Initial import

testdata/policy/auth.rego

@@ -0,0 +1,62 @@
+package conduit
+
+import rego.v1
+
+default permit_certificate := false
+
+# Accept user certificate if no principals have been offered.
+permit_certificate if {
+	count(input.principals) == 0
+}
+
+permit_certificate if {
+	_token_is_valid
+}
+
+default permit_password := false
+
+# Accept user password if no principals have been offered.
+permit_password if {
+	count(input.principals) == 0
+}
+
+permit_password if {
+	_token_is_valid
+}
+
+# Accept user token as second factor if a valid certificate was offered.
+permit_token if {
+	_certificate_is_valid
+}
+
+# Accept user password as second factor if a valid certificate was offered.
+permit_token if {
+	_password_is_valid
+}
+
+default permit := false
+
+# Accept certificate + token
+permit if {
+	_certificate_is_valid
+	_token_is_valid
+}
+
+# Accept token + password
+permit if {
+	_password_is_valid
+	_token_is_valid
+}
+
+_certificate_is_valid if {
+	some principal in input.principals
+	principal.type == "certificate"
+}
+
+_password_is_valid if {
+	input.principals[_].type == "password"
+}
+
+_token_is_valid if {
+	input.principals[_].type == "token"
+}