UNPKG

pauldron-policy

Version:

Simple JSON-based Authorization Policy Engine

github.com/mojitoholic/pauldron

mojitoholic/pauldron

79 lines 3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
{ "type": "pauldron:simple-policy", "name": "Organizational Policy1", "content": { "rules": { "permittedClientsBasedOnClientId": { "name": "Permitted Clients based on client_id", "matchAnyOf":[ {"client_id":"client1"} ], "decision": { "authorization": "Permit", "obligations": { "DENY_SCOPES": ["s1"] } } }, "permittedClientsBasedOnPurpose": { "name": "Permitted Clients Based on pou", "matchAnyOf":[ {"client_id":"client4"} ], "decision": { "authorization": "Permit", "obligations": { "DENY_SCOPES": ["s1"] } }, "condition": "pous.filter((pou)=>(pou.system==='http://hl7.org/fhir/v3/ActReason' && pou.code==='TREAT')).length>0" }, "upstreamClientsWithRPT": { "name": "Permitted only if upstream UMA server approves.", "matchAnyOf":[ {"client_id":"client3"} ], "decision": { "authorization": "Permit", "obligations": { "DENY_SCOPES": ["s1"] } }, "condition": "rpts['http://localhost:3001'].length > 0" }, "upstreamClientsWithoutRPT": { "name": "Redirect to upstream if client doesn't have the right RPT.", "matchAnyOf":[ {"client_id":"client3"} ], "decision": { "authorization": "Indeterminate", "obligations": { "UMA_REDIRECT": { "realm": "Upstream UMA Server", "uri": "http://localhost:3001", "authroization_endpoint": "/authorization", "introspection_endpoint": "/protection/permissions", "permission_registration_endpoint": "/protection/introspection" } } }, "condition": "!rpts.hasOwnProperty('http://localhost:3001')" }, "deniedClients":{ "name": "Denied Clients", "matchAnyOf": [ {"client_id":"client2", "organization": "org1"} ], "decision": { "authorization": "Deny", "obligations": {} } } }, "default": { "authorization": "Deny", "obligations": {} } } }