Opa rego access control

.gitignore

@@ -0,0 +1,2 @@
+
+.DS_Store

Authorisation/ACP.access_policy.rego.json

@@ -0,0 +1,24 @@
+{
+    "$schema": "https://github.com/joostholslag/openEHRxNuts/blob/OPA-REGO-ACCESS-CONTROL/Authorisation/access_policy.rego.schema.json",
+    "READ": {
+        "resource": {
+            "template": {
+                "ids": ["composition.acp", "composition.report"]
+            }
+        },
+        "user_roles": [
+            "doctor",
+            "nurse"
+        ]
+    },
+    "WRITE": {
+        "resource": {
+            "template": {
+                "ids": ["composition.acp"]
+            }
+        },
+        "user_roles": [
+            "doctor"
+        ]
+    }
+}

Authorisation/ACP.input.rego.json

@@ -0,0 +1,9 @@
+{
+    "user_role": "nurse",
+    "resource": {
+        "template": {
+            "id": "composition.acp"
+        }
+    },
+    "operation": "WRITE"
+}

Authorisation/README.md

@@ -0,0 +1,3 @@
+This folder contains an experiment to express access control policy (authorisations) for openEHR data.
+It's an attempt to solve the issue described in https://github.com/jorritspee/openEHRxNuts/issues/11.
+

Authorisation/access_policy.rego.schema.json

@@ -0,0 +1,138 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://github.com/joostholslag/openEHRxNuts/blob/OPA-REGO-ACCESS-CONTROL/Authorisation/access_policy.rego.schema.json",
+  "title": "Schema for openEHR Access Policy usable in Rego",
+  "description": "This schema is used to validate json instances for specific access policies. The access policies define rules for accessing dat in openEHR CDRs. The instances are interpreted by a policy defined in Rego. This schema validates wether the instance conforms to the data format expected by the policy in rego/OPA. It can be used by other interpretors, but this is unsupported by the containing project.",
+  "type": "object",
+  "properties": {
+    "READ": {
+      "type": "object",
+      "properties": {
+        "resource": {
+          "type": "object",
+          "properties": {
+            "template": {
+              "type": "object",
+              "properties": {
+                "ids": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "required": [
+                "ids"
+              ]
+            }
+          },
+          "required": [
+            "template"
+          ]
+        },
+        "user_roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      },
+      "required": [
+        "resource",
+        "user_roles"
+      ]
+    },
+    "WRITE": {
+      "type": "object",
+      "properties": {
+        "resource": {
+          "type": "object",
+          "properties": {
+            "template": {
+              "type": "object",
+              "properties": {
+                "ids": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "required": [
+                "ids"
+              ]
+            }
+          },
+          "required": [
+            "template"
+          ]
+        },
+        "user_roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      },
+      "required": [
+        "resource",
+        "user_roles"
+      ]
+    },
+    "SEARCH": {
+      "type": "object",
+      "properties": {
+        "resource": {
+          "type": "object",
+          "properties": {
+            "template": {
+              "type": "object",
+              "properties": {
+                "ids": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "required": [
+                "ids"
+              ]
+            }
+          },
+          "required": [
+            "template"
+          ]
+        },
+        "user_roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      },
+      "required": [
+        "resource",
+        "user_roles"
+      ]
+    }
+  },
+  "anyOf": [
+    {
+      "required": [
+        "READ"
+      ]
+    },
+    {
+      "required": [
+        "WRITE"
+      ]
+    },
+    {
+      "required": [
+        "SEARCH"
+      ]
+    }
+  ],
+  "additionalProperties": false
+}

