enhancement: add mimetype to file extension rego function (#6133)

* enhancement: add mimetype to file extension rego function add rego function to detect the resource extension by mimetype, at the same time this pr introduces a custom ocis namespace for the rego functions. * enhancement: add custom logPrinter to opa policies service * fix: imports and test TypeByExtension which is used to resolve extension by mimetype relies on MIME-info database which differs at my local env (macos <-> drone). This is fixed by using one of the builtinTypes for testing --------- Signed-off-by: Christian Richter <crichter@owncloud.com> Co-authored-by: Christian Richter <crichter@owncloud.com>
2026-01-06 04:09:40 -06:00 · 2023-07-10 16:28:23 +02:00
parent ecfe2d9a7b
commit c09f82405f
14 changed files with 303 additions and 218 deletions
--- a/deployments/examples/service_policies/policies/postprocessing.rego
+++ b/deployments/examples/service_policies/policies/postprocessing.rego
@@ -6,5 +6,12 @@ import data.utils
 default granted := true

 granted = false if {
-    not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.resource.name)
+    not utils.is_extension_allowed(input.resource.name)
+}
+
+granted = false if {
+    bytes := ocis.resource.download(input.resource.url)
+    mimetype := ocis.mimetype.detect(bytes)
+
+    not utils.is_mimetype_allowed(mimetype)
 }
--- a/deployments/examples/service_policies/policies/proxy.rego
+++ b/deployments/examples/service_policies/policies/proxy.rego
@@ -6,13 +6,14 @@ import data.utils
 default granted := true

 granted = false if {
-    utils.is_request_type_put
-    not input.request.path == "/data"
-    not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.request.path)
+    print("PRINT MESSAGE EXAMPLE")
+    input.request.method == "PUT"
+    not startswith(input.request.path, "/ocs")
+    not utils.is_extension_allowed(input.request.path)
 }

 granted = false if {
-    utils.is_request_type_post
+    input.request.method == "POST"
    startswith(input.request.path, "/remote.php")
-    not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.resource.name)
+    not utils.is_extension_allowed(input.resource.name)
 }
--- a/deployments/examples/service_policies/policies/utils.rego
+++ b/deployments/examples/service_policies/policies/utils.rego
@@ -1,8 +1,6 @@
 package utils

-import future.keywords.if
-
-ALLOWED_FILE_EXTENSIONS := [
+ALLOWED_RESOURCE_EXTENSIONS := [
    ".apk", ".avi", ".bat", ".bmp", ".css", ".csv", ".doc", ".docm", ".docx",
    ".docxf", ".dotx", ".eml", ".epub", ".htm", ".html", ".ipa", ".jar", ".java",
    ".jpg", ".js", ".json", ".mp3", ".mp4", ".msg", ".odp", ".ods", ".odt", ".oform",
@@ -11,43 +9,14 @@ ALLOWED_FILE_EXTENSIONS := [
    ".txt", ".xls", ".xlsm", ".xlsx", ".xltm", ".xltx", ".xml", ".zip", ".md"
 ]

-##
-
-is_stage_http {
-    input.stage == "http"
+is_extension_allowed(identifier) {
+     extension := ALLOWED_RESOURCE_EXTENSIONS[_]
+     endswith(identifier, extension)
 }

-is_stage_pp {
-    input.stage == "pp"
-}
-
-##
-
-is_user_admin {
-    input.user.username == "admin"
-}
-
-##
-
-is_request_type_put {
-    is_stage_http
-    input.request.method == "PUT"
-}
-
-is_request_type_post {
-    is_stage_http
-    input.request.method == "POST"
-}
-
-is_request_type_mkcol {
-    is_stage_http
-    input.request.method == "MKCOL"
-}
-
-##
-
-collection_contains(collection, source) {
-     current := collection[_]
-     endswith(source, current)
+is_mimetype_allowed(mimetype) {
+     extensions := ocis.mimetype.extensions(mimetype)
+     extension := extensions[_]
+     is_extension_allowed(extension)
 }