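package conduit

import rego.v1

# Multi-factor authentication policy.
#
# `input.principals` is the list of credentials already offered in this
# session; each entry is an object whose `type` is "certificate", "password"
# or "token". The `permit_<kind>` rules answer whether a credential of that
# kind may be offered next, and `permit` answers whether the session is fully
# authenticated (certificate + token, or password + token).
#
# The `_<kind>_is_valid` helpers only check that a principal of that type is
# present in `input.principals`; verification of the credential itself is
# assumed to have happened before this policy is evaluated (confirm with the
# caller). Every decision has `default ... := false`, and a missing
# `input.principals` leaves `count(...)` undefined, so the policy fails closed.

default permit_certificate := false

# Accept user certificate if no principals have been offered.
permit_certificate if {
	count(input.principals) == 0
}

# Accept user certificate as second factor if a valid token was offered.
permit_certificate if {
	_token_is_valid
}

default permit_password := false

# Accept user password if no principals have been offered.
permit_password if {
	count(input.principals) == 0
}

# Accept user password as second factor if a valid token was offered.
permit_password if {
	_token_is_valid
}

# Defaulted like its siblings so callers get `false` rather than `undefined`
# when neither first factor has been offered.
default permit_token := false

# Accept user token as second factor if a valid certificate was offered.
permit_token if {
	_certificate_is_valid
}

# Accept user token as second factor if a valid password was offered.
permit_token if {
	_password_is_valid
}

default permit := false

# Accept certificate + token
permit if {
	_certificate_is_valid
	_token_is_valid
}

# Accept token + password
permit if {
	_password_is_valid
	_token_is_valid
}

# True when a principal whose `type` equals `kind` is present in
# `input.principals`; undefined when the list is missing.
_has_principal(kind) if {
	some principal in input.principals
	principal.type == kind
}

_certificate_is_valid if _has_principal("certificate")

_password_is_valid if _has_principal("password")

_token_is_valid if _has_principal("token")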