authormo khan <mo@mokhan.ca>2025-03-06 13:18:30 -0700
committermo khan <mo@mokhan.ca>2025-03-06 13:18:30 -0700
commit1faacf8dda27d4eef0a4440deda82326262e0a89 (patch)
treeb8f7283ff20dc647891e280f6fea48f9a1c13e74 /bin
parent68aaecae08062f6a200bc7167e8666c14165630c (diff)
feat: provide JWT token and GlobalID to make the remote authorization decision
Diffstat (limited to 'bin')
-rwxr-xr-xbin/api29
-rwxr-xr-xbin/e2e2
-rwxr-xr-xbin/idp3
3 files changed, 28 insertions, 6 deletions
diff --git a/bin/api b/bin/api
index d3c53175..06500207 100755
--- a/bin/api
+++ b/bin/api
@@ -7,6 +7,7 @@ gemfile do
gem "declarative_policy", "~> 1.0"
gem "erb", "~> 4.0"
+ gem "globalid", "~> 1.0"
gem "google-protobuf", "~> 3.0"
gem "json", "~> 2.0"
gem "logger", "~> 1.0"
@@ -26,6 +27,16 @@ $scheme = ENV.fetch("SCHEME", "http")
$port = ENV.fetch("PORT", 8284).to_i
$host = ENV.fetch("HOST", "localhost:#{$port}")
+class Organization
+ def initialize(attributes = {})
+ @attributes = attributes
+ end
+
+ def id
+ @attributes[:id]
+ end
+end
+
class Project
class << self
def all
@@ -49,6 +60,12 @@ class Project
end
class API
+ attr_reader :rpc
+
+ def initialize
+ @rpc = ::Authx::Rpc::AbilityClient.new("http://idp.example.com:8080/twirp")
+ end
+
def call(env)
request = Rack::Request.new(env)
path = env['PATH_INFO']
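Review bot: The AbilityClient is built with a hard-coded plain-`http://` URL in `initialize`, and the later hunk in this file sends the caller's bearer token to that endpoint as `subject`, so in any deployment that is not purely local the token would transit in cleartext. The file already reads `SCHEME`, `PORT` and `HOST` from the environment, so the authz endpoint should follow the same pattern rather than being baked in: `@rpc = ::Authx::Rpc::AbilityClient.new(ENV.fetch("AUTHZ_URL", "http://idp.example.com:8080/twirp"))`. That lets the e2e keep its current value while production can point at an https endpoint. The body of `call` continues past the end of this hunk.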
@@ -77,13 +94,17 @@ class API
private
- def authorized?(request, permission)
+ def authorized?(request, permission, resource = Organization.new(id: 1))
# TODO:: Check the JWT for the appropriate claim
# Connect to the Authz RPC endpoint Ability.allowed?(subject, permission, resource)
- client = ::Authx::Rpc::AbilityClient.new("http://idp.example.com:8080/twirp")
- response = client.allowed(subject: "", permission: permission, resource: "")
+ token = request&.get_header('HTTP_AUTHORIZATION')&.split(' ', 2)&.last
+ response = rpc.allowed(
+ subject: token,
+ permission: permission,
+ resource: ::GlobalID.create(resource, app: "example").to_s
+ )
puts response.inspect
- response&.error&.nil? && response&.data&.result
+ response.error.nil? && response.data.result
end
def json_not_found
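Review bot: The token extraction in `authorized?` does not check the auth scheme or that a token is present: `split(' ', 2)&.last` yields `"Bearer"` for a bare `Authorization: Bearer` header, the raw header value for `Basic ...`, and `nil` when the header is missing, and each of these is forwarded to the RPC as `subject` instead of being rejected locally. I would fail closed before the network call with `scheme, token = request&.get_header('HTTP_AUTHORIZATION').to_s.split(' ', 2)` followed by `return false unless scheme&.casecmp?('Bearer') && token && !token.empty?`. The new default `resource = Organization.new(id: 1)` also means any caller that omits the resource is authorized against organization 1, which is fine for a demo but worth a `# TODO: derive resource from the request` so it is not forgotten. The existing TODO about checking the JWT claims is still open; presumably the remote service validates signature and expiry, but if it does not, nothing on this side does. `json_not_found` starts at the end of the hunk and its body is outside it.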
diff --git a/bin/e2e b/bin/e2e
index bcc2b67c..f4824ec5 100755
--- a/bin/e2e
+++ b/bin/e2e
@@ -19,6 +19,6 @@ $BROWSER http://ui.example.com:8080/saml/new
$BROWSER http://ui.example.com:8080/oidc/new
curl http://api.example.com:8080/projects.json
-curl -i -XPOST http://api.example.com:8080/projects --data '{"name": "gitlab"}'
+curl -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI2YmYxZTlmMy02OGIwLTQ4NmYtOGVlZi0wODFmZTg2YjJlODMiLCJpYXQiOjE3NDEyOTAzMzJ9.e30=' -XPOST http://api.example.com:8080/projects --data '{"name": "gitlab"}'
curl http://api.example.com:8080/projects.json
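Review bot: The bearer token hard-coded in the POST is not a validly signed JWT: its third segment `e30=` is base64 for `{}`, while the header claims `RS256`. If the IdP verifies signatures this request will be denied and the e2e fails; if it does not, the script passes without exercising token validation at all, so either way the fixture is misleading. Take the token from the environment instead, e.g. `curl -H "Authorization: Bearer ${TOKEN:?set TOKEN to a token issued by the idp}" -XPOST http://api.example.com:8080/projects --data '{"name": "gitlab"}'`, so the e2e runs against a real issued token. Note the change also dropped `-i`, so the response status line is no longer shown for the POST.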
diff --git a/bin/idp b/bin/idp
index 47ec2054..48a77f77 100755
--- a/bin/idp
+++ b/bin/idp
@@ -6,8 +6,9 @@ gemfile do
source "https://rubygems.org"
gem "declarative_policy", "~> 1.0"
- gem "google-protobuf", "~> 3.0"
gem "erb", "~> 4.0"
+ gem "globalid", "~> 1.0"
+ gem "google-protobuf", "~> 3.0"
gem "rack", "~> 3.0"
gem "rackup", "~> 2.0"
gem "saml-kit", "~> 1.0"