# =============================================================================
# MOON 设备授权配置(规则化分层模型)
# =============================================================================
# 文件语义:
# - 必选根层:global(全局授权基线)
# - 可选覆盖层:groups.<name>(组级覆盖)、devices.<sn>(设备级覆盖)
# - 合并优先级:devices > groups > global
# - 规则模型: (resource, target, match-type, operation, effect, priority)
# - operation 输入兼容:
# - 单值字符串:operation = "read"
# - 数组:operation = ["read", "write"](内部会展开为多条单 operation 规则)
#
# 枚举全集(供全文引用):
# - access-policy: [allow-all, deny-all]
# - effect: [allow, deny]
# - resource: [service, command, filesystem, application]
# - match-type: [exact, prefix, glob]
# - operation:
# - service: [use]
# - command: [execute]
# - filesystem: [read, write, delete, execute]
# - application: [launch]
#
# 时间格式:
# - issued-at / expires-at 必须使用 ISO 8601(UTC),例如 2026年01月01日T00:00:00Z
# =============================================================================
# 必选
# 语义:配置修订版本,建议使用时间戳(可用于审计/冲突判断)
# 默认值:无(必须显式配置)
revision = "2026年03月13日T12:00:00Z"
# 必选
# 语义:全局兜底策略(当规则未命中时使用)
# 默认值:deny-all(代码默认)
# 可取值集合:["allow-all", "deny-all"]
access-policy = "deny-all"
[global.access]
# 可选
# 语义:允许访问的用户名列表
# 默认值:[](空列表,表示不额外放行)
# 集合元素可取值:任意字符串用户名;可使用 "*" 表示全部用户
allowed-users = ["admin"]
# 可选
# 语义:允许访问的用户组列表
# 默认值:[](空列表)
# 集合元素可取值:任意字符串组名;可使用 "*" 表示全部用户组
allowed-user-groups = ["ops"]
# 必选
# 语义:是否启用独占访问(true 表示同一时间仅允许单会话)
# 默认值:false
# 可取值集合:[true, false]
exclusive = false
# 必选
# 语义:最大并发会话数(0 表示不限制),独占模式先无意义
# 默认值:0
# 可取值集合:整数 >= 0
max-sessions = 0
[[global.rule-set.rules]]
# 必选
# 语义:规则作用资源类型
# 默认值:无
# 可取值集合:["service", "command", "filesystem", "application"]
resource = "service"
# 必选
# 语义:规则匹配目标
# 默认值:无
# 可取值集合:
# - resource=service/application: 任意服务/应用标识字符串
# - resource=command: 任意命令字符串,可配合 glob
# - resource=filesystem: 任意路径字符串
target = "stat"
# 必选
# 语义:target 的匹配方式
# 默认值:无
# 可取值集合:["exact", "prefix", "glob"]
match-type = "exact"
# 必选
# 语义:资源操作类型
# 默认值:无
# 输入格式:
# - 字符串(单值)
# - 数组(多值,至少 1 个元素)
# 可取值集合(按 resource):
# - service: ["use"]
# - command: ["execute"]
# - filesystem: ["read", "write", "delete", "execute"]
# - application: ["launch"]
operation = "use"
# 必选
# 语义:命中该规则后的判定结果
# 默认值:无
# 可取值集合:["allow", "deny"]
effect = "allow"
# 可选
# 语义:规则优先级(越大越优先)
# 默认值:0
# 可取值集合:任意整数(建议 >= 0)
priority = 10
[[global.rule-set.rules]]
# 必选;同上
resource = "service"
# 必选;同上
target = "dufs"
# 必选;同上
match-type = "exact"
# 必选;同上
operation = "use"
# 必选;同上
effect = "allow"
# 可选;同上
priority = 10
[[global.rule-set.rules]]
# 必选;同上
resource = "command"
# 必选;同上
target = "rm -rf *"
# 必选;同上
match-type = "glob"
# 必选;同上
operation = "execute"
# 必选;同上
effect = "deny"
# 可选;同上
priority = 200
[[global.rule-set.rules]]
# 必选;同上
resource = "filesystem"
# 必选;同上
target = "/data/local/tmp"
# 必选;同上
match-type = "prefix"
# 必选;同上
operation = "read"
# 必选;同上
effect = "allow"
# 可选;同上
priority = 10
[[global.rule-set.rules]]
# 必选;同上
resource = "filesystem"
# 必选;同上
target = "/data/local/tmp"
# 必选;同上
match-type = "prefix"
# 必选;同上
operation = ["write", "delete", "execute"]
