Checkpoint

testdata/policy/childsafe.rego

@@ -0,0 +1,56 @@
+package styx
+
+import input.client as client
+import input.request as http_request
+
+# HTTP -> HTTPS redirects for allowed domains
+redirect = concat("", ["https://", http_request.host, http_request.path]) if {
+    _social
+    http_request.scheme == "http"
+}
+
+reject = 403 if {
+    _childsafe_network
+    _social
+}
+
+reject = 403 if {
+    _childsafe_network
+    _toxic
+}
+
+# Sensitive domains are always allowed
+permit if {
+    _sensitive
+}
+
+permit if {
+    reject != 0
+}
+
+_sensitive if {
+    styx.in_domains("sensitive", http_request.host)
+}
+
+_social if {
+    styx.in_domains("social", http_request.host)
+    print("Domain in social", http_request.host)
+}
+
+errors contains "Social networking domain not allowed" if {
+    reject != 0
+    _social
+}
+
+_toxic if {
+    styx.in_domains("toxic", http_request.host)
+}
+
+errors contains "Toxic domain not allowed" if {
+    reject != 0
+    _toxic
+}
+
+_childsafe_network if {
+    styx.in_networks("kids", client.ip)
+}