feat: add supertokens

2025-09-24 01:20:09 +02:00
parent 0d70749670
commit 99111b69eb
92 changed files with 1613 additions and 1141 deletions
--- a/modules/workspace/cerbos/policies/workspace.yaml
+++ b/modules/workspace/cerbos/policies/workspace.yaml
@@ -0,0 +1,33 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: workspace
+  version: default
+  rules:
+
+    - actions: ["create"]
+      effect: EFFECT_ALLOW
+      roles: ["super"]
+
+    - actions: ["read"]
+      effect: EFFECT_ALLOW
+      roles: ["super", "admin", "user"]
+      condition:
+        match:
+          expr: R.attr.id in P.attr.workspaceIds
+
+    - actions: ["update"]
+      effect: EFFECT_ALLOW
+      roles: ["super", "admin"]
+      condition:
+        match:
+          expr: R.attr.id in P.attr.workspaceIds
+
+    - actions: ["delete"]
+      effect: EFFECT_ALLOW
+      roles: ["super"]
+      condition:
+        match:
+          expr: R.attr.id in P.attr.workspaceIds
--- a/modules/workspace/cerbos/policies/workspace_user.yaml
+++ b/modules/workspace/cerbos/policies/workspace_user.yaml
@@ -0,0 +1,54 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: workspace_user
+  version: default
+  rules:
+
+    # Admins can invite new members into their own workspace
+
+    - actions:
+        - invite
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+      condition:
+        match:
+          expr: request.principal.workspaceIds.includes(request.resource.workspaceId)
+
+    # Admins can remove members from their own workspace
+
+    - actions:
+        - remove
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+      condition:
+        match:
+          expr: request.principal.workspaceIds.includes(request.resource.workspaceId)
+
+    # Admins can update member roles in their own workspace
+
+    - actions:
+        - update_role
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+      condition:
+        match:
+          expr: request.principal.workspaceIds.includes(request.resource.workspaceId)
+
+    # Admins and users can list/read members of their own workspace
+
+    - actions:
+        - list
+        - read
+      effect: EFFECT_ALLOW
+      roles:
+        - admin
+        - user
+      condition:
+        match:
+          expr: request.principal.workspaceIds.includes(request.resource.workspaceId)