feat: update cerbos to use json

2025-11-23 13:44:39 +00:00
parent 7504361d88
commit 2b462993cc
12 changed files with 120 additions and 188 deletions
--- a/modules/workspace/cerbos/policies/workspace.yaml
+++ b/modules/workspace/cerbos/policies/workspace.yaml
@@ -1,33 +0,0 @@
-# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
-# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
-
-apiVersion: api.cerbos.dev/v1
-resourcePolicy:
-  resource: workspace
-  version: default
-  rules:
-
-    - actions: ["create"]
-      effect: EFFECT_ALLOW
-      roles: ["super"]
-
-    - actions: ["read"]
-      effect: EFFECT_ALLOW
-      roles: ["super", "admin", "user"]
-      condition:
-        match:
-          expr: R.attr.workspaceId in P.attr.workspaceIds
-
-    - actions: ["update"]
-      effect: EFFECT_ALLOW
-      roles: ["super", "admin"]
-      condition:
-        match:
-          expr: R.attr.workspaceId in P.attr.workspaceIds
-
-    - actions: ["delete"]
-      effect: EFFECT_ALLOW
-      roles: ["super"]
-      condition:
-        match:
-          expr: R.attr.workspaceId in P.attr.workspaceIds
--- a/modules/workspace/cerbos/policies/workspace_user.yaml
+++ b/modules/workspace/cerbos/policies/workspace_user.yaml
@@ -1,54 +0,0 @@
-# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
-# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
-
-apiVersion: api.cerbos.dev/v1
-resourcePolicy:
-  resource: workspace_user
-  version: default
-  rules:
-
-    # Admins can invite new members into their own workspace
-
-    - actions:
-        - invite
-      effect: EFFECT_ALLOW
-      roles:
-        - admin
-      condition:
-        match:
-          expr: request.principal.workspaceIds.includes(request.resource.workspaceId)
-
-    # Admins can remove members from their own workspace
-
-    - actions:
-        - remove
-      effect: EFFECT_ALLOW
-      roles:
-        - admin
-      condition:
-        match:
-          expr: request.principal.workspaceIds.includes(request.resource.workspaceId)
-
-    # Admins can update member roles in their own workspace
-
-    - actions:
-        - update_role
-      effect: EFFECT_ALLOW
-      roles:
-        - admin
-      condition:
-        match:
-          expr: request.principal.workspaceIds.includes(request.resource.workspaceId)
-
-    # Admins and users can list/read members of their own workspace
-
-    - actions:
-        - list
-        - read
-      effect: EFFECT_ALLOW
-      roles:
-        - admin
-        - user
-      condition:
-        match:
-          expr: request.principal.workspaceIds.includes(request.resource.workspaceId)
--- a/modules/workspace/cerbos/resources.ts
+++ b/modules/workspace/cerbos/resources.ts
@@ -1,20 +0,0 @@
-/*
-export const resources = new ResourceRegistry([
-  {
-    kind: "workspace",
-    actions: [],
-    attr: {
-      workspaceId: z.string(),
-    },
-  },
-  {
-    kind: "workspace_user",
-    actions: [],
-    attr: {
-      workspaceId: z.string(),
-    },
-  },
-] as const);
-
-export type Resource = typeof resources.$resource;
-*/