authormo khan <mo@mokhan.ca>2025-07-04 18:39:27 -0600
committermo khan <mo@mokhan.ca>2025-07-04 18:39:27 -0600
commit6c6f1a7225022ae285bd6603aa0a2a81afc8baf3 (patch)
treee6714168e8e0e9914893ea88a51a5d0a8dc2426f
parent0ba8f6c8ecaa366afbb90fcddbc58fcd395fd03d (diff)
refactor: move hard coded checks with cedar policy
-rw-r--r--etc/authzd/policy0.cedar12
-rw-r--r--src/authorization/cedar_authorizer.rs28
2 files changed, 17 insertions, 23 deletions
diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar
index 034e81b5..56457622 100644
--- a/etc/authzd/policy0.cedar
+++ b/etc/authzd/policy0.cedar
@@ -18,3 +18,15 @@ when {
context.path like "*.html"
)
};
+
+permit(principal, action, resource)
+when {
+ context has host && context has method && context has path && (
+ context.host == "sparkle.staging.runway.gitlab.net" &&
+ context.method == "GET" && (
+ context.path == "/" ||
+ context.path == "/app.js" ||
+ context.path == "/callback"
+ )
+ )
+};
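Review bot: The allowed script path changes in this move: the hard-coded checks deleted from src/authorization/cedar_authorizer.rs in this commit permitted `/application.js`, but the policy added here permits `/app.js`, so a commit titled "refactor" silently drops one allow and introduces another. If the rename is intended it should be stated in the commit message; otherwise the line should read `context.path == "/application.js" ||`. A leading comment on the new policy would also help the next reader, e.g. `// Replaces the hard-coded host/method/path allow-list formerly in cedar_authorizer.rs`. Note that this policy only takes effect if the request context carries host and method, which depends on the context_from change at the end of the Rust diff.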
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index f90e8d8b..96a406d8 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -78,27 +78,6 @@ impl Authorizer for CedarAuthorizer {
"Processing HTTP request"
);
- if http_request.host == "sparkle.staging.runway.gitlab.net"
- && http_request.method == "GET"
- && http_request.path == "/"
- {
- return true;
- }
-
- if http_request.host == "sparkle.staging.runway.gitlab.net"
- && http_request.method == "GET"
- && http_request.path == "/application.js"
- {
- return true;
- }
-
- if http_request.host == "sparkle.staging.runway.gitlab.net"
- && http_request.method == "GET"
- && http_request.path == "/callback"
- {
- return true;
- }
-
match self.map_from(http_request.clone()) {
Ok(cedar_request) => {
let entities = Entities::empty();
@@ -109,6 +88,7 @@ impl Authorizer for CedarAuthorizer {
matches!(response.decision(), cedar_policy::Decision::Allow)
}
Err(e) => {
+ println!("error: {}", e);
tracing::error!(
error = %e,
path = %http_request.path,
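Review bot: The `println!("error: {}", e);` added at the top of the `Err(e)` arm duplicates the error to stdout, unstructured and outside the tracing subscriber, while the `tracing::error!` call directly below already records it as `error = %e`; it reads as a debugging leftover. Drop that line, or if a separate diagnostic is genuinely wanted, emit it through `tracing::debug!` so it respects the configured log level and output. The `Err` arm continues past the end of the hunk.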
@@ -128,9 +108,9 @@ impl CedarAuthorizer {
let principal = self.principal_from(&http_request)?;
let permission = self.permission_from(&http_request)?;
let resource = self.resource_from(&http_request)?;
- let context = self.context_from(http_request);
+ let context = self.context_from(http_request)?;
- CedarRequest::new(principal, permission, resource, context?, None)
+ CedarRequest::new(principal, permission, resource, context, None)
.map_err(|e| Box::new(e) as Box<dyn std::error::Error>)
}
@@ -171,6 +151,8 @@ impl CedarAuthorizer {
let mut items = std::collections::HashMap::new();
items.insert("bearer_token".to_string(), self.token_from(&http_request));
+ items.insert("host".to_string(), self.safe_string(&http_request.host));
+ items.insert("method".to_string(), self.safe_string(&http_request.method));
items.insert("path".to_string(), self.safe_string(&http_request.path));
Context::from_pairs(items.into_iter().collect::<Vec<_>>())