zift 0.2.2

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

[rule]
id = "py-has-perm-call"
languages = ["python"]
category = "rbac"
confidence = "high"
description = "Django-style permission check (request.user.has_perm / has_perms)"
# Matches both `<expr>.has_perm("app.codename")` and the bulk variant
# `<expr>.has_perms(["app.a", "app.b"])` when permission codes are literal
# strings. Dynamic (non-literal) permission codes will surface via deep mode.
query = """
(call
  function: (attribute
    attribute: (identifier) @method)
  arguments: (argument_list
    [
      (string (string_content) @perm_name)
      (list
        (string (string_content) @perm_name))
    ])
) @match
"""

[rule.predicates.method]
match = "^(has_perm|has_perms)$"

[rule.rego_template]
template = """
default allow := false

allow if {
    "{{perm_name}}" in input.user.permissions
}
"""


[rule.cedar_template]
template = """
permit (
    principal,
    action,
    resource
)
when {
    "{{perm_name}}" in principal.permissions
};
"""
[[rule.tests]]
input = """
if request.user.has_perm('app.delete_user'):
    delete_user()
"""
expect_match = true

[[rule.tests]]
input = """
if user.has_perm('blog.add_post'):
    create()
"""
expect_match = true

[[rule.tests]]
input = """
if request.user.has_perms(['blog.add_post', 'blog.change_post']):
    bulk_edit()
"""
expect_match = true

[[rule.tests]]
input = """
result.has_value('foo')
"""
expect_match = false