package authorization_grant

# Fixtures shared by every test in this file: a plain user and a single
# client. Individual cases narrow or extend them with `with` (for example
# `with input.user.can_request_admin as true`), so keep these minimal.
user := {"username": "john"}

client := {"client_id": "client"}
# Standard OIDC scopes for a plain user: the empty scope, "openid", "email"
# and their combination are granted; "phone" and "profile" are refused.
# NOTE(review): no input.grant_type is set in these cases — presumably the
# policy does not require one for standard scopes; verify against the policy.
test_standard_scopes {
    # Granted scope strings (the empty scope counts as granted)
    allow with input.scope as "" with input.client as client with input.user as user
    allow with input.scope as "openid" with input.client as client with input.user as user
    allow with input.scope as "email" with input.client as client with input.user as user
    allow with input.scope as "openid email" with input.client as client with input.user as user

    # Not supported yet: the policy must deny these rather than silently grant them
    not allow with input.scope as "phone" with input.client as client with input.user as user
    not allow with input.scope as "profile" with input.client as client with input.user as user
}
# The Matrix client API scope is granted to a user through the
# authorization_code grant.
test_matrix_scopes {
    api_scope := "urn:matrix:org.matrix.msc2967.client:api:*"
    allow with input.scope as api_scope with input.grant_type as "authorization_code" with input.client as client with input.user as user
}
# Device scopes carry a client-chosen device id after the
# "urn:matrix:org.matrix.msc2967.client:device:" prefix. The id must be made
# of permitted characters and be long enough, only one device scope may be
# requested at a time, and the scope is never granted to client_credentials
# (no user behind the request).
test_device_scopes {
    prefix := "urn:matrix:org.matrix.msc2967.client:device:"

    # Well-formed device ids are granted
    allow with input.scope as concat("", [prefix, "AAbbCCdd01"]) with input.grant_type as "authorization_code" with input.client as client with input.user as user
    allow with input.scope as concat("", [prefix, "AAbbCCdd01-asdasdsa1-2313"]) with input.grant_type as "authorization_code" with input.client as client with input.user as user

    # Invalid characters in the id (":" "*" "!") are rejected — ":" and "*"
    # would otherwise blur the boundary with the scope prefix and wildcards
    not allow with input.scope as concat("", [prefix, "AABB:CCDDEE"]) with input.grant_type as "authorization_code" with input.client as client with input.user as user
    not allow with input.scope as concat("", [prefix, "AABB*CCDDEE"]) with input.grant_type as "authorization_code" with input.client as client with input.user as user
    not allow with input.scope as concat("", [prefix, "AABB!CCDDEE"]) with input.grant_type as "authorization_code" with input.client as client with input.user as user

    # Too short an id is rejected
    not allow with input.scope as concat("", [prefix, "abcd"]) with input.grant_type as "authorization_code" with input.client as client with input.user as user

    # More than one device scope in a single request is rejected
    two_devices := concat(" ", [concat("", [prefix, "AAbbCCdd01"]), concat("", [prefix, "AAbbCCdd02"])])
    not allow with input.scope as two_devices with input.grant_type as "authorization_code" with input.client as client with input.user as user

    # Not allowed for the client credentials grant (no input.user is set here)
    not allow with input.scope as concat("", [prefix, "AAbbCCdd01"]) with input.grant_type as "client_credentials" with input.client as client
}
# The Synapse admin scope is granted only when the user is listed in
# data.admin_users or carries can_request_admin set to true; an empty admin
# list with can_request_admin false or absent is denied.
test_synapse_admin_scopes {
    admin_scope := "urn:synapse:admin:*"

    # Listed in the static admin list
    allow with input.scope as admin_scope with input.grant_type as "authorization_code" with data.admin_users as ["john"] with input.client as client with input.user as user

    # Not listed and no per-user flag: denied
    not allow with input.scope as admin_scope with input.grant_type as "authorization_code" with data.admin_users as [] with input.client as client with input.user as user

    # Per-user flag grants the scope even with an empty admin list
    flagged_user := object.union(user, {"can_request_admin": true})
    allow with input.scope as admin_scope with input.grant_type as "authorization_code" with data.admin_users as [] with input.client as client with input.user as flagged_user

    # Per-user flag explicitly false: denied
    unflagged_user := object.union(user, {"can_request_admin": false})
    not allow with input.scope as admin_scope with input.grant_type as "authorization_code" with data.admin_users as [] with input.client as client with input.user as unflagged_user
}
# MAS-internal scopes: the GraphQL scope is granted to a plain user, while
# "urn:mas:admin" requires membership in data.admin_users.
# NOTE(review): unlike the Synapse admin cases, no case here covers
# input.user.can_request_admin for "urn:mas:admin" — confirm whether the
# policy honours that flag for this scope and add a case if it does.
test_mas_scopes {
    # GraphQL access for any user (no grant_type set in this case)
    allow with input.scope as "urn:mas:graphql:*" with input.client as client with input.user as user

    # Admin scope: granted to a listed admin, denied with an empty admin list
    allow with input.scope as "urn:mas:admin" with input.grant_type as "authorization_code" with data.admin_users as ["john"] with input.client as client with input.user as user
    not allow with input.scope as "urn:mas:admin" with input.grant_type as "authorization_code" with data.admin_users as [] with input.client as client with input.user as user
}