
|
|
|
allow {
|
|
count(violation) == 0
|
|
}
|
|
|
|
# Special case to make empty scope work
|
|
allowed_scope("") = true
|
|
|
|
allowed_scope("openid") = true
|
|
|
|
allowed_scope("email") = true
|
|
|
|
allowed_scope("urn:synapse:admin:*") {
|
|
some user in data.admin_users
|
|
input.user.username == user
|
|
}
|
|
|
|
allowed_scope(scope) {
|
|
regex.match("urn:matrix:org.matrix.msc2967.client:device:[A-Za-z0-9-]{10,}", scope)
|
|
}
|
|
|
|
allowed_scope("urn:matrix:org.matrix.msc2967.client:api:*") = true
|
|
|
|
violation[{"msg": msg}] {
|
|
some scope in split(input.authorization_grant.scope, " ")
|
|
not allowed_scope(scope)
|
|
msg := sprintf("scope '%s' not allowed", [scope])
|
|
}
|
|
|
|
violation[{"msg": "only one device scope is allowed at a time"}] {
|
|
scope_list := split(input.authorization_grant.scope, " ")
|
|
count({key | scope_list[key]; startswith(scope_list[key], "urn:matrix:org.matrix.msc2967.client:device:")}) > 1
|
|
}
|