Authorisation/architecture overview.drawio

@@ -0,0 +1,94 @@
+<mxfile host="app.diagrams.net" modified="2024-07-12T15:03:27.404Z" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0" etag="O2lJvzmQbU8FuRGJvil8" version="24.3.1" type="device">
+  <diagram name="Page-1" id="9VoOU8_NqmbsLiig9-E2">
+    <mxGraphModel dx="2439" dy="2203" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-35" value="Policy Repository" style="shape=cylinder3;whiteSpace=wrap;html=1;boundedLbl=1;backgroundOutline=1;size=15;" vertex="1" parent="1">
+          <mxGeometry x="160" y="360" width="165" height="200" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-39" value="Policy" style="ellipse;whiteSpace=wrap;html=1;rounded=0;fillColor=#00CC00;" vertex="1" parent="1">
+          <mxGeometry x="230" y="490" width="80" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-3" value="Actor" style="shape=umlActor;verticalLabelPosition=bottom;verticalAlign=top;html=1;outlineConnect=0;" vertex="1" parent="1">
+          <mxGeometry x="-110" y="160" width="30" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-6" value="" style="endArrow=classic;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="pjgg4CAAk_bMe1FnvngC-7" target="pjgg4CAAk_bMe1FnvngC-23">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="480" y="330" as="sourcePoint" />
+            <mxPoint x="480" y="205" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-8" value="" style="endArrow=classic;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="pjgg4CAAk_bMe1FnvngC-3">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="39" y="191" as="sourcePoint" />
+            <mxPoint x="-40" y="195" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-7" value="&lt;div&gt;Is user allowed to perform READ of composition.uid.value = 87514b6b-963f-484b-b8b3-7d1f9656d88c&lt;/div&gt;&lt;div&gt;with policy XYZ&lt;br&gt;&lt;br&gt;&lt;/div&gt;" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="110" y="180" width="290" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-27" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="pjgg4CAAk_bMe1FnvngC-9" target="pjgg4CAAk_bMe1FnvngC-16">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-9" value="Policy Decision Point" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="510" y="430" width="100" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-15" value="" style="group" vertex="1" connectable="0" parent="1">
+          <mxGeometry x="550" y="340" width="100" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-13" value="Request decision" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="pjgg4CAAk_bMe1FnvngC-15">
+          <mxGeometry width="100" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-16" value="Policy Information Point" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="670" y="500" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-18" value="Policy" style="ellipse;whiteSpace=wrap;html=1;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="280" y="510" width="80" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-41" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0;exitDx=0;exitDy=0;entryX=1;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="pjgg4CAAk_bMe1FnvngC-20" target="pjgg4CAAk_bMe1FnvngC-39">
+          <mxGeometry relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="560" y="502" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-20" value="Checks" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="560" y="480" width="60" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-22" value="" style="shape=image;verticalLabelPosition=bottom;labelBackgroundColor=default;verticalAlign=top;aspect=fixed;imageAspect=0;image=https://miro.medium.com/v2/resize:fit:1400/1*de-WLl2462P3n0lx86OWwA.png;" vertex="1" parent="1">
+          <mxGeometry x="790" y="-250" width="1022" height="786" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-24" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.42;entryY=0.008;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" source="pjgg4CAAk_bMe1FnvngC-23" target="pjgg4CAAk_bMe1FnvngC-9">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-26" value="" style="group" vertex="1" connectable="0" parent="1">
+          <mxGeometry x="450" y="40" width="200" height="250" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-2" value="&lt;div&gt;Contains data e.g. ACP composition&lt;/div&gt;" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="pjgg4CAAk_bMe1FnvngC-26">
+          <mxGeometry x="70" width="60" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-23" value="&lt;div&gt;openEHR CDR&lt;/div&gt;" style="swimlane;whiteSpace=wrap;html=1;fillColor=#00CC00;" vertex="1" parent="pjgg4CAAk_bMe1FnvngC-26">
+          <mxGeometry y="50" width="200" height="200" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-25" value="Policy Enforcement Point" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="pjgg4CAAk_bMe1FnvngC-23">
+          <mxGeometry x="40" y="130" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-28" value="Retrieves extra information from" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="650" y="410" width="100" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-32" value="&lt;h1 style=&quot;margin-top: 0px;&quot;&gt;Hoe beslis ik welke policy ik moet gebruiken?&lt;/h1&gt;&lt;p&gt;&lt;font style=&quot;font-size: 14px;&quot;&gt;Optie 1: altijd alle policies evalueren&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font size=&quot;3&quot;&gt;Optie 2: Client stuurt (gesigned) policy mee&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font size=&quot;3&quot;&gt;Optie 3: Client stuurt identifier van gesigned policy mee&lt;/font&gt;&lt;br&gt;&lt;/p&gt;" style="text;html=1;whiteSpace=wrap;overflow=hidden;rounded=0;" vertex="1" parent="1">
+          <mxGeometry x="100" y="-200" width="230" height="280" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-34" value="Client application" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#00CC00;" vertex="1" parent="1">
+          <mxGeometry y="165" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="pjgg4CAAk_bMe1FnvngC-37" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" edge="1" parent="1" source="pjgg4CAAk_bMe1FnvngC-35">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="60" y="230" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>