| author | mo khan <mo@mokhan.ca> | 2025-03-06 13:18:30 -0700 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-06 13:18:30 -0700 |
| commit | 1faacf8dda27d4eef0a4440deda82326262e0a89 (patch) | |
| tree | b8f7283ff20dc647891e280f6fea48f9a1c13e74 /bin/api | |
| parent | 68aaecae08062f6a200bc7167e8666c14165630c (diff) | |
feat: provide JWT token and GlobalID to make the remote authorization decision
Diffstat (limited to 'bin/api')
| -rwxr-xr-x | bin/api | 29 |
1 files changed, 25 insertions, 4 deletions
@@ -7,6 +7,7 @@ gemfile do
 gem "declarative_policy", "~> 1.0"
 gem "erb", "~> 4.0"
+ gem "globalid", "~> 1.0"
 gem "google-protobuf", "~> 3.0"
 gem "json", "~> 2.0"
 gem "logger", "~> 1.0"
@@ -26,6 +27,16 @@ $scheme = ENV.fetch("SCHEME", "http")
 $port = ENV.fetch("PORT", 8284).to_i
 $host = ENV.fetch("HOST", "localhost:#{$port}")
+class Organization
+ def initialize(attributes = {})
+ @attributes = attributes
+ end
+
+ def id
+ @attributes[:id]
+ end
+end
+
 class Project
 class << self
 def all
@@ -49,6 +60,12 @@ class Project
 end
 class API
+ attr_reader :rpc
+
+ def initialize
+ @rpc = ::Authx::Rpc::AbilityClient.new("http://idp.example.com:8080/twirp")
+ end
+
 def call(env)
 request = Rack::Request.new(env)
 path = env['PATH_INFO']
@@ -77,13 +94,17 @@ class API
 private
- def authorized?(request, permission)
+ def authorized?(request, permission, resource = Organization.new(id: 1))
 # TODO:: Check the JWT for the appropriate claim
 # Connect to the Authz RPC endpoint Ability.allowed?(subject, permission, resource)
- client = ::Authx::Rpc::AbilityClient.new("http://idp.example.com:8080/twirp")
- response = client.allowed(subject: "", permission: permission, resource: "")
+ token = request&.get_header('HTTP_AUTHORIZATION')&.split(' ', 2)&.last
+ response = rpc.allowed(
+ subject: token,
+ permission: permission,
+ resource: ::GlobalID.create(resource, app: "example").to_s
+ )
 puts response.inspect
- response&.error&.nil? && response&.data&.result
+ response.error.nil? && response.data.result
 end
 def json_not_found
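Review bot: `@rpc` is pinned to the cleartext `http://idp.example.com:8080/twirp` endpoint, and `authorized?` later in this diff forwards the caller's bearer token to it as the RPC subject, so if this placeholder host is ever swapped for a real one the token travels unencrypted to the authorization service. Read the endpoint from the environment the way `$host` and `$port` already are, `@rpc = ::Authx::Rpc::AbilityClient.new(ENV.fetch("AUTHZ_URL", "https://idp.example.com:8080/twirp"))`, so a deployment can point at a TLS endpoint without editing the script. A short comment on the attribute, `# Authz RPC client; receives the caller's bearer token, so the endpoint must be TLS outside local dev`, would record that expectation. The initializer is entirely within the hunk; the enclosing class API continues past it.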
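Review bot: The extraction `token = request&.get_header('HTTP_AUTHORIZATION')&.split(' ', 2)&.last` never checks the auth scheme and, when the header is absent or contains no space, sends `nil` or the raw header value as the RPC subject, so the remote call is made before any local sanity check; reject up front with `scheme, token = request.get_header('HTTP_AUTHORIZATION').to_s.split(' ', 2)` followed by `return false unless scheme&.casecmp?('Bearer') && token && !token.empty?`. The default `resource = Organization.new(id: 1)` means every caller that omits the argument is authorized against organization 1 rather than whatever the request addresses, which looks like a demo placeholder and deserves a marker such as `# FIXME: derive the organization from the request; id 1 is a demo default` until the real lookup exists. The JWT is handed over unverified and the TODO about its claims remains, so the authz service is presumably the component validating signature and expiry, which is worth stating in that comment so nobody assumes this script does it. `puts response.inspect` prints the full decision on every check and should go through the logger the gemfile already pulls in, or be removed before this ships. `authorized?` is entirely within the hunk; the enclosing class API continues past it.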
