DiamondLightSource · DiamondJoseph · Nov 19, 2025 · Nov 19, 2025 · Nov 19, 2025 · Dec 3, 2025
diff --git a/policy/diamond/policy/tiled/tiled.rego b/policy/diamond/policy/tiled/tiled.rego
@@ -0,0 +1,40 @@
+package diamond.policy.tiled
+
+import data.diamond.policy.session.access_session
+import data.diamond.policy.token
+
+read_scopes := {
+	"read:metadata",
+	"read:data",
+}
+
+write_scopes := {
+	"write:metadata",
+	"write:data",
+	"create",
+	"register",
+}
+
+scopes_for(claims) := read_scopes | write_scopes if {
+	"azp" in object.keys(claims)
+	endswith(claims.azp, "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+	"azp" in object.keys(claims)
+	not endswith(claims.azp, "-blueapi")
+}
+
+scopes_for(claims) := read_scopes if {
+	not "azp" in object.keys(claims)
+}
-scopes_for(claims) := read_scopes if {
-	"azp" in object.keys(claims)
-	not endswith(claims.azp, "-blueapi")
-}
-
-scopes_for(claims) := read_scopes if {
-	not "azp" in object.keys(claims)
-}
+scopes_for(claims) := read_scopes if {
+	not "azp" in object.keys(claims)
+	not endswith(claims.azp, "-blueapi")
+}
-scopes_for(claims) := read_scopes if {
-	"azp" in object.keys(claims)
-	not endswith(claims.azp, "-blueapi")
-}
-
-scopes_for(claims) := read_scopes if {
-	not "azp" in object.keys(claims)
-}
+scopes_for(claims) := read_scopes if {
+	not "azp" in object.keys(claims)
+	not endswith(claims.azp, "-blueapi")
+}
+
+default scopes := set()
+
+scopes := scopes_for(token.claims)
+
+user_sessions contains user_session if {
+	some session in data.diamond.data.sessions
+	access_session(token.claims.fedid, session.proposal_number, session.visit_number)
+	user_session := sprintf("%s", [session])
+}
diff --git a/policy/diamond/policy/tiled/tiled_test.rego b/policy/diamond/policy/tiled/tiled_test.rego
@@ -0,0 +1,129 @@
+package diamond.policy.tiled_test
+
+import data.diamond.policy.tiled
+import data.diamond.policy.token
+import rego.v1
+
+test_default_no_scopes if {
+	tiled.scopes == set()
+}
+
+test_wrong_azp_read_scopes if {
+	tiled.scopes == tiled.read_scopes with token.claims as {}
+	tiled.scopes == tiled.read_scopes with token.claims as {"sub": "foo"}
+	tiled.scopes == tiled.read_scopes with token.claims as {"azp": "foo"}
+}
+
+test_blueapi_given_write_scopes if {
+	tiled.scopes == {
+		"read:metadata",
+		"read:data",
+		"write:metadata",
+		"write:data",
+		"create",
+		"register",
+	} with token.claims as {"azp": "foo-blueapi"}
+}
+
+diamond_data := {
+	"subjects": {
+		"alice": {
+			"permissions": [],
+			"proposals": [1],
+			"sessions": [],
+		},
+		"bob": {
+			"permissions": ["b07_admin"],
+			"proposals": [],
+			"sessions": [11],
+		},
+		"carol": {
+			"permissions": ["super_admin"],
+			"proposals": [],
+			"sessions": [],
+		},
+		"desmond": {
+			"permissions": [],
+			"proposals": [2],
+			"sessions": [13],
+		},
+		"edna": {
+			"permissions": [],
+			"proposals": [2],
+			"sessions": [13, 14],
+		},
+		"oscar": {
+			"permissions": [],
+			"proposals": [],
+			"sessions": [],
+		},
+	},
+	"sessions": {
+		"11": {
+			"beamline": "i03",
+			"proposal_number": 1,
+			"visit_number": 1,
+		},
+		"12": {
+			"beamline": "b07",
+			"proposal_number": 1,
+			"visit_number": 2,
+		},
+		"13": {
+			"beamline": "b07",
+			"proposal_number": 2,
+			"visit_number": 1,
+		},
+		"14": {
+			"beamline": "b07",
+			"proposal_number": 2,
+			"visit_number": 2,
+		},
+	},
+	"proposals": {
+		"1": {"sessions": {
+			"1": 11,
+			"2": 12,
+		}},
+		"2": {"sessions": {
+			"1": 13,
+			"2": 14,
+		}},
+	},
+	"beamlines": {"i03": {"sessions": [11]}, "b07": {"sessions": [12, 13, 14]}},
+	"admin": {"b07_admin": ["b07"]},
+}
+
+test_user_session_tags if {
+	tiled.user_sessions == set() with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "oscar"}
+	tiled.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}",
+		"{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "alice"}
+	tiled.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}",
+		"{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "bob"}
+	tiled.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 1, \"visit_number\": 2}",
+		"{\"beamline\": \"i03\", \"proposal_number\": 1, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "carol"}
+	tiled.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "desmond"}
+	tiled.user_sessions == {
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 1}",
+		"{\"beamline\": \"b07\", \"proposal_number\": 2, \"visit_number\": 2}",
+	} with data.diamond.data as diamond_data
+		with data.diamond.policy.token.claims as {"fedid": "edna"}
+}