From 7e5526491afed5958811e35865d5048bb27a9ed2 Mon Sep 17 00:00:00 2001
From: Jonathan Dursi
Date: Thu, 15 Aug 2019 15:28:32 -0400
Subject: [PATCH] Updates call to io.jwt.decode, http_api -> input
Signed-off-by: Jonathan Dursi
---
 api_authz/docker/policy/api_authz_token.rego | 34 +++++++++++----------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/api_authz/docker/policy/api_authz_token.rego b/api_authz/docker/policy/api_authz_token.rego
index 57facb33..70e7f830 100644
--- a/api_authz/docker/policy/api_authz_token.rego
+++ b/api_authz/docker/policy/api_authz_token.rego
@@ -1,35 +1,39 @@
 package httpapi.authz
-import input as http_api
-# http_api = {
-# "path": ["finance", "salary", "alice"],
-# "user": "alice",
-# "method": "GET",
-# "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWxpY2UiLCJhenAiOiJhbGljZSIsInN1Ym9yZGluYXRlcyI6W10sImhyIjpmYWxzZX0.rz3jTY033z-NrKfwrK89_dcLF7TN4gwCMj-fVBDyLoM"
-# }
+import input
 # io.jwt.decode takes one argument (the encoded token) and has three outputs:
 # the decoded header, payload and signature, in that order. Our policy only
 # cares about the payload, so we ignore the others.
-token = {"payload": payload} { io.jwt.decode(http_api.token, _, payload, _) }
+token = {"payload": payload} { io.jwt.decode(input.token, [_, payload, _]) }
 # Ensure that the token was issued to the user supplying it.
-user_owns_token { http_api.user = token.payload.azp }
+user_owns_token { input.user == token.payload.azp }
 default allow = false
 # Allow users to get their own salaries.
 allow {
-  http_api.method = "GET"
-  http_api.path = ["finance", "salary", username]
-  username = token.payload.user
+  some username
+  input.method == "GET"
+  input.path = ["finance", "salary", username]
+  token.payload.user == username
   user_owns_token
 }
 # Allow managers to get their subordinate' salaries.
 allow {
-  http_api.method = "GET"
-  http_api.path = ["finance", "salary", username]
-  token.payload.subordinates[_] = username
+  some username
+  input.method == "GET"
+  input.path = ["finance", "salary", username]
+  token.payload.subordinates[_] == username
+  user_owns_token
+}
+
+# Allow HR members to get anyone's salary.
+allow {
+  input.method == "GET"
+  input.path = ["finance", "salary", _]
+  token.payload.hr == true
   user_owns_token
 }
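Review bot: `io.jwt.decode` on the rewritten `token` rule line only base64-decodes the token and never checks its signature, so every claim the policy trusts (`azp`, `user`, `subordinates`, and the new `hr` flag that now unlocks every salary) can be written by the caller into a self-made token, and `user_owns_token` is meaningless because `azp` is attacker-controlled. The `token` rule should be gated on signature verification against the key the issuer signs with — `io.jwt.verify_hs256`/`io.jwt.verify_rs256`, or `io.jwt.decode_verify`, which also enforces `exp` and `nbf`; where that key lives in this deployment is not visible in the hunk, so `data.jwt_secret` below is a placeholder to confirm. The existing three-line comment above the rule should also say that the payload is trusted only because the signature was verified first, not merely that the header and signature outputs are ignored.
```rego
# Trust the payload only after the signature has been checked against the
# issuer's key; io.jwt.decode on its own performs no verification at all.
token = {"payload": payload} {
  io.jwt.verify_hs256(input.token, data.jwt_secret)  # TODO confirm key source/alg for this deployment
  io.jwt.decode(input.token, [_, payload, _])
}
# … unchanged: user_owns_token and the allow rules …
```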