From 03d0a028bb1e2a3856a6fcd6acd11f92faa68744 Mon Sep 17 00:00:00 2001
From: vahidrezvani
Date: Sat, 12 Jul 2025 15:43:06 +0330
Subject: [PATCH] test1
---
docker-compose.yml | 10 ++++++++++
opa/app/rbac/policy.rego | 30 ++++++++++++++++++++++++++++++
opa/data.json | 20 ++++++++++++++++++++
3 files changed, 60 insertions(+)
create mode 100644 docker-compose.yml
create mode 100644 opa/app/rbac/policy.rego
create mode 100644 opa/data.json
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..b195fa7
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,10 @@
+version: "3.8"
+services:
+ opa:
+ image: openpolicyagent/opa:latest
+ container_name: opa
+ command: run --server --log-level debug --addr=0.0.0.0:8181 --bundle /bundle
+ ports:
+ - "8181:8181"
+ volumes:
+ - ./opa:/bundle
\ No newline at end of file
diff --git a/opa/app/rbac/policy.rego b/opa/app/rbac/policy.rego
new file mode 100644
index 0000000..f9d7803
--- /dev/null
+++ b/opa/app/rbac/policy.rego
@@ -0,0 +1,30 @@
+package app.rbac
+
+# By default, deny requests.
+default allow := false
+
+# Allow admins to do anything.
+allow if user_is_admin
+
+# Allow the action if the user is granted permission to perform the action.
+allow if {
+ # Find grants for the user.
+ some grant in user_is_granted
+
+ # Check if the grant permits the action.
+ input.action == grant.action
+ input.type == grant.type
+}
+
+# user_is_admin is true if "admin" is among the user's roles as per data.user_roles
+user_is_admin if "admin" in data.user_roles[input.user]
+
+# user_is_granted is a set of grants for the user identified in the request.
+# The `grant` will be contained if the set `user_is_granted` for every...
+user_is_granted contains grant if {
+ # `role` assigned an element of the user_roles for this user...
+ some role in data.user_roles[input.user]
+
+ # `grant` assigned a single grant from the grants list for 'role'...
+ some grant in data.role_grants[role]
+}
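Review bot: The OPA server started on the `command:` line runs with no authentication or authorization flags and its listener is published on every host interface by `ports: - "8181:8181"`, so anyone who can reach the host can query decisions and, for paths the bundle does not claim, push policy or data through the REST API. For anything beyond a throwaway local demo, publish on loopback only, `- "127.0.0.1:8181:8181"`, and turn on the built-in gate, `--authentication=token --authorization=basic`, backed by a `system.authz` policy in the bundle; `--log-level debug` also records each request's full input and should not stay on outside debugging. `image: openpolicyagent/opa:latest` is unpinned, which lets the policy runtime change underneath this file on every pull; pin a specific version tag or a `@sha256:` digest so the evaluator that was tested is the one deployed.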
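Review bot: `input.type == grant.type` in the second `allow` rule compares the type literally, so the `"any"` type that the admin grants carry in data.json never behaves as a wildcard; this is masked today only because `allow if user_is_admin` short-circuits for admins, and any non-admin role later given an `"any"` grant would be denied every concrete type. If `"any"` is meant as a wildcard, say so in the rule, `grant.type in {"any", input.type}` in place of the equality, or remove the value from the data so it cannot be misread; either way the default-deny keeps the mistake fail-closed rather than permissive. The policy also uses the `if`/`contains`/`in` keywords without `import rego.v1`, which compiles on OPA 1.x but not on the 0.x line; adding `import rego.v1` after `package app.rbac` makes it portable across both, which matters once the image tag is pinned. Note that `input.user` is trusted as given, so the caller must populate it from an authenticated identity rather than from anything the end user controls.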
diff --git a/opa/data.json b/opa/data.json
new file mode 100644
index 0000000..13e5ba8
--- /dev/null
+++ b/opa/data.json
@@ -0,0 +1,20 @@
+{
+ "user_roles": {
+ "alice": ["admin", "developer"],
+ "bob": ["developer"],
+ "charlie": ["guest"]
+ },
+ "role_grants": {
+ "admin": [
+ {"action": "read", "type": "any"},
+ {"action": "write", "type": "any"}
+ ],
+ "developer": [
+ {"action": "read", "type": "code"},
+ {"action": "write", "type": "code"}
+ ],
+ "guest": [
+ {"action": "read", "type": "docs"}
+ ]
+ }
+}