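// Geographic Access Restrictions Policy
// Controls access based on geographic location and data residency requirements
// Compliance: GDPR, Data Residency, Export Control Regulations
//
// Cedar evaluation rules this file depends on:
//   * Default is deny. A request is allowed when at least one permit matches
//     and no forbid matches.
//   * Permits are additive: a broad permit admits a request even if a narrower
//     permit for the same resource would have demanded more. The broad permits
//     below (general, VPN) therefore exclude regulated resources explicitly.
//   * A policy whose condition raises an evaluation error is skipped. A skipped
//     permit fails closed; a skipped forbid fails open, so the forbid below
//     guards every attribute it reads with `has`.
//   * `in` tests entity-hierarchy membership and is a type error on strings.
//     String-in-set tests use `.contains()`.
//   * Validate this file against a schema before deployment: `has` cannot guard
//     against an attribute that is present but of the wrong type.

// Allow access from approved geographic regions.
// Applies only to resources that carry none of the regulated labels; those are
// admitted solely by their dedicated policies further down.
permit(principal, action, resource)
when {
  context has geo &&
  context.geo has country &&
  !(resource has export_controlled && resource.export_controlled == true) &&
  !(resource has data_classification && resource.data_classification == "eu_personal_data") &&
  !(resource has data_type && ["healthcare", "financial"].contains(resource.data_type)) &&
  (
    // General allowed countries for standard resources
    (
      !(resource has geo_restricted) &&
      ["US", "CA", "GB", "DE", "FR", "AU", "JP", "SG"].contains(context.geo.country)
    ) ||
    // Specific country restrictions for sensitive data
    (
      resource has geo_restricted &&
      resource.geo_restricted == true &&
      resource has allowed_countries &&
      resource.allowed_countries.contains(context.geo.country)
    )
  )
  // NOTE(review): a resource with geo_restricted == false matches neither
  // branch and gets no permit from this policy - confirm that is intended.
};

// GDPR-compliant EU data access: listed country plus unexpired GDPR training.
// NOTE(review): the country list includes "GB" - confirm with compliance.
// NOTE(review): a resource carrying several regulated labels is admitted by
// whichever regime's permit matches. If labels can combine, express each
// regime as `forbid ... unless` instead of a permit.
permit(principal, action, resource)
when {
  resource has data_classification &&
  resource.data_classification == "eu_personal_data" &&
  context has geo &&
  context.geo has country &&
  ["GB", "DE", "FR", "IT", "ES", "NL", "SE", "DK", "FI", "IE", "AT", "BE", "PT", "CZ", "PL", "HU"].contains(context.geo.country) &&
  principal has gdpr_training &&
  principal.gdpr_training.completed == true &&
  principal.gdpr_training.expires_at > context.time.timestamp
};

// US-only access for export-controlled data, with a valid clearance.
permit(principal, action, resource)
when {
  resource has export_controlled &&
  resource.export_controlled == true &&
  context has geo &&
  context.geo has country &&
  context.geo.country == "US" &&
  principal has security_clearance &&
  ["confidential", "secret", "top_secret"].contains(principal.security_clearance.level) &&
  principal.security_clearance.valid == true
};

// Healthcare data - HIPAA geographic restrictions
permit(principal, action, resource)
when {
  resource has data_type &&
  resource.data_type == "healthcare" &&
  context has geo &&
  context.geo has country &&
  context.geo.country == "US" && // HIPAA applies to US healthcare data
  principal has hipaa_authorization &&
  principal.hipaa_authorization.valid == true &&
  principal.hipaa_authorization.minimum_necessary == true
};

// Financial data - regional compliance
permit(principal, action, resource)
when {
  resource has data_type &&
  resource.data_type == "financial" &&
  context has geo &&
  context.geo has country &&
  (
    // US financial data
    (
      resource has jurisdiction &&
      resource.jurisdiction == "US" &&
      context.geo.country == "US" &&
      principal has sox_compliance &&
      principal.sox_compliance.certified == true
    ) ||
    // EU financial data
    (
      resource has jurisdiction &&
      resource.jurisdiction == "EU" &&
      ["GB", "DE", "FR", "IT", "ES", "NL", "IE"].contains(context.geo.country) &&
      principal has mifid_compliance &&
      principal.mifid_compliance.certified == true
    )
  )
};

// VPN exception for authorized remote access.
// This permit does not look at context.geo, so it must not reach regulated
// resources: their clearance / training / authorization checks live only in
// the dedicated permits above.
permit(principal, action, resource)
when {
  context has connection &&
  context.connection.type == "vpn" &&
  context.connection.verified == true &&
  principal has vpn_authorization &&
  principal.vpn_authorization.valid == true &&
  principal.vpn_authorization.expires_at > context.time.timestamp &&
  !(resource has export_controlled && resource.export_controlled == true) &&
  !(resource has data_classification && resource.data_classification == "eu_personal_data") &&
  !(resource has data_type && ["healthcare", "financial"].contains(resource.data_type)) &&
  // Additional verification for sensitive access via VPN
  (
    !(resource has geo_restricted) ||
    (
      resource has geo_restricted &&
      resource.geo_restricted == true &&
      ["executive", "emergency", "business_travel"].contains(principal.vpn_authorization.level)
    )
  )
};

// Emergency access override with strict controls (break-glass: all actions,
// all resources, including regulated ones).
// NOTE(review): authorized_by, incident_id and business_justification are
// plain strings on the principal. Whoever can write principal attributes can
// satisfy them - confirm the attribute source is an approval workflow.
permit(principal, action, resource)
when {
  principal has emergency_override &&
  principal.emergency_override.active == true &&
  principal.emergency_override.expires_at > context.time.timestamp &&
  principal.emergency_override.expires_at < (context.time.timestamp + 14400) && // Max 4 hours
  ["CISO", "CTO", "CEO"].contains(principal.emergency_override.authorized_by) &&
  principal.emergency_override.incident_id != "" &&
  principal.emergency_override.business_justification != ""
};

// Explicit deny for restricted geographic access.
// The exemption in `unless` requires the same override validity as the
// emergency permit (unexpired, max 4 hours, authorizer, incident id,
// justification), not just active == true. Each attribute is `has`-guarded
// because an evaluation error here would skip the forbid.
// NOTE(review): confirm with compliance that an emergency override may lift
// the sanctioned-country block at all.
// NOTE(review): the forbid applies only when context.geo.country is present.
// Confirm the enforcement point always supplies it; otherwise the VPN and
// emergency permits can match with no geographic check.
forbid(principal, action, resource)
when {
  context has geo &&
  context.geo has country &&
  (
    // Sanctioned or embargoed countries
    ["IR", "KP", "SY", "CU", "RU"].contains(context.geo.country) ||
    // Countries blocked by company policy
    (
      resource has blocked_countries &&
      resource.blocked_countries.contains(context.geo.country)
    ) ||
    // Data residency violations
    (
      resource has required_jurisdiction &&
      resource.required_jurisdiction != context.geo.country &&
      !(principal has jurisdiction_override)
    )
  )
}
unless {
  principal has emergency_override &&
  principal.emergency_override has active &&
  principal.emergency_override.active == true &&
  principal.emergency_override has expires_at &&
  context has time &&
  context.time has timestamp &&
  principal.emergency_override.expires_at > context.time.timestamp &&
  principal.emergency_override.expires_at < (context.time.timestamp + 14400) &&
  principal.emergency_override has authorized_by &&
  ["CISO", "CTO", "CEO"].contains(principal.emergency_override.authorized_by) &&
  principal.emergency_override has incident_id &&
  principal.emergency_override.incident_id != "" &&
  principal.emergency_override has business_justification &&
  principal.emergency_override.business_justification != ""
};

// Audit logging for all geographic access decisions.
// Cedar has no audit-only effect: the former `@audit(true) permit(...)` was an
// ordinary permit that allowed any request with geo context on a
// geo_restricted resource. Its annotation value was also not a string
// literal, and `resource has data_classification in [...]` does not parse.
// Log decisions at the enforcement point instead, using the authorization
// response, which reports the policies that determined the decision and any
// that errored. Alert on forbid policies that appear in the error list.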