############################################
# Cloudron users
#
# Add additional customizations in this file.
# Certain features, such as Access Control *must* be done in this file.
############################################


# Access Control
#
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
#
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put patterns containing wildcards between simple quotes for the YAML
# to be syntaxically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
# `policy` and `resources`.
#
# - `domain` defines which domain or set of domains the rule applies to.
#
# - `subject` defines the subject to apply authorizations to. This parameter is
#    optional and matching any user if not provided. If provided, the parameter
#    represents either a user or a group. It should be of the form 'user:<username>'
#    or 'group:<groupname>'.
#
# - `policy` is the policy to apply to resources. It must be either `bypass`,
#   `one_factor`, `two_factor` or `deny`.
#
# - `resources` is a list of regular expressions that matches a set of resources to
#    apply the policy to. This parameter is optional and matches any resource if not
#    provided.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
access_control:
  # Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
  # It is the policy applied to any resource if there is no policy to be applied
  # to the user.
  default_policy: deny

  rules:
    # Rules applied to everyone
    - domain: public.example.com
      policy: two_factor
    - domain: single_factor.example.com
      policy: one_factor

    # Rules applied to 'admin' group
    - domain: 'mx2.mail.example.com'
      subject: 'group:admin'
      policy: deny
    - domain: '*.example.com'
      subject: 'group:admin'
      policy: two_factor

    # Rules applied to 'dev' group
    - domain: dev.example.com
      resources:
        - '^/groups/dev/.*$'
      subject: 'group:dev'
      policy: two_factor

    # Rules applied to user 'john'
    - domain: dev.example.com
      resources:
        - '^/users/john/.*$'
      subject: 'user:john'
      policy: two_factor


    # Rules applied to user 'harry'
    - domain: dev.example.com
      resources:
        - '^/users/harry/.*$'
      subject: 'user:harry'
      policy: two_factor

    # Rules applied to user 'bob'
    - domain: '*.mail.example.com'
      subject: 'user:bob'
      policy: two_factor
    - domain: 'dev.example.com'
      resources:
        - '^/users/bob/.*$'
      subject: 'user:bob'
      policy: two_factor