chore(examples): update examples to match new schema

freakyfelt · freakyfelt · commit 97355b58de37 · 2023-03-08T17:27:44.000+01:00
diff --git a/examples/2022-04/Kitty.jsonc b/examples/2022-04/Kitty.jsonc
@@ -0,0 +1,78 @@
+/*
+  Shows an example usage for our Kitty resource
+
+  == Example Context
+  {
+    kitty: {
+      state: 'purring',
+      ownerId: 'sillyLittleMe'
+    },
+    subject: {
+      id: 'sillyLittleMe',
+      role: 'admin'
+    }
+  }
+*/
+{
+  "$schema": "../../schemas/resource-policy-2022-04.schema.json",
+  "resourceType": "Kitty",
+  "actions": ["create", "read", "update", "pet"],
+  "definitions": [
+    {
+      "environment": "*", // applies across all environments
+      "policies": [
+        {
+          "description": "Allow everyone to create a kitty",
+          "action": "create", // specify a single action
+          "effect": "allow",
+          "constraint": true
+        },
+        {
+          "description": "Allow admins to take any action",
+          "action": "*",
+          "effect": "allow",
+          "constraint": {
+            // expects that context will include a subject object with a role property
+            "===": [
+              { "var": "subject.role" },
+              "admin"
+            ]
+          }
+        },
+        {
+          "description": "allow owners to read, update and pet the kitty",
+          "action": ["read", "update", "pet"], // specify a list of actions
+          "effect": "allow",
+          "constraint": {
+            "===": [
+              { "var": "subject.id" },
+              { "var": "kitty.ownerId" }
+            ]
+          }
+        },
+        {
+          "description": "Do not allow users (even admins!) to pet if the kitty is sleeping or eating",
+          "action": "pet",
+          "effect": "deny", // will override any allow statement
+          "constraint": {
+            "in": [
+              { "var": "kitty.state" },
+              ["eating", "sleeping"]
+            ]
+          }
+        }
+      ]
+    },
+    {
+      "environment": ["development", "alpha", "beta"], // specify a list of environments
+      "policies": [
+        {
+          "description": "allow developers to update any kitty in non-prod environments",
+          "action": "update",
+          "effect": "allow",
+          "constraint": true
+        }
+      ]
+    }
+  ]
+}
diff --git a/examples/2022-04/dumbdata-Document.jsonc b/examples/2022-04/dumbdata-Document.jsonc
@@ -0,0 +1,121 @@
+/*
+  Shows an example usage for creating policies for our dumbdata service's Document resource
+
+  == Example Context
+  {
+    Resource: {
+      Tags: ["Public", "ReadOnly"],
+      AuthorURI: "urn::12345:whodunnit:users/SillyMe",
+      ...
+    },
+    Principal: {
+      URI: "urn::12345:whodunnit:users/SillyMe",
+      RoleURI: "urn::12345:whodunnit:roles/StandardUser"
+    },
+    Environment: {
+      CurrentEnv: "Prod-use1"
+    }
+  }
+*/
+{
+  "$schema": "../../schemas/resource-policy-2022-04.schema.json",
+  "resourceType": "dumbdata:Document",
+  "actions": [
+    "dumbdata:CreateDocument",
+    "dumbdata:DeleteDocument",
+    "dumbdata:GetDocument",
+    "dumbdata:PutDocument",
+    "dumbdata:QueryDocuments"
+  ],
+  "definitions": [
+    {
+      "environment": "*",
+      "policies": [
+        {
+          "description": "Create a dropbox where anyone can create a document, but can't read or update",
+          "action": "dumbdata:CreateDocument",
+          "effect": "allow",
+          "constraint": true
+        },
+        {
+          "description": "Allow anyone to read/query documents with the Public tag",
+          "action": ["dumbdata:GetDocument", "dumbdata:QueryDocuments"],
+          "effect": "allow",
+          "constraint": {
+            "some": [
+              { "var": "Resource.Tags" },
+              // { "var": "" } references the current element from Resource.Tags
+              { "in": [{ "var": "" }, ["Public"]]}
+            ]
+          }
+        },
+        {
+          "description": "Allow users to manage documents they've created if the Editable tag is present",
+          "action": "*",
+          "effect": "allow",
+          "constraint": {
+            "and": [
+              {
+                "some": [
+                  { "var": "Resource.Tags" },
+                  { "===": [{ "var": "" }, "Editable"] }
+                ]
+              },
+              {
+                "===": [
+                  { "var": "Principal.URI" },
+                  { "var": "Resource.AuthorURI" }
+                ]
+              }
+            ]
+          }
+        },
+        {
+          "description": "Block users from managing documents if the ReadOnly tag is present and they're not an admin",
+          "action": ["dumbdata:DeleteDocument", "dumbdata:PutDocument"],
+          "effect": "deny",
+          "constraint": {
+            "all": [
+              {
+                "some": [
+                  { "var": "Resource.Tags" },
+                  { "===": [{ "var": "" }, "ReadOnly"] }
+                ]
+              },
+              {
+                "!==": [
+                  { "var": "Principal.RoleURI" },
+                  "urn::12345:whodunnit:roles/Administrator"
+                ]
+              },
+              // Don't block mutations in the test suite
+              // NOTE: this is just a hypothetical example. Please don't actually do this.
