diff --git a/magda-opa/policies/object/registry/record/admin_role.rego b/magda-opa/policies/object/registry/record/admin_role.rego
deleted file mode 100644
index 9510328bfb..0000000000
--- a/magda-opa/policies/object/registry/record/admin_role.rego
+++ /dev/null
@@ -1,5 +0,0 @@
-package object.registry.record
-
-admin_role {
- input.user.roles[_].id = "00000000-0000-0003-0000-000000000000"
-}
diff --git a/magda-opa/policies/object/registry/record/has_permission.rego b/magda-opa/policies/object/registry/record/has_permission.rego
deleted file mode 100644
index 60632ce6f4..0000000000
--- a/magda-opa/policies/object/registry/record/has_permission.rego
+++ /dev/null
@@ -1,9 +0,0 @@
-package object.registry.record.has_permission
-
-has_permission(permission) {
- input.user.permissions[_].operations[_].uri == permission
-}
-
-read {
- has_permission("object/registry/record/read")
-}
diff --git a/magda-opa/policies/object/registry/record/has_permission_test.rego b/magda-opa/policies/object/registry/record/has_permission_test.rego
deleted file mode 100644
index b404d53b4e..0000000000
--- a/magda-opa/policies/object/registry/record/has_permission_test.rego
+++ /dev/null
@@ -1,35 +0,0 @@
-package object.registry.record.has_permission
-
-test_allow_right_permission {
- read with input as {
- "user": {
- "permissions": [
- {
- "operations": [
- {
- "id": "some_id",
- "uri": "object/registry/record/read"
- }
- ]
- }
- ]
- }
- }
-}
-
-test_deny_wrong_permission {
- not read with input as {
- "user": {
- "permissions": [
- {
- "operations": [
- {
- "id": "some_id",
- "uri": "object/registry/record/write"
- }
- ]
- }
- ]
- }
- }
-}
diff --git a/magda-opa/policies/object/registry/record/orgunit.rego b/magda-opa/policies/object/registry/record/orgunit.rego
deleted file mode 100644
index b27924ba65..0000000000
--- a/magda-opa/policies/object/registry/record/orgunit.rego
+++ /dev/null
@@ -1,6 +0,0 @@
-package object.registry.record
-
-# "access-control" is the aspect id defined in the registry database.
-orgunit {
- input.object.registry.record["access-control"].orgUnitOwnerId == input.user.managingOrgUnitIds[_]
-}
diff --git a/magda-opa/policies/object/registry/record/orgunit_test.rego b/magda-opa/policies/object/registry/record/orgunit_test.rego
deleted file mode 100644
index 2627e80e80..0000000000
--- a/magda-opa/policies/object/registry/record/orgunit_test.rego
+++ /dev/null
@@ -1,66 +0,0 @@
-package object.registry.record
-
-test_allow_correct_orgunit {
- orgunit with input as {
- "user": {
- "managingOrgUnitIds": ["1", "2", "3", "4"]
- },
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "orgUnitOwnerId": "3"
- }
- }
- }
- }
- }
-}
-
-test_deny_wrong_orgunit {
- not orgunit with input as {
- "user": {
- "managingOrgUnitIds": ["1", "2", "3", "4"]
- },
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "orgUnitOwnerId": "5"
- }
- }
- }
- }
- }
-}
-
-test_deny_no_access_control_info {
- not orgunit with input as {
- "user": {
- "managingOrgUnitIds": ["1", "2", "3", "4"]
- },
- "object": {
- "registry": {
- "record": {
- }
- }
- }
- }
-}
-
-test_deny_empty_managing_orgunit_ids {
- not orgunit with input as {
- "user": {
- "managingOrgUnitIds": []
- },
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "orgUnitOwnerId": "5"
- }
- }
- }
- }
- }
-}
diff --git a/magda-opa/policies/object/registry/record/owner.rego b/magda-opa/policies/object/registry/record/owner.rego
deleted file mode 100644
index dbeb6cf94c..0000000000
--- a/magda-opa/policies/object/registry/record/owner.rego
+++ /dev/null
@@ -1,6 +0,0 @@
-package object.registry.record
-
-# Can only be accessed by the owner
-owner {
- input.object.registry.record["access-control"].ownerId = input.user.id
-}
diff --git a/magda-opa/policies/object/registry/record/owner_only.rego b/magda-opa/policies/object/registry/record/owner_only.rego
deleted file mode 100644
index 0a7d7053d6..0000000000
--- a/magda-opa/policies/object/registry/record/owner_only.rego
+++ /dev/null
@@ -1,10 +0,0 @@
-package object.registry.record.owner_only
-
-import data.object.registry.record.owner
-import data.object.registry.record.admin_role
-import data.object.registry.record.has_permission
-
-read {
- has_permission.read
- owner
-}
\ No newline at end of file
diff --git a/magda-opa/policies/object/registry/record/owner_only_test.rego b/magda-opa/policies/object/registry/record/owner_only_test.rego
deleted file mode 100644
index de1428db51..0000000000
--- a/magda-opa/policies/object/registry/record/owner_only_test.rego
+++ /dev/null
@@ -1,59 +0,0 @@
-package object.registry.record.owner_only
-
-test_allow_read_if_owner_and_permission_are_correct_regardless_orgunit {
- read with input as {
- "user": {
- "id": "personA",
- "permissions": [
- {
- "operations": [
- {
- "uri": "object/registry/record/read"
- }
- ]
- }
- ],
- "managingOrgUnitIds": []
- },
-
