-
Notifications
You must be signed in to change notification settings - Fork 0
/
05-define-rules.tql
125 lines (100 loc) · 3.14 KB
/
05-define-rules.tql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
define
last-modified sub attribute, value datetime;
resource owns last-modified;
define
rule resource-last-modified:
when {
$resource isa resource, has modified-timestamp $last-modified;
not {
$resource has modified-timestamp $other-modified;
$other-modified > $last-modified;
};
?timestamp = $last-modified;
} then {
$resource has last-modified ?timestamp;
};
define
rule implicit-last-modified:
when {
$resource isa resource, has created-timestamp $created;
not { $resource has modified-timestamp $modified; };
?timestamp = $created;
} then {
$resource has last-modified ?timestamp;
};
define
rule repository-modified-timestamps:
when {
$repository isa repository;
(repository: $repository) isa commit, has created-timestamp $commit-created;
?timestamp = $commit-created;
} then {
$repository has modified-timestamp ?timestamp;
};
define
indirect-directory-membership sub directory-membership;
rule transitive-directory-memberships:
when {
(directory: $directory-1, directory-member: $directory-2) isa directory-membership;
(directory: $directory-2, directory-member: $object) isa directory-membership;
} then {
(directory: $directory-1, directory-member: $object) isa indirect-directory-membership;
};
define
last-login sub attribute, value datetime;
user owns last-login;
rule automatic-last-login:
when {
$user isa user;
(subject: $user) isa login-event,
has success true,
has login-timestamp $last-login;
not {
(subject: $user) isa login-event,
has success true,
has login-timestamp $other-login;
$other-login > $last-login;
};
?timestamp = $last-login;
} then {
$user has last-login ?timestamp;
};
define
group-permission sub permission;
rule transitive-group-permissions:
when {
(group: $group, group-member: $user) isa group-membership;
(subject: $group, object: $object, access: $access) isa permission;
} then {
(subject: $user, object: $object, access: $access) isa group-permission;
};
define
owner-permission sub permission;
rule full-owner-permissions:
when {
(owned: $object, owner: $owner) isa ownership;
$access isa access;
} then {
(subject: $owner, object: $object, access: $access) isa owner-permission;
};
define
admin-permission sub permission;
rule full-admin-permissions:
when {
$admin isa admin;
$type plays permission:object;
$object isa $type;
$access isa access;
} then {
(subject: $admin, object: $object, access: $access) isa admin-permission;
};
define
implied-permission sub permission;
rule implied-read-permission:
when {
$read isa access, has name "read";
$write isa access, has name "write";
(subject: $subject, object: $object, access: $write) isa permission;
} then {
(subject: $subject, object: $object, access: $read) isa implied-permission;
};