From cd515f459a92b7ccf806b995c3f674e4ad317a3e Mon Sep 17 00:00:00 2001 
From: Roman Donchenko Date: Mon, 29 Apr 2024 19:16:42 +0300 Subject: [PATCH] Modernize Rego syntax Open Policy Agent v0.59 introduced a new directive (`import rego.v1`) that ensures that the file is compatible with OPA v1 (to be released in the future). Add this directive to all Rego files and update the syntax accordingly. Which involves the following: * Rewrite all rules to use the `if` keyword, which is now mandatory. * Where appropriate, use the `in` keyword, which is now available without a future import. It's not mandatory, but it looks much nicer. In addition, update Regal to the latest version, which now enforces the use of `import rego.v1` by default. --- .github/workflows/regallint.yml | 4 +- .../rules/analytics_reports.rego | 6 +- cvat/apps/engine/rules/annotationguides.rego | 32 ++-- cvat/apps/engine/rules/cloudstorages.rego | 47 +++--- cvat/apps/engine/rules/comments.rego | 83 +++++----- cvat/apps/engine/rules/issues.rego | 81 +++++----- cvat/apps/engine/rules/jobs.rego | 131 ++++++++------- cvat/apps/engine/rules/labels.rego | 19 ++- cvat/apps/engine/rules/projects.rego | 91 ++++++----- cvat/apps/engine/rules/server.rego | 7 +- cvat/apps/engine/rules/tasks.rego | 151 ++++++++++-------- .../annotationguides_test.gen.rego.py | 4 +- .../generators/cloudstorages_test.gen.rego.py | 4 +- .../generators/comments_test.gen.rego.py | 4 +- .../tests/generators/issues_test.gen.rego.py | 4 +- .../tests/generators/jobs_test.gen.rego.py | 4 +- .../generators/projects_test.gen.rego.py | 4 +- .../tests/generators/server_test.gen.rego.py | 4 +- .../tests/generators/tasks_test.gen.rego.py | 4 +- .../tests/generators/users_test.gen.rego.py | 4 +- cvat/apps/engine/rules/users.rego | 23 +-- cvat/apps/events/rules/events.rego | 21 +-- .../tests/generators/events_test.gen.rego.py | 4 +- cvat/apps/iam/rules/utils.rego | 20 +-- cvat/apps/lambda_manager/rules/lambda.rego | 22 +-- .../tests/generators/lambda_test.gen.rego.py | 4 +- cvat/apps/log_viewer/rules/analytics.rego | 7 
+- .../generators/analytics_test.gen.rego.py | 4 +- .../apps/organizations/rules/invitations.rego | 53 +++--- .../apps/organizations/rules/memberships.rego | 39 ++--- .../organizations/rules/organizations.rego | 37 +++-- .../generators/invitations_test.gen.rego.py | 4 +- .../generators/memberships_test.gen.rego.py | 4 +- .../generators/organizations_test.gen.rego.py | 4 +- .../apps/quality_control/rules/conflicts.rego | 19 ++- .../rules/quality_reports.rego | 19 ++- .../rules/quality_settings.rego | 19 ++- .../generators/webhooks_test.gen.rego.py | 4 +- cvat/apps/webhooks/rules/webhooks.rego | 61 +++---- 39 files changed, 565 insertions(+), 491 deletions(-) diff --git a/.github/workflows/regallint.yml b/.github/workflows/regallint.yml index 2e0c3dd89357..b35a1a862b34 100644 --- a/.github/workflows/regallint.yml +++ b/.github/workflows/regallint.yml @@ -6,7 +6,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Setup Regal - uses: StyraInc/setup-regal@v0.2.0 + uses: StyraInc/setup-regal@v1 with: - version: v0.11.0 + version: v0.21.3 - run: regal lint --format=github cvat/apps/*/rules diff --git a/cvat/apps/analytics_report/rules/analytics_reports.rego b/cvat/apps/analytics_report/rules/analytics_reports.rego index e260760f7e36..b57dc764fcde 100644 --- a/cvat/apps/analytics_report/rules/analytics_reports.rego +++ b/cvat/apps/analytics_report/rules/analytics_reports.rego @@ -1,5 +1,7 @@ package analytics_reports +import rego.v1 + import data.utils import data.organizations @@ -24,11 +26,11 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.has_perm(utils.WORKER) } diff --git a/cvat/apps/engine/rules/annotationguides.rego b/cvat/apps/engine/rules/annotationguides.rego index 3acb74954fb7..dd512af6d79a 100644 --- a/cvat/apps/engine/rules/annotationguides.rego +++ b/cvat/apps/engine/rules/annotationguides.rego 
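Review bot: `uses: StyraInc/setup-regal@v1` pins the action to a floating major tag, so the linter that gates every policy file under `cvat/apps/*/rules` is whatever that tag resolves to on the day the job runs; for a step that executes third-party code on the CI runner, pin to the full commit SHA and keep the human-readable version as a trailing comment, e.g. `uses: StyraInc/setup-regal@<full-commit-sha> # v1`, and consider doing the same for the unchanged `actions/checkout@v4` line. The `version: v0.21.3` input is already an exact Regal release, which is the right shape. Note that the step still only runs `regal lint`, which enforces style and the `import rego.v1` requirement but does not show that the rewritten rules evaluate identically to the old ones; that presumably rests on the generated `*_test.gen.rego` suites touched in the diffstat being run elsewhere, which this workflow does not do.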
@@ -1,5 +1,7 @@ package annotationguides +import rego.v1 + import data.utils import data.organizations @@ -31,72 +33,72 @@ import data.organizations # } # } -is_target_owner { +is_target_owner if { input.resource.target.owner.id == input.auth.user.id } -is_target_assignee { +is_target_assignee if { input.resource.target.assignee.id == input.auth.user.id } -is_target_staff { +is_target_staff if { is_target_owner } -is_target_staff { +is_target_staff if { is_target_assignee } default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox utils.has_perm(utils.WORKER) input.resource.target.is_job_staff } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox utils.has_perm(utils.WORKER) is_target_staff } -allow { - { utils.CREATE, utils.DELETE, utils.UPDATE }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.DELETE, utils.UPDATE} utils.is_sandbox utils.has_perm(utils.USER) is_target_staff } -allow { - { utils.CREATE, utils.DELETE, utils.UPDATE, utils.VIEW }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.DELETE, utils.UPDATE, utils.VIEW} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.CREATE, utils.DELETE, utils.UPDATE }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.DELETE, utils.UPDATE} input.auth.organization.id == input.resource.organization.id organizations.is_member utils.has_perm(utils.USER) is_target_staff } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id organizations.is_member is_target_staff } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id organizations.is_member diff --git a/cvat/apps/engine/rules/cloudstorages.rego b/cvat/apps/engine/rules/cloudstorages.rego index 1b57bdee015c..3e278a35a7d5 100644 
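Review bot: The first sandbox VIEW rule trusts a precomputed flag, `input.resource.target.is_job_staff`, instead of deriving staff status from owner/assignee ids the way `is_target_staff` does, so that rule is only as strong as whoever assembles `input.resource`; that is presumably the server-side permission layer rather than anything client-supplied, but nothing in the file says so. I would put a comment above that rule, e.g. `# target.is_job_staff is computed server-side from the target job's staff; it must never be taken from the request`, and record the same in the commented input schema that the hunk's leading `# }` lines close. Separately, the organization VIEW rule that relies on `is_target_staff` carries no `utils.has_perm(...)` check while its sandbox counterpart requires `utils.has_perm(utils.WORKER)`; if the asymmetry is intentional it deserves a one-line why-comment, otherwise the privilege check is missing. The final `allow if` rule in the hunk continues past the hunk boundary, so its remaining conditions are not visible here.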
--- a/cvat/apps/engine/rules/cloudstorages.rego
+++ b/cvat/apps/engine/rules/cloudstorages.rego
@@ -1,4 +1,7 @@
 package cloudstorages
+
+import rego.v1
+
 import data.utils
 import data.organizations
 
@@ -29,80 +32,80 @@ import data.organizations default allow := false # Admin has no restrictions -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.CREATE utils.has_perm(utils.USER) utils.is_sandbox } -allow { +allow if { input.scope == utils.CREATE input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin qobject := [ {"organization": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.has_perm(utils.USER) organizations.has_perm(organizations.SUPERVISOR) qobject := [ {"organization": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.is_sandbox qobject := [ {"owner": input.auth.user.id} ] -} else := qobject { +} else := qobject if { utils.is_organization qobject := [ {"owner": input.auth.user.id}, {"organization": input.auth.organization.id}, "&" ] } -allow { - { utils.VIEW, utils.LIST_CONTENT }[input.scope] +allow if { + input.scope in {utils.VIEW, utils.LIST_CONTENT} utils.is_sandbox utils.is_resource_owner } -allow { - { utils.VIEW, utils.LIST_CONTENT }[input.scope] +allow if { + input.scope in {utils.VIEW, utils.LIST_CONTENT} input.auth.organization.id == input.resource.organization.id organizations.is_member utils.is_resource_owner } -allow { - { utils.VIEW, utils.LIST_CONTENT }[input.scope] +allow if { + input.scope in {utils.VIEW, utils.LIST_CONTENT} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.SUPERVISOR) } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] 
+allow if { + input.scope in {utils.UPDATE, utils.DELETE} utils.is_sandbox utils.has_perm(utils.WORKER) utils.is_resource_owner } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} input.auth.organization.id == input.resource.organization.id organizations.is_member utils.has_perm(utils.WORKER) @@ -110,8 +113,8 @@ allow { } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) diff --git a/cvat/apps/engine/rules/comments.rego b/cvat/apps/engine/rules/comments.rego index cd5b987a50b6..019a5ebcecc4 100644 --- a/cvat/apps/engine/rules/comments.rego +++ b/cvat/apps/engine/rules/comments.rego @@ -1,4 +1,7 @@ package comments + +import rego.v1 + import data.utils import data.organizations 
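Review bot: The `filter` rule's `else` chain has no terminal branch, so for a request that satisfies neither `utils.is_sandbox` nor `utils.is_organization` `filter` is undefined rather than an empty or restrictive Q object; the Python side must treat "undefined" as deny-everything, not as "no filter", and that contract is not written down anywhere in this file. The comment `# Django Q object to filter list of entries` is the only documentation, and from the visible bodies the list appears to be postfix notation (operands first, then `"&"`/`"|"`), which is also worth stating, e.g. `# qobject is a postfix list: operands first, then "&"/"|" combining the two preceding entries; an undefined result must be treated as deny-all by the caller`. The rest of the hunk is a faithful `{...}[input.scope]` to `input.scope in {...}` rewrite with no visible semantic change.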
@@ -41,100 +44,100 @@ import data.organizations # } # } -is_comment_owner { +is_comment_owner if { input.resource.owner.id == input.auth.user.id } -is_issue_owner { +is_issue_owner if { input.resource.issue.owner.id == input.auth.user.id } -is_issue_assignee { +is_issue_assignee if { input.resource.issue.assignee.id == input.auth.user.id } -is_job_assignee { +is_job_assignee if { input.resource.job.assignee.id == input.auth.user.id } -is_task_owner { +is_task_owner if { input.resource.task.owner.id == input.auth.user.id } -is_task_assignee { +is_task_assignee if { input.resource.task.assignee.id == input.auth.user.id } -is_project_owner { +is_project_owner if { input.resource.project.owner.id == input.auth.user.id } -is_project_assignee { +is_project_assignee if { input.resource.project.assignee.id == input.auth.user.id } -is_project_staff { +is_project_staff if { is_project_owner } -is_project_staff { +is_project_staff if { is_project_assignee } -is_task_staff { +is_task_staff if { is_project_staff } -is_task_staff { +is_task_staff if { is_task_owner } -is_task_staff { +is_task_staff if { is_task_assignee } -is_job_staff { +is_job_staff if { is_task_staff } -is_job_staff { +is_job_staff if { is_job_assignee } -is_issue_staff { +is_issue_staff if { is_job_staff } -is_issue_staff { +is_issue_staff if { is_issue_owner } -is_issue_staff { +is_issue_staff if { is_issue_assignee } -is_comment_staff { +is_comment_staff if { is_issue_staff } -is_comment_staff { +is_comment_staff if { is_comment_owner } default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.CREATE_IN_ISSUE utils.is_sandbox utils.has_perm(utils.WORKER) is_issue_staff } -allow { +allow if { input.scope == utils.CREATE_IN_ISSUE input.auth.organization.id == input.resource.organization.id utils.is_organization 
@@ -142,7 +145,7 @@ allow { organizations.has_perm(organizations.MAINTAINER) } -allow { +allow if { input.scope == utils.CREATE_IN_ISSUE input.auth.organization.id == input.resource.organization.id utils.is_organization @@ -151,20 +154,20 @@ allow { is_issue_staff } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization org := input.auth.organization @@ -172,7 +175,7 @@ filter := [] { # Django Q object to filter list of entries {"issue__job__segment__task__organization": org.id}, {"issue__job__segment__task__project__organization": org.id}, "|" ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ @@ -185,7 +188,7 @@ filter := [] { # Django Q object to filter list of entries {"issue__job__segment__task__project__owner": user.id}, "|", {"issue__job__segment__task__project__assignee": user.id}, "|" ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) @@ -194,7 +197,7 @@ filter := [] { # Django Q object to filter list of entries {"issue__job__segment__task__organization": org.id}, {"issue__job__segment__task__project__organization": org.id}, "|" ] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user org := input.auth.organization 
@@ -212,42 +215,42 @@ filter := [] { # Django Q object to filter list of entries ] } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox is_comment_staff } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id organizations.is_member is_comment_staff } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} utils.is_sandbox utils.has_perm(utils.WORKER) is_comment_staff } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} input.auth.organization.id == input.resource.organization.id is_comment_staff utils.has_perm(utils.WORKER) diff --git a/cvat/apps/engine/rules/issues.rego b/cvat/apps/engine/rules/issues.rego index 0475f832ad53..803dab16c019 100644 --- a/cvat/apps/engine/rules/issues.rego +++ b/cvat/apps/engine/rules/issues.rego @@ -1,4 +1,7 @@ package issues + +import rego.v1 + import data.utils import data.organizations 
@@ -38,96 +41,96 @@ import data.organizations # } # } -is_issue_owner { +is_issue_owner if { input.resource.owner.id == input.auth.user.id } -is_issue_assignee { +is_issue_assignee if { input.resource.assignee.id == input.auth.user.id } -is_job_assignee { +is_job_assignee if { input.resource.job.assignee.id == input.auth.user.id } -is_task_owner { +is_task_owner if { input.resource.task.owner.id == input.auth.user.id } -is_task_assignee { +is_task_assignee if { input.resource.task.assignee.id == input.auth.user.id } -is_project_owner { +is_project_owner if { input.resource.project.owner.id == input.auth.user.id } -is_project_assignee { +is_project_assignee if { input.resource.project.assignee.id == input.auth.user.id } -is_project_staff { +is_project_staff if { is_project_owner } -is_project_staff { +is_project_staff if { is_project_assignee } -is_task_staff { +is_task_staff if { is_project_staff } -is_task_staff { +is_task_staff if { is_task_owner } -is_task_staff { +is_task_staff if { is_task_assignee } -is_job_staff { +is_job_staff if { is_task_staff } -is_job_staff { +is_job_staff if { is_job_assignee } -is_issue_admin { +is_issue_admin if { is_task_staff } -is_issue_admin { +is_issue_admin if { is_issue_owner } -is_issue_staff { +is_issue_staff if { is_job_staff } -is_issue_staff { +is_issue_staff if { is_issue_admin } -is_issue_staff { +is_issue_staff if { is_issue_assignee } default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.CREATE_IN_JOB utils.is_sandbox utils.has_perm(utils.WORKER) is_job_staff } -allow { +allow if { input.scope == utils.CREATE_IN_JOB input.auth.organization.id == input.resource.organization.id utils.is_organization @@ -135,7 +138,7 @@ allow { organizations.has_perm(organizations.MAINTAINER) } -allow { +allow if { input.scope == utils.CREATE_IN_JOB input.auth.organization.id == input.resource.organization.id utils.is_organization 
@@ -144,20 +147,20 @@ allow { is_job_staff } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization org := input.auth.organization @@ -165,7 +168,7 @@ filter := [] { # Django Q object to filter list of entries {"job__segment__task__organization": org.id}, {"job__segment__task__project__organization": org.id}, "|" ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ @@ -176,7 +179,7 @@ filter := [] { # Django Q object to filter list of entries {"job__segment__task__project__owner": user.id}, "|", {"job__segment__task__project__assignee": user.id}, "|" ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) @@ -185,7 +188,7 @@ filter := [] { # Django Q object to filter list of entries {"job__segment__task__organization": org.id}, {"job__segment__task__project__organization": org.id}, "|" ] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user org := input.auth.organization 
@@ -201,34 +204,34 @@ filter := [] { # Django Q object to filter list of entries ] } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox is_issue_staff } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id organizations.is_member is_issue_staff } -allow { +allow if { input.scope == utils.UPDATE utils.is_sandbox utils.has_perm(utils.WORKER) is_issue_staff } -allow { +allow if { input.scope == utils.UPDATE input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) @@ -236,14 +239,14 @@ allow { is_issue_staff } -allow { +allow if { input.scope == utils.DELETE utils.is_sandbox utils.has_perm(utils.WORKER) is_issue_admin } -allow { +allow if { input.scope == utils.DELETE input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) @@ -251,8 +254,8 @@ allow { is_issue_admin } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) diff --git a/cvat/apps/engine/rules/jobs.rego b/cvat/apps/engine/rules/jobs.rego index 4aaa02dad444..22b91a3a1050 100644 --- a/cvat/apps/engine/rules/jobs.rego +++ b/cvat/apps/engine/rules/jobs.rego @@ -1,4 +1,7 @@ package jobs + +import rego.v1 + import data.utils import data.organizations 
@@ -36,81 +39,81 @@ import data.organizations # } # } -is_job_assignee { +is_job_assignee if { input.resource.assignee.id == input.auth.user.id } -is_task_owner { +is_task_owner if { input.resource.task.owner.id == input.auth.user.id } -is_task_assignee { +is_task_assignee if { input.resource.task.assignee.id == input.auth.user.id } -is_project_owner { +is_project_owner if { input.resource.project.owner.id == input.auth.user.id } -is_project_assignee { +is_project_assignee if { input.resource.project.assignee.id == input.auth.user.id } -is_project_staff { +is_project_staff if { is_project_owner } -is_project_staff { +is_project_staff if { is_project_assignee } -is_task_staff { +is_task_staff if { is_project_staff } -is_task_staff { +is_task_staff if { is_task_owner } -is_task_staff { +is_task_staff if { is_task_assignee } -is_job_staff { +is_job_staff if { is_task_staff } -is_job_staff { +is_job_staff if { is_job_assignee } default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization qobject := [ {"segment__task__organization": input.auth.organization.id}, {"segment__task__project__organization": input.auth.organization.id}, "|" ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ 
@@ -119,14 +122,14 @@ filter := [] { # Django Q object to filter list of entries {"segment__task__assignee_id": user.id}, "|", {"segment__task__project__owner_id": user.id}, "|", {"segment__task__project__assignee_id": user.id}, "|"] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) qobject := [ {"segment__task__organization": input.auth.organization.id}, {"segment__task__project__organization": input.auth.organization.id}, "|"] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user qobject := [ 
@@ -139,102 +142,112 @@ filter := [] { # Django Q object to filter list of entries {"segment__task__project__organization": input.auth.organization.id}, "|", "&"] } -allow { - { utils.CREATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.DELETE} utils.has_perm(utils.USER) utils.is_sandbox is_task_staff } -allow { - { utils.CREATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.DELETE} input.auth.organization.id == input.resource.organization.id organizations.has_perm(organizations.SUPERVISOR) utils.has_perm(utils.USER) is_task_staff } -allow { - { utils.VIEW, - utils.EXPORT_DATASET, utils.EXPORT_ANNOTATIONS, - utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_METADATA - }[input.scope] +allow if { + input.scope in { + utils.VIEW, + utils.EXPORT_DATASET, utils.EXPORT_ANNOTATIONS, + utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_METADATA + } utils.is_sandbox is_job_staff } -allow { - { utils.CREATE, utils.DELETE, utils.VIEW, - utils.EXPORT_DATASET, utils.EXPORT_ANNOTATIONS, - utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_METADATA - }[input.scope] +allow if { + input.scope in { + utils.CREATE, utils.DELETE, utils.VIEW, + utils.EXPORT_DATASET, utils.EXPORT_ANNOTATIONS, + utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_METADATA + } input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.VIEW, - utils.EXPORT_DATASET, utils.EXPORT_ANNOTATIONS, - utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_METADATA - }[input.scope] +allow if { + input.scope in { + utils.VIEW, + utils.EXPORT_DATASET, utils.EXPORT_ANNOTATIONS, + utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_METADATA + } input.auth.organization.id == input.resource.organization.id organizations.has_perm(organizations.WORKER) is_job_staff } -allow { - { utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, - 
utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA }[input.scope] +allow if { + input.scope in { + utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, + utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA + } utils.is_sandbox utils.has_perm(utils.WORKER) is_job_staff } -allow { - { utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, - utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA }[input.scope] +allow if { + input.scope in { + utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, + utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA + } input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, - utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA }[input.scope] +allow if { + input.scope in { + utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, + utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA + } input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) is_job_staff } -allow { - { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_METADATA, - utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, - utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA - }[input.scope] +allow if { + input.scope in { + utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_METADATA, + utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, + utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA + } input.auth.organization.id == input.resource.organization.id input.auth.user.privilege == utils.WORKER input.auth.organization.user.role == null is_job_assignee } -allow { - { utils.UPDATE_STAGE, utils.UPDATE_ASSIGNEE }[input.scope] +allow if { + input.scope in {utils.UPDATE_STAGE, utils.UPDATE_ASSIGNEE} utils.is_sandbox 
utils.has_perm(utils.WORKER) is_task_staff } -allow { - { utils.UPDATE_STAGE, utils.UPDATE_ASSIGNEE }[input.scope] +allow if { + input.scope in {utils.UPDATE_STAGE, utils.UPDATE_ASSIGNEE} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.UPDATE_STAGE, utils.UPDATE_ASSIGNEE }[input.scope] +allow if { + input.scope in {utils.UPDATE_STAGE, utils.UPDATE_ASSIGNEE} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) diff --git a/cvat/apps/engine/rules/labels.rego b/cvat/apps/engine/rules/labels.rego index 773147636495..a50296377683 100644 --- a/cvat/apps/engine/rules/labels.rego +++ b/cvat/apps/engine/rules/labels.rego @@ -1,7 +1,6 @@ package labels -import future.keywords.if -import future.keywords.in +import rego.v1 import data.utils import data.organizations @@ -44,24 +43,24 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization org := input.auth.organization @@ -69,7 +68,7 @@ filter := [] { # Django Q object to filter list of entries {"task__organization": org.id}, {"project__organization": org.id}, "|", ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ 
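Review bot: The rule combining `input.auth.user.privilege == utils.WORKER`, `input.auth.organization.user.role == null` and `is_job_assignee` is the only rule in this hunk that grants access to an organization resource to someone with no organization role, every other organization rule goes through `organizations.has_perm` or `organizations.is_member`, and it covers the write scopes (`UPDATE_ANNOTATIONS`, `DELETE_ANNOTATIONS`, `IMPORT_ANNOTATIONS`, `UPDATE_METADATA`), not just viewing; nothing in the hunk says why. A why-comment above it would stop the next reviewer from reading it as a bypass, e.g. `# A WORKER assigned to a job in an organization they are not a member of may still view and annotate that one job`, adjusted if the intent is different. It also deliberately uses `privilege == utils.WORKER` rather than `utils.has_perm(utils.WORKER)`, so if `has_perm` is a "at least this level" check, higher-privilege non-members are excluded from this grant; whether that narrowing is intended is worth confirming and recording in the same comment.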
@@ -78,7 +77,7 @@ filter := [] { # Django Q object to filter list of entries {"project__owner_id": user.id}, "|", {"project__assignee_id": user.id}, "|", ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) @@ -87,7 +86,7 @@ filter := [] { # Django Q object to filter list of entries {"task__organization": org.id}, {"project__organization": org.id}, "|", ] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user qobject := [ diff --git a/cvat/apps/engine/rules/projects.rego b/cvat/apps/engine/rules/projects.rego index 642574529d07..dadebdc894ad 100644 --- a/cvat/apps/engine/rules/projects.rego +++ b/cvat/apps/engine/rules/projects.rego @@ -1,4 +1,7 @@ package projects + +import rego.v1 + import data.utils import data.organizations 
@@ -31,91 +34,91 @@ import data.organizations default allow := false -is_project_staff { +is_project_staff if { utils.is_resource_owner } -is_project_staff { +is_project_staff if { utils.is_resource_assignee } -allow { +allow if { utils.is_admin } -allow { - { utils.CREATE, utils.IMPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.IMPORT_BACKUP} utils.is_sandbox utils.has_perm(utils.USER) } -allow { - { utils.CREATE, utils.IMPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.IMPORT_BACKUP} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.SUPERVISOR) } -allow { - { utils.CREATE, utils.IMPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.IMPORT_BACKUP} utils.is_sandbox utils.has_perm(utils.BUSINESS) } -allow { - { utils.CREATE, utils.IMPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.IMPORT_BACKUP} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.BUSINESS) organizations.has_perm(organizations.SUPERVISOR) } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization qobject := [ {"organization": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|" ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) qobject := [ {"organization": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { 
organizations.has_perm(organizations.WORKER) user := input.auth.user qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|", {"organization": input.auth.organization.id}, "&" ] } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox is_project_staff } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id organizations.has_perm(organizations.WORKER) 
@@ -123,58 +126,58 @@ allow { } -allow { - { utils.DELETE, utils.UPDATE_ORG }[input.scope] +allow if { + input.scope in {utils.DELETE, utils.UPDATE_ORG} utils.is_sandbox utils.has_perm(utils.WORKER) utils.is_resource_owner } -allow { - { utils.DELETE, utils.UPDATE_ORG }[input.scope] +allow if { + input.scope in {utils.DELETE, utils.UPDATE_ORG} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.is_member utils.is_resource_owner } -allow { - { utils.DELETE, utils.UPDATE_ORG }[input.scope] +allow if { + input.scope in {utils.DELETE, utils.UPDATE_ORG} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.is_staff } -allow { - { utils.UPDATE_DESC, utils.IMPORT_DATASET }[input.scope] +allow if { + input.scope in {utils.UPDATE_DESC, utils.IMPORT_DATASET} utils.is_sandbox is_project_staff utils.has_perm(utils.WORKER) } -allow { - { utils.UPDATE_DESC, utils.IMPORT_DATASET }[input.scope] +allow if { + input.scope in {utils.UPDATE_DESC, utils.IMPORT_DATASET} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.is_staff } -allow { - { utils.UPDATE_DESC, utils.IMPORT_DATASET }[input.scope] +allow if { + input.scope in {utils.UPDATE_DESC, utils.IMPORT_DATASET} is_project_staff input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.is_member } -allow { +allow if { input.scope == utils.UPDATE_ASSIGNEE utils.is_sandbox utils.is_resource_owner utils.has_perm(utils.WORKER) } -allow { +allow if { input.scope == utils.UPDATE_ASSIGNEE input.auth.organization.id == input.resource.organization.id utils.is_resource_owner 
@@ -182,14 +185,14 @@ allow { organizations.is_member } -allow { +allow if { input.scope == utils.UPDATE_ASSIGNEE input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.is_staff } -allow { +allow if { input.scope == utils.UPDATE_OWNER input.auth.organization.id == input.resource.organization.id utils.is_resource_owner @@ -197,28 +200,28 @@ allow { organizations.is_staff } -allow { +allow if { input.scope == utils.UPDATE_OWNER input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.is_staff } -allow { - { utils.EXPORT_ANNOTATIONS, utils.EXPORT_DATASET, utils.EXPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.EXPORT_ANNOTATIONS, utils.EXPORT_DATASET, utils.EXPORT_BACKUP} utils.is_sandbox is_project_staff } -allow { - { utils.EXPORT_ANNOTATIONS, utils.EXPORT_DATASET, utils.EXPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.EXPORT_ANNOTATIONS, utils.EXPORT_DATASET, utils.EXPORT_BACKUP} input.auth.organization.id == input.resource.organization.id organizations.is_member is_project_staff } -allow { - { utils.EXPORT_ANNOTATIONS, utils.EXPORT_DATASET, utils.EXPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.EXPORT_ANNOTATIONS, utils.EXPORT_DATASET, utils.EXPORT_BACKUP} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) diff --git a/cvat/apps/engine/rules/server.rego b/cvat/apps/engine/rules/server.rego index 0aa94d42d1c4..bfe3b47a0d46 100644 --- a/cvat/apps/engine/rules/server.rego +++ b/cvat/apps/engine/rules/server.rego @@ -1,4 +1,7 @@ package server + +import rego.v1 + import data.utils # input: { @@ -22,11 +25,11 @@ import data.utils default allow := false -allow { +allow if { input.scope == utils.VIEW } -allow { +allow if { input.scope == utils.LIST_CONTENT utils.has_perm(utils.USER) } 
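Review bot: The new `import rego.v1` at the top of server.rego (and of every other policy in this patch) is rejected by OPA releases older than 0.59, so an OPA server that has not been upgraded will fail to load the entire policy bundle instead of falling back to the previous behaviour. Nothing in the visible hunks bumps the OPA runtime image or the version pin used by the test harness, so please confirm both are at 0.59 or newer (ideally pinned) before this lands. A one-line comment beside the import would spare the next reader a confusing compile error: `# Requires OPA >= 0.59; enforces OPA v1 syntax (mandatory if/contains, no future.keywords imports).`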
diff --git a/cvat/apps/engine/rules/tasks.rego b/cvat/apps/engine/rules/tasks.rego index 79c057db434b..9f1b7fa951a9 100644 --- a/cvat/apps/engine/rules/tasks.rego +++ b/cvat/apps/engine/rules/tasks.rego @@ -1,7 +1,6 @@ package tasks -import future.keywords.if -import future.keywords.in +import rego.v1 import data.utils import data.organizations 
@@ -39,89 +38,89 @@ import data.organizations # } # } -is_task_owner { +is_task_owner if { input.resource.owner.id == input.auth.user.id } -is_task_assignee { +is_task_assignee if { input.resource.assignee.id == input.auth.user.id } -is_project_owner { +is_project_owner if { input.resource.project.owner.id == input.auth.user.id } -is_project_assignee { +is_project_assignee if { input.resource.project.assignee.id == input.auth.user.id } -is_project_staff { +is_project_staff if { is_project_owner } -is_project_staff { +is_project_staff if { is_project_assignee } -is_task_staff { +is_task_staff if { is_project_staff } -is_task_staff { +is_task_staff if { is_task_owner } -is_task_staff { +is_task_staff if { is_task_assignee } default allow := false -allow { +allow if { utils.is_admin } -allow { - { utils.CREATE, utils.IMPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.IMPORT_BACKUP} utils.is_sandbox utils.has_perm(utils.USER) } -allow { - { utils.CREATE, utils.IMPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.IMPORT_BACKUP} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.SUPERVISOR) } -allow { - { utils.CREATE, utils.IMPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.IMPORT_BACKUP} utils.is_sandbox utils.has_perm(utils.BUSINESS) } -allow { - { utils.CREATE, utils.IMPORT_BACKUP }[input.scope] +allow if { + input.scope in {utils.CREATE, utils.IMPORT_BACKUP} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.BUSINESS) organizations.has_perm(organizations.SUPERVISOR) } -allow { +allow if { input.scope == utils.CREATE_IN_PROJECT utils.is_sandbox utils.has_perm(utils.USER) is_project_staff } -allow { +allow if { input.scope == utils.CREATE_IN_PROJECT input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.SUPERVISOR) 
} -allow { +allow if { input.scope == utils.CREATE_IN_PROJECT input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) @@ -129,50 +128,50 @@ allow { is_project_staff } -allow { +allow if { input.scope == utils.CREATE_IN_PROJECT utils.is_sandbox utils.has_perm(utils.BUSINESS) is_project_staff } -allow { +allow if { input.scope == utils.CREATE_IN_PROJECT input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.BUSINESS) organizations.has_perm(organizations.SUPERVISOR) } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization qobject := [ {"organization": input.auth.organization.id}, {"project__organization": input.auth.organization.id}, "|"] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|", {"project__owner_id": user.id}, "|", {"project__assignee_id": user.id}, "|"] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) qobject := [ {"organization": input.auth.organization.id}, {"project__organization": input.auth.organization.id}, "|"] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|", 
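Review bot: The `is_*_staff` helper rules at the top of this hunk carry no comment, yet every `allow` rule below depends on them, so a reader has to reconstruct from five small rules that `is_task_staff` is the union of task owner, task assignee and the project's owner/assignee. Suggest a comment above the first `is_project_staff` rule, `# "staff" of a project = its owner or assignee; task staff additionally includes the task's own owner/assignee.`, and one above `default allow := false`, `# Deny unless an allow rule below holds; utils.is_admin bypasses every other check.` Both statements are directly visible in the rule bodies in this hunk, so they document rather than speculate.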
@@ -181,90 +180,112 @@ filter := [] { # Django Q object to filter list of entries {"project__organization": input.auth.organization.id}, "|", "&"] } -allow { - { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET, utils.VIEW_METADATA, - utils.VIEW_DATA, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP }[input.scope] +allow if { + input.scope in { + utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET, utils.VIEW_METADATA, + utils.VIEW_DATA, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP + } utils.is_sandbox is_task_staff } -allow { - { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET, utils.VIEW_METADATA, - utils.VIEW_DATA, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP }[input.scope] +allow if { + input.scope in { + utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET, utils.VIEW_METADATA, + utils.VIEW_DATA, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP + } input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET, utils.VIEW_METADATA, - utils.VIEW_DATA, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP }[input.scope] +allow if { + input.scope in { + utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET, utils.VIEW_METADATA, + utils.VIEW_DATA, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP + } input.auth.organization.id == input.resource.organization.id organizations.has_perm(organizations.WORKER) is_task_staff } -allow { - { utils.UPDATE_DESC, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, - utils.UPLOAD_DATA, utils.UPDATE_METADATA, utils.IMPORT_ANNOTATIONS }[input.scope] +allow if { + input.scope in { + utils.UPDATE_DESC, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, + utils.UPLOAD_DATA, utils.UPDATE_METADATA, utils.IMPORT_ANNOTATIONS + } utils.is_sandbox is_task_staff utils.has_perm(utils.WORKER) } -allow { - { utils.UPDATE_DESC, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, - 
utils.UPLOAD_DATA, utils.UPDATE_METADATA, utils.IMPORT_ANNOTATIONS }[input.scope] +allow if { + input.scope in { + utils.UPDATE_DESC, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, + utils.UPLOAD_DATA, utils.UPDATE_METADATA, utils.IMPORT_ANNOTATIONS + } input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.UPDATE_DESC, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, - utils.UPLOAD_DATA, utils.UPDATE_METADATA, utils.IMPORT_ANNOTATIONS }[input.scope] +allow if { + input.scope in { + utils.UPDATE_DESC, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS, + utils.UPLOAD_DATA, utils.UPDATE_METADATA, utils.IMPORT_ANNOTATIONS + } is_task_staff input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) } -allow { - { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, - utils.DELETE, utils.UPDATE_ORG }[input.scope] +allow if { + input.scope in { + utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, + utils.DELETE, utils.UPDATE_ORG + } utils.is_sandbox is_project_staff utils.has_perm(utils.WORKER) } -allow { - { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, - utils.DELETE, utils.UPDATE_ORG }[input.scope] +allow if { + input.scope in { + utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, + utils.DELETE, utils.UPDATE_ORG + } utils.is_sandbox is_task_owner utils.has_perm(utils.WORKER) } -allow { - { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, - utils.DELETE, utils.UPDATE_ORG }[input.scope] +allow if { + input.scope in { + utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, + utils.DELETE, utils.UPDATE_ORG + } input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, 
utils.UPDATE_PROJECT, - utils.DELETE, utils.UPDATE_ORG }[input.scope] +allow if { + input.scope in { + utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, + utils.DELETE, utils.UPDATE_ORG + } input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) is_task_owner } -allow { - { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, - utils.DELETE, utils.UPDATE_ORG }[input.scope] +allow if { + input.scope in { + utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT, + utils.DELETE, utils.UPDATE_ORG + } input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) diff --git a/cvat/apps/engine/rules/tests/generators/annotationguides_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/annotationguides_test.gen.rego.py index c12c56ff54a6..4cf562741677 100644 --- a/cvat/apps/engine/rules/tests/generators/annotationguides_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/annotationguides_test.gen.rego.py @@ -178,7 +178,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org, in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG, ): @@ -196,7 +196,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), 
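Review bot: The seven-element scope set `{utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET, …, utils.EXPORT_BACKUP}` is now spelled out three times in this hunk, the update set three times and the owner/assignee/project/delete/org set five times; with `in` available, the natural next step is to name each set once so that a permission added to one copy cannot be forgotten in another. Something like `view_scopes := {utils.VIEW, utils.VIEW_ANNOTATIONS, utils.EXPORT_DATASET, utils.VIEW_METADATA, utils.VIEW_DATA, utils.EXPORT_ANNOTATIONS, utils.EXPORT_BACKUP}` at package level, used as `input.scope in view_scopes`, leaves each `allow` body showing only its access conditions, which is what an auditor actually wants to compare. This is a style point only; the semantics are unchanged by the patch. The body of the last `allow` rule continues past the end of the hunk.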
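Review bot: `gen_test_rego` now emits `package {name}\nimport rego.v1\n\n`, but the generated `{name}_test.gen.rego` files are not part of this patch; if stale copies exist anywhere (checked in or cached on a CI runner), Regal's new default would flag them and the `if`-less test bodies would no longer parse under the rules' v1 semantics, so confirm the tests are regenerated before `opa test`/Regal run. Two minor style points on the same lines: `opa fmt` puts a blank line between `package` and `import` (`f.write(f"package {name}\n\nimport rego.v1\n\n")` would match the hand-written policies in this patch), and `open(..., "wt")` without `encoding="utf-8"` makes the output depend on the runner's locale. The identical pattern recurs in every other generator in this patch, so one fix should be applied to all of them.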
diff --git a/cvat/apps/engine/rules/tests/generators/cloudstorages_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/cloudstorages_test.gen.rego.py index 04802e5e966b..63460df540b2 100644 --- a/cvat/apps/engine/rules/tests/generators/cloudstorages_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/cloudstorages_test.gen.rego.py @@ -158,7 +158,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG ): @@ -176,7 +176,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/engine/rules/tests/generators/comments_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/comments_test.gen.rego.py index b8c2eff1b7c2..f36c8a7dfa0d 100644 --- a/cvat/apps/engine/rules/tests/generators/comments_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/comments_test.gen.rego.py @@ -223,7 +223,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org, has_proj in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG, HAS_PROJ ): 
@@ -241,7 +241,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/engine/rules/tests/generators/issues_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/issues_test.gen.rego.py index 7951bc92892e..0a35d83880eb 100644 --- a/cvat/apps/engine/rules/tests/generators/issues_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/issues_test.gen.rego.py @@ -214,7 +214,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org, has_proj in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG, HAS_PROJ ): @@ -232,7 +232,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/engine/rules/tests/generators/jobs_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/jobs_test.gen.rego.py index 7136d358ea75..ca799f953cd3 100644 --- a/cvat/apps/engine/rules/tests/generators/jobs_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/jobs_test.gen.rego.py 
@@ -207,7 +207,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG ): @@ -225,7 +225,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/engine/rules/tests/generators/projects_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/projects_test.gen.rego.py index ba325f95cad4..6657f21d2994 100644 --- a/cvat/apps/engine/rules/tests/generators/projects_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/projects_test.gen.rego.py @@ -174,7 +174,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG ): @@ -192,7 +192,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/engine/rules/tests/generators/server_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/server_test.gen.rego.py index 84c9f469c783..8e9b57a814d8 100644 
--- a/cvat/apps/engine/rules/tests/generators/server_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/server_test.gen.rego.py @@ -121,7 +121,7 @@ def is_valid(scope, context, ownership, privilege, membership): def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES ): @@ -132,7 +132,7 @@ def gen_test_rego(name): test_name = get_name(scope, context, ownership, privilege, membership) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/engine/rules/tests/generators/tasks_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/tasks_test.gen.rego.py index 05cc890cd673..61da5c8520de 100644 --- a/cvat/apps/engine/rules/tests/generators/tasks_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/tasks_test.gen.rego.py @@ -201,7 +201,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG ): @@ -219,7 +219,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), 
diff --git a/cvat/apps/engine/rules/tests/generators/users_test.gen.rego.py b/cvat/apps/engine/rules/tests/generators/users_test.gen.rego.py index 83b70e1ad707..595cbaae4ee4 100644 --- a/cvat/apps/engine/rules/tests/generators/users_test.gen.rego.py +++ b/cvat/apps/engine/rules/tests/generators/users_test.gen.rego.py @@ -138,7 +138,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource): def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES ): @@ -150,7 +150,7 @@ def gen_test_rego(name): test_name = get_name(scope, context, ownership, privilege, membership, resource) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/engine/rules/users.rego b/cvat/apps/engine/rules/users.rego index 929ee1b5b1cd..63469228e11a 100644 --- a/cvat/apps/engine/rules/users.rego +++ b/cvat/apps/engine/rules/users.rego @@ -1,4 +1,7 @@ package users + +import rego.v1 + import data.utils import data.organizations 
@@ -29,42 +32,42 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_sandbox qobject := [ {"id": input.auth.user.id} ] -} else := qobject { +} else := qobject if { org_id := input.auth.organization.id qobject := [ {"memberships__organization": org_id} ] } -allow { +allow if { input.scope == utils.VIEW input.resource.id == input.auth.user.id } -allow { +allow if { input.scope == utils.VIEW input.resource.membership.role != null } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} input.auth.user.id == input.resource.id } diff --git a/cvat/apps/events/rules/events.rego b/cvat/apps/events/rules/events.rego index 903c5453af25..0152ec721ba8 100644 --- a/cvat/apps/events/rules/events.rego +++ b/cvat/apps/events/rules/events.rego @@ -1,4 +1,7 @@ package events + +import rego.v1 + import data.utils import data.organizations 
@@ -23,42 +26,42 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.SEND_EVENTS } -allow { +allow if { input.scope == utils.DUMP_EVENTS utils.is_sandbox utils.has_perm(utils.WORKER) } -allow { +allow if { input.scope == utils.DUMP_EVENTS utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) } -filter := [] { +filter := [] if { utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization qobject := [ {"org_id": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.is_sandbox qobject := [ {"user_id": input.auth.user.id} ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) qobject := [ {"org_id": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.WORKER) diff --git a/cvat/apps/events/rules/tests/generators/events_test.gen.rego.py b/cvat/apps/events/rules/tests/generators/events_test.gen.rego.py index b6db2d79fa2d..da9d54d79e22 100644 --- a/cvat/apps/events/rules/tests/generators/events_test.gen.rego.py +++ b/cvat/apps/events/rules/tests/generators/events_test.gen.rego.py @@ -140,7 +140,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") print("scopes", SCOPES) for scope, context, ownership, privilege, membership, same_org in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG 
@@ -159,7 +159,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/iam/rules/utils.rego b/cvat/apps/iam/rules/utils.rego index 7ad2c70d5a1f..c0f719c63957 100644 --- a/cvat/apps/iam/rules/utils.rego +++ b/cvat/apps/iam/rules/utils.rego @@ -1,5 +1,7 @@ package utils +import rego.v1 + # Groups ADMIN := "admin" BUSINESS := "business" @@ -65,38 +67,38 @@ get_priority(privilege) := { null: 1000 }[privilege] -has_perm(group) { +has_perm(group) if { get_priority(input.auth.user.privilege) <= get_priority(group) } -is_admin { +is_admin if { input.auth.user.privilege == ADMIN } -is_business { +is_business if { input.auth.user.privilege == BUSINESS } -is_user { +is_user if { input.auth.user.privilege == USER } -is_worker { +is_worker if { input.auth.user.privilege == WORKER } -is_resource_owner { +is_resource_owner if { input.resource.owner.id == input.auth.user.id } -is_resource_assignee { +is_resource_assignee if { input.resource.assignee.id == input.auth.user.id } -is_sandbox { +is_sandbox if { input.auth.organization == null } -is_organization { +is_organization if { input.auth.organization != null } diff --git a/cvat/apps/lambda_manager/rules/lambda.rego b/cvat/apps/lambda_manager/rules/lambda.rego index 90d30ee9aa81..2829860c0932 100644 --- a/cvat/apps/lambda_manager/rules/lambda.rego +++ b/cvat/apps/lambda_manager/rules/lambda.rego @@ -1,5 +1,7 @@ package lambda +import rego.v1 + import data.utils import data.organizations 
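Review bot: `has_perm(group)` is the gate every policy in this patch calls, yet nothing states which way the comparison runs: the `<=` against `get_priority` means a *lower* number is *more* privilege, and an unrecognised `input.auth.user.privilege` makes the object lookup undefined, so `has_perm` is silently undefined (deny) rather than false. Suggest documenting that above the rule: `# True when the user's privilege ranks at least as high as `group` (lower priority value = more privilege). An unknown privilege string makes this undefined, which callers treat as deny.` The `get_priority` definition itself begins before this hunk; only its `null: 1000` entry is visible here.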
@@ -24,43 +26,43 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST } -allow { +allow if { input.scope == utils.VIEW } -allow { - { utils.CALL_ONLINE, utils.CALL_OFFLINE, utils.LIST_OFFLINE }[input.scope] +allow if { + input.scope in {utils.CALL_ONLINE, utils.CALL_OFFLINE, utils.LIST_OFFLINE} utils.has_perm(utils.WORKER) } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization qobject := [ {"organization": input.auth.organization.id}, {"project__organization": input.auth.organization.id}, "|"] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|", {"project__owner_id": user.id}, "|", {"project__assignee_id": user.id}, "|"] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) qobject := [ {"organization": input.auth.organization.id}, {"project__organization": input.auth.organization.id}, "|"] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|", diff --git a/cvat/apps/lambda_manager/rules/tests/generators/lambda_test.gen.rego.py b/cvat/apps/lambda_manager/rules/tests/generators/lambda_test.gen.rego.py index b2a9a7659707..5a669c5f49fc 100644 --- a/cvat/apps/lambda_manager/rules/tests/generators/lambda_test.gen.rego.py +++ b/cvat/apps/lambda_manager/rules/tests/generators/lambda_test.gen.rego.py 
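Review bot: The `filter` rule in lambda.rego builds Q-object entries on `owner_id`, `assignee_id`, `project__owner_id`, `project__assignee_id` and `project__organization`, which is character-for-character the filter from tasks.rego earlier in this patch, so it reads as copied rather than written for lambda functions. If the lambda views never consult `filter`, the rule is dead weight that invites misreading of what the list endpoint exposes; if they do, those field names presumably belong to the task model rather than whatever is being filtered here — either way it is worth confirming against the caller. At minimum a comment such as `# NOTE: mirrors tasks.rego's filter — confirm the lambda list views actually apply it.` would record the open question. The final `else` branch of the rule continues past the end of the hunk.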
@@ -134,7 +134,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource): def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES ): @@ -146,7 +146,7 @@ def gen_test_rego(name): test_name = get_name(scope, context, ownership, privilege, membership, resource) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/log_viewer/rules/analytics.rego b/cvat/apps/log_viewer/rules/analytics.rego index ef36929639ff..970a6a3e97d1 100644 --- a/cvat/apps/log_viewer/rules/analytics.rego +++ b/cvat/apps/log_viewer/rules/analytics.rego @@ -1,4 +1,7 @@ package analytics + +import rego.v1 + import data.utils # input: { @@ -25,11 +28,11 @@ import data.utils default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.resource.visibility == utils.PUBLIC input.scope == utils.VIEW utils.has_perm(utils.BUSINESS) diff --git a/cvat/apps/log_viewer/rules/tests/generators/analytics_test.gen.rego.py b/cvat/apps/log_viewer/rules/tests/generators/analytics_test.gen.rego.py index e2fc73ebc314..ce4b50a7c8fb 100644 --- a/cvat/apps/log_viewer/rules/tests/generators/analytics_test.gen.rego.py +++ b/cvat/apps/log_viewer/rules/tests/generators/analytics_test.gen.rego.py 
@@ -138,7 +138,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource): def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES ): @@ -150,7 +150,7 @@ def gen_test_rego(name): test_name = get_name(scope, context, ownership, privilege, membership, resource) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/organizations/rules/invitations.rego b/cvat/apps/organizations/rules/invitations.rego index 9471ec84157f..3a51f76128e5 100644 --- a/cvat/apps/organizations/rules/invitations.rego +++ b/cvat/apps/organizations/rules/invitations.rego @@ -1,4 +1,7 @@ package invitations + +import rego.v1 + import data.utils import data.organizations 
@@ -29,37 +32,37 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_sandbox utils.is_admin -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ {"owner": user.id}, {"membership__user": user.id}, "|" ] -} else := qobject { +} else := qobject if { utils.is_organization utils.is_admin qobject := [ {"membership__organization": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.is_organization organizations.is_staff utils.has_perm(utils.USER) qobject := [ {"membership__organization": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.is_organization user := input.auth.user org_id := input.auth.organization.id @@ -67,7 +70,7 @@ filter := [] { # Django Q object to filter list of entries {"membership__organization": org_id}, "&" ] } -allow { +allow if { input.scope == utils.CREATE input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) @@ -78,7 +81,7 @@ allow { } -allow { +allow if { input.scope == utils.CREATE input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) 
@@ -87,73 +90,73 @@ allow { input.resource.role != organizations.OWNER } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox utils.is_resource_owner } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox input.resource.invitee.id == input.auth.user.id } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.is_staff } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id utils.is_resource_owner } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id input.resource.invitee.id == input.auth.user.id } -allow { +allow if { input.scope == utils.RESEND utils.has_perm(utils.WORKER) utils.is_sandbox utils.is_resource_owner } -allow { +allow if { input.scope == utils.RESEND input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.is_staff } -allow { +allow if { input.scope == utils.RESEND input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) utils.is_resource_owner } -allow { +allow if { input.scope == utils.DELETE utils.is_sandbox utils.has_perm(utils.WORKER) utils.is_resource_owner } -allow { +allow if { input.scope == utils.DELETE input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.USER) organizations.is_staff } -allow { +allow if { input.scope == utils.DELETE input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) 
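Review bot: `input.resource.invitee.id == input.auth.user.id` is written out twice in this hunk (both VIEW rules) and twice more in the ACCEPT/DECLINE hunk that follows, while the parallel owner check already goes through `utils.is_resource_owner`. A local helper, `is_invitee if { input.resource.invitee.id == input.auth.user.id }`, used as `is_invitee` in those bodies would match the file's existing style and make the VIEW/RESEND/DELETE/ACCEPT matrix easier to audit at a glance. This is style only; the patch does not change the rule semantics.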
@@ -161,14 +164,14 @@ allow { } -allow { - { utils.ACCEPT, utils.DECLINE }[input.scope] +allow if { + input.scope in {utils.ACCEPT, utils.DECLINE} input.resource.invitee.id == input.auth.user.id utils.is_sandbox } -allow { - { utils.ACCEPT, utils.DECLINE }[input.scope] +allow if { + input.scope in {utils.ACCEPT, utils.DECLINE} input.auth.organization.id == input.resource.organization.id input.resource.invitee.id == input.auth.user.id } diff --git a/cvat/apps/organizations/rules/memberships.rego b/cvat/apps/organizations/rules/memberships.rego index 497b6fe58ebe..c23f3039ff16 100644 --- a/cvat/apps/organizations/rules/memberships.rego +++ b/cvat/apps/organizations/rules/memberships.rego @@ -1,4 +1,7 @@ package memberships + +import rego.v1 + import data.utils import data.organizations 
@@ -29,53 +32,53 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_sandbox qobject := [ {"user": input.auth.user.id}, {"is_active": true}, "&" ] -} else := qobject { +} else := qobject if { utils.is_admin org_id := input.auth.organization.id qobject := [ {"organization": org_id} ] -} else := qobject { +} else := qobject if { organizations.is_staff org_id := input.auth.organization.id qobject := [ {"organization": org_id} ] -} else := qobject { +} else := qobject if { org_id := input.auth.organization.id qobject := [ {"organization": org_id}, {"is_active": true}, "&" ] } -allow { +allow if { input.scope == utils.VIEW input.resource.is_active utils.is_sandbox input.resource.user.id == input.auth.user.id } -allow { +allow if { input.scope == utils.VIEW organizations.is_staff input.resource.organization.id == input.auth.organization.id } -allow { +allow if { input.scope == utils.VIEW input.resource.is_active organizations.is_member 
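Review bot: The final `} else := qobject if {` branch of `filter` has no guard, so it is the fall-through for every caller not matched above, and nothing says who that is or why restricting to `is_active` memberships is enough. A comment on that branch, `# fall-through: any other caller sees only active memberships of the current organization`, would state the intent. It appears that the LIST `allow` rule (`organizations.is_member`) is what limits who reaches this branch, which is worth saying explicitly since the filter itself never checks membership.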
@@ -84,22 +87,22 @@ allow { # maintainer of the organization can change the role of any member and remove any member except # himself/another maintainer/owner -allow { - { utils.CHANGE_ROLE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.CHANGE_ROLE, utils.DELETE} input.resource.organization.id == input.auth.organization.id utils.has_perm(utils.USER) organizations.is_maintainer - not { + not input.resource.role in { organizations.OWNER, organizations.MAINTAINER - }[input.resource.role] + } input.resource.user.id != input.auth.user.id } # owner of the organization can change the role of any member and remove any member except himself -allow { - { utils.CHANGE_ROLE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.CHANGE_ROLE, utils.DELETE} input.resource.organization.id == input.auth.organization.id utils.has_perm(utils.USER) organizations.is_owner @@ -108,7 +111,7 @@ allow { } # member can leave the organization except case when member is the owner -allow { +allow if { input.scope == utils.DELETE input.resource.is_active organizations.is_member diff --git a/cvat/apps/organizations/rules/organizations.rego b/cvat/apps/organizations/rules/organizations.rego index af9533c481dc..24643feab703 100644 --- a/cvat/apps/organizations/rules/organizations.rego +++ b/cvat/apps/organizations/rules/organizations.rego @@ -1,4 +1,7 @@ package organizations + +import rego.v1 + import data.utils # input: { @@ -23,24 +26,24 @@ MAINTAINER := "maintainer" SUPERVISOR := "supervisor" WORKER := "worker" -is_owner { +is_owner if { input.auth.organization.owner.id == input.auth.user.id input.auth.organization.user.role == OWNER } -is_maintainer { +is_maintainer if { input.auth.organization.user.role == MAINTAINER } -is_staff { +is_staff if { is_owner } -is_staff { +is_staff if { is_maintainer } -is_member { +is_member if { input.auth.organization.user.role != null } 
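Review bot: `not input.resource.role in { organizations.OWNER, organizations.MAINTAINER }` reads at a glance like `(not role) in {…}`; in Rego `not` negates the whole `in` expression, which matches what the old set-lookup form did, but the multi-line layout hides that. Either keep the set on one line or add `# not (role in {OWNER, MAINTAINER}): a maintainer cannot act on other staff` above it. Behaviour is unchanged either way, including when `input.resource.role` is absent: both the old and the new expression are then undefined and the `not` succeeds, which is worth knowing when reading this rule.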
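Review bot: `is_member if { input.auth.organization.user.role != null }` relies on a Rego subtlety that is not documented: when `input.auth.organization.user` or its `role` key is absent, the comparison is undefined rather than true, so the rule is undefined (treated as false) instead of granting membership. Suggest `# undefined (false) when no role is present at all; only an explicit non-null role counts as membership` above the rule. The same fail-closed reasoning applies to `is_owner` and `is_maintainer` in this hunk.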
@@ -51,60 +54,60 @@ get_priority(role) := { WORKER: 100 }[role] -has_perm(role) { +has_perm(role) if { get_priority(input.auth.organization.user.role) <= get_priority(role) } default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.CREATE utils.has_perm(utils.USER) } -allow { +allow if { input.scope == utils.CREATE utils.has_perm(utils.BUSINESS) } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin -} else := qobject { +} else := qobject if { user := input.auth.user qobject := [{"members__user_id": user.id}, {"members__is_active": true}, "&", {"owner_id": user.id}, "|" ] } -allow { +allow if { input.scope == utils.LIST } -allow { +allow if { input.scope == utils.VIEW utils.is_resource_owner } -allow { +allow if { input.scope == utils.VIEW input.resource.user.role != null } -allow { +allow if { input.scope == utils.UPDATE utils.has_perm(utils.WORKER) utils.is_resource_owner } -allow { +allow if { input.scope == utils.UPDATE utils.has_perm(utils.WORKER) input.resource.user.role == MAINTAINER } -allow { +allow if { input.scope == utils.DELETE utils.has_perm(utils.WORKER) utils.is_resource_owner diff --git a/cvat/apps/organizations/rules/tests/generators/invitations_test.gen.rego.py b/cvat/apps/organizations/rules/tests/generators/invitations_test.gen.rego.py index 1865236b1fc6..c3ba86abb75f 100644 --- a/cvat/apps/organizations/rules/tests/generators/invitations_test.gen.rego.py +++ b/cvat/apps/organizations/rules/tests/generators/invitations_test.gen.rego.py 
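Review bot: `has_perm(role)` has no comment explaining its fail-closed behaviour: `get_priority` is an object lookup, so an absent or null `input.auth.organization.user.role` (or an unknown `role` argument) makes the comparison undefined and the function false, which every `allow` rule calling it depends on. Suggest `# undefined (false) unless both the caller's org role and the requested role are known; a lower priority value means more privilege`. The "lower value" part follows from the `<=` with `WORKER: 100` being the largest visible entry, but confirm it against the full priority table, which starts above this hunk.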
@@ -170,7 +170,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG ): @@ -188,7 +188,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/organizations/rules/tests/generators/memberships_test.gen.rego.py b/cvat/apps/organizations/rules/tests/generators/memberships_test.gen.rego.py index 7cf9cfca255e..b86548142da7 100644 --- a/cvat/apps/organizations/rules/tests/generators/memberships_test.gen.rego.py +++ b/cvat/apps/organizations/rules/tests/generators/memberships_test.gen.rego.py @@ -174,7 +174,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG ): @@ -192,7 +192,7 @@ def gen_test_rego(name): ) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), 
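Review bot: `gen_test_rego` has no docstring, and now that it emits a Rego v1 module header the contract is worth writing down: that it writes `{name}_test.gen.rego` containing `package {name}`, `import rego.v1`, and one `<test_name> if { … }` rule per generated case whose expected `allow` / `not allow` outcome comes from `eval_rule`. The same applies to the identical hunks in memberships_test.gen.rego.py, organizations_test.gen.rego.py and webhooks_test.gen.rego.py. A smaller style point: the header line is an f-string while the per-test template two hunks later still uses `.format` with doubled braces; using one mechanism for both would be easier to keep in sync. `gen_test_rego` continues past the hunk.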
diff --git a/cvat/apps/organizations/rules/tests/generators/organizations_test.gen.rego.py b/cvat/apps/organizations/rules/tests/generators/organizations_test.gen.rego.py index d4acedb42f69..a6c111bfef40 100644 --- a/cvat/apps/organizations/rules/tests/generators/organizations_test.gen.rego.py +++ b/cvat/apps/organizations/rules/tests/generators/organizations_test.gen.rego.py @@ -127,7 +127,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource): def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES ): @@ -139,7 +139,7 @@ def gen_test_rego(name): data = get_data(scope, context, ownership, privilege, membership, resource) result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/quality_control/rules/conflicts.rego b/cvat/apps/quality_control/rules/conflicts.rego index e0c94f0c86fd..f8e570b58826 100644 --- a/cvat/apps/quality_control/rules/conflicts.rego +++ b/cvat/apps/quality_control/rules/conflicts.rego @@ -1,7 +1,6 @@ package conflicts -import future.keywords.if -import future.keywords.in +import rego.v1 import data.utils import data.organizations 
@@ -44,24 +43,24 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization org := input.auth.organization @@ -71,7 +70,7 @@ filter := [] { # Django Q object to filter list of entries {"report__task__organization": org.id}, "|", {"report__task__project__organization": org.id}, "|", ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ @@ -84,7 +83,7 @@ filter := [] { # Django Q object to filter list of entries {"report__task__project__owner_id": user.id}, "|", {"report__task__project__assignee_id": user.id}, "|", ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) @@ -95,7 +94,7 @@ filter := [] { # Django Q object to filter list of entries {"report__task__organization": org.id}, "|", {"report__task__project__organization": org.id}, "|", ] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user org := input.auth.organization diff --git a/cvat/apps/quality_control/rules/quality_reports.rego b/cvat/apps/quality_control/rules/quality_reports.rego index 025a869e472c..d7fff8ac7e74 100644 --- a/cvat/apps/quality_control/rules/quality_reports.rego +++ b/cvat/apps/quality_control/rules/quality_reports.rego @@ -1,7 +1,6 @@ package quality_reports -import future.keywords.if -import future.keywords.in +import rego.v1 import data.utils import data.organizations 
@@ -44,24 +43,24 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization org := input.auth.organization @@ -71,7 +70,7 @@ filter := [] { # Django Q object to filter list of entries {"task__organization": org.id}, "|", {"task__project__organization": org.id}, "|", ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ @@ -84,7 +83,7 @@ filter := [] { # Django Q object to filter list of entries {"task__project__owner_id": user.id}, "|", {"task__project__assignee_id": user.id}, "|", ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) @@ -95,7 +94,7 @@ filter := [] { # Django Q object to filter list of entries {"task__organization": org.id}, "|", {"task__project__organization": org.id}, "|", ] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user org := input.auth.organization diff --git a/cvat/apps/quality_control/rules/quality_settings.rego b/cvat/apps/quality_control/rules/quality_settings.rego index 1ed7a6bded37..ec2d1c307a6b 100644 --- a/cvat/apps/quality_control/rules/quality_settings.rego +++ b/cvat/apps/quality_control/rules/quality_settings.rego @@ -1,7 +1,6 @@ package quality_settings -import future.keywords.if -import future.keywords.in +import rego.v1 import data.utils import data.organizations 
@@ -44,24 +43,24 @@ import data.organizations default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization org := input.auth.organization @@ -69,7 +68,7 @@ filter := [] { # Django Q object to filter list of entries {"task__organization": org.id}, {"task__project__organization": org.id}, "|", ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ @@ -78,7 +77,7 @@ filter := [] { # Django Q object to filter list of entries {"task__project__owner_id": user.id}, "|", {"task__project__assignee_id": user.id}, "|", ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.USER) organizations.has_perm(organizations.MAINTAINER) @@ -87,7 +86,7 @@ filter := [] { # Django Q object to filter list of entries {"task__organization": org.id}, {"task__project__organization": org.id}, "|", ] -} else := qobject { +} else := qobject if { organizations.has_perm(organizations.WORKER) user := input.auth.user org := input.auth.organization diff --git a/cvat/apps/webhooks/rules/tests/generators/webhooks_test.gen.rego.py b/cvat/apps/webhooks/rules/tests/generators/webhooks_test.gen.rego.py index 764e6610f5a6..c367a42cc98b 100644 --- a/cvat/apps/webhooks/rules/tests/generators/webhooks_test.gen.rego.py +++ b/cvat/apps/webhooks/rules/tests/generators/webhooks_test.gen.rego.py 
@@ -193,7 +193,7 @@ def is_valid(scope, context, ownership, privilege, membership, resource, same_or def gen_test_rego(name): with open(f"{name}_test.gen.rego", "wt") as f: - f.write(f"package {name}\n\n") + f.write(f"package {name}\nimport rego.v1\n\n") for scope, context, ownership, privilege, membership, same_org in product( SCOPES, CONTEXTS, OWNERSHIPS, GROUPS, ORG_ROLES, SAME_ORG ): @@ -213,7 +213,7 @@ def gen_test_rego(name): result = eval_rule(scope, context, ownership, privilege, membership, data) f.write( - "{test_name} {{\n {allow} with input as {data}\n}}\n\n".format( + "{test_name} if {{\n {allow} with input as {data}\n}}\n\n".format( test_name=test_name, allow="allow" if result else "not allow", data=json.dumps(data), diff --git a/cvat/apps/webhooks/rules/webhooks.rego b/cvat/apps/webhooks/rules/webhooks.rego index 144e3ad14d1d..a74a88c6a965 100644 --- a/cvat/apps/webhooks/rules/webhooks.rego +++ b/cvat/apps/webhooks/rules/webhooks.rego @@ -1,4 +1,7 @@ package webhooks + +import rego.v1 + import data.utils import data.organizations 
@@ -31,54 +34,54 @@ import data.organizations # } # -is_project_owner { +is_project_owner if { input.resource.project.owner.id == input.auth.user.id } -is_webhook_owner { +is_webhook_owner if { input.resource.owner.id == input.auth.user.id } default allow := false -allow { +allow if { utils.is_admin } -allow { +allow if { input.scope == utils.CREATE_IN_PROJECT utils.is_sandbox utils.has_perm(utils.USER) is_project_owner } -allow { +allow if { input.scope == utils.LIST utils.is_sandbox } -allow { +allow if { input.scope == utils.LIST organizations.is_member } -filter := [] { # Django Q object to filter list of entries +filter := [] if { # Django Q object to filter list of entries utils.is_admin utils.is_sandbox -} else := qobject { +} else := qobject if { utils.is_admin utils.is_organization qobject := [ {"organization": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.is_sandbox user := input.auth.user qobject := [ {"owner_id": user.id}, {"project__owner_id": user.id}, "|" ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.WORKER) organizations.has_perm(organizations.MAINTAINER) qobject := [ {"organization": input.auth.organization.id} ] -} else := qobject { +} else := qobject if { utils.is_organization utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) 
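Review bot: `is_project_owner if { input.resource.project.owner.id == input.auth.user.id }` is undefined (false) whenever the webhook carries no project, presumably the organization-level case, and nothing in the file says so; a comment such as `# false for webhooks without a project: the reference is undefined, not an error` would save the next reader from checking Rego's undefined semantics. It matters because the `allow` rules further down use this helper and `utils.is_resource_owner` as alternatives, so a silent false here is what keeps non-owners out.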
@@ -88,48 +91,48 @@ filter := [] { # Django Q object to filter list of entries } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox utils.is_resource_owner } -allow { +allow if { input.scope == utils.VIEW utils.is_sandbox is_project_owner } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} utils.is_sandbox utils.has_perm(utils.WORKER) utils.is_resource_owner } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} utils.is_sandbox utils.has_perm(utils.WORKER) is_project_owner } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id organizations.has_perm(organizations.WORKER) utils.is_resource_owner } -allow { +allow if { input.scope == utils.VIEW input.auth.organization.id == input.resource.organization.id organizations.has_perm(organizations.WORKER) is_project_owner } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) 
@@ -137,30 +140,30 @@ allow { } -allow { - { utils.UPDATE, utils.DELETE, utils.VIEW }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE, utils.VIEW} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.CREATE_IN_PROJECT, utils.CREATE_IN_ORGANIZATION }[input.scope] +allow if { + input.scope in {utils.CREATE_IN_PROJECT, utils.CREATE_IN_ORGANIZATION} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.MAINTAINER) } -allow { - { utils.UPDATE, utils.DELETE }[input.scope] +allow if { + input.scope in {utils.UPDATE, utils.DELETE} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER) is_project_owner } -allow { - { utils.CREATE_IN_PROJECT }[input.scope] +allow if { + input.scope in {utils.CREATE_IN_PROJECT} input.auth.organization.id == input.resource.organization.id utils.has_perm(utils.WORKER) organizations.has_perm(organizations.WORKER)