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "ownerId": "personA",
- "orgUnitOwnerId": "3"
- }
- }
- }
- }
- }
-}
-
-test_deny_read_if_owner_and_permission_are_incorrect {
- not read with input as {
- "user": {
- "id": "personA",
- "permissions": [
- {
- "operations": [
- {
- "uri": "object/registry/record/read"
- }
- ]
- }
- ],
- "managingOrgUnitIds": ["3"]
- },
-
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "ownerId": "personB",
- "orgUnitOwnerId": "3"
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/magda-opa/policies/object/registry/record/owner_orgunit.rego b/magda-opa/policies/object/registry/record/owner_orgunit.rego
deleted file mode 100644
index 2b129f29ce..0000000000
--- a/magda-opa/policies/object/registry/record/owner_orgunit.rego
+++ /dev/null
@@ -1,20 +0,0 @@
-package object.registry.record.owner_orgunit
-
-import data.object.registry.record.has_permission
-import data.object.registry.record.owner
-import data.object.registry.record.orgunit
-import data.object.registry.record.admin_role
-
-read {
- admin_role
-}
-
-read {
- has_permission.read
- owner
-}
-
-read {
- has_permission.read
- orgunit
-}
diff --git a/magda-opa/policies/object/registry/record/owner_orgunit_test.rego b/magda-opa/policies/object/registry/record/owner_orgunit_test.rego
deleted file mode 100644
index d5f80cdf49..0000000000
--- a/magda-opa/policies/object/registry/record/owner_orgunit_test.rego
+++ /dev/null
@@ -1,133 +0,0 @@
-package object.registry.record.owner_orgunit
-
-test_allow_read_if_user_has_admin_role {
- read with input as {
- "user": {
- "roles": [{
- "id": "00000000-0000-0003-0000-000000000000",
- "name": "Admin Users",
- "permissionIds": []
- }]
- }
- }
-}
-
-test_allow_read_if_owner_and_permission_are_correct {
- read with input as {
- "user": {
- "id": "personA",
- "permissions": [
- {
- "operations": [
- {
- "uri": "object/registry/record/read"
- }
- ]
- }
- ],
- "managingOrgUnitIds": ["1", "2"]
- },
-
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "ownerId": "personA",
- "orgUnitOwnerId": "3"
- }
- }
- }
- }
- }
-}
-
-test_allow_read_if_orgunit_and_permission_are_correct {
- read with input as {
- "user": {
- "id": "personA",
- "permissions": [
- {
- "operations": [
- {
- "id": "some_id",
- "uri": "object/registry/record/read"
- }
- ]
- }
- ],
- "managingOrgUnitIds": ["1", "2", "3"]
- },
-
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "ownerId": "personB",
- "orgUnitOwnerId": "3"
- }
- }
- }
- }
- }
-}
-
-test_deny_read_if_both_owner_and_orgunit_are_incorrect {
- not read with input as {
- "user": {
- "id": "personA",
- "managingOrgUnitIds": ["1", "2"],
- "permissions": [
- {
- "operations": [
- {
- "id": "some_id",
- "uri": "object/registry/record/read"
- }
- ]
- }
- ]
- },
-
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "ownerId": "personB",
- "orgUnitOwnerId": "3"
- }
- }
- }
- }
- }
-}
-
-test_deny_read_if_permission_is_incorrect {
- not read with input as {
- "user": {
- "id": "personA",
- "managingOrgUnitIds": ["1", "2", "3"],
- "permissions": [
- {
- "operations": [
- {
- "id": "some_id",
- "uri": "object/registry/record/not_read"
- }
- ]
- }
- ]
- },
-
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "ownerId": "personA",
- "orgUnitOwnerId": "3"
- }
- }
- }
- }
- }
-}
-
diff --git a/magda-opa/policies/object/registry/record/owner_test.rego b/magda-opa/policies/object/registry/record/owner_test.rego
deleted file mode 100644
index 486fa671dc..0000000000
--- a/magda-opa/policies/object/registry/record/owner_test.rego
+++ /dev/null
@@ -1,48 +0,0 @@
-package object.registry.record
-
-test_allow_owner {
- owner with input as {
- "user": {
- "id": "personA"
- },
- "object": {
- "registry": {
- "record": {
- "access-control": {
- "ownerId": "personA"
- }
- }
- }
- }
- }
-}
-
-test_deny_non_owner {
- not owner with input as {
- "user": {
- "id": "personA"
- },
- "object": {
- "record": {
- "access-control": {
- "ownerId": "personB"
- }
- }
- }
- }
-}
-
-test_deny_no_access_control_info {
- not owner with input as {
- "user": {
- "id": "personA"
- },
- "object": {
- "record": {
- "access-control": {
- "someOtherKey": "personB"
- }
- }
- }
- }
-}
diff --git a/magda-opa/policies/object/registry/record/public.rego b/magda-opa/policies/object/registry/record/public.rego
deleted file mode 100644
index 3a981632ca..0000000000
--- a/magda-opa/policies/object/registry/record/public.rego
+++ /dev/null
@@ -1,5 +0,0 @@
-package object.registry.record.public
-
-read {
- true
-}
\ No newline at end of file
diff --git a/magda-opa/policies/object/registry/record/public_test.rego b/magda-opa/policies/object/registry/record/public_test.rego
deleted file mode 100644
index 2a2c37af7d..0000000000
--- a/magda-opa/policies/object/registry/record/public_test.rego
+++ /dev/null
@@ -1,5 +0,0 @@
-package object.registry.record.public
-
-test_allow_read {
- read
-}