Rather than having to always write a custom method when a statement needs to examine the contextual details of the request/user/object, some built-in conditions could be provided. I think the syntax would be to use a dictionary for these built-in checks, and have string values continue to reference a custom method on the policy.
```python
{
    "action": "*",
    "principal": "*",
    "condition": {"is_read": False}  # whether the request method is HEAD, GET or OPTIONS
}
```

```python
{
    "action": "*",
    "principal": "*",
    "condition": {"client_ip": "203.0.113.0/24"}  # whether the requester's IP matches
}
```

```python
{
    "action": "*",
    "principal": "*",
    "condition": {"user_is": "owner"}  # whether a field on the object instance (from view.get_object()) is equal to the request user
}
```

```python
{
    "action": "*",
    "principal": "*",
    "condition": {"is_authenticated": True}  # whether the user is authenticated
}
```
There could be three to start with:
AWS IAM provides a much more feature-rich version of this: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
However, since we have the flexibility to write custom methods, I think it's best to only cover the most common and simple cases with built-in conditions.
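As an added illustration, not part of the issue or the project's code: one way the dictionary conditions proposed above could be evaluated, rejecting unknown keys so that a typo cannot widen access. The names `evaluate_condition`, `BUILTIN_CONDITIONS` and `sample_request`, the AND semantics for several keys, and the `(request, obj)` call signature for custom methods are assumptions.

```python
import ipaddress
from types import SimpleNamespace

SAFE_METHODS = ("HEAD", "GET", "OPTIONS")  # the methods the issue lists for is_read

def _is_read(request, obj, expected):
    return (request.method in SAFE_METHODS) == expected

def _client_ip(request, obj, cidr):
    # Uses the socket peer address only; forwarded-for headers are client-supplied
    # unless a trusted proxy overwrites them.
    addr = ipaddress.ip_address(request.META["REMOTE_ADDR"])
    return addr in ipaddress.ip_network(cidr)

def _user_is(request, obj, field):
    # Assumption: obj is what view.get_object() returned, or None on list views.
    return obj is not None and getattr(obj, field, None) == request.user

def _is_authenticated(request, obj, expected):
    return bool(request.user.is_authenticated) == expected

BUILTIN_CONDITIONS = {
    "is_read": _is_read,
    "client_ip": _client_ip,
    "user_is": _user_is,
    "is_authenticated": _is_authenticated,
}

def evaluate_condition(condition, request, obj=None, policy=None):
    """Return True when the statement's condition holds for this request."""
    if isinstance(condition, str):
        # String form: custom method on the policy (call signature assumed here).
        return bool(getattr(policy, condition)(request, obj))
    if not isinstance(condition, dict) or not condition:
        raise ValueError("condition must be a method name or a non-empty dict")
    unknown = set(condition) - set(BUILTIN_CONDITIONS)
    if unknown:
        # Fail closed: a misspelled key must not silently become "always true".
        raise ValueError(f"unknown built-in condition(s): {sorted(unknown)}")
    # Assumption: several keys in one dict are ANDed together.
    return all(BUILTIN_CONDITIONS[k](request, obj, v) for k, v in condition.items())

def sample_request(method="GET", ip="203.0.113.7", authenticated=True):
    # Constructed stand-in for a Django request; addresses are documentation ranges.
    user = SimpleNamespace(is_authenticated=authenticated)
    return SimpleNamespace(method=method, META={"REMOTE_ADDR": ip}, user=user)
```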