authormo khan <mo@mokhan.ca>2025-07-05 11:29:37 -0600
committermo khan <mo@mokhan.ca>2025-07-05 11:29:37 -0600
commitfc4bbd8efd805411239406c6323a37537d4534f2 (patch)
treec40010635a00efdad4d9d8f5be1e56c83f9ec03d
parenta45c159dac5893c7214e18a59c8a6d5115472e44 (diff)
fix: fix typo in cedar policy file
-rw-r--r--etc/authzd/policy0.cedar1
-rw-r--r--src/authorization/cedar_authorizer.rs110
-rw-r--r--tests/authorization/cedar_authorizer_test.rs18
-rw-r--r--tests/authorization/check_service_test.rs4
4 files changed, 68 insertions, 65 deletions
diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar
index 75cf8178..e1037457 100644
--- a/etc/authzd/policy0.cedar
+++ b/etc/authzd/policy0.cedar
@@ -44,6 +44,7 @@ when {
) || (
context.method == "POST" && (
context.path == "/sparkles/restore"
+ )
)
)
};
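Review bot: The added `)` closes the `context.method == "POST" && (` group so the `|| (` group and the outer parenthesis now balance, but nothing in the change stops the next such typo from reaching production: a policy that does not parse is only noticed when the loader runs. Presumably this file is what `CedarAuthorizer::new_from` reads from `/etc/authzd`; a test that builds a `PolicySet` from every `.cedar` file under `etc/authzd`, or a `cedar validate` step against the schema in CI, would make a malformed policy fail the build rather than the deployment. The enclosing `permit` rule begins outside the hunk, so the surrounding conditions were not reviewed.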
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index 96a406d8..9fb7513a 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -49,58 +49,7 @@ impl CedarAuthorizer {
Ok(policies)
}
-}
-
-impl Default for CedarAuthorizer {
- fn default() -> Self {
- Self::new_from(std::path::Path::new("/etc/authzd"))
- }
-}
-
-impl Authorizer for CedarAuthorizer {
- fn authorize(&self, request: CheckRequest) -> bool {
- let http_request = match request
- .attributes
- .as_ref()
- .and_then(|attr| attr.request.as_ref())
- .and_then(|req| req.http.as_ref())
- {
- Some(http) => http,
- None => return false,
- };
-
- tracing::info!(
- method = %http_request.method,
- host = %http_request.host,
- path = %http_request.path,
- scheme = %http_request.scheme,
- protocol = %http_request.protocol,
- "Processing HTTP request"
- );
- match self.map_from(http_request.clone()) {
- Ok(cedar_request) => {
- let entities = Entities::empty();
- let response =
- self.authorizer
- .is_authorized(&cedar_request, &self.policies, &entities);
-
- matches!(response.decision(), cedar_policy::Decision::Allow)
- }
- Err(e) => {
- println!("error: {}", e);
- tracing::error!(
- error = %e,
- path = %http_request.path,
- "Failed to create Cedar request"
- );
- false
- }
- }
- }
-}
-
-impl CedarAuthorizer {
fn map_from(
&self,
http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
@@ -110,8 +59,9 @@ impl CedarAuthorizer {
let resource = self.resource_from(&http_request)?;
let context = self.context_from(http_request)?;
- CedarRequest::new(principal, permission, resource, context, None)
- .map_err(|e| Box::new(e) as Box<dyn std::error::Error>)
+ Ok(CedarRequest::new(
+ principal, permission, resource, context, None,
+ )?)
}
fn principal_from(
@@ -147,7 +97,7 @@ impl CedarAuthorizer {
fn context_from(
&self,
http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
- ) -> Result<cedar_policy::Context, cedar_policy::ContextCreationError> {
+ ) -> Result<cedar_policy::Context, Box<dyn std::error::Error>> {
let mut items = std::collections::HashMap::new();
items.insert("bearer_token".to_string(), self.token_from(&http_request));
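Review bot: `context_from` still takes `HttpRequest` by value (`http_request: envoy_types::...::HttpRequest,`) while the visible body only borrows it — `self.token_from(&http_request)` here and `&http_request.method` / `&http_request.path` further down — which is what forces `map_from` to own the request and `authorize` to `clone()` the whole message, headers included, on every check. Change the parameter to `http_request: &envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,` and pass `&http_request` from `map_from`; no other visible line needs to change. Widening the error to `Box<dyn std::error::Error>` is fine at this layer, though callers lose the ability to match on `ContextCreationError`. The function body continues past the hunk.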
@@ -155,7 +105,7 @@ impl CedarAuthorizer {
items.insert("method".to_string(), self.safe_string(&http_request.method));
items.insert("path".to_string(), self.safe_string(&http_request.path));
- Context::from_pairs(items.into_iter().collect::<Vec<_>>())
+ Ok(Context::from_pairs(items.into_iter().collect::<Vec<_>>())?)
}
fn token_from(
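Review bot: The `path` value handed to Cedar is `http_request.path` passed through `safe_string` without normalisation, and the policy compares it with `==`, so any variant of an allowed route — a trailing slash, a percent-encoded form, or a query string, which Envoy documents as part of `AttributeContext.HttpRequest.path` — is denied. That fails closed, which is the right default, but it is probably not the intended result for `/sparkles/restore?foo=bar`; decide explicitly whether to strip the query and normalise before inserting, and record the decision with a comment such as `// path is passed through verbatim (query string included); policies must match it exactly`. `safe_string` is not visible in this hunk, so what it does to the value is assumed. `context_from` starts outside the hunk.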
@@ -175,3 +125,53 @@ impl CedarAuthorizer {
cedar_policy::RestrictedExpression::new_string(item.to_string())
}
}
+
+impl Default for CedarAuthorizer {
+ fn default() -> Self {
+ Self::new_from(std::path::Path::new("/etc/authzd"))
+ }
+}
+
+impl Authorizer for CedarAuthorizer {
+ fn authorize(&self, request: CheckRequest) -> bool {
+ let http_request = match request
+ .attributes
+ .as_ref()
+ .and_then(|attr| attr.request.as_ref())
+ .and_then(|req| req.http.as_ref())
+ {
+ Some(http) => http,
+ None => return false,
+ };
+
+ tracing::info!(
+ method = %http_request.method,
+ host = %http_request.host,
+ path = %http_request.path,
+ scheme = %http_request.scheme,
+ protocol = %http_request.protocol,
+ "Processing HTTP request"
+ );
+
+ let entities = Entities::empty();
+
+ match self.map_from(http_request.clone()) {
+ Ok(cedar_request) => {
+ let response =
+ self.authorizer
+ .is_authorized(&cedar_request, &self.policies, &entities);
+
+ matches!(response.decision(), cedar_policy::Decision::Allow)
+ }
+ Err(e) => {
+ println!("error: {}", e);
+ tracing::error!(
+ error = %e,
+ path = %http_request.path,
+ "Failed to create Cedar request"
+ );
+ false
+ }
+ }
+ }
+}
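Review bot: `println!("error: {}", e);` in the `Err` arm duplicates the `tracing::error!` call directly below it and writes the same error unstructured to stdout, bypassing whatever filtering or redaction the tracing subscriber applies; drop the `println!` line. The error from `map_from` may carry request-derived values (a rejected header or context value), so keeping it on one controlled channel matters. Denying when the HTTP attributes are absent and when request mapping fails is the right fail-closed behaviour, and hoisting `Entities::empty()` out of the match is harmless. `Default` hard-codes `/etc/authzd`, and `new_from` returning `Self` rather than a `Result` presumably means a bad policy directory panics at construction — acceptable for an authorizer, but worth stating in a `///` comment on the `Default` impl.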
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index 317ef67f..ccf8a1f8 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -5,16 +5,18 @@ mod tests {
use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
use std::collections::HashMap;
+ fn subject() -> authzd::CedarAuthorizer {
+ build_cedar_authorizer()
+ }
+
#[test]
fn test_cedar_authorizer_allows_valid_token() {
- let request = build_request(|item: &mut HttpRequest| {
+ assert!(subject().authorize(build_request(|item: &mut HttpRequest| {
item.headers = build_headers(vec![(
"authorization".to_string(),
"Bearer valid-token".to_string(),
)]);
- });
-
- assert!(build_cedar_authorizer().authorize(request));
+ })));
}
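Review bot: `test_cedar_authorizer_allows_valid_token` sets only the `authorization` header and expects Allow, so whatever method and path `build_request` defaults to is accepted on the strength of the token alone; if those defaults are empty strings, the policy contains a rule that allows without checking the route. Add a negative case that sends `Bearer valid-token` with an explicit unlisted route, e.g. `item.method = "DELETE".to_string(); item.path = "/admin".to_string();`, and asserts `!subject().authorize(...)`, so a later policy edit cannot widen access silently. `build_request` and `build_cedar_authorizer` are defined outside the hunk, so the defaults are an assumption to confirm.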
#[test]
@@ -26,7 +28,7 @@ mod tests {
)]);
});
- assert!(!build_cedar_authorizer().authorize(request));
+ assert!(!subject().authorize(request));
}
#[test]
@@ -35,7 +37,7 @@ mod tests {
item.headers = HashMap::new();
});
- assert!(!build_cedar_authorizer().authorize(request));
+ assert!(!subject().authorize(request));
}
#[test]
@@ -55,7 +57,7 @@ mod tests {
]);
});
- assert!(build_cedar_authorizer().authorize(request));
+ assert!(subject().authorize(request));
}
#[test]
@@ -75,6 +77,6 @@ mod tests {
]);
});
- assert!(build_cedar_authorizer().authorize(request));
+ assert!(subject().authorize(request));
}
}
diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
index 5ea0cb95..a32f2a2c 100644
--- a/tests/authorization/check_service_test.rs
+++ b/tests/authorization/check_service_test.rs
@@ -224,13 +224,13 @@ mod tests {
"GET",
"/dashboard",
"sparkle.staging.runway.gitlab.net",
- tonic::Code::PermissionDenied,
+ tonic::Code::Unauthenticated,
),
(
"POST",
"/sparkles",
"sparkle.staging.runway.gitlab.net",
- tonic::Code::PermissionDenied,
+ tonic::Code::Unauthenticated,
),
];
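Review bot: Flipping these two expectations from `PermissionDenied` to `Unauthenticated` changes the contract exposed to Envoy — `Unauthenticated` means no usable credential was presented, `PermissionDenied` means the credential was accepted but policy refused the action — yet `Authorizer::authorize` returns only a `bool`, so the check service can distinguish the two only if it inspects the `authorization` header itself. The table's request setup is outside the hunk, so it is unclear whether these rows send no token or a valid token on a disallowed route; if the latter, `Unauthenticated` is the wrong code, and either way the commit message (`fix typo in cedar policy file`) does not explain this expectation change. Consider adding a row with `Bearer valid-token` on a forbidden path that asserts `tonic::Code::PermissionDenied`. The enclosing test function starts outside the hunk.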