zift 0.2.2

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

[rule]
id = "ts-role-check-conditional"
languages = ["typescript", "javascript"]
category = "rbac"
confidence = "high"
description = "Direct role comparison in conditional expression"
# Matches `if (<expr>.role === "ADMIN")` and the negated variant
# `if (<expr>.role !== "ADMIN")`. The LHS is a member_expression so the
# query already accepts arbitrarily nested paths like `session.user.role`
# (Next.js/Cal.com handlers) — the property captured is the rightmost
# identifier.
#
# The captured @op is currently informational; the rego template emits an
# allow-shaped `==` regardless of operator. For `!==` matches the
# generated stub will be inverted from the original intent — flagged here
# rather than silently dropping the finding, since the policy decision
# point itself is what matters; the operator inversion is a small manual
# fix during extract.
query = """
(if_statement
  condition: (parenthesized_expression
    (binary_expression
      left: (member_expression
        property: (property_identifier) @prop)
      operator: ["==" "===" "!=" "!=="] @op
      right: (string) @role_value))
) @match
"""

[rule.predicates.prop]
match = "^(role|roles|roleName|userRole|userType)$"

[rule.predicates.role_value]
not_match = "^[\"'](assistant|user|system|tool|function)[\"']$"

[rule.rego_template]
template = """
default allow := false

allow if {
    input.user.role == "{{role_value}}"
}
"""


[rule.cedar_template]
template = """
permit (
    principal,
    action,
    resource
)
when {
    principal.role == "{{role_value}}"
};
"""
[[rule.tests]]
input = """
if (user.role === "admin") {
  deleteUser(id);
}
"""
expect_match = true

# Cal.com / Next.js handler shape: nested member access on the LHS.
[[rule.tests]]
input = """
if (session.user.role === "ADMIN") {
  showAdminPanel();
}
"""
expect_match = true

# Negated comparison: typical "block if not admin" guard. We match this
# now (per corpus shakedown — Cal.com uses `!==` extensively).
[[rule.tests]]
input = """
if (session.user.role !== "ADMIN") {
  throw new ForbiddenError();
}
"""
expect_match = true

# `roleName` is a common variant (e.g. NextAuth session.user.roleName).
[[rule.tests]]
input = """
if (session.user.roleName === "ADMIN") {
  manage();
}
"""
expect_match = true

[[rule.tests]]
input = """
if (user.name === "admin") {
  greet();
}
"""
expect_match = false

# LLM message-role conversation pattern, not authz.
[[rule.tests]]
input = """
if (msg.role === "assistant") {
  processResponse();
}
"""
expect_match = false