| author | mo khan <mo@mokhan.ca> | 2025-07-18 10:52:12 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-18 10:52:12 -0600 |
| commit | c10d21934dfdc89b7f288edb71434731a4223a2c (patch) | |
| tree | dd7afd908ec6760136d09482068b75f15880b0f2 /pkg/authz | |
| parent | 515ba2e1a3974e4ac9fb993ee7e75a9fdb4e6ddb (diff) | |
refactor: extract type mappings for check service
Diffstat (limited to 'pkg/authz')
| -rw-r--r-- | pkg/authz/check_service.go | 52 | ||||
| -rw-r--r-- | pkg/authz/init.go | 58 | ||||
| -rw-r--r-- | pkg/authz/permission.go | 7 |
3 files changed, 68 insertions, 49 deletions
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 4df0ebe7..75ba3963 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -11,6 +11,7 @@ import (
 	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/mapper"
 	"github.com/xlgmokha/x/pkg/x"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
 	status "google.golang.org/genproto/googleapis/rpc/status"
@@ -41,7 +42,7 @@ func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest)
 	if !svc.validRequest(ctx, r) {
 		return false
 	}
-	log.WithFields(ctx, svc.fieldsFor(r))
+	log.WithFields(ctx, mapper.MapFrom[*auth.CheckRequest, log.Fields](r))
 
 	if svc.isStaticAsset(ctx, r) {
 		return true
@@ -51,7 +52,7 @@ func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest)
 		return false
 	}
 
-	response, err := svc.client.CheckPermission(ctx, svc.mapFrom(ctx, r))
+	response, err := svc.client.CheckPermission(ctx, mapper.MapFrom[*auth.CheckRequest, *v1.CheckPermissionRequest](r))
 	if err != nil {
 		pls.LogError(ctx, err)
 		return false
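Review bot: In the `@@ -41` hunk, `log.WithFields(ctx, mapper.MapFrom[*auth.CheckRequest, log.Fields](r))` replaces a method resolved at compile time with a lookup in a registry populated by `init()` in pkg/authz/init.go, so a missing or mistyped registration is only discovered at run time; the same applies to the `*v1.CheckPermissionRequest` mapping in the `@@ -51` hunk, which feeds the permission check itself. What mapper.MapFrom does when no mapping is registered is not visible here; if it returns the zero value, the `@@ -51` call would send a nil request to CheckPermission instead of denying. Worth a test in this package asserting both mappings resolve and, if MapFrom can report absence, a guard that returns false before the CheckPermission call. isAuthorized starts and ends outside these hunks.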
@@ -109,50 +110,3 @@ func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse {
 		},
 	}
 }
-
-func (svc *CheckService) fieldsFor(r *auth.CheckRequest) log.Fields {
-	return log.Fields{
-		"host": r.Attributes.Request.Http.Host,
-		"id": r.Attributes.Request.Http.Id,
-		"method": r.Attributes.Request.Http.Method,
-		"path": r.Attributes.Request.Http.Path,
-		"protocol": r.Attributes.Request.Http.Protocol,
-		"request_id": r.Attributes.Request.Http.Headers["x-request-id"],
-		"scheme": r.Attributes.Request.Http.Scheme,
-		"subject": r.Attributes.Request.Http.Headers["x-jwt-claim-username"],
-	}
-}
-
-func (svc *CheckService) mapFrom(ctx context.Context, r *auth.CheckRequest) *v1.CheckPermissionRequest {
-	return &v1.CheckPermissionRequest{
-		Resource: svc.resourceFrom(ctx, r),
-		Permission: svc.permissionFrom(ctx, r),
-		Subject: svc.subjectFrom(ctx, r),
-	}
-}
-
-func (svc *CheckService) resourceFrom(ctx context.Context, r *auth.CheckRequest) *v1.ObjectReference {
-	return &v1.ObjectReference{
-		ObjectType: "project",
-		ObjectId: "1",
-	}
-}
-
-func (svc *CheckService) subjectFrom(ctx context.Context, r *auth.CheckRequest) *v1.SubjectReference {
-	//TODO:: username is not ideal but it works for demo purposes
-	username := r.Attributes.Request.Http.Headers["x-jwt-claim-username"]
-	if x.IsZero(username) {
-		username = "public"
-	}
-
-	return &v1.SubjectReference{
-		Object: &v1.ObjectReference{
-			ObjectType: "user",
-			ObjectId: username,
-		},
-	}
-}
-
-func (svc *CheckService) permissionFrom(ctx context.Context, r *auth.CheckRequest) string {
-	return "read"
-}
diff --git a/pkg/authz/init.go b/pkg/authz/init.go
new file mode 100644
index 00000000..3ceb1412
--- /dev/null
+++ b/pkg/authz/init.go
@@ -0,0 +1,58 @@
+package authz
+
+import (
+	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/mapper"
+	"github.com/xlgmokha/x/pkg/x"
+)
+
+func init() {
+	mapper.Register[*auth.CheckRequest, log.Fields](func(r *auth.CheckRequest) log.Fields {
+		return log.Fields{
+			"host": r.Attributes.Request.Http.Host,
+			"id": r.Attributes.Request.Http.Id,
+			"method": r.Attributes.Request.Http.Method,
+			"path": r.Attributes.Request.Http.Path,
+			"protocol": r.Attributes.Request.Http.Protocol,
+			"request_id": r.Attributes.Request.Http.Headers["x-request-id"],
+			"scheme": r.Attributes.Request.Http.Scheme,
+			"subject": r.Attributes.Request.Http.Headers["x-jwt-claim-username"],
+		}
+	})
+
+	mapper.Register[*auth.CheckRequest, *v1.ObjectReference](func(r *auth.CheckRequest) *v1.ObjectReference {
+		return &v1.ObjectReference{
+			ObjectType: "project",
+			ObjectId: "1",
+		}
+	})
+
+	mapper.Register[*auth.CheckRequest, *v1.SubjectReference](func(r *auth.CheckRequest) *v1.SubjectReference {
+		//TODO:: username is not ideal but it works for demo purposes
+		username := r.Attributes.Request.Http.Headers["x-jwt-claim-username"]
+		if x.IsZero(username) {
+			username = "public"
+		}
+
+		return &v1.SubjectReference{
+			Object: &v1.ObjectReference{
+				ObjectType: "user",
+				ObjectId: username,
+			},
+		}
+	})
+
+	mapper.Register[*auth.CheckRequest, Permission](func(r *auth.CheckRequest) Permission {
+		return "read"
+	})
+
+	mapper.Register[*auth.CheckRequest, *v1.CheckPermissionRequest](func(r *auth.CheckRequest) *v1.CheckPermissionRequest {
+		return &v1.CheckPermissionRequest{
+			Resource: mapper.MapFrom[*auth.CheckRequest, *v1.ObjectReference](r),
+			Permission: mapper.MapFrom[*auth.CheckRequest, Permission](r).String(),
+			Subject: mapper.MapFrom[*auth.CheckRequest, *v1.SubjectReference](r),
+		}
+	})
+}
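Review bot: The `*v1.SubjectReference` registration takes the subject identity straight from the `x-jwt-claim-username` request header, and nothing in this file records that the header must be set by a trusted upstream rather than by the caller; the carried-over TODO acknowledges the shortcut but does not name the trust boundary. Add a comment at that registration such as `// x-jwt-claim-username must be populated by a trusted upstream JWT filter; this mapping performs no verification of its own.` so the assumption is explicit where the value is consumed. The `*v1.ObjectReference` and `Permission` registrations return the fixed values `project`/`1` and `read` for every request, so path and method are logged but never influence the decision; if that is demo scope, a comment saying so at those two registrations would stop it being read as intentional. Registering in `init()` also means the lookups in check_service.go depend on this file being linked into the binary, and whether mapper.Register rejects or silently overwrites a duplicate key is not visible here and is worth checking.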
diff --git a/pkg/authz/permission.go b/pkg/authz/permission.go
new file mode 100644
index 00000000..b97e7202
--- /dev/null
+++ b/pkg/authz/permission.go
@@ -0,0 +1,7 @@
+package authz
+
+type Permission string
+
+func (p Permission) String() string {
+	return string(p)
+}
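Review bot: `Permission` and its `String` method are exported but carry no doc comment, so lint tooling such as revive will flag them and readers of the package have no statement of what the string denotes. Add `// Permission is the name of a permission to check; its String form is sent as the Permission field of a v1.CheckPermissionRequest.` above the type and `// String returns the permission name as a plain string.` above the method.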
