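[rule]
id = "java-roles-allowed"
languages = ["java"]
category = "rbac"
# NOTE(review): "high" holds for the fully-qualified forms; for the bare
# `@RolesAllowed` form the package is unknown (see provenance_capture below).
confidence = "high"
# Scope is narrower than the annotation itself: only the single string-literal
# form is extracted (see the query comment).
description = "Jakarta/JSR-250 @RolesAllowed annotation with a single string-literal role"
# Tree-sitter query. The argument pattern requires a `string_literal` as a
# direct child of the argument list, so it matches `@RolesAllowed("x")` in the
# bare and fully-qualified spellings, but NOT these equally valid JSR-250 forms,
# whose direct child is a different node:
#   @RolesAllowed({"admin", "manager"})   -- array form, several roles
#   @RolesAllowed(value = "admin")        -- named-element form
# Methods guarded that way are silently skipped: the extracted policy set is
# then missing an authorization control (fail-open in the *inventory*, not in
# the application). Widening the query needs a decision on how the templates
# consume several @role_value captures in one match, so it is left as a TODO
# rather than changed here.
query = """
(annotation
name: [
(identifier) @anno_name
(scoped_identifier
scope: (_) @anno_scope
name: (identifier) @anno_name)
]
arguments: (annotation_argument_list
(string_literal
(string_fragment) @role_value))
) @match
"""
# @anno_scope is bound only by the scoped_identifier branch. For the bare
# `@RolesAllowed` form provenance is therefore empty, and the rule cannot tell
# jakarta/javax apart from a same-named annotation declared in another package.
# NOTE(review): assumes the engine tolerates an unbound provenance capture —
# the bare-name test expects a match, so presumably it does; confirm.
provenance_capture = "anno_scope"

# Simple-name predicate; `eq` reads as an exact comparison, so
# `@RolesAllowedCustom(...)` or other prefixed names do not match (pinned by a
# negative test).
[rule.predicates.anno_name]
eq = "RolesAllowed"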
# Rego fragment emitted per match. Uses Rego v1 syntax (`if` keyword, `in`
# operator), so the enclosing module needs OPA 1.0+ or `import rego.v1`.
# `input.user.role in {...}` tests a single string; a caller whose input carries
# a list of roles needs a different input shape.
# NOTE(review): `{{role_value}}` is substituted verbatim inside a quoted string.
# A role name containing `"` or `\` would yield a malformed or altered policy
# unless the generator escapes for Rego (or rejects such values) — confirm.
# NOTE(review): `allow` is not tied to the annotated method or resource here.
# If fragments are composed without adding that scoping, any holder of the role
# is allowed everything; and several fragments in one package would repeat
# `default allow := false`, which OPA rejects as duplicate default rules —
# confirm the composition strategy.
[rule.rego_template]
template = """
default allow := false
allow if {
input.user.role in {"{{role_value}}"}
}
"""
# Cedar policy emitted per match. The scope `permit (principal, action,
# resource)` is unconstrained, so this permits ANY action on ANY resource for a
# principal whose `role` attribute equals the extracted value; the per-method
# granularity of the Java annotation is not carried over unless the consumer
# narrows `action`/`resource` when composing. `principal.role == "..."` compares
# a single string; a principal carrying a set of roles never satisfies it.
# Per Cedar semantics a condition that errors (e.g. missing `role` attribute)
# is treated as not satisfied, so a missing attribute fails closed for this
# permit policy.
# NOTE(review): same verbatim-substitution caveat as the Rego template — `"`
# and `\` in a role name must be escaped for Cedar or rejected — confirm.
[rule.cedar_template]
template = """
permit (
principal,
action,
resource
)
when {
principal.role == "{{role_value}}"
};
"""
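# Positive: bare simple-name form. @anno_scope is unbound for this input, so
# provenance is empty here.
[[rule.tests]]
input = """
public class UserController {
@RolesAllowed("admin")
public void deleteUser(Long id) { }
}
"""
expect_match = true

# Positive: fully-qualified Jakarta EE 9+ form; @anno_scope carries the package.
[[rule.tests]]
input = """
public class UserController {
@jakarta.annotation.security.RolesAllowed("admin")
public void deleteUser(Long id) { }
}
"""
expect_match = true

# Positive: legacy javax.annotation form.
[[rule.tests]]
input = """
public class UserController {
@javax.annotation.security.RolesAllowed("admin")
public void deleteUser(Long id) { }
}
"""
expect_match = true

# Negative: marker annotation without arguments, so there is no
# annotation_argument_list to match at all.
[[rule.tests]]
input = """
public class UserController {
@Transactional
public void deleteUser(Long id) { }
}
"""
expect_match = false

# Positive: the query is not anchored to method declarations, so a class-level
# @RolesAllowed matches as well.
[[rule.tests]]
input = """
@RolesAllowed("admin")
public class AdminController {
public void deleteUser(Long id) { }
}
"""
expect_match = true

# Negative: same argument shape (single string literal) but a different name —
# exercises the anno_name predicate rather than the node shape.
[[rule.tests]]
input = """
public class UserController {
@RequestMapping("/users")
public void deleteUser(Long id) { }
}
"""
expect_match = false

# Negative: pins that the name predicate is an exact match, not a prefix match.
[[rule.tests]]
input = """
public class UserController {
@RolesAllowedCustom("admin")
public void deleteUser(Long id) { }
}
"""
expect_match = false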