styx/testdata/policy/custom/childsafe.rego

package custom
# Hosts treated as social media by this policy. in_domains matches an entry
# either exactly or as a parent domain, so each name listed here also covers
# its subdomains.
_social_domains := [
	# Reddit
	"reddit.com",
	# Roblox
	"roblox.com",
	# X (twitter.com is listed alongside x.com)
	"twitter.com",
	"x.com",
	# YouTube and the hosts grouped with it
	"googlevideo.com",
	"youtube.com",
	"youtu.be",
	"ytimg.com",
]
# Hosts this policy blocks outright (see the _toxic rule). in_domains matches
# an entry either exactly or as a parent domain, so each name listed here also
# covers its subdomains; an entry such as "musically.app.link" therefore
# covers only that name and below, not the parent "app.link".
_toxic_domains := [
	# Facebook
	"facebook.com",
	"facebook.net",
	"fbsbx.com",
	# Pinterest
	"pinterest.com",
	# TikTok
	"isnssdk.com",
	"musical.ly",
	"musically.app.link",
	"musically-alternate.app.link",
	"musemuse.cn",
	"sgsnssdk.com",
	"tiktok.com",
	"tiktok.org",
	"tiktokcdn.com",
	"tiktokcdn-eu.com",
	"tiktokv.com",
]
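# in_domains is true when name matches an entry of list, either exactly or as
# a subdomain of that entry. The comparison is case-insensitive, and a single
# trailing dot on name (the fully-qualified spelling, "example.com.") is
# dropped first so that the absolute form of a listed host is matched like the
# relative one.
#
# The "." that is prepended in the suffix test keeps look-alike names out:
# with "example.com" listed, "sub.example.com" matches and "notexample.com"
# does not.
#
# NOTE(review): apart from case and the trailing dot, name is compared as
# given. If input.request.host can carry a port ("host:443"), it has to be
# stripped before it reaches this function - confirm what styx passes in.

# Exact match.
in_domains(list, name) if {
	some item in list
	trim_suffix(lower(name), ".") == lower(item)
}

# Subdomain match.
in_domains(list, name) if {
	some item in list
	endswith(trim_suffix(lower(name), "."), sprintf(".%s", [lower(item)]))
}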
# METADATA
# description: Apply childsafe rules to the request, reject if it's a social
#   site during off-hours, reject if it's toxic.
# entrypoint: true
default redirect := ""

# Upgrade plain-HTTP requests for hosts on the social list to HTTPS. The
# Location value is assembled from the request's own host and path.
#
# NOTE(review): the host is echoed into the redirect target and is constrained
# only by the suffix comparison behind _social, so this rule relies on styx
# handing over a syntactically valid hostname - confirm.
# NOTE(review): only input.request.path is appended; whether a query string
# survives the redirect depends on what styx puts in that field - confirm.
# NOTE(review): this rule does not look at the client network. For a client on
# the "kids" network both this rule and the template rule for social sites can
# hold; which one styx acts on is not visible here.
redirect := target if {
	input.request.scheme == "http"
	_social
	host := input.request.host
	path := input.request.path
	target := sprintf("https://%s%s", [host, path])
}
# reject is 0 unless some rule assigns it another value; no such rule is
# visible in this file.
# NOTE(review): permit tests reject != 0, so another module in package custom
# presumably assigns reject - confirm.
default reject := 0
# Select the blocked-page template when a client that styx places in the
# "kids" networks requests a host on the social list.
#
# The time-window condition is commented out, so this rule currently applies
# at any time of day, while the matching message in errors still speaks of
# "allowed hours".
# NOTE(review): confirm whether the window is meant to be re-enabled.
template := "template/blocked.html" if {
	_social
	_childsafe_network
	# styx.time_between("18:00", "16:00") # allowed between 16:00-18:00
}

# Select the same template for hosts on the toxic list. There is no network
# condition here, so it applies to every client.
template := "template/blocked.html" if _toxic
# permit holds only when the request host is on the "sensitive" list AND
# reject is non-zero.
#
# NOTE(review): the intent stated for this rule is that sensitive domains are
# always allowed, but the only definition of reject visible in this file is
# `default reject := 0`, so the reject != 0 guard never holds here. Confirm
# that another module in package custom assigns reject, or that the guard is
# intended.
permit if {
	reject != 0
	_sensitive
}
# _sensitive holds when styx.domains_contain reports the request host as a
# member of the "sensitive" list. That list is not defined in this file.
_sensitive if {
	host := input.request.host
	styx.domains_contain("sensitive", host)
}
# _social holds when the request host is on, or under, an entry of
# _social_domains. The lookup uses the list in this file; the call to the
# styx-managed "social" list is left disabled below.
_social if {
	# styx.domains_contain("social", input.request.host)
	host := input.request.host
	in_domains(_social_domains, host)
}
# _toxic holds when the request host is on, or under, an entry of
# _toxic_domains.
_toxic if {
	host := input.request.host
	in_domains(_toxic_domains, host)
}
# _childsafe_network holds when styx.networks_contain reports the client IP as
# a member of the "kids" networks.
#
# NOTE(review): the social-site restriction keys on input.client.ip alone.
# Confirm that styx fills this field from the connection's peer address and
# not from a client-supplied header, otherwise the restriction can be
# sidestepped.
_childsafe_network if {
	client := input.client.ip
	styx.networks_contain("kids", client)
}
# errors is a set of reason strings. Each rule below adds its message under
# the same conditions as the corresponding template rule.

# Social site requested by a client in the "kids" networks. No time condition
# is evaluated here, although the message mentions allowed hours.
errors contains msg if {
	_social
	_childsafe_network
	msg := "Request to social networking site outside of allowed hours"
}

# Toxic site requested by any client.
errors contains msg if {
	_toxic
	msg := "Request to toxic site"
}