| author | mo khan <mo@mokhan.ca> | 2025-04-02 09:45:37 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-04-02 09:45:37 -0600 |
| commit | c75ceda92ce98c654747457c4fdfd32766487653 (patch) | |
| tree | 7af774e87806f9522930a51d1d08ef67b9ece602 /pkg/rpc | |
| parent | c851e7d0ff5cbc33dfec8df068529aeb2c70ebfc (diff) | |
feat: embed cedar policies in policies package
Diffstat (limited to 'pkg/rpc')
| -rw-r--r-- | pkg/rpc/ability_handler.go | 17 | ||||
| -rw-r--r-- | pkg/rpc/server.go | 2 | ||||
| -rw-r--r-- | pkg/rpc/server_test.go | 12 |
3 files changed, 26 insertions, 5 deletions
diff --git a/pkg/rpc/ability_handler.go b/pkg/rpc/ability_handler.go
index b36ce14e..973e1db8 100644
--- a/pkg/rpc/ability_handler.go
+++ b/pkg/rpc/ability_handler.go
@@ -2,14 +2,25 @@ package rpc
 import (
 context "context"
+
+ "github.com/cedar-policy/cedar-go"
+ "gitlab.com/mokhax/spike/pkg/policies"
 )
 type AbilityHandler struct {
 UnimplementedAbilityServer
 }
+func NewAbilityHandler() *AbilityHandler {
+ return &AbilityHandler{}
+}
+
 func (h *AbilityHandler) Allowed(ctx context.Context, req *AllowRequest) (*AllowReply, error) {
- return &AllowReply{
- Result: false,
- }, nil
+ ok := policies.Allowed(cedar.Request{
+ Principal: cedar.NewEntityUID("User", cedar.String(req.Subject)),
+ Action: cedar.NewEntityUID("Action", cedar.String(req.Permission)),
+ Resource: cedar.NewEntityUID("Album", cedar.String(req.Resource)),
+ Context: cedar.NewRecord(cedar.RecordMap{}),
+ })
+ return &AllowReply{Result: ok}, nil
 }
diff --git a/pkg/rpc/server.go b/pkg/rpc/server.go
index c78b5d42..90bfdaf9 100644
--- a/pkg/rpc/server.go
+++ b/pkg/rpc/server.go
@@ -6,6 +6,6 @@ import (
 func New(options ...grpc.ServerOption) *grpc.Server {
 server := grpc.NewServer(options...)
- RegisterAbilityServer(server, &AbilityHandler{})
+ RegisterAbilityServer(server, NewAbilityHandler())
 return server
 }
diff --git a/pkg/rpc/server_test.go b/pkg/rpc/server_test.go
index 0ae0f013..266f1434 100644
--- a/pkg/rpc/server_test.go
+++ b/pkg/rpc/server_test.go
@@ -31,7 +31,7 @@ func TestServer(t *testing.T) {
 defer connection.Close()
 client := NewAbilityClient(connection)
- t.Run("returns a result", func(t *testing.T) {
+ t.Run("returns false", func(t *testing.T) {
 reply, err := client.Allowed(t.Context(), &AllowRequest{
 Subject: "",
 Permission: "",
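Review bot: In pkg/rpc/ability_handler.go, `Allowed` builds the Cedar principal directly from `req.Subject` and never reads `ctx`, so the decision is made for whatever subject the caller names; nothing visible in this hunk ties it to an authenticated peer. If the service is meant to answer only for trusted callers, that assumption should be stated on the method and enforced where the server is built, presumably through the `grpc.ServerOption`s that `New` in server.go accepts. I would add a doc comment such as `// Allowed evaluates the embedded Cedar policies for the caller-supplied subject, permission and resource; it does not authenticate the caller.` The resource type is also fixed to `"Album"`, which deserves a comment if it is intentional. The result is returned without being logged, so a denied or allowed request leaves no audit record in this handler.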
@@ -40,4 +40,14 @@ func TestServer(t *testing.T) {
 require.NoError(t, err)
 assert.False(t, reply.Result)
 })
+
+ t.Run("returns true", func(t *testing.T) {
+ reply, err := client.Allowed(t.Context(), &AllowRequest{
+ Subject: "alice",
+ Permission: "view",
+ Resource: "jane_vacation",
+ })
+ require.NoError(t, err)
+ assert.True(t, reply.Result)
+ })
 } |
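Review bot: The only deny case in TestServer is the `returns false` subtest, which sends empty identifiers, so the suite never shows the embedded policies refusing a well-formed request. An authorization change should carry at least one negative case next to `returns true`: the same request shape with a subject, permission or resource the policies do not grant, ending in `assert.False(t, reply.Result)`. Without it, a policy scoped too broadly (for example, one that ignores the principal) could still pass both subtests. TestServer's body starts outside this hunk.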
