Time-Based Checks
You can grant people access to resources for a specific length of time by adding an expiration time to their role or permission assignment.
Implement the logic
We add a rule to say that a user has a role if they have a role assignment that has not expired.
The has_role_with_expiry
fact is like the usual has_role
fact, but the fourth argument is the
expiration time, expressed as an integer representing seconds since the Unix epoch.
On a *nix system, date +%s
will give you the current Unix time in seconds.
@current_unix_time
is a constant you can use in rules that will resolve to
the current Unix time at the time your query is evaluated.
To implement access expiration, we compare the expiration time with the current time.
actor User { }resource Repository { roles = ["member"]; permissions = ["read"]; "read" if "member";}has_role(actor: Actor, role: String, repo: Repository) if expiration matches Integer and has_role_with_expiry(actor, role, repo, expiration) and expiration > @current_unix_time;
Test it out
To test this, we grant Alice the "member" role until 2033, while Bob's role expired in 2022.
Given those time-bound roles, Alice has access but Bob does not.
test "access to repositories is conditional on expiry" { setup { # Alice's access expires in 2033 has_role_with_expiry(User{"alice"}, "member", Repository{"anvil"}, 2002913298); # Bob's access expired in 2022 has_role_with_expiry(User{"bob"}, "member", Repository{"anvil"}, 1655758135); } assert allow(User{"alice"}, "read", Repository{"anvil"}); assert_not allow(User{"bob"}, "read", Repository{"anvil"});}