# 必选;同上
effect = "allow"
# 可选;同上
priority = 10
[global.validity]
# 必选(global 级有效期)
# 语义:生效起始时间
# 默认值:无(必须显式配置)
issued-at = "2026年01月01日T00:00:00Z"
# 必选(global 级有效期)
# 语义:过期时间,必须 >= issued-at
# 默认值:无(必须显式配置)
expires-at = "2026年12月31日T23:59:59Z"
[groups.lab-devices]
# 可选(组定义时通常必填)
# 语义:组成员设备 SN 列表
# 默认值:[](空组)
# 集合元素可取值:任意设备 SN 字符串
members = ["SN-LAB-001", "SN-LAB-002"]
[groups.lab-devices.access]
# 可选;语义/默认值同 global.access.allowed-users
# 集合元素可取值:任意字符串用户名;可使用 "*" 表示全部用户
allowed-users = ["developer", "tester"]
# 可选;语义/默认值同 global.access.allowed-user-groups
# 集合元素可取值:任意字符串组名;可使用 "*" 表示全部用户组
allowed-user-groups = ["toolchain", "qa"]
# 可选;语义/默认值同 global.access.exclusive
# 可取值集合:[true, false]
exclusive = false
# 可选;语义/默认值同 global.access.max-sessions
# 可取值集合:整数 >= 0
max-sessions = 0
[[groups.lab-devices.rules]]
# 必选;语义同 global.rule-set.rules.resource
resource = "service"
# 必选;语义同 global.rule-set.rules.target
target = "rush"
# 必选;语义同 global.rule-set.rules.match-type
match-type = "exact"
# 必选;语义同 global.rule-set.rules.operation
operation = "use"
# 必选;语义同 global.rule-set.rules.effect
effect = "allow"
# 可选;语义同 global.rule-set.rules.priority
priority = 20
[[groups.lab-devices.rules]]
# 必选;同上
resource = "filesystem"
# 必选;同上
target = "/sdcard"
# 必选;同上
match-type = "prefix"
# 必选;同上
operation = "read"
# 必选;同上
effect = "allow"
# 可选;同上
priority = 20
[devices."SN-LAB-001"]
# 可选
# 语义:设备所属组名(用于继承组级规则)
# 默认值:无(不继承任何组)
# 可取值集合:已存在组名字符串
group = "lab-devices"
[devices."SN-LAB-001".access]
# 可选
# 语义:在继承访问控制基础上追加允许用户
# 默认值:[](不追加)
# 集合元素可取值:任意字符串用户名;可使用 "*" 表示全部用户
additional-users = ["guest-researcher"]
[devices."SN-LAB-001".validity]
# 可选(设备级有效期)
# 语义:设备授权生效起始时间
# 默认值:无(未配置时继承上层有效期)
issued-at = "2026年02月01日T00:00:00Z"
# 可选(设备级有效期)
# 语义:设备授权过期时间,必须 >= issued-at
# 默认值:无
expires-at = "2026年06月30日T23:59:59Z"
[[devices."SN-LAB-001".rules]]
# 必选;语义同 global.rule-set.rules.resource
resource = "command"
# 必选;语义同 global.rule-set.rules.target
target = "*"
# 必选;语义同 global.rule-set.rules.match-type
match-type = "glob"
# 必选;语义同 global.rule-set.rules.operation
operation = "execute"
# 必选;语义同 global.rule-set.rules.effect
effect = "allow"
# 可选;语义同 global.rule-set.rules.priority
priority = 50
[devices."SN-RESTRICTED-001"]
[devices."SN-RESTRICTED-001".access]
# 可选;语义/默认值同 global.access.allowed-users
# 集合元素可取值:任意字符串用户名;可使用 "*" 表示全部用户
allowed-users = ["admin"]
# 可选;语义/默认值同 global.access.allowed-user-groups
# 集合元素可取值:任意字符串组名;可使用 "*" 表示全部用户组
allowed-user-groups = []
# 可选;语义/默认值同 global.access.exclusive
# 可取值集合:[true, false]
exclusive = true
# 可选;语义/默认值同 global.access.max-sessions
# 可取值集合:整数 >= 0
max-sessions = 1
[[devices."SN-RESTRICTED-001".rules]]
# 必选;语义同 global.rule-set.rules.resource
resource = "service"
# 必选;语义同 global.rule-set.rules.target
target = "stat"
# 必选;语义同 global.rule-set.rules.match-type
match-type = "exact"
# 必选;语义同 global.rule-set.rules.operation
operation = "use"
# 必选;语义同 global.rule-set.rules.effect
effect = "allow"
# 可选;语义同 global.rule-set.rules.priority
priority = 50