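// Production Environment Approval Policy
// Requires explicit approval for production operations
// Compliance: SOC2 Change Management, ITIL Change Control
//
// Cedar evaluation notes that shape how these policies are written:
//   - String set membership uses Set.contains(). The `in` operator is for
//     entity-hierarchy membership only and raises an evaluation error on
//     string operands, so `x in ["a", "b"]` never matches.
//   - A policy that errors during evaluation is skipped. For a permit that
//     is fail-closed; for a forbid it is fail-open. The forbid below therefore
//     guards every attribute with `has` before reading it. Validate requests
//     and entities against a schema as well, since type mismatches (e.g. a
//     string approved_at) still raise evaluation errors that the guards
//     cannot catch.

// Allow production write operations with a valid, unexpired change approval.
// Action::"scale" is deliberately absent here although the forbid below covers
// it, so "scale" is only reachable through the emergency-access permit.
permit(
  principal,
  action in [Action::"deploy", Action::"modify", Action::"delete", Action::"restart"],
  resource
)
when {
  resource has environment &&
  resource.environment == "production" &&
  principal has approval &&
  principal.approval.environment == "production" &&
  ["ProductionAdmin", "SRE", "ChangeManager"].contains(principal.approval.approved_by) &&
  // Approval is valid for 24 hours (86400 s) from approved_at.
  principal.approval.approved_at > (context.time.timestamp - 86400) &&
  principal.approval.expires_at > context.time.timestamp &&
  principal.approval.change_ticket != "" &&
  // High risk requires additional controls and is not permitted by this policy.
  ["low", "medium"].contains(principal.approval.risk_assessment)
};

// Allow read-only operations in production without approval, by role.
permit(
  principal,
  action in [Action::"read", Action::"list", Action::"describe"],
  resource
)
when {
  resource has environment &&
  resource.environment == "production" &&
  principal has role &&
  ["Developer", "SRE", "Observer", "ProductionAdmin"].contains(principal.role)
};

// Emergency access with time-limited override.
// The upper bound on expires_at means the grant must lapse within the next
// hour; it bounds the *remaining* validity, not the total grant duration (no
// granted_at is checked). The action is unconstrained, so this is the broadest
// grant in the file.
permit(
  principal,
  action,
  resource
)
when {
  resource has environment &&
  resource.environment == "production" &&
  principal has emergency_access &&
  principal.emergency_access.granted == true &&
  principal.emergency_access.expires_at > context.time.timestamp &&
  // Must expire within the next 3600 s.
  principal.emergency_access.expires_at < (context.time.timestamp + 3600) &&
  principal.emergency_access.incident_number != "" &&
  ["IncidentCommander", "CTO"].contains(principal.emergency_access.authorized_by)
};

// Explicit deny for production write operations without approval.
// Every attribute is checked with `has` before it is read: a missing attribute
// must make this forbid apply, not make it error and be skipped. The
// emergency-access exemption also requires the grant to be unexpired, so a
// stale emergency record cannot disable this forbid and let the maintenance
// window permit grant writes without approval.
forbid(
  principal,
  action in [Action::"deploy", Action::"modify", Action::"delete", Action::"restart", Action::"scale"],
  resource
)
when {
  resource has environment &&
  resource.environment == "production" &&
  (
    !(principal has approval) ||
    !(context has time) ||
    !(context.time has timestamp) ||
    !(principal.approval has environment) ||
    principal.approval.environment != "production" ||
    !(principal.approval has approved_by) ||
    !(["ProductionAdmin", "SRE", "ChangeManager"].contains(principal.approval.approved_by)) ||
    !(principal.approval has approved_at) ||
    principal.approval.approved_at <= (context.time.timestamp - 86400) ||
    !(principal.approval has expires_at) ||
    principal.approval.expires_at <= context.time.timestamp ||
    !(principal.approval has change_ticket) ||
    principal.approval.change_ticket == ""
  ) &&
  !(
    principal has emergency_access &&
    principal.emergency_access has granted &&
    principal.emergency_access.granted == true &&
    principal.emergency_access has expires_at &&
    context has time &&
    context.time has timestamp &&
    principal.emergency_access.expires_at > context.time.timestamp
  )
};

// Maintenance window exception.
// The forbid above still applies to deploy/modify/delete/restart/scale, so
// during a window this permit only reaches those actions for principals who
// also hold a valid approval or an unexpired emergency grant; actions outside
// that list are granted on the maintenance approval alone. Whether write
// actions should be reachable on a maintenance approval by itself is a policy
// decision not expressed here.
permit(
  principal,
  action,
  resource
)
when {
  resource has environment &&
  resource.environment == "production" &&
  context has maintenance_window &&
  context.maintenance_window.active == true &&
  context.time.hour >= context.maintenance_window.start_hour &&
  context.time.hour < context.maintenance_window.end_hour &&
  principal has role &&
  ["SRE", "MaintenanceTeam"].contains(principal.role) &&
  principal has maintenance_approval &&
  principal.maintenance_approval.valid == true
};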