zift 0.2.2

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

[rule]
id = "py-ownership-check"
languages = ["python"]
category = "ownership"
confidence = "medium"
description = "Resource ownership comparison (e.g. resource.owner_id == user.id)"
# Catches `<expr>.<owner-style-attr> == <expr>.<id-style-attr>`.
# Confidence is `medium` — the snake_case naming convention makes false
# positives less likely than in TS/Java, but unrelated identity-shaped
# comparisons can still slip through.
query = """
(comparison_operator
  (attribute attribute: (identifier) @left_prop)
  operators: "=="
  (attribute attribute: (identifier) @right_prop)
) @match
"""

[rule.predicates.left_prop]
match = "(?i)^(owner_id|user_id|created_by|author_id|owner|account_id)$"

[rule.predicates.right_prop]
match = "(?i)^(id|user_id|sub|account_id)$"

[rule.rego_template]
template = """
default allow := false

allow if {
    input.resource.owner == input.user.id
}
"""


[rule.cedar_template]
template = """
permit (
    principal,
    action,
    resource
)
when {
    resource.owner == principal
};
"""
[[rule.tests]]
input = """
if resource.owner_id == user.id:
    allow_edit()
"""
expect_match = true

[[rule.tests]]
input = """
if post.author_id == request.user.id:
    edit()
"""
expect_match = true

[[rule.tests]]
input = """
if a.score == b.score:
    tie()
"""
expect_match = false