Metadata-Version: 2.1
Name: predicate-dev-test
Version: 0.1.0
Summary: 
Author: Sakshyam Shah
Author-email: sshah@goteleport.com
Requires-Python: >=3.10,<4.0
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Requires-Dist: PyYAML (>=6.0,<7.0)
Requires-Dist: black (>=22.8.0,<23.0.0)
Requires-Dist: click (>=8.1.3,<9.0.0)
Requires-Dist: flake8 (>=5.0.4,<6.0.0)
Requires-Dist: isort (>=5.10.1,<6.0.0)
Requires-Dist: lint-python (>=2.0.0,<3.0.0)
Requires-Dist: mypy (>=0.982,<0.983)
Requires-Dist: pytest (>=7.1.3,<8.0.0)
Requires-Dist: setuptools (>=65.3.0,<66.0.0)
Requires-Dist: z3-solver (>=4.11.2.0,<5.0.0.0)
Description-Content-Type: text/markdown

# predicate

## Installing predicate

```bash
poetry install
```

Alternatively, `poetry shell` can be used to run `predicate`.

## Working with policies

### Example policy

```py
# access.py

from solver.ast import Duration
from solver.teleport import AccessNode, Node, Options, OptionsSet, Policy, Rules, User


class Teleport:
    p = Policy(
        name="access",
        loud=False,
        allow=Rules(
            AccessNode(
                ((AccessNode.login == User.name) & (User.name != "root"))
                | (User.traits["team"] == ("admins",))
            ),
        ),
        options=OptionsSet(Options((Options.max_session_ttl < Duration.new(hours=10)))),
        deny=Rules(
            AccessNode(
                (AccessNode.login == "mike")
                | (AccessNode.login == "jester")
                | (Node.labels["env"] == "prod")
            ),
        ),
    )

    def test_access(self):
        # Alice can log in as herself to a dev node (prod nodes are denied)
        ret, _ = self.p.check(
            AccessNode(
                (AccessNode.login == "alice")
                & (User.name == "alice")
                & (Node.labels["env"] == "dev")
            )
        )
        assert ret is True, "Alice can log in as herself to a dev node"

        # No one is permitted to login as mike
        ret, _ = self.p.query(AccessNode((AccessNode.login == "mike")))
        assert ret is False, "This role does not allow access as mike"

        # No one is permitted to login as jester
        ret, _ = self.p.query(AccessNode((AccessNode.login == "jester")))
        assert ret is False, "This role does not allow access as jester"
```

### Testing a policy

```bash
predicate test access.py
```

```text
Running 1 tests:
  - test_access: ok
```

### Exporting a policy

```bash
predicate export access.py
```

```yaml
kind: policy
metadata:
  name: access
spec:
  allow:
    access_node: (((access_node.login == user.name) && (!(user.name == "root"))) ||
      equals(user.traits["team"], ["admins"]))
  deny:
    access_node: (((access_node.login == "mike") || (access_node.login == "jester"))
      || (node.labels["env"] == "prod"))
  options: (options.max_session_ttl < 36000000000000)
version: v1
```
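
The exported `allow` and `deny` expressions can also be reviewed exhaustively over a small domain, which surfaces cases the hand-written test does not cover. The following is an added example, not part of predicate or its API: it restates the two expressions as plain Python, assumes a deny match overrides an allow match (consistent with the `mike` and `jester` assertions above), and uses a constructed domain of names and environments.

```python
from itertools import product

# Constructed domain: each constant the policy compares against, plus one
# value ("alice", "dev") that matches none of them.
NAMES = ("alice", "mike", "jester", "root")
ENVS = ("dev", "prod")
# options.max_session_ttl bound from the export: 10 hours in nanoseconds.
MAX_SESSION_TTL_NS = 10 * 3600 * 10**9


def allow(login, user, admin, env):
    # admin stands for equals(user.traits["team"], ["admins"])
    return (login == user and user != "root") or admin


def deny(login, user, admin, env):
    return login in ("mike", "jester") or env == "prod"


def permitted(request):
    # Assumption of this example: a deny match overrides an allow match.
    return allow(*request) and not deny(*request)


def query(constraint):
    """Return every permitted (login, user, admin, env) matching constraint."""
    space = product(NAMES, NAMES, (False, True), ENVS)
    return [r for r in space if permitted(r) and constraint(*r)]


def review():
    """Answer the questions a reviewer would ask of this policy."""
    return {
        "login_as_mike": query(lambda login, user, admin, env: login == "mike"),
        "any_prod_node": query(lambda login, user, admin, env: env == "prod"),
        "login_as_root": query(lambda login, user, admin, env: login == "root"),
        "alice_on_dev": query(
            lambda login, user, admin, env: (login, user, env) == ("alice", "alice", "dev")
        ),
    }


if __name__ == "__main__":
    for question, witnesses in review().items():
        print(question, "->", witnesses or "no permitted request")
```

Under these assumptions the `login_as_root` witnesses all have `admin` set: the `user.name != "root"` guard constrains only the first branch of `allow`, so members of the `admins` team can still log in as `root` on non-prod nodes.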
