# Our role based permissions.

# Admin can do anything.
ADMIN = {
  publish = ">"
  subscribe = ">"
}

# Can do requests on req.foo or req.bar, and subscribe to anything
# that is a response, e.g. _INBOX.*
#
# Notice that authorization filters can be singletons or arrays.

REQUESTOR = {
  publish = ["req.foo", "req.bar"]
  subscribe = "_INBOX.*"
}

# Default permissions if none presented. e.g. Joe below.
DEFAULT_PERMISSIONS = {
   publish = "SANDBOX.*"
   subscribe = ["PUBLIC.>", "_INBOX.>"]
}

# This is to benchmark pub performance.
BENCH = {
   publish = "a"
}

# New Style Permissions

NEW_STYLE = {
  publish = {
    allow = "*.*"
    deny = ["SYS.*", "bar.baz", "foo.*"]
  }
  subscribe = {
    allow = ["foo.*", "SYS.TEST.>"]
    deny = ["foo.baz", "SYS.*"]
  }
}

NS_PUB = {
  publish = "foo.baz"
  subscribe = "foo.baz"
}

BENCH_DENY = {
   subscribe = {
    allow = ["foo", "*"]
    deny = "foo.bar"
  }
}

# This is for services where you only want
# responses to reply subjects to be allowed.
MY_SERVICE = {
    subscribe = "my.service.req"
    publish_allow_responses: true
  }

# This is a more detailed example where responses
# could be streams and you want to set the TTL
# and maximum allowed.
MY_STREAM_SERVICE = {
    subscribe = "my.service.req"
    allow_responses = {max: 10, ttl: "10ms"}
}