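// Time-Based Access Control Policy
// Restricts access based on time of day, day of week, and business hours
// Compliance: Least Privilege, Temporal Security Controls
//
// Layout: Cedar `//` comments run to the end of the physical line, so each
// policy and each comment must sit on its own lines. With the whole file on
// one line, everything after the first `//` is swallowed as a comment.
//
// Membership tests: Cedar's `in` operator is entity-hierarchy membership and
// raises a type error when the operands are strings. A policy whose condition
// errors is skipped, so a string `in` test silently disables a `forbid` and
// makes a `permit` dead. Role and level lists below use `.contains()`.
//
// NOTE(review): every policy here is scoped as (principal, action, resource)
// with no constraints, so a matching `when` clause grants all actions on all
// resources. Confirm this is intended, or narrow the scope per action and
// resource group to match the stated least-privilege goal.
//
// NOTE(review): all time values are read from `context`. They are only as
// trustworthy as the component that builds the authorization request; they
// should come from a server-side clock, never from the client.
//
// day_of_week convention used throughout: 0 = Sunday, 1-5 = Monday-Friday,
// 6 = Saturday (taken from the comparisons and comments in this file).

// Standard business hours access
permit (
    principal,
    action,
    resource
)
when {
    // Business hours: Monday-Friday 8 AM to 6 PM
    context.time.hour >= 8 &&
    context.time.hour < 18 &&
    context.time.day_of_week >= 1 &&
    context.time.day_of_week <= 5 &&
    principal has role &&
    ["Employee", "Contractor", "Manager", "Developer"].contains(principal.role)
};

// Extended access for IT operations team
permit (
    principal,
    action,
    resource
)
when {
    // Extended hours: Monday-Friday 6 AM to 10 PM
    context.time.hour >= 6 &&
    context.time.hour < 22 &&
    context.time.day_of_week >= 1 &&
    context.time.day_of_week <= 5 &&
    principal has role &&
    ["ITOps", "SRE", "SystemAdmin", "SecurityAnalyst"].contains(principal.role)
};

// 24/7 access for critical support roles
// Requires both a listed role and an active on-call status; no time check.
permit (
    principal,
    action,
    resource
)
when {
    principal has role &&
    ["OnCallEngineer", "IncidentManager", "SecurityOfficer", "MonitoringService"].contains(principal.role) &&
    principal has on_call_status &&
    principal.on_call_status.active == true
};

// Weekend access with approval
// NOTE(review): no role check here; any principal carrying an approved,
// unexpired weekend_access record matches. The expiry comparison assumes
// expires_at and context.time.timestamp share one type and unit - confirm.
permit (
    principal,
    action,
    resource
)
when {
    (context.time.day_of_week == 0 || context.time.day_of_week == 6) && // Saturday or Sunday
    principal has weekend_access &&
    principal.weekend_access.approved == true &&
    principal.weekend_access.expires_at > context.time.timestamp &&
    principal.weekend_access.justification != ""
};

// Holiday access restrictions
// A forbid overrides every permit in this file, including the on-call and
// emergency permits, unless one of the two exemptions below applies.
// NOTE(review): only "low" and "medium" criticality resources are restricted;
// resources of any other criticality are not covered by this rule - confirm
// that is the intent.
// NOTE(review): holiday_override is tested for presence only. If it is a
// record with an approval flag or an expiry, those are not evaluated here.
forbid (
    principal,
    action,
    resource
)
when {
    context has holiday &&
    context.holiday.is_company_holiday == true &&
    resource has criticality &&
    ["low", "medium"].contains(resource.criticality) &&
    !(principal has holiday_override) &&
    !(principal has role && ["OnCallEngineer", "SecurityOfficer"].contains(principal.role))
};

// After-hours sensitive resource access
// Matches outside Monday-Friday 8 AM to 6 PM for resources marked "high".
// NOTE(review): this is an additional permit, not a restriction. Nothing in
// this file forbids access to high-sensitivity resources, so the role-based
// permits above still reach them during their own time windows.
permit (
    principal,
    action,
    resource
)
when {
    resource has sensitivity &&
    resource.sensitivity == "high" &&
    (
        context.time.hour < 8 ||
        context.time.hour >= 18 ||
        context.time.day_of_week == 0 ||
        context.time.day_of_week == 6
    ) &&
    principal has after_hours_approval &&
    principal.after_hours_approval.granted == true &&
    principal.after_hours_approval.expires_at > context.time.timestamp &&
    principal.after_hours_approval.supervisor_approval == true
};

// Time zone considerations for global teams
// NOTE(review): principal.time_zone is tested for presence but never read;
// the decision rests entirely on context.user_local_time. That value should be
// derived server-side from the stored time zone and a trusted clock - confirm.
permit (
    principal,
    action,
    resource
)
when {
    principal has time_zone &&
    context has user_local_time &&
    // Allow access during user's local business hours
    context.user_local_time.hour >= 8 &&
    context.user_local_time.hour < 18 &&
    context.user_local_time.day_of_week >= 1 &&
    context.user_local_time.day_of_week <= 5 &&
    principal has global_access &&
    principal.global_access.authorized == true
};

// Emergency access time override
// NOTE(review): grants every action on every resource while the record is
// active and unexpired. The grant is stored on the principal entity, so write
// access to emergency_access should be tightly restricted and audited.
// authorized_by is matched as a plain string, not as an entity reference.
permit (
    principal,
    action,
    resource
)
when {
    principal has emergency_access &&
    principal.emergency_access.active == true &&
    principal.emergency_access.expires_at > context.time.timestamp &&
    ["critical", "high"].contains(principal.emergency_access.incident_level) &&
    ["IncidentCommander", "CISO", "CTO"].contains(principal.emergency_access.authorized_by)
};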