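// Multi-Factor Authentication Policy
// Requires MFA for access to sensitive resources
// Compliance: SOC2 Type II, ISO 27001
//
// Evaluation model (Cedar): a request is allowed only when at least one permit
// matches and no forbid matches; a matching forbid always overrides every permit.
// A policy whose condition raises an evaluation error (missing attribute, type
// error) is treated as not matching, so a permit that errors fails closed while a
// forbid that errors silently stops protecting. Every attribute read below is
// therefore guarded with `has` before it is dereferenced.
//
// Attribute shapes assumed by these policies (the schema is not part of this file;
// confirm against the application's Cedar schema):
//   resource.classification      : String ("public" | "internal" | "sensitive" | "confidential")
//   principal.mfa_enabled        : Bool
//   principal.mfa_last_verified  : Long, Unix seconds of the last MFA verification
//   principal.account_type       : String
//   principal.mfa_exemption      : Record { approved: Bool, expires_at: Long, justification: String }
//   context.time.timestamp       : Long, Unix seconds supplied by the authorizer
// A "fresh" MFA verification is one no older than 3600 seconds (1 hour). The same
// literal appears in the permit and the forbid below and must be changed together.

// Allow access to sensitive resources only with a fresh MFA verification.
// Set membership of a string is expressed with `.contains()`: Cedar's `in` is the
// entity-hierarchy operator and does not accept a String on its left-hand side.
permit(
  principal,
  action == Action::"access",
  resource
) when {
  resource has classification &&
  ["sensitive", "confidential"].contains(resource.classification) &&
  principal has mfa_enabled &&
  principal.mfa_enabled == true &&
  principal has mfa_last_verified &&
  principal.mfa_last_verified > (context.time.timestamp - 3600) // MFA verified within last hour
};

// Allow access to non-sensitive resources without MFA requirement.
// A resource carrying no classification attribute is treated as non-sensitive
// here, i.e. unlabelled resources are reachable without MFA. That is the chosen
// default of this policy set; if unlabelled resources should instead require MFA,
// remove the first disjunct so that only explicitly public/internal resources match.
permit(
  principal,
  action == Action::"access",
  resource
) when {
  !(resource has classification) ||
  ["public", "internal"].contains(resource.classification)
};

// Explicit deny for sensitive access without fresh MFA.
// This is what stops any other permit, present or future, from granting sensitive
// access to a principal without fresh MFA; default-deny alone would not, because
// another permit could still match. Since forbid overrides permit, the
// service-account exemption below can only take effect if it is carved out of this
// forbid as well, hence the `unless` clause. Its condition must stay identical to
// the exemption permit's condition; Cedar has no shared helpers, so keep both in sync.
forbid(
  principal,
  action == Action::"access",
  resource
) when {
  resource has classification &&
  ["sensitive", "confidential"].contains(resource.classification) &&
  (
    !(principal has mfa_enabled) ||
    principal.mfa_enabled == false ||
    !(principal has mfa_last_verified) ||
    principal.mfa_last_verified <= (context.time.timestamp - 3600)
  )
} unless {
  principal has account_type &&
  principal.account_type == "service" &&
  principal has mfa_exemption &&
  principal.mfa_exemption has approved &&
  principal.mfa_exemption.approved == true &&
  principal.mfa_exemption has expires_at &&
  principal.mfa_exemption.expires_at > context.time.timestamp &&
  principal.mfa_exemption has justification &&
  principal.mfa_exemption.justification != ""
};

// Special exemption for service accounts with proper justification.
// Each field of the exemption record is existence-checked before use so that a
// partially populated record is rejected explicitly instead of relying on an
// evaluation error; the exemption must be approved, unexpired and carry a
// non-empty justification. Note that this permit is not limited to a resource
// classification: an exempted service account may access any resource for the
// "access" action for as long as the exemption is valid.
permit(
  principal,
  action == Action::"access",
  resource
) when {
  principal has account_type &&
  principal.account_type == "service" &&
  principal has mfa_exemption &&
  principal.mfa_exemption has approved &&
  principal.mfa_exemption.approved == true &&
  principal.mfa_exemption has expires_at &&
  principal.mfa_exemption.expires_at > context.time.timestamp &&
  principal.mfa_exemption has justification &&
  principal.mfa_exemption.justification != ""
};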