# enforce default to drop all permissions
default policy drop (cap)
  test
    so not (cap)
    if failure then break circuit

# allow read only permission for file-access actions
policy read-only
  ## this statement on its own will drop all
  ## permissions then allow read
  allow only (cap READ)
  action is file-access
  test
    with action as file-access
    so only (cap READ)
    if failure then break circuit

# the following policies also set the environment
# that they apply to, in this case it's the office
policy write-for-staff in office
  allow (cap WRITE)
  ## where is used as syntax-sugar here
  ## to make the children statements easier
  ## to grok.
  where
    action is file-access
    subject must have attribute "staff"
  test
    as correct
      with action as file-access
      empty subject apply attribute as tag "staff"
      so (cap READ) and (cap WRITE)
      if failure then break circuit
    as incorrect
      with action as file-access
      empty subject
      so (cap READ)
      so not (cap WRITE)
      if failure then break circuit

policy create-for-admin in office
  allow (cap CREATE)
  where
    subject must have attribute "staff" attribute "admin"
    ## when a user creates a resource we add
    ## an attribute to it as a specific keyvalue
    ## type. Read the colon symbol as where
    apply attribute to resource as keyvalue :
      key is "glenda-can-delete"
      ### we set the value from the environment
      ### and enforce the type as ternary value
      ### : true, unknown, or false. If set
      ### and contents considered truthy then
      ### value will be true, else false. If
      ### not set then the value will be unknown
      value is ternary (env GLENDA_ALLOWED)
  test
    as correct
      with empty subject apply attribute as tag "staff" as tag "admin"
      so (cap CREATE)
      so resource has attribute "glenda-can-delete" with ternary value
      if failure then break circuit
    as incorrect
      with empty subject
      so not (cap CREATE)
      if failure then break circuit

policy destroy-only-for-glenda in remote-office
  allow (cap DESTROY)
  where
    resource must have attribute "glenda-can-delete" value must be true
    subject must have attribute "staff" attribute "username" value is "glenda"
  test
    as correct
      with empty resource apply attribute as ternary "glenda-can-delete" with value true
      empty subject apply attribute as tag "staff"
        apply attribute as keyvalue : key is "username" value is "glenda"
      so (cap DESTROY)
      if failure then break circuit
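The following Python is an added executable model of the policy file above, not the policy engine's own code. It replays the file's `test` blocks so the reader can see how the default-drop, `allow only` versus `allow`, environment scoping, attribute predicates and the `ternary (env ...)` value compose. Everything about evaluation order (policies applied top to bottom, `allow only` replacing the capability set, `allow` adding to it), the tag/keyvalue attribute model, and which strings count as "truthy" for the ternary is an assumption read off the file's comments; the names `Entity`, `Request`, `Policy`, `evaluate` and `run_file_tests` are invented for the illustration. Note that an `unknown` ternary (variable unset) is not `true`, so `destroy-only-for-glenda` fails closed in that case.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Ternary(Enum):
    TRUE = "true"
    UNKNOWN = "unknown"
    FALSE = "false"


def ternary_from_env(name: str, env: dict) -> Ternary:
    """`value is ternary (env NAME)`: unset -> UNKNOWN; set and truthy -> TRUE;
    set but not truthy -> FALSE.  The accepted truthy spellings are an assumption."""
    if name not in env:
        return Ternary.UNKNOWN
    truthy = env[name].strip().lower() in {"1", "true", "yes", "on"}
    return Ternary.TRUE if truthy else Ternary.FALSE


@dataclass
class Entity:
    """A subject or resource: tag attributes plus keyvalue attributes (assumed model)."""
    tags: set = field(default_factory=set)
    kv: dict = field(default_factory=dict)


@dataclass
class Request:
    environment: Optional[str] = None   # "office", "remote-office", or None
    action: Optional[str] = None        # "file-access" or None
    subject: Entity = field(default_factory=Entity)
    resource: Entity = field(default_factory=Entity)


@dataclass
class Policy:
    name: str
    grants: set
    only: bool = False                  # `allow only` replaces, plain `allow` adds
    environment: Optional[str] = None   # `policy ... in office`
    action: Optional[str] = None        # `action is file-access`
    subject_ok: Callable[[Entity], bool] = lambda s: True
    resource_ok: Callable[[Entity], bool] = lambda r: True
    on_grant: Callable[[Request, dict], None] = lambda req, env: None


def tag_resource(req: Request, env: dict) -> None:
    """`apply attribute to resource as keyvalue : key is "glenda-can-delete"
    value is ternary (env GLENDA_ALLOWED)` from create-for-admin."""
    req.resource.kv["glenda-can-delete"] = ternary_from_env("GLENDA_ALLOWED", env)


# The four named policies from the file, in file order.
POLICIES = [
    Policy("read-only", {"READ"}, only=True, action="file-access"),
    Policy("write-for-staff", {"WRITE"}, environment="office", action="file-access",
           subject_ok=lambda s: "staff" in s.tags),
    Policy("create-for-admin", {"CREATE"}, environment="office",
           subject_ok=lambda s: {"staff", "admin"} <= s.tags, on_grant=tag_resource),
    Policy("destroy-only-for-glenda", {"DESTROY"}, environment="remote-office",
           resource_ok=lambda r: r.kv.get("glenda-can-delete") is Ternary.TRUE,
           subject_ok=lambda s: "staff" in s.tags and s.kv.get("username") == "glenda"),
]


def evaluate(req: Request, env: Optional[dict] = None) -> set:
    """`default policy drop (cap)`: start with no capabilities, then apply every
    policy whose environment, action and predicates all match, top to bottom."""
    env = {} if env is None else env
    caps: set = set()
    for p in POLICIES:
        if p.environment is not None and p.environment != req.environment:
            continue
        if p.action is not None and p.action != req.action:
            continue
        if not (p.subject_ok(req.subject) and p.resource_ok(req.resource)):
            continue
        caps = set(p.grants) if p.only else caps | p.grants
        p.on_grant(req, env)
    return caps


def run_file_tests() -> bool:
    """The `test` blocks of the policy file replayed against the model (constructed inputs)."""
    assert evaluate(Request()) == set()                                    # default drop
    assert evaluate(Request(action="file-access")) == {"READ"}             # read-only
    staff = Entity(tags={"staff"})
    assert evaluate(Request("office", "file-access", staff)) == {"READ", "WRITE"}
    assert evaluate(Request("office", "file-access")) == {"READ"}          # no staff tag
    admin, res = Entity(tags={"staff", "admin"}), Entity()
    assert evaluate(Request("office", subject=admin, resource=res),
                    {"GLENDA_ALLOWED": "1"}) == {"CREATE"}
    assert res.kv["glenda-can-delete"] is Ternary.TRUE                     # attribute applied
    assert evaluate(Request("office", resource=Entity())) == set()         # empty subject
    glenda = Entity(tags={"staff"}, kv={"username": "glenda"})
    ok_res = Entity(kv={"glenda-can-delete": Ternary.TRUE})
    assert evaluate(Request("remote-office", subject=glenda, resource=ok_res)) == {"DESTROY"}
    unknown_res = Entity(kv={"glenda-can-delete": Ternary.UNKNOWN})
    assert evaluate(Request("remote-office", subject=glenda, resource=unknown_res)) == set()
    return True
```

Running `run_file_tests()` exercises the same correct/incorrect cases the file's `test` blocks declare, plus the unset-variable case: a resource created while `GLENDA_ALLOWED` was unset carries `unknown`, which `value must be true` rejects, so the model denies DESTROY rather than falling open.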