From 02537c00fa66c7e90b0017949699fc359a576dca Mon Sep 17 00:00:00 2001
From: Jeff Chao
Date: Thu, 11 Jan 2024 18:03:00 -0800
Subject: [PATCH] Replace `in_group` with `member_of`.
---
 src/abbey/functions/member_of.rego | 26 ++++++++++++++++
 src/abbey/functions/member_of_test.rego | 41 +++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 src/abbey/functions/member_of.rego
 create mode 100644 src/abbey/functions/member_of_test.rego
diff --git a/src/abbey/functions/member_of.rego b/src/abbey/functions/member_of.rego
new file mode 100644
index 0000000..4db4d9e
--- /dev/null
+++ b/src/abbey/functions/member_of.rego
@@ -0,0 +1,26 @@
+package abbey.functions_test
+
+import future.keywords.if
+import future.keywords.in
+
+apps := [
+ "googleworkspace",
+ "okta",
+ "google",
+]
+
+# METADATA
+# title: Member Of
+# description: |
+# Function which checks whether a user has a specific group membership.
+# This function will iterate through all of a user's imported `apps` to determine
+# if any of the `group_id`s match the user's group memberships.
+# related_resources:
+# - ref: https://docs.abbey.io/reference/access-policies/types-of-access-policies
+# entrypoint: false
+member_of(group_id) if {
+ some app in apps # Iterate over each app.
+ user_groups := data.user[app] # Get each app of the user.
+ some group in user_groups.groups # For the app, get the user's group memberships.
+ group_id in group # Check if the group_id is one of the keys of the group object.
+}
diff --git a/src/abbey/functions/member_of_test.rego b/src/abbey/functions/member_of_test.rego
new file mode 100644
index 0000000..399b1d4
--- /dev/null
+++ b/src/abbey/functions/member_of_test.rego
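Review bot: `group_id in group` on the last line of `member_of` matches `group_id` against every value of the group object, not against its `id` field — the fixture's `{"id": "Engineering"}` makes it work, but the trailing comment ("one of the keys of the group object") is wrong about what `in` does here, and any additional field an importer places on a group (a display name, a description) would satisfy the check for a group whose id differs. Compare the id explicitly: `group.id == group_id # Match only on the group's id, never on another field's value.`. Since the lookup already spans every app in `apps`, an id string that collides across providers (Okta's numeric "123" against another app's group) is also accepted; the test file acknowledges this, but the METADATA description above the function should state it as well so policy authors know the check is not scoped to one identity provider. Separately, `member_of.rego` declares `package abbey.functions_test`; if policies are expected to reach it as `data.abbey.functions.member_of` this is presumably meant to be `package abbey.functions`, with only the test file carrying the `_test` suffix.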
@@ -0,0 +1,41 @@
+package abbey.functions_test
+
+import future.keywords.if
+
+fixture := {
+ "googleworkspace": {"groups": [
+ {"id": "Engineering"},
+ {"id": "R&D"},
+ ]},
+ "okta": {"groups": [
+ {"id": "123"},
+ {"id": "456"},
+ ]},
+}
+
+test_member_of_googleworkspace_engineering_group if {
+ member_of("Engineering") with data.user as fixture
+}
+
+test_member_of_okta_group if {
+ member_of("123") with data.user as fixture
+}
+
+# Tests if the user is a member of a group within Google. However, technically, the way we implement
+# the `member_of` function entails a lookup against all of the user's `apps`. This means this test
+# will also produce `false` if the group doesn't exist as a result of the group not being imported.
+test_not_member_of_googleworkspace_engineering_group if {
+ not member_of("Marketing") with data.user as fixture
+}
+
+# Tests if the user is a member of a group within Okta. However, technically, the way we implement
+# the `member_of` function entails a lookup against all of the user's `apps`. This means this test
+# will also produce `false` if the group doesn't exist as a result of the group not being imported.
+test_not_member_of_okta_group if {
+ not member_of("789") with data.user as fixture
+}
+
+# Tests if the user is a member of a group, but the group is not imported.
+test_unimported_group if {
+ not member_of("unimported") with data.user as fixture
+}
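Review bot: None of the fixture's group objects carry a field other than `id`, so these tests cannot tell whether `member_of` matches on the id or on any value of the group object, and the three negative tests (`Marketing`, `789`, `unimported`) all exercise the same path — a string absent from the fixture entirely. Add one group with a second field, e.g. `{"id": "grp-sales", "name": "Sales"},` under `googleworkspace`, and assert both `member_of("grp-sales") with data.user as fixture` and `not member_of("Sales") with data.user as fixture`; the second assertion is the one that pins id-only matching. The comments above the negative tests say the function will "produce `false`", but `member_of` has no `default` or `else`, so a miss leaves it undefined rather than false, and `not` succeeds on undefined — worth stating in the comment, because it means these tests also pass if the rule body fails for an unrelated reason. The first of those comments also says "within Google" while the fixture key is `googleworkspace` and the `google` app listed in `apps` has no fixture entry at all.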