From 05d911cb0a8619cfbb8cd3cd67d30bde75272521 Mon Sep 17 00:00:00 2001
From: Peter Holloway
Date: Fri, 8 May 2026 15:49:58 +0100
Subject: [PATCH 1/3] feat: add rule to check if service account is valid

---
 policy/diamond/policy/tiled/tiled.rego | 8 ++++++++
 policy/diamond/policy/tiled/tiled_test.rego | 20 ++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/policy/diamond/policy/tiled/tiled.rego b/policy/diamond/policy/tiled/tiled.rego
index 17644b2f..b747b72b 100644
--- a/policy/diamond/policy/tiled/tiled.rego
+++ b/policy/diamond/policy/tiled/tiled.rego
@@ -23,6 +23,14 @@ scopes := {
 "tiled-writer" in token.claims.aud
 }
+default service_account_for_beamline := false
+
+service_account_for_beamline if {
+ input.beamline == token.claims.beamline
+ "tiled-writer" in token.claims.aud
+ not token.claims.fedid
+}
+
 _session := data.diamond.data.proposals[format_int(input.proposal, 10)].sessions[format_int(input.visit, 10)]
 # Returns the session ID if the subject has write permissions for the
diff --git a/policy/diamond/policy/tiled/tiled_test.rego b/policy/diamond/policy/tiled/tiled_test.rego
index 8d8cd308..df943e99 100644
--- a/policy/diamond/policy/tiled/tiled_test.rego
+++ b/policy/diamond/policy/tiled/tiled_test.rego
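Review bot: `not token.claims.fedid` is the only thing separating a beamline service token from a user token that merely lacks the claim, so the new `service_account_for_beamline` rule proves the absence of a user identity rather than the presence of a service identity. In Rego `not` also succeeds when the claim is present but `false`, so a token carrying `"fedid": false` would be classified as a service account; `not "fedid" in object.keys(token.claims)` tests presence of the claim rather than its truthiness. If the issuer marks client-credential tokens with a positive claim (a client identifier or token-type claim), matching on that would be more robust than relying on the absence of `fedid`; if it does not, a comment above the rule should record the assumption, e.g. `# A token with no fedid claim is taken to be a beamline service account rather than a user`. Nothing in this hunk checks the token's signature or expiry; presumably `data.diamond.policy.token` does that before exposing `claims`, which is worth confirming. The hunk's leading context is the tail of the `scopes` rule, whose start is outside it.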
@@ -175,3 +175,23 @@ test_user_session_tags_service_account if {
 tiled.user_sessions == set() with data.diamond.data as diamond_data
 with data.diamond.policy.token.claims as {"beamline": "b007"}
 }
+
+test_service_account_if_beamline_matches if {
+ tiled.service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
+}
+
+test_not_service_account_if_beamline_mismatch if {
+ not tiled.service_account_for_beamline with input as {"beamline": "b21"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
+}
+
+test_not_service_account_if_missing_aud if {
+ not tiled.service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["blueapiCli"]}
+}
+
+test_not_service_account_if_fedid_present if {
+ not tiled.service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"], "fedid": "abc12345"}
+}
From 910314e9d368d0c1307de78a0993108249c08c53 Mon Sep 17 00:00:00 2001
From: Peter Holloway
Date: Tue, 12 May 2026 10:41:20 +0100
Subject: [PATCH 2/3] Move tiled service account rule to blueapi package

---
 policy/diamond/policy/blueapi/blueapi.rego | 12 ++++++++++
 .../diamond/policy/blueapi/blueapi_test.rego | 24 +++++++++++++++++++
 policy/diamond/policy/tiled/tiled.rego | 8 -------
 policy/diamond/policy/tiled/tiled_test.rego | 20 ----------------
 4 files changed, 36 insertions(+), 28 deletions(-)
 create mode 100644 policy/diamond/policy/blueapi/blueapi.rego
 create mode 100644 policy/diamond/policy/blueapi/blueapi_test.rego

diff --git a/policy/diamond/policy/blueapi/blueapi.rego b/policy/diamond/policy/blueapi/blueapi.rego
new file mode 100644
index 00000000..b6b732ee
--- /dev/null
+++ b/policy/diamond/policy/blueapi/blueapi.rego
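Review bot: None of the four new tests pins the case where the token carries no `beamline` claim at all, which is the shape a misconfigured or foreign issuer is most likely to produce; `input.beamline == token.claims.beamline` is then undefined and the rule falls back to its `default`, and a test should lock that in so a later rewrite (for example via `object.get` with a fallback value) cannot turn an absent claim into a match. A companion case worth adding is a request with no `input.beamline`, which should likewise stay `false`. The same four tests are moved verbatim to `blueapi_test.rego` later in this series, so in the final tree the addition belongs there with the `blueapi.` prefix.
```rego
# … unchanged: the four tests added by this hunk …

test_not_service_account_if_token_has_no_beamline_claim if {
	not tiled.service_account_for_beamline with input as {"beamline": "i22"}
		with data.diamond.policy.token.claims as {"aud": ["tiled-writer"]}
}
```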
@@ -0,0 +1,12 @@
+package diamond.policy.blueapi
+
+import data.diamond.policy.token
+import rego.v1
+
+default service_account_for_beamline := false
+
+service_account_for_beamline if {
+ input.beamline == token.claims.beamline
+ "tiled-writer" in token.claims.aud
+ not token.claims.fedid
+}
diff --git a/policy/diamond/policy/blueapi/blueapi_test.rego b/policy/diamond/policy/blueapi/blueapi_test.rego
new file mode 100644
index 00000000..35d338ed
--- /dev/null
+++ b/policy/diamond/policy/blueapi/blueapi_test.rego
@@ -0,0 +1,24 @@
+package diamond.policy.blueapi_test
+
+import data.diamond.policy.blueapi
+import rego.v1
+
+test_service_account_if_beamline_matches if {
+ blueapi.service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
+}
+
+test_not_service_account_if_beamline_mismatch if {
+ not blueapi.service_account_for_beamline with input as {"beamline": "b21"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
+}
+
+test_not_service_account_if_missing_aud if {
+ not blueapi.service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["blueapiCli"]}
+}
+
+test_not_service_account_if_fedid_present if {
+ not blueapi.service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"], "fedid": "abc12345"}
+}
diff --git a/policy/diamond/policy/tiled/tiled.rego b/policy/diamond/policy/tiled/tiled.rego
index b747b72b..17644b2f 100644
--- a/policy/diamond/policy/tiled/tiled.rego
+++ b/policy/diamond/policy/tiled/tiled.rego
@@ -23,14 +23,6 @@ scopes := {
 "tiled-writer" in token.claims.aud
 }
-default service_account_for_beamline := false
-
-service_account_for_beamline if {
- input.beamline == token.claims.beamline
- "tiled-writer" in token.claims.aud
- not token.claims.fedid
-}
-
 _session := data.diamond.data.proposals[format_int(input.proposal, 10)].sessions[format_int(input.visit, 10)]
 # Returns the session ID if the subject has write permissions for the
diff --git a/policy/diamond/policy/tiled/tiled_test.rego b/policy/diamond/policy/tiled/tiled_test.rego
index df943e99..8d8cd308 100644
--- a/policy/diamond/policy/tiled/tiled_test.rego
+++ b/policy/diamond/policy/tiled/tiled_test.rego
@@ -175,23 +175,3 @@ test_user_session_tags_service_account if {
 tiled.user_sessions == set() with data.diamond.data as diamond_data
 with data.diamond.policy.token.claims as {"beamline": "b007"}
 }
-
-test_service_account_if_beamline_matches if {
- tiled.service_account_for_beamline with input as {"beamline": "i22"}
- with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
-}
-
-test_not_service_account_if_beamline_mismatch if {
- not tiled.service_account_for_beamline with input as {"beamline": "b21"}
- with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
-}
-
-test_not_service_account_if_missing_aud if {
- not tiled.service_account_for_beamline with input as {"beamline": "i22"}
- with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["blueapiCli"]}
-}
-
-test_not_service_account_if_fedid_present if {
- not tiled.service_account_for_beamline with input as {"beamline": "i22"}
- with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"], "fedid": "abc12345"}
-}
From 9a20fbcaa921b2a2ee023093b75e3ff2e2f1f84a Mon Sep 17 00:00:00 2001
From: Peter Holloway
Date: Tue, 12 May 2026 14:15:07 +0100
Subject: [PATCH 3/3] Rename to tiled_service_account_for_beamline

The package no longer has a link to tiled by default
---
 policy/diamond/policy/blueapi/blueapi.rego | 4 ++--
 policy/diamond/policy/blueapi/blueapi_test.rego | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/diamond/policy/blueapi/blueapi.rego b/policy/diamond/policy/blueapi/blueapi.rego
index b6b732ee..bf2df8a7 100644
--- a/policy/diamond/policy/blueapi/blueapi.rego
+++ b/policy/diamond/policy/blueapi/blueapi.rego
@@ -3,9 +3,9 @@ package diamond.policy.blueapi
 import data.diamond.policy.token
 import rego.v1
-default service_account_for_beamline := false
+default tiled_service_account_for_beamline := false
-service_account_for_beamline if {
+tiled_service_account_for_beamline if {
 input.beamline == token.claims.beamline
 "tiled-writer" in token.claims.aud
 not token.claims.fedid
diff --git a/policy/diamond/policy/blueapi/blueapi_test.rego b/policy/diamond/policy/blueapi/blueapi_test.rego
index 35d338ed..73e94a43 100644
--- a/policy/diamond/policy/blueapi/blueapi_test.rego
+++ b/policy/diamond/policy/blueapi/blueapi_test.rego
@@ -4,21 +4,21 @@ import data.diamond.policy.blueapi
 import rego.v1
 test_service_account_if_beamline_matches if {
- blueapi.service_account_for_beamline with input as {"beamline": "i22"}
+ blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
 with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
 }
 test_not_service_account_if_beamline_mismatch if {
- not blueapi.service_account_for_beamline with input as {"beamline": "b21"}
+ not blueapi.tiled_service_account_for_beamline with input as {"beamline": "b21"}
 with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
 }
 test_not_service_account_if_missing_aud if {
- not blueapi.service_account_for_beamline with input as {"beamline": "i22"}
+ not blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
 with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["blueapiCli"]}
 }
 test_not_service_account_if_fedid_present if {
- not blueapi.service_account_for_beamline with input as {"beamline": "i22"}
+ not blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
 with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"], "fedid": "abc12345"}
 }