authormo khan <mo@mokhan.ca>2025-06-02 11:43:44 -0600
committermo khan <mo@mokhan.ca>2025-06-02 11:43:44 -0600
commit645499fd97f7c160e674b410050d4f34420c2f73 (patch)
tree8bc2cace4d30a2f01b38b3820a4a96e2daf4ce49 /app
parent30877c82667ccda1e97c087911b7aeb4e24f51ee (diff)
feat: connect ext-authz rpc endpoint to cedar policies
Diffstat (limited to 'app')
-rw-r--r--app/services/check.go13
1 files changed, 12 insertions, 1 deletions
diff --git a/app/services/check.go b/app/services/check.go
index d0004572..23deecb9 100644
--- a/app/services/check.go
+++ b/app/services/check.go
@@ -3,9 +3,12 @@ package services
import (
"context"
+ "github.com/cedar-policy/cedar-go"
core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/gid"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/policies"
status "google.golang.org/genproto/googleapis/rpc/status"
"google.golang.org/grpc/codes"
)
@@ -26,7 +29,15 @@ func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest)
}
func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool {
- return true
+ return policies.Allowed(ctx, cedar.Request{
+ Principal: gid.NewEntityUID("gid://gitlab/User/*"),
+ Action: cedar.NewEntityUID("HttpMethod", cedar.String(r.Attributes.Request.Http.Method)),
+ Resource: cedar.NewEntityUID("HttpPath", cedar.String(r.Attributes.Request.Http.Path)),
+ Context: cedar.NewRecord(cedar.RecordMap{
+ "host": cedar.String(r.Attributes.Request.Http.Host),
+ }),
+ })
+
}
func (svc *CheckService) OK(ctx context.Context) *auth.CheckResponse {
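Review bot: The new isAllowed body dereferences `r.Attributes.Request.Http` directly when building the Action, Resource and `host` context, so a CheckRequest whose `attributes`, `request` or `http` message is absent panics inside the gRPC handler rather than producing a deny; the generated nil-safe getters avoid that, e.g. `r.GetAttributes().GetRequest().GetHttp().GetMethod()`, `...GetHttp().GetPath()` and `...GetHttp().GetHost()`, or return false up front when `r.GetAttributes().GetRequest().GetHttp() == nil`. The Principal is the fixed wildcard `gid://gitlab/User/*`, so every caller is evaluated under the same identity and Cedar policies cannot distinguish users or unauthenticated traffic. If that is intentional scaffolding, mark it so nobody assumes per-user enforcement yet: `// TODO: derive Principal from the authenticated caller; every request currently evaluates as the wildcard user`. Envoy's `HttpRequest.path` is, as far as I recall from the ext_authz proto, the raw request target including the query string with no decoding, so keying an `HttpPath` resource on it means `/foo?x=1` will not match a policy written for `/foo`; consider splitting off the query and normalizing the path before using it as the resource id.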