| author | mo khan <mo@mokhan.ca> | 2025-07-18 10:52:12 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-18 10:52:12 -0600 |
| commit | c10d21934dfdc89b7f288edb71434731a4223a2c (patch) | |
| tree | dd7afd908ec6760136d09482068b75f15880b0f2 /pkg/authz/check_service.go | |
| parent | 515ba2e1a3974e4ac9fb993ee7e75a9fdb4e6ddb (diff) | |
refactor: extract type mappings for check service
Diffstat (limited to 'pkg/authz/check_service.go')
| -rw-r--r-- | pkg/authz/check_service.go | 52 |
1 files changed, 3 insertions, 49 deletions
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 4df0ebe7..75ba3963 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -11,6 +11,7 @@ import (
 auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 "github.com/xlgmokha/x/pkg/log"
+ "github.com/xlgmokha/x/pkg/mapper"
 "github.com/xlgmokha/x/pkg/x"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
 status "google.golang.org/genproto/googleapis/rpc/status"
@@ -41,7 +42,7 @@ func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest)
 if !svc.validRequest(ctx, r) {
 return false
 }
- log.WithFields(ctx, svc.fieldsFor(r))
+ log.WithFields(ctx, mapper.MapFrom[*auth.CheckRequest, log.Fields](r))
 if svc.isStaticAsset(ctx, r) {
 return true
@@ -51,7 +52,7 @@ func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest)
 return false
 }
- response, err := svc.client.CheckPermission(ctx, svc.mapFrom(ctx, r))
+ response, err := svc.client.CheckPermission(ctx, mapper.MapFrom[*auth.CheckRequest, *v1.CheckPermissionRequest](r))
 if err != nil {
 pls.LogError(ctx, err)
 return false 
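Review bot: In the third hunk the result of `mapper.MapFrom[*auth.CheckRequest, *v1.CheckPermissionRequest](r)` goes straight into `CheckPermission` with no check that a mapping for that type pair is registered; the mapper package is not in this diff, so if an unregistered or failed mapping yields a nil or zero value instead of panicking, the permission check is issued with an empty request and the authorization outcome depends on how the server treats it. Bind the result and fail closed before calling out, e.g. `req := mapper.MapFrom[*auth.CheckRequest, *v1.CheckPermissionRequest](r)` followed by `if req == nil { return false }`; the same question applies to the `log.Fields` mapping in the second hunk, though there the consequence is only a missing log field. The removed `subjectFrom` read the subject from the `x-jwt-claim-username` header and substituted `"public"` when it was empty, and `resourceFrom`/`permissionFrom` returned fixed values; since that behaviour now lives in a registration defined elsewhere, a test pinning the empty-header case and the carried-over fixed values would make the refactor verifiable from this package. `isAuthorized` begins before this hunk and its body continues after it.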
@@ -109,50 +110,3 @@ func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse {
 },
 }
 }
-
-func (svc *CheckService) fieldsFor(r *auth.CheckRequest) log.Fields {
- return log.Fields{
- "host": r.Attributes.Request.Http.Host,
- "id": r.Attributes.Request.Http.Id,
- "method": r.Attributes.Request.Http.Method,
- "path": r.Attributes.Request.Http.Path,
- "protocol": r.Attributes.Request.Http.Protocol,
- "request_id": r.Attributes.Request.Http.Headers["x-request-id"],
- "scheme": r.Attributes.Request.Http.Scheme,
- "subject": r.Attributes.Request.Http.Headers["x-jwt-claim-username"],
- }
-}
-
-func (svc *CheckService) mapFrom(ctx context.Context, r *auth.CheckRequest) *v1.CheckPermissionRequest {
- return &v1.CheckPermissionRequest{
- Resource: svc.resourceFrom(ctx, r),
- Permission: svc.permissionFrom(ctx, r),
- Subject: svc.subjectFrom(ctx, r),
- }
-}
-
-func (svc *CheckService) resourceFrom(ctx context.Context, r *auth.CheckRequest) *v1.ObjectReference {
- return &v1.ObjectReference{
- ObjectType: "project",
- ObjectId: "1",
- }
-}
-
-func (svc *CheckService) subjectFrom(ctx context.Context, r *auth.CheckRequest) *v1.SubjectReference {
- //TODO:: username is not ideal but it works for demo purposes
- username := r.Attributes.Request.Http.Headers["x-jwt-claim-username"]
- if x.IsZero(username) {
- username = "public"
- }
-
- return &v1.SubjectReference{
- Object: &v1.ObjectReference{
- ObjectType: "user",
- ObjectId: username,
- },
- }
-}
-
-func (svc *CheckService) permissionFrom(ctx context.Context, r *auth.CheckRequest) string {
- return "read"
-} |
