Checkpoint

testdata/policy/custom/childsafe.rego

@@ -0,0 +1,102 @@
+package custom
+
+_social_domains := [
+	"reddit.com",
+	"roblox.com",
+	# X
+	"twitter.com",
+	"x.com",
+	# YouTube
+	"googlevideo.com",
+	"youtube.com",
+	"youtu.be",
+	"ytimg.com",
+]
+
+_toxic_domains := [
+	# Facebook
+	"facebook.com",
+	"facebook.net",
+	"fbsbx.com",
+	# Pinterest
+	"pinterest.com",
+	# TikTok
+	"isnssdk.com",
+	"musical.ly",
+	"musically.app.link",
+	"musically-alternate.app.link",
+	"musemuse.cn",
+	"sgsnssdk.com",
+	"tiktok.com",
+	"tiktok.org",
+	"tiktokcdn.com",
+	"tiktokcdn-eu.com",
+	"tiktokv.com",
+]
+
+in_domains(list, name) if {
+	some item in list
+	lower(name) == lower(item)
+}
+
+in_domains(list, name) if {
+	some item in list
+	endswith(lower(name), sprintf(".%s", [lower(item)]))
+}
+
+# METADATA
+# description: Apply childssfe rules to the request, reject if it's a social
+#              site between off-hours, reject if it's toxic.
+# entrypoint: true
+default redirect := ""
+
+# HTTP -> HTTPS redirects for allowed domains
+redirect := location if {
+	_social
+	input.request.scheme == "http"
+	location := sprintf("https://%s%s", [input.request.host, input.request.path])
+}
+
+default reject := 0
+
+template := "template/blocked.html" if {
+	_childsafe_network
+	_social
+	# styx.time_between("18:00", "16:00") # allowed between 16:00-18:00
+}
+
+template := "template/blocked.html" if {
+	_toxic
+}
+
+# Sensitive domains are always allowed
+permit if {
+	_sensitive
+	reject != 0
+}
+
+_sensitive if {
+	styx.domains_contain("sensitive", input.request.host)
+}
+
+_social if {
+	#styx.domains_contain("social", input.request.host)
+	in_domains(_social_domains, input.request.host)
+}
+
+_toxic if {
+	in_domains(_toxic_domains, input.request.host)
+}
+
+_childsafe_network if {
+	styx.networks_contain("kids", input.client.ip)
+}
+
+errors contains "Request to social networking site outside of allowed hours" if {
+	_childsafe_network
+	_social
+}
+
+errors contains "Request to toxic site" if {
+	_toxic
+}