feat(chart): update default policies

Signed-off-by: Sebastian Becker <sebastian.becker@de.bosch.com>

NOTICE.md

@@ -11,5 +11,7 @@ file in the Carbyne Stack
 
 ### Robert Bosch GmbH
 
+- Becker Sebastian
+  [sebastian.becker@de.bosch.com](mailto:sebastian.becker@de.bosch.com)
 - Trieflinger Sven
   [sven.trieflinger@de.bosch.com](mailto:sven.trieflinger@de.bosch.com)

charts/thymus/templates/access-control/default-policies.yaml

@@ -6,26 +6,68 @@
 #
 
 # Default OPA policies
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: default-policies
   labels:
     opa.stackable.tech/bundle: "true"
 data:
+  defaults.rego: |
+    package carbynestack.def
+
+    import rego.v1
+
+    default read := false
+    default delete := false
+    default tag.read := false
+    default tag.write := false
+    default tag.update := false
+    default tag.delete := false
+    default use := false
+  owner-access.rego: |
+    package carbynestack.def
+
+    import rego.v1
+
+    is_owner if {
+      some i
+      input.tags[i].key == "owner"
+      input.tags[i].value == input.subject
+    }
+
+    read if is_owner
+    delete if is_owner
+    tag.read if is_owner
+    tag.write if is_owner
+    tag.update if is_owner
+    tag.delete if is_owner
   donor-read.rego: |
-    package play
+    package carbynestack.def
 
     import rego.v1
 
     tags contains tag if {
       tag := {"key": "derived-from", "value": input.inputs[_].owner}
     }
 
-    default read := false
-
-    read if {
+    provided_input if {
       some i
-      tags[i].key == "derived-from"
-      tags[i].value == input.subject
+      input.tags[i].key == "derived-from"
+      input.tags[i].value == input.subject
+    }
+
+    read if provided_input
+    tag.read if provided_input
+  ephemeral-use.rego: |
+    package carbynestack.def
+
+    import rego.v1
+
+    use if {
+        some i
+        input.tags[i].key == "authorizedPrograms"
+        programIds := split(input.tags[i].value, ",")
+        programIds[_] == input.subject
     }