+              {
+                "!==": [
+                  { "var": "Environment.CurrentEnv" },
+                  "test"
+                ]
+              }
+            ]
+          }
+        }
+      ]
+    },
+    {
+      "environment": "test",
+      "policies": [
+        {
+          "description": "Allow the test runner to delete documents it created, regardless of the Editable tag being present",
+          "action": "dumbdata:DeleteItem",
+          "effect": "allow",
+          "constraint": {
+            "===": [
+              { "var": "Resource.AuthorURI" },
+              { "var": "Principal.URI" }
+            ]
+          }
+        }
+      ]
+    }
+  ]
+}
diff --git a/examples/Kitty.jsonc b/examples/Kitty.jsonc
@@ -15,9 +15,8 @@
 */
 {
   "$schema": "../schemas/resource-policy-2023-02.schema.json",
-  "resourceType": "Kitty",
   "actions": ["create", "read", "update", "pet"],
-  "policies": [
+  "statement": [
     {
       "description": "Allow everyone to create a kitty",
       "action": "create", // specify a single action
diff --git a/examples/dumbdata-Document.jsonc b/examples/dumbdata-Document.jsonc
@@ -12,22 +12,11 @@
       URI: "urn::12345:whodunnit:users/SillyMe",
       RoleURI: "urn::12345:whodunnit:roles/StandardUser"
     },
-    Environment: {
-      CurrentEnv: "Prod-use1"
-    }
   }
 */
 {
   "$schema": "../schemas/resource-policy-2023-02.schema.json",
-  "resourceType": "dumbdata:Document",
-  "actions": [
-    "dumbdata:CreateDocument",
-    "dumbdata:DeleteDocument",
-    "dumbdata:GetDocument",
-    "dumbdata:PutDocument",
-    "dumbdata:QueryDocuments"
-  ],
-  "policies": [
+  "statement": [
     {
       "description": "Create a dropbox where anyone can create a document, but can't read or update",
       "action": "dumbdata:CreateDocument",
@@ -84,17 +73,9 @@
               { "var": "Principal.RoleURI" },
               "urn::12345:whodunnit:roles/Administrator"
             ]
-          },
-          // Don't block mutations in the test suite
-          // NOTE: this is just a hypothetical example. Please don't actually do this.
-          {
-            "!==": [
-              { "var": "Environment.CurrentEnv" },
-              "test"
-            ]
           }
         ]
       }
     }
   ]
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,8 @@`
`15`	`15`	`*/`
`16`	`16`	`{`
`17`	`17`	`"$schema": "../schemas/resource-policy-2023-02.schema.json",`
`18`		`- "resourceType": "Kitty",`
`19`	`18`	`"actions": ["create", "read", "update", "pet"],`
`20`		`- "policies": [`
	`19`	`+ "statement": [`
`21`	`20`	`{`
`22`	`21`	`"description": "Allow everyone to create a kitty",`
`23`	`22`	`"action": "create", // specify a single action`
Original file line number	Diff line number	Diff line change
`@@ -12,22 +12,11 @@`
`12`	`12`	`URI: "urn::12345:whodunnit:users/SillyMe",`
`13`	`13`	`RoleURI: "urn::12345:whodunnit:roles/StandardUser"`
`14`	`14`	`},`
`15`		`- Environment: {`
`16`		`- CurrentEnv: "Prod-use1"`
`17`		`- }`
`18`	`15`	`}`
`19`	`16`	`*/`
`20`	`17`	`{`
`21`	`18`	`"$schema": "../schemas/resource-policy-2023-02.schema.json",`
`22`		`- "resourceType": "dumbdata:Document",`
`23`		`- "actions": [`
`24`		`- "dumbdata:CreateDocument",`
`25`		`- "dumbdata:DeleteDocument",`
`26`		`- "dumbdata:GetDocument",`
`27`		`- "dumbdata:PutDocument",`
`28`		`- "dumbdata:QueryDocuments"`
`29`		`- ],`
`30`		`- "policies": [`
	`19`	`+ "statement": [`
`31`	`20`	`{`
`32`	`21`	`"description": "Create a dropbox where anyone can create a document, but can't read or update",`
`33`	`22`	`"action": "dumbdata:CreateDocument",`
`@@ -84,17 +73,9 @@`
`84`	`73`	`{ "var": "Principal.RoleURI" },`
`85`	`74`	`"urn::12345:whodunnit:roles/Administrator"`
`86`	`75`	`]`
`87`		`- },`
`88`		`- // Don't block mutations in the test suite`
`89`		`- // NOTE: this is just a hypothetical example. Please don't actually do this.`
`90`		`- {`
`91`		`- "!==": [`
`92`		`- { "var": "Environment.CurrentEnv" },`
`93`		`- "test"`
`94`		`- ]`
`95`	`76`	`}`
`96`	`77`	`]`
`97`	`78`	`}`
`98`	`79`	`}`
`99`	`80`	`]`
`100`		`-}`
	`81`	